Caveat 10.14.21
Ep 98 | 10.14.21

Government agencies have different obligations on keeping data.


Paul Robichaux: And that puts a different set of obligations on them in terms of what data they are allowed to keep and what data they must keep and for how long, you know, what format and so on. And that's really where PST files start to become a problem.

Dave Bittner: Hello, everyone, and welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: This morning, Ben has the story about the European Union considering a mandate for common chargers for all phones. I've got the story of an Uber driver in the U.K. getting locked out of his account because of facial recognition software. And later in the show, my conversation with Paul Robichaux from Quest Software. We're going to be discussing how government agencies can better protect citizen data. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump into some stories here. Why don't you start things off for us? 

Ben Yelin: So last week we ragged on Facebook. 

Dave Bittner: (Laughter). 

Ben Yelin: So I feel like this week we have to pick on a different Big Tech company. 

Dave Bittner: (Laughter) OK. 

Ben Yelin: And our story this week relates mostly to Apple. It's from the New York Times. And it's entitled "In a setback for Apple, the European Union seeks a common charger for all phones." It's by Elian Peltier. The European Union, through the European Commission, is considering a new piece of legislation which would regulate the charging ports for all smartphones, tablets and other electronic devices. All of those devices would be required to have a jack for USB-C cords. 

Ben Yelin: Apple is, of course, not happy about this because they've moved on to greater and bigger and better things in terms of chargers, as Apple is wont to do. They've decided that the chargers that have sustained us through smartphones 1.0 2007 to 2017 or so are no longer sufficient, and they've employed a sleeker, more efficient charger. 

Dave Bittner: Yeah, the Lightning port. 

Ben Yelin: The lightning port. Exactly. 

Dave Bittner: Yup. 

Ben Yelin: So this decision would hurt Apple the most. I think most other devices, whether they are tablets, smartphones, et cetera, wouldn't be affected by the European Commission or the European Union's decision here because they already use this common charging port. Apple, of course, is not happy about this. They're going to lobby hard to the European Parliament, which would have to approve this new regulation. 

Dave Bittner: Right. 

Ben Yelin: And my instinct is that the law is still going to pass. And we're going to get into a situation where Apple wants to maintain these sleek charging apparatuses - apparati? 

Dave Bittner: (Laughter) Yeah, whatever. 

Ben Yelin: Yeah. 

Dave Bittner: Devices. 

Ben Yelin: Yeah. Once... 

Dave Bittner: Gadgets (laughter). 

Ben Yelin: Right. And they're worried that regulations like the one in Europe are going to stifle innovation... 

Dave Bittner: Ah, yes. 

Ben Yelin: ...And are going to prevent us from having the most efficient technology for charging our devices. 

Dave Bittner: OK. 

Ben Yelin: I don't think that's a concern that's beyond the pale. I mean, I think it's completely legitimate. 

Dave Bittner: Yeah. 

Ben Yelin: And it's not just Apple saying this. Other tech experts have railed against this potential regulation, saying who knows what the charging technology is going to be in five years? Why should we lock into this charging port? 

Dave Bittner: Yeah. 

Ben Yelin: On the other hand... 

Dave Bittner: (Laughter). 

Ben Yelin: I was in a situation yesterday where I have a MacBook Air, which does not have a USB port. I was in a - at a conference trying to give a presentation and had to go searching for an adapter cable. And that's no fun. 

Dave Bittner: Yeah. 

Ben Yelin: And that's something that all Apple users are used to. And so I can see why the European Union and the European Commission representing its constituents wants to standardize this, wants to make it so that your drawer full of old chargers doesn't become obsolete. 

Ben Yelin: So you're really dealing with competing, you know, rather compelling policy objectives here. On the one hand, protecting the consumer from having to constantly purchase new products and then sustaining innovation in the industry. You know, I think in the United States, we generally, in these types of disputes, come down more on the side of the industry and trying to sustain innovation. 

Dave Bittner: Right. 

Ben Yelin: And that's not just true for the tech industry, it's true for health care. It's true for a bunch of different sectors. It's just part of our political culture. 

Ben Yelin: What I am somewhat concerned about is we get to a situation in five years where Apple has to produce separate devices for its European customers than from its U.S. customers and its customers in other countries, which could be - you know, could have an upward effect on consumer prices, first of all, and, you know, also might be just kind of an undue burden on the company itself. 

Ben Yelin: So it will be an - it'll be interesting to watch. The regulation has not yet been enacted. They are - the European Commission, which is kind of the bureaucratic arm of the EU, is still considering the proposal. But it's certainly something to watch out for. 

Dave Bittner: My sense on this - I - and I generally am an Apple fan boy, I guess it's fair to say. 

Ben Yelin: Yeah. Oh, me too. 

Dave Bittner: I enjoy their devices and have for a long time. But I think in this case, Apple doth protest-eth too much (laughter). 

Ben Yelin: Yes. 

Dave Bittner: I think they have already started switching some of their iPads to USB-C. So it's not like even within the company, they're holding fast that Lightning is the superior connector, the one connector to rule them all, you know? And of course, their laptops have USB-C. Many of their most recent laptops use USB-C for charging. 

Ben Yelin: Right. 

Dave Bittner: So Apple is on board with that to a certain degree. I think there's an argument to be made that Apple wants to stay with Lightning because Apple owns Lightning. And so every app - every cable that's made by anyone that has a Lightning connector on it, Apple makes a little money off of that. So they're with - not without their own financial interest in keeping Lightning a thing. 

Ben Yelin: Certainly not. Yeah. That is absolutely correct. I mean, they're not coming at this from - they might talk about innovation publicly. That's going to be their public justification for opposing this law. We know what their private justification is, which is, yes, they own a portion of this technology. They're making money off of it. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, part of Apple is, you know, coming up with the next best thing. And if they have, some time over the next five to 10 years, something beyond the Lightning connector, a technology that doesn't even exist yet, they don't want to have to be constrained by a European Union regulation way back in 2021. 

Dave Bittner: Yeah, (laughter) where dinosaurs roamed the Earth. 

Ben Yelin: Yeah, exactly. You know, I think there are a couple of other criticisms of this law beyond what it would do to Apple. 

Dave Bittner: Yeah. 

Ben Yelin: One of them is that this is coming too late because the use of these USB-C connectors have actually decreased over the past several years. So, you know, I think that's certainly a legitimate criticism. And, you know, is it - I guess, from a broader perspective - and I don't think this is an answerable question - is it the job of any governing agency to make hard and fast rules for device connectors? 

Dave Bittner: Well, I don't know. I mean, we've got standard wall outlets for electricity, you know? I mean, there's a standard gas tank - you know, interface between the gas pump and your car, so... 

Ben Yelin: Not to get too philosophical though, but those are public goods. You know, you get electricity from the public electric grid, so it has to be - you have to have the same, you know... 

Dave Bittner: Yeah. 

Ben Yelin: ...Placement of holes in the outlet. 

Dave Bittner: Right. 

Ben Yelin: Whereas, you know, that's not necessarily the case with a bunch of different devices that are all privately owned and operated. These are not public utilities yet. 

Dave Bittner: Yeah. 

Ben Yelin: You know, despite what Justice Thomas says, these are not yet considered even common carriers. So what place does any governing body have to regulate this if it's not, you know, a health and safety issue, which it is not? 

Dave Bittner: Right, right. 

Ben Yelin: I don't come down on either side of this issue, I just think that's, you know, going to be a source of the debate here. 

Dave Bittner: Yeah. I mean, I agree with the philosophical side of saying that it could hurt innovation. I think that's a legit beef here. My personal take is that I don't see, over the next few years, having to use USB-C. Given the specs of USB-C with what it can do in terms of both power and data transfer, I don't see that as being a huge limiting factor in how we're going to be using our mobile devices for the foreseeable future. 

Dave Bittner: I tend to think that Apple is moving away from having any ports on their devices that - you know, they got rid of the headphone jack. They've put the charger on the back of the phone, the - I forget what their name is for their wireless charging protocol. But I could see them just sealing the whole thing off; you know, take the waterproof ability to the next level and not have any ports at all, charge it wirelessly and then have all of the data connection happen wirelessly as well. 

Dave Bittner: So I think it would - I don't know the answer to this, but is the EU requiring a charge port at all? If - must they have a port on these devices? I don't know the answer to that. 

Ben Yelin: So actually, the article mentions that wireless chargers would not be affected. But for any iPhone or Apple device that uses a Lightning charging port that's proprietary to Apple, there would be an effect. Also, I should note this law wouldn't come into effect at the earliest until 2024 because of just the process of going through the European Commission and European Parliament. 

Dave Bittner: Yeah. 

Ben Yelin: So we're still a couple of years away from this being operational, but it's certainly something that we're going to have to keep an eye on. 

Dave Bittner: (Laughter) I just - I love the idea that maybe Apple could go totally bonkers and just put both ports on the phone, you know (laughter)? 

Ben Yelin: Right, exactly. 

Dave Bittner: That'll never happen, but it's a funny thing to consider (laughter). 

Ben Yelin: Wave my American flag and say, in America... 

Dave Bittner: Right. 

Ben Yelin: ...We can use both ports. 

Dave Bittner: That's right. That's right. 

Ben Yelin: For you bully Europeans, you have to be stuck with the wireless charger. 

Dave Bittner: That's right. And the new phones - iPhones will have, you know, Super Lightning or something (laughter). 

Ben Yelin: Yeah, exactly - Super American Lightning. 

Dave Bittner: Right. 

Ben Yelin: The Captain America... 

Dave Bittner: U.S.A. U.S.A. 

Ben Yelin: ...Lightning port. 

Dave Bittner: Right. 

Ben Yelin: Yeah. 

Dave Bittner: Right, exactly. All right. Well, it's an interesting thing to follow. I like - the overall policy issue here, I think, is particularly interesting; of, you know, the U.S. - or the EU, rather, trying to do something for the sake of consumers. But yeah, I think there's a legit concern here that it could limit innovation, so... 

Ben Yelin: Absolutely. 

Dave Bittner: Yeah. All right. Well, my story this week, this comes from the Guardian. And this is about an Uber driver - or should I say an ex-Uber driver who has taken legal action against Uber because evidently, Uber uses facial recognition software to allow Uber drivers access to the app. And this gentleman, who is one of a group of people - this article points out that at least 35 other drivers have had their registration with Uber terminated because this facial recognition software is unable to identify them. 

Dave Bittner: Now, Ben, I'm going to go out on a limb here, and I'm going to get - I'm going to ask - put you on the spot and ask you to guess, what color skin do you think that this Uber driver has that the facial recognition software had trouble recognizing him? 

Ben Yelin: Before having read the article, I'd just say, based on having read the news some time over the past, you know, 10 years, I'm going to guess it was a person of color. 

Dave Bittner: Ding, ding, ding, ding, ding, ding, ding, ding. (Laughter) That is correct. 

Ben Yelin: What do I win for... 

Dave Bittner: That is correct. 

Ben Yelin: ...For that innovative guess... 

Dave Bittner: Yes. 

Ben Yelin: ...There? 

Dave Bittner: It's a - you get a free CyberWire sticker. 

Ben Yelin: Yes. 

Dave Bittner: So there you go. (Laughter) Put it on your laptop. Yes, the coveted CyberWire sticker. 

Dave Bittner: So this - now, this gentleman says that he tried to log in multiple times, was refused, received a notice from Uber saying that his account was terminated. Uber says that they strongly refute completely unfounded claims and that they are committed to fighting racism and being a champion for equality both inside and outside their company. They say that these checks were designed to protect the safety and security of everyone who uses the app by ensuring that the correct driver is using their account. 

Dave Bittner: Now, that's - an interesting point here is that part of what Uber is using this for is so that someone can't register to be an Uber driver and then have their best friend or their cousin or their brother or their sister or someone else drive as them. 

Ben Yelin: Right. 

Dave Bittner: Because that obviously is a safety issue, or could be, you know? Uber doesn't want that. So what do you make of this, Ben? 

Ben Yelin: It's really frustrating. I mean, Uber on, you know, Martin Luther King Day in the United States and Juneteenth is going to post statements on social media saying they support racial justice, yet they are using an algorithm which was devised by Microsoft, in which Microsoft admitted that this "facial recognition software didn't work as well for people of color and could fail to recognize them." And that's a quote directly from the article. 

Dave Bittner: Yeah. 

Ben Yelin: And this is not just true for this one facial recognition software from Microsoft. It's true, as we've discussed many times, in several facial recognition software packages. So it's a persistent problem. 

Ben Yelin: This is a case that's being brought in the United Kingdom. And it's worth noting that 9 out of 10 Uber drivers in the United Kingdom are Black or are either of Black British ancestry or Asian or Asian British ancestry or mixed race, so it's not a problem that's going to be confined to a small subset of Uber drivers. It's going to be relatively widespread because those are the demographics of the drivers in the United Kingdom. 

Ben Yelin: Again, I completely understand that you want some type of algorithm to verify that the person who was driving the Uber car is who they say they are. 

Dave Bittner: Yeah. 

Ben Yelin: I understand the safety concerns there, but there has to be a better way. I think we could go with the Dave Bittner suggestion where these types of algorithms have to go in front of some sort of regulatory review board. You set actionable standards. You know, this algorithm, if it's going to be approved, this facial recognition software, has to pass standards to ensure that it is not racially biased, that it doesn't miss people of color. 

Dave Bittner: Yeah. 

Ben Yelin: I think that is the long-term solution here. I don't know enough about the legal system in the United Kingdom to be a prognosticator, but I will say that this is a widespread issue not just in the United Kingdom, but also in the United States as well. 

Dave Bittner: Yeah. I wonder - you know, before we had Face ID, for example, on iPhones, we had Touch ID. 

Ben Yelin: Yup. 

Dave Bittner: And it was - and it remains highly reliable. So why not fall back to something like that? Why not use fingerprints? That - there were - I saw no reports about issues with fingerprint scanning having any sort of racial bias. 

Ben Yelin: Right. That is a great question. Maybe because scanning one's finger isn't as cool as having your entire face scanned. 

Dave Bittner: (Laughter). 

Ben Yelin: It's not something you're as likely to see in a science fiction movie. 

Dave Bittner: Yeah. I mean, I guess - so fair to say every device has a camera, right? 

Ben Yelin: Right. 

Dave Bittner: Not every device has a fingerprint scanner or a Face ID scanner. 

Ben Yelin: But it's sort of a chicken and the egg problem. You know, the reason that many devices no longer have a scanner for the finger or a touchpad for the finger is because we're using facial recognition. 

Dave Bittner: Right, right. Now, I was curious because part of this article made me think that I had not seen any allegations of racial bias when it comes to Apple's Face ID. And I was curious why that is. And I did a little bit of digging, and I found a couple of articles actually dating back to 2017 that were asking this very question. And evidently, because Face ID uses infrared to do its scanning - it's not just using the camera on your device, there's a - on your iOS device, there's an infrared scanner, a separate scanner and imager - that because it uses infrared, that it doesn't matter what color your skin is. It's basically looking at a heat signature and mapping a 3D image of your face. So it's pretty immune to this bias as well. 

Dave Bittner: And I wonder what if someone like Uber, who wanted to do something like this, said, OK, if you want to be an Uber driver, you have to have an iOS device because we're going to use this. We're going to use Face ID instead of just using the camera on your phone. Would that itself be discriminatory? Because Apple devices are more expensive than Android devices, aren't always as readily available. Is that a - as an employer, is it fair for them to make a restriction like that, saying that it is going to be for security? 

Ben Yelin: I think that's fair for an employer to do that. They're a private company. I mean, they have other restrictions in terms of which vehicles can be used to transport passengers, for example. 

Dave Bittner: Right. 

Ben Yelin: I mean, Uber has standards for those. I think it would be reasonable to require that whatever application or whatever device is being used by drivers, it's one that has facial recognition that's widely recognized as avoiding some of these racial biases if that's something that Uber wants to prioritize. Instead, it seems like they're prioritizing fighting this lawsuit, which I understand. Nobody wants to get sued. 

Dave Bittner: Yeah. 

Ben Yelin: And, you know, if you want to recruit the greatest volume of drivers and a socioeconomically diverse set of drivers, you don't want to confine them to one operating system. 

Dave Bittner: Yeah. 

Ben Yelin: And I understand that. 

Dave Bittner: Yeah, absolutely. 

Ben Yelin: But the reverse of that is by using an algorithm that, you know, we now know has this weak spot for people of color, perhaps that's going to be a disincentive for other people of color to apply to be Uber drivers if they think that they're going to run into this problem... 

Dave Bittner: Yeah. 

Ben Yelin: ...As the individual who was named in this lawsuit. So it really cuts both ways. That's why I think a broader solution is needed so that, you know, we have some sort of regulatory agency approving these algorithms, these facial recognition systems, before they go to market; that there's some type of institutional review board. It's independent. It's made up of a cross-section of individuals; obviously, mostly people who have technical expertise, but also, you know, a shoutout to the sociology majors out there... 

Dave Bittner: (Laughter) Right, right, right. 

Ben Yelin: ...Who might have a source of employment on this type of commission. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: I know this is a pipe dream, but that's ultimately going to be the solution to this problem; is the government stepping in and making sure that any algorithm that goes to market doesn't have these, you know, racially discriminatory effects. 

Dave Bittner: Yeah. Yeah, absolutely. All right. Well, we will have a link to that story in the show notes, of course. 

Dave Bittner: We would love to hear from you. If there's an issue that you would like us to cover or if you have a question for me or for Ben, you can write to us. It's 

Dave Bittner: All right, Ben. I recently had the pleasure of speaking with Paul Robichaux of Quest Software. And we were discussing some ways government agencies can better protect citizen data. Paul has some specific ideas about this. Here's my conversation with Paul Robichaux. 

Paul Robichaux: When you talk about what government agencies need from the cloud - and I guess first, I want to start by segmenting off - let's push the high-reliability, high-security DOD intelligence community, let's kind of push those people to the side because they have their own requirements that are immovable, right? They're not ever going to adopt a cloud service. It doesn't meet 100% of the things that they need, and most of them are not using PSTs or other technologies like that anyway. 

Paul Robichaux: But for the majority of government agencies, for people like, you know, the State Insurance Board or the U.S. Department of the Interior or the Centers for Disease Control, you know, these people all have the same problem that we have, which is - in the commercial world, which is they have a set of services that they need to deliver to their end user customers, and they have a finite budget and a finite number of people. And so cloud services are attractive to government agencies for the same reason they're attractive to commercial and educational agencies. 

Paul Robichaux: The difference is that government agencies have got a slightly different regulatory regime. Many of them have got open records laws that they're required to comply with, for example, that don't apply to "CyberWire Daily" or to Quest Software or to, you know, Uncle Joe's bakery. And that puts a different set of obligations on them in terms of what data they are allowed to keep and what data they must keep and for how long, you know, what format and so on. And that's really where PST files start to become a problem. 

Dave Bittner: Let's dig into that. I mean, what are the - first of all, can you - for folks who aren't familiar, can you give us a little definition of what PST files are and what's the issue here? 

Paul Robichaux: Sure. So PST files are the colloquial name for the extension file that Microsoft included in early versions of Outlook. Way back in the day, like decades ago, if you had a 10-megabyte mailbox, you were a king, right? That was like a really big deal. 

Dave Bittner: (Laughter) Right. 

Paul Robichaux: And so everybody had more emails than that. Now, of course, email message sizes have gotten larger, but even in those days, it was very common for people to need to keep more mail around to do their job than their mailbox size quota would allow. 

Paul Robichaux: So Microsoft said, oh, you know what we'll do? We'll give you an offline file format that you can move messages into that'll stay on your local PC. And that way, even if you're only allowed to have 10 megabytes in your real mailbox, you can have PST files on your local workstation or laptop that will hold as much email as you want. And if a PST file gets full or if you want to start a new one every year or a new one for every project or whatever, you can. 

Paul Robichaux: And that seemed to work OK until people caught on to all of the record-keeping and chain-of-custody and records-management implications of letting every individual person keep some unknown amount of some unknown set of email contents on a machine that wasn't getting backed up, wasn't centrally managed, couldn't be participating in discovery requests and so on. 

Dave Bittner: And so is this basically - I don't know - for lack of a better word, a searchable archive of email that people have control over on their own endpoint computer then? 

Paul Robichaux: Yeah. Although it - saying it's searchable is exaggerating a little bit because Outlook's search didn't always work as well as anybody would like it to. But at least the intent was to let users have their own user-controlled storage repository where they could keep whatever email they thought was important enough to keep around. 

Dave Bittner: So what are the consequences of this then? From an organization's point of view, I have a bunch of employees who are basically, you know, dialing in their own amount of being a pack rat when it comes to old emails. How does that affect the organization? 

Paul Robichaux: Well, the biggest problem that PST files cause for the organization is, because they are not centrally managed and centrally searchable, you can't really effectively control what content or how much content people store. And I'll give you an example of why that's bad. 

Paul Robichaux: There was a case some years ago, ironically involving Microsoft, where Microsoft was sued for doing something anti-competitive. And the plaintiff issued a discovery request that said, hey, Microsoft, you need to give us all of the emails about this bad thing you allegedly did. And so Microsoft went off, and they brought back some records and said, OK, judge, this is all the records we have about this thing. And it turned out that the plaintiff had some email that Microsoft did not because they had kept copies in their PST files. That turned out to be very bad for Microsoft because then the judge, you know, wagged his finger very sternly at them and said, you guys are not playing ball and fined them a bunch of money. 

Paul Robichaux: And there are a number of other similar cases where keeping PSTs around means that when you're compelled to produce some kind of record in a legal matter, you can't guarantee that you've produced everything because these PST files, essentially, as they sit on individual machines, are invisible to eDiscovery tools. So I may have a copy of an email from my CEO telling me to do something really terrible, like kick a puppy in my PST file. 

Dave Bittner: Right. 

Paul Robichaux: And if the judge says, show me all your records relating to puppy-kicking and I don't produce that record and later it comes to light, say, because the person to whom I sent it has a copy and enters that into the case, now all of a sudden, it looks like I'm hiding evidence even though it may be completely inadvertent. And for government agencies, when you multiply that out, the problem they have is that there are pretty stiff legal penalties for not complying with open records requests. 

Paul Robichaux: And so, for example, the National Archives and Records Administration in the U.S. is the entity that's responsible for making sure that government agencies keep the amount of data they're supposed to for the right amount of time. And what they've persistently found is that there are federal agencies who have data that they don't know about or who don't have data and don't realize they don't have it because PST files have - if I say interfered, that sounds bad, but because the PST files represent this sort of black box of you don't know what's in them, you don't know how many of them there are, you don't know who has them. It makes it much harder for an agency to know whether or not they're in compliance or to prove that they are in compliance or to protect themselves from the consequences of not being in compliance. 

Dave Bittner: So what are the alternatives out there? I mean, I suspect for organizations who know that they have an obligation to be on top of this, are there other tools at their disposal? 

Paul Robichaux: Sure. The best tool that people have at their disposal is to give their users bigger mailboxes. And Microsoft has done a great job of emphasizing the value behind large, low-cost mailboxes. So the trick there is if you have PST files or you think you might have PST files - when we talk about them at Quest, we usually talk about them in the sense of upgrading your PSTs to the cloud. 

Paul Robichaux: So you've got some number of PSTs on workstations. Great. What you want to do is you want to grab that content and bring it into people's cloud mailboxes. That way, they still have access to the data if they need it for their jobs. But also, that way when you do an eDiscovery search for puppy-kicking or chocolate chip cookie recipe-stealing or whatever, you know, heinous thing you're accused of... 

Dave Bittner: (Laughter) Right. 

Paul Robichaux: ...The right records will show up, and the organization will be protected. Plus, there's another side to this too - that it's not a records retention issue per se, but it is an end user productivity and security issue. Because these PST files are portable and because they're typically stored on individual workstations, they tend to not get backed up, and they are vulnerable to being lost or stolen. 

Paul Robichaux: And so if you can imagine somebody who's worked in an agency for 20 years and has, you know, PST files yearly from, say - I don't know - 1988 to 2012, when they moved to a bigger email server, that data may have some intrinsic value. And lightning or a spilled Diet Coke or a fire - any number of reasons may cause you to lose that data, and then it's gone because it wasn't protected in the cloud. 

Paul Robichaux: Then of course, the other problem that you see is occasionally attacks, like the one that Sony Pictures suffered from a few years ago, where an attacker who can compromise a workstation can shoplift PST files and then read everything that's in them, which essentially means they've got a copy of, you know, that individual's email traffic. 

Dave Bittner: Yeah. I mean, how much of this is - I don't know - the reality that perhaps email as we know it has sort of outlived its usefulness? You know, it seems like it's popular and sometimes fashionable to complain about how old and creaky our email system is, and yet we're sort of stuck with it because it's what everybody has and it works. I guess it strikes me that people are using email in a way that it was never designed for; you know, this sort of - this historical record of all of your business interactions, which is what, for a lot of people, email is; having emails that go back five or 10 years. 

Dave Bittner: I mean, I have emails that are 20 years old. Sometimes it's fun to look back on them. But I guess to your point, shouldn't we be at a place where they're automatically getting offloaded to a proper archival system if they're important to us? 

Paul Robichaux: Oh, absolutely. No, that's an excellent point, Dave. If people have done their due diligence around designing their email system, they'll have retention policies in place that will keep the right amount of data for the right amount of time and then get rid of things that are no longer necessary. And then if people want to, the organization may permit them to say, OK, great. If you have some data that you think is special that you need to keep, then you can tag it to say, don't delete this, exempt it from the default retention policy. 

Paul Robichaux: Microsoft has put a huge amount of effort into designing the tools to enable that and making them accessible and, you know, building them into the product. And they work very well. So that addresses a problem once you wake up and realize, oh, my goodness, people are keeping this data, and I don't know where, and I don't know how, and I don't know how much, so I want to put some retention controls into place. That's the good news. The bad news is that doing that doesn't get rid of - it didn't make the PST file problem go away. To do that, you have to make the PSTs go away. 

Dave Bittner: Is this a universal problem here? I mean, if - people who are using other service providers, if I'm using Gmail or something like that, are there similar challenges all around? 

Paul Robichaux: I'm going to say not exactly. And the reason for that is the PST file format is a child of Outlook for Windows. And so if you have Outlook for Windows talking to Gmail, you could still have a PST file that has data from Gmail in it. Realistically, nobody does that, but you could. 

Paul Robichaux: So the big problem that we see are for organizations that had on-premise exchange for a while and where employees got into the habit of creating PST files to save data that they thought was important. And now, even if they move to the cloud, they still have this sort of, you know, toxic waste dump of PSTs scattered throughout the organization that they need to do something to remediate. 

Dave Bittner: So what are your recommendations, then? I mean, for organizations who want to get on top of this and put proper procedures in place, where do they get started? 

Paul Robichaux: That is a really good question, Dave. The best way to get started is by, first of all, disallowing the creation of new PSTs. So there's a registry key that you can set and then distribute through group policy or through the Office client policy service that says, hey, you're no longer allowed to create new PSTs with, you know, file new PST in Outlook. That at least will stop the hole from getting any bigger. It didn't do anything to address whatever PSTs you may have around, but, you know, at least it doesn't let the problem get any worse. 

Paul Robichaux: Really, the next step after that has to start with educating your users. The simplest, lowest-cost migration option is you just tell people, hey, if you have a PST file, you need to grab its contents and drag it into your archive folder in Outlook. Now, the problem is you're asking users essentially to sort of distributively perform a task that really should be centralized. It should be centrally managed. 

Dave Bittner: Right. 

Paul Robichaux: But to centrally manage it and, you know, do it the right way, you've got to buy a service or a tool. And I - you know, not every organization is willing to do that or has budget to do that. So one way to start is if you can tell people, hey, if you have old PST files, you know, do something with that content yourself to bring it under management. That's a decent start. 

Paul Robichaux: Now, as with any other technical measure, when you ask an end user to do something like that, you'll see adoption on a bell curve. You're going to have some people who immediately do it because they're comfortable with the technology and they see the value. You're going to have some people who will never do it, no matter what. It's too hard, or they hate the IT department or whatever, and they're just not going to do it. And most of the people in the middle will fall into this sort of group where if it seems like a good idea and they have time and it's not too hard and they're not too busy, they'll do it. They don't mind, but it's not going to be a top priority for them. So get the easy pickings first, right? Get your early adopters to get off PSTs. 

Paul Robichaux: But really, at the end of the day, you know, Microsoft has a tool for doing PST imports, but, frankly, it's not very good. It doesn't do a good job of discovering PSTs. When it does discover them, sometimes it can't tell who the PST belongs to. And the last thing in the world you want to do is grab a PST and say, oh, this looks like the CFO's email and import it into her mailbox when it's actually from the CEO or a... 

Dave Bittner: Right. 

Paul Robichaux: ...Product manager or a podcast producer, right? 

Dave Bittner: Right. 

Paul Robichaux: If you can't attribute that data, it's worse - much worse to just randomly grab it and put it somewhere. So if that's the only tool you have available, it's probably better than nothing as long as you're careful and judicious about how you use it and how you monitor it. But, you know, really your best bet long term is going to be to find a vendor or a service that can help you scope the problem, to understand where all your PSTs are and how many of them you have and how much data is in them and then get them securely moved into the cloud so that you can sort of dust your hands together and say, great, problem solved. 

Dave Bittner: All right, Ben. What do you think? 

Ben Yelin: I really enjoyed listening to the interview. I mean, I think government institutions have unique vulnerabilities. As a private institution, you certainly have some legal obligations as it comes to data. If you're a health care institution, you know, you have to worry about HIPAA. There are lots of different laws that apply in different sectors. But for government institutions, you know, you just magnify those concerns tenfold. It's not just HIPAA violations, it's personnel records. So I think that does leave government institutions particularly vulnerable. And, you know, so any help that's out there to ameliorate the effects of, you know, data breaches or data loss is a good idea. And so I really enjoyed listening to the interview. 

Dave Bittner: Yeah. Our thanks to Paul Robichaux from Quest Software for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of Data Tribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.