MIRLN --- 19 Feb - 11 March 2017 (v20.04)
- Software helps assemble social media posts from a specific event or point in time
- Judge Gorsuch on copyright and technology
- Federal agency begins inquiry into auto lenders’ use of GPS tracking
- If your TV rats you out, what about your car?
- China orders every vehicle in region troubled by ethnic unrest to be fitted with Satnav tracker
- Verizon cuts Yahoo deal price by $350 million
- Yahoo’s top lawyer resigns, CEO Marissa Mayer loses bonus in wake of hack
- Appeals court says filming the police is protected by the First Amendment
- The police can’t just share the contents of a seized iPhone with other agencies, court rules
- Google’s new project aims to clean up comment sections
- Pentagon launches open-source experiment
- Why Trump’s election scares data scientists
- Top bank executives required to vouch for cyber attack defences
- Open link to file-sharing site was like leaving legal file on a bench, judge says; privilege waived
- American Bar Association to offer cybersecurity insurance to law firms
- Law firms must manage cybersecurity risks
- 6 major law firm hacks in recent history
- “Proof Mode” for your smartphone camera
- Something amazing from JSTOR labs
- The government’s secret wiki for intelligence
- Excellent nominations for CIA GC and DoD GC
- Uber’s ‘Greyball’ program puts new focus on legal dept
- Facebook parking chatbot now turns lawyer helping refugees claim asylum
- Zero days, thousands of nights
- Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud
Software helps assemble social media posts from a specific event or point in time (ABA Journal, 1 Feb 2017) - Before he became a trial lawyer (and an advocate on behalf of the wrongfully convicted), Sean MacDonald in Toronto worked as a private investigator. His experiences on both sides of the coin taught him all too well how time-consuming and expensive it could be to locate eyewitnesses months or years after the fact. Then he saw a demo of LifeRaft , a cloud-based program that uses geolocation technology and data mining to monitor social media. It can re-create a scene based on public posts on social media. LifeRaft was marketed primarily toward law enforcement officials to maintain public safety and monitor potential threats. But MacDonald saw other uses. “When I first saw it, it struck me like a bolt of lightning,” says MacDonald, a solo practitioner who sits on the board of directors at Innocence Canada. “I knew this would be unbelievably useful for lawyers preparing for trial.” Social media contains a potential treasure trove of information. It seems people’s first instinct nowadays is to reach for the smartphone while they witness a fight, traffic crash or crime, then log on to spill the details. The problem was trying to comb through all the selfies, pet portraits and other irrelevant information in a quick, cost-effective way. With TrialDrone , which launched in late February 2016, MacDonald thinks lawyers now have the ability to go back in time and see who witnessed an event and what he or she said about it. TrialDrone, a sibling company to LifeRaft that uses the same software, claims to be able to re-create an event by identifying everyone who posts publicly to social media at a given time and location. * * *
Judge Gorsuch on copyright and technology (James Grimmelmann, 17 Feb 2017) - I’ve done a quick pass through Judge Gorsuch’s opinions in the fields I know something about (mainly IP and Internet law) and I’m impressed by what I’ve found. His writing style is designed to make his conclusions sound reasonable and sensible, and in these cases at least, they are. A few highlights: * * *
Federal agency begins inquiry into auto lenders’ use of GPS tracking (NYT, 19 Feb 2017) - They can figure out when you leave town and see where you parked your car. They can see how many times you went to the grocery store or the health clinic. Auto loans to Americans with poor credit have been booming, and many finance companies, credit unions and auto dealers are using technologies to track the location of borrowers’ vehicles in case they need to repossess them. Such surveillance, lenders say, allows them to extend loans to more low-income Americans, knowing that they can easily locate the car. Lenders are also installing devices that enable them to remotely disable a car’s ignition after a borrower misses a payment. Now, federal regulators are investigating whether these devices unfairly violate a borrower’s privacy. The auto lender Credit Acceptance Corporation said this month in a securities filing that it had received a civil investigative demand from the Federal Trade Commission asking for its “policies, practices and procedures” related to so-called GPS starter interrupter devices, which are used to disable an ignition. Industry lawyers say the action is part of a broader inquiry by the agency into tracking technologies used in the subprime auto lending market.
- and -
If your TV rats you out, what about your car? (Autoblog, 24 Feb 2017) - Vizio, the TV manufacturer, recently had to pay a $2.2-million fine to the FTC because it was discovered that its sets were collecting data about viewers’ watching habits and then using the information for its own benefit. Last year, it was revealed that Samsung smart TVs were busy listening to what was being said, even if the conversations in question had absolutely nothing to do with switching the channel away from the Matt LeBlanc Gear. Nowadays, auto manufacturers seem to be tripping over each other pointing out that they offer Apple CarPlay and Google Android Auto. A more recent phenomenon is announcements - from companies including Ford and Hyundai - that they are offering Amazon Alexa capabilities. You talk. It listens. In late January, General Motors said it is releasing a next-generation infotainment software development kit (NGI SDK) to software developers to write apps for GM cars. The NGI SDK includes native Application Program Interfaces (APIs) that allow access to expected things - like oil life and tire pressure and whether lightbulbs are burned out - but unexpected things, as well. Like the presence of passengers in the vehicle. In making the announcement of the NGI SDK, GM pointed out that it has the largest connected fleet on the road, some 12-million vehicles. The company also noted: “From 2015 to 2016, GM has seen data usage by customers increase nearly 200 percent. Mobile app use for GM vehicles also hit an all-time high in 2016, with more than 225 million interactions.” Is it not plausible that they know more about those interactions than simply the number of them? GM’s privacy agreement is like most privacy policies, which boils down to: You use it (the device, software, etc.), you potentially give up a portion of your privacy. * * *
- and -
China orders every vehicle in region troubled by ethnic unrest to be fitted with Satnav tracker (Techdirt, 27 Feb 2017) - Techdirt stories on China tend to paint a fairly grim picture of relentless surveillance and censorship, and serve as a warning of what could happen in the West if government powers there are not constrained. But if you want to see how a real dystopian world operates, you need to look at what is happening in the north-western part of China’s huge domain. Xinjiang was originally a Turkic-speaking land, but the indigenous Uyghur population is increasingly swamped by Chinese-speaking immigrants, which has caused growing unrest. Violent attacks on the Chinese population in the region have led to a harsh crackdown on the Uyghurs, provoking yet more resentment, and yet more attacks. Last November, we noted that the Chinese authorities in Xinjiang were describing censorship circumvention tools as “terrorist software.” Now the Guardian reports on an ambitious attempt by the Chinese government to bring in a new kind of surveillance for Xinjiang: Security officials in China’s violence-stricken north-west have ordered residents to install GPS tracking devices in their vehicles so authorities are able to keep permanent tabs on their movements. The compulsory measure, which came into force this week and could eventually affect hundreds of thousands of vehicles, is being rolled out in the Bayingolin Mongol Autonomous Prefecture of Xinjiang, a sprawling region that borders Central Asia and sees regular eruptions of deadly violence. The rollout is already underway—those who refuse to install the trackers will not be allowed to refuel their vehicles. * * *
Verizon cuts Yahoo deal price by $350 million (CNN, 21 Feb 2017) - Verizon is moving forward with its deal to buy Yahoo, but at a lower price. The two companies have agreed to cut the acquisition price by $350 million following Yahoo’s disclosures in recent months of two massive security breaches affecting more than one billion users. Verizon’s new price tag for buying Yahoo’s core Internet assets is $4.48 billion, all in cash. The deal is expected to close in the second quarter of this year. Verizon and Yahoo have also agreed to split the cost of any legal liabilities resulting from the security breaches. Yahoo has already been hit with multiple lawsuits from customers claiming the company was negligent. The U.S. Senate has also begun probing Yahoo over the breach. [Polley: SANS’ John Pescatore writes: “[This] essentially means Yahoo’s failures in security cost the company at least $700M in revenue from the sale and that is on top of the costs they have already incurred in dealing with the breach, which likely at least doubles the impact - a $1.5B hard cost. That will definitely get the attention of Boards of Directors - making this news item a good opportunity for CISOs to advance strategies and plans for changes needed to make sure it doesn’t happen to their companies.”]
- and -
Yahoo’s top lawyer resigns, CEO Marissa Mayer loses bonus in wake of hack (NYT, 1 March 2017) - Yahoo’s top lawyer, Ronald S. Bell, has resigned, and its chief executive, Marissa Mayer, lost her 2016 bonus after a board investigation of the 2014 theft of information on more than 500 million user accounts. Senior executives, company lawyers and information security staff were aware of the hack in 2014 and also knew about subsequent attempts to break into the affected accounts in 2015 and 2016, but failed to ‘properly comprehend or investigate’ the situation, the company’s board of directors said in a securities filing on Wednesday. The board “did not conclude that there was an intentional suppression of relevant information.” The company’s filing, which it said concluded its investigation, avoided naming any individuals responsible for Yahoo’s security woes, and it left many important questions unanswered. The board offered no new information about the company’s apparent failure to notice a separate theft in 2013 of the account information of one billion users. Mr. Bell, a longtime lawyer at Yahoo, appears to be taking the blame for the company’s security failures. Yahoo said he resigned on Wednesday and would receive no payments in connection with his departure. The company’s chief information security officer at the time of the 2014 breach, Alex Stamos, left for Facebook in 2015 after repeated battles with Ms. Mayer over security priorities.
Appeals court says filming the police is protected by the First Amendment (TechDirt, 21 Feb 2017) - In news that will surprise no one , police officers decided they must do something about someone filming the police department building from across the street. That’s where this Fifth Circuit Court of Appeals decision begins: with a completely avoidable and completely unnecessary assertion of government power. Phillip Turner was filming the police department. He was accosted by two officers (Grinalds and Dyess). Both demanded he provide them with identification. He refused to do so. The officers arrested him for “failure to identify,” took his camera, and tossed him in the back of a squad car. Given the circumstances of the initial interaction, it’s surprising the words “contempt of cop” weren’t used on the official police report. * * * First, the court asks whether the right to film police was “clearly established” at the time the incident took place (September 2015). It can’t find anything that says it is. * * * The court doesn’t leave it there, although it could have. The court notes that there’s a circuit split on the issue, but just because the issue’s far from decided doesn’t mean courts have not recognized the right exists. It points to conclusions reached by the First and Eleventh Circuit Appeals Courts as evidence the right to film police has been acknowledged. Even so, there’s not enough clarity on the issue to remove the officers’ immunity. * * * This is where the opinion gets interesting. While many judges would leave a trickier, somewhat tangential issue open and unanswered, the Fifth Circuit Appeals Court decides it’s time for it to set some precedent: We conclude that First Amendment principles, controlling authority, and persuasive precedent demonstrate that a First Amendment right to record the police does exist , subject only to reasonable time, place, and manner restrictions.
The police can’t just share the contents of a seized iPhone with other agencies, court rules (Orin Kerr, 21 Feb 2017) - If a police agency gets a search warrant and seizes a target’s iPhone, can the agency share a copy of all of the phone’s data with other government agencies in the spirit of “collaborative law enforcement among different agencies”? Not without the Fourth Amendment coming into play, a federal court ruled last week in United States v. Hulscher , 2017 WL 657436 (D.S.D. February 17, 2017) . Here’s a summary of the new case, together with my reactions. * * *
Google’s new project aims to clean up comment sections (TechCrunch, 23 Feb 2017) - If you read stuff on the internet (and obviously you do because hi, you’re reading a blog) then you know the golden rule: never read the comments. Scrolling past the end of a story is an adventure into a realm of racism, conspiracy theories and ad hominem attacks that will quickly make you lose your faith in humanity. But instead of encountering Godwin’s Law in the comments, you might start encountering Google instead. Google’s internet safety incubator Jigsaw launched new technology today called Perspective, intended to clean up comment sections. Perspective reviews comments and assigns them a toxicity rating that reflects the likelihood that the comment is intended to be harmful. Jigsaw’s goal is to keep people engaged in the conversation, so it assesses “harm” as something that would drive other commenters away. How to interpret and react to a toxicity rating is up to publishers. Jigsaw won’t do anything except provide the score, so the comments can be flagged for human review or hidden behind a warning so readers have to click through to see them. Commenters can also be confronted with their own toxicity rating so they can make a choice about whether that’s really what they want to say. Media outlets have been struggling to come up with solutions to the comment problem on their own. Outlets like Reuters have deleted their comment sections outright, while BuzzFeed is experimenting with curated comments. The New York Times partnered with Jigsaw to help develop Perspective - the paper receives 11,000 comments per day, which Jigsaw used to feed its machine learning model.
Pentagon launches open-source experiment (Nextgov, 24 Feb 2017) - With a new website showcasing federal software code, the Pentagon is the latest government entity to join the open-source movement. The Defense Department this week launched Code.mil, a public site that will eventually showcase unclassified code written by federal employees. Citizens will be able to use that code for personal and public projects. Code written by government employees can be shared with the public because that material usually isn’t covered by copyright protections in the U.S., according to the Pentagon. The site, which redirects to code repository GitHub, currently features a draft “open source license agreement” that includes stipulations such as “In places where DoD has no copyright protections in this Work, it is licensed under the terms and conditions in this Agreement and the License as a contract between DoD and You.”
Why Trump’s election scares data scientists (CNN, 25 Feb 2017) - When Donald Trump was elected, most people probably weren’t concerned about the future of data. But for some groups, that was top of mind. Data Refuge was founded after the election, with a goal of tracking and safeguarding government data. The volunteer group of hackers, writers, scientists and students collects federal data about climate change in order to preserve the information and keep it publicly accessible. “When things like science are politicized, scientific information will be less accessible,” said Dr. Bethany Wiggin, co-director of Data Refuge. “If you can keep knowledge out of the hands of your political opponents, that’s an effective win.” In the past three months, Data Refuge has hosted 17 events where hundreds of volunteers figure out how to copy and publish research-quality data. The group, which grew out of the Penn Program in Environmental Humanities, also monitors scientific research that depends on government funding because there’s concern this could dry up. These fears are stoked by the fact that some content has already been removed from agencies’ websites. For instance, ProPublica found that the Energy Information Administration edited an educational website for kids to significantly downplay the negative impacts of coal. The White House also removed all of the data from its portal of searchable federal data. The site previously included data on everything from budgets to climate change to LGBT issues. It now displays a message telling people to: “Check back soon for new data.” Additionally, some USDA data on animal testing, puppy mill cruelty and company audits has been completely removed since Trump’s inauguration. * * *
Top bank executives required to vouch for cyber attack defences (Financial Times, 26 Feb 2017) - Top executives at some of the world’s biggest banks and insurers will have to vouch for their companies’ resilience to cyber attacks, under tough rules laid down by New York’s state regulator. A new regulation, which takes effect on March 1, requires companies supervised by New York’s Department of Financial Services to establish and maintain a cyber security programme that can protect consumers’ private data and “ensure the safety and soundness” of the state’s financial services industry. Executives will be made to submit an annual certification that the company is complying with the various requirements, and agree to notify the DFS of any serious breaches within 72 hours of their discovery. “This has gone further than any other regulation I’ve seen, and is the most prescriptive,” said Joe Nocera, Chicago-based leader of PwC’s cyber security practice. * * * Analysts say the protocols are mostly in line with those adopted by the Federal Financial Institutions Examination Council, an inter-agency body that sets uniform standards for examinations by regulators including the Federal Reserve and the Office of the Comptroller of the Currency. But the requirement for an executive to testify that the company’s systems are up to scratch, could expose that individual to liability if the company’s cyber security programme is later found to be non-compliant. For now, no other US state “comes anywhere close” to New York’s level of scrutiny, said Jim Halpert, Washington-based co-chair of the cyber security practice at DLA Piper, a law firm.
Open link to file-sharing site was like leaving legal file on a bench, judge says; privilege waived (ABA Journal, 27 Feb 2017) - An insurance company has waived any claim of privilege to materials uploaded to an unprotected file-sharing site, a federal magistrate judge in Virginia ruled earlier this month. U.S. Magistrate Judge Pamela Meade Sargent said in a Feb. 9 decision that the Harleysville Insurance Co. waived its privilege in documents uploaded to a site where they were accessible to anyone who had the hyperlink, according to the ABA BNA Lawyers’ Manual on Professional Conduct . “In essence,” Sargent wrote, “Harleysville has conceded that its actions were the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it. It is hard to imagine an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.” According to the Lawyers’ Manual, the decision “should make lawyers think twice before putting confidential documents in a file-sharing site without password protection.” Harleysville was not the only litigant criticized in the opinion. Its opponent also acted improperly, Sargent said, by accessing the drop-box materials and using them without notifying lawyers for Harleysville.
American Bar Association to offer cybersecurity insurance to law firms (Cyberscoop, 28 Feb 2017) - After a year which saw multiple law firms end up in the headlines for data breaches, the American Bar Association expanded its insurance program Tuesday to offer cybersecurity coverage . Chubb Limited, the world’s largest publicly traded property and casualty insurer, will underwrite the policy. “The American Bar Association has been educating lawyers about cyber security and the risks to their clients and their practices for a number of years. ABA Insurance is a new program though, developed by the Association within the last year to provide members with access to affordable coverage from top-quality carriers,” ABA Deputy Executive Director James Dimos told CyberScoop.
- and -
Law firms must manage cybersecurity risks (ABA Journal, 1 March 2017) - It’s another busy day at the office when you receive an email with an attached memo. You don’t remember asking for the memo, but you download the attachment anyway. Alarm bells! It’s not an attachment. It’s malware that’s now infecting your computer and every other computer in your law firm. This was the situation that Jessica Mazzeo and Fran Griesing faced. In July 2016, the computer system for their small Philadelphia firm of 12 lawyers was infected with malware. They contacted Integrated Micro Systems, their outsourced information technology provider. * * * That incident changed the way the law firm dealt with websites, emails and mobile devices. As a small firm, Griesing Law leans on outside providers for help. The firm uses Workshare, a cloud-based program that allows users to send files securely online, and Trend Micro to quarantine suspicious emails. It also made firewall changes to block certain websites from being accessed by employees because of the risk of malware. A new policy was implemented last year on internal email: If the source is unknown or if you’re not expecting the email, don’t open it. * * * Cybersecurity is evolving. This is more than just a technology issue or an added clause in the retainer agreement - it’s the biggest risk that law firms face in 2017. * * * [Polley: This is a long, thoughtful article, for which I was interviewed. The ABA’s Cybersecurity Legal Task Force is working on a 2nd edition of the Cybersecurity Legal Handbook, for publication this summer.]
- and -
6 major law firm hacks in recent history (ABA Journal, 1 March 2017) - Law firms have been victims of some of the most damaging hacks in recent history. Here’s a list of the major law firm hacks in the past five years: * * * [Polley: I thought it was unclear how the Mossack Fonseca documents were leaked; the last I remember, it was attributed to a former employee. Not sure I’d call that a “hack”.]
“Proof Mode” for your smartphone camera (Bruce Schneier, 1 March 2017) - ProofMode is an app for your smartphone that adds data to the photos you take to prove that they are real and unaltered: On the technical front, what the app is doing is automatically generating an OpenPGP key for this installed instance of the app itself, and using that to automatically sign all photos and videos at time of capture. A sha256 hash is also generated, and combined with a snapshot of all available device sensor data, such as GPS location, wifi and mobile networks, altitude, device language, hardware type, and more. This is also signed, and stored with the media. All of this happens with no noticeable impact on battery life or performance, every time the user takes a photo or video. This doesn’t solve all the problems with fake photos, but it’s a good step in the right direction.
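The capture pipeline described above (hash the media, snapshot the sensors, sign the two together with a key that belongs to this installation) is easy to get subtly wrong, for instance by signing only the hash and leaving the sensor data unprotected. The following is an added example, not code from ProofMode or from Schneier’s post, written in plain Python so it runs with no third-party packages: an HMAC-SHA256 tag over a per-installation secret stands in for the app’s OpenPGP signature (an assumption made for portability; a real OpenPGP signature can be verified by anyone holding the public key, an HMAC only by whoever holds the secret). The sample photo bytes and sensor snapshot are constructed for illustration. The verifier shows why the signature must cover hash and metadata together: editing the pixels and editing the GPS fix are both detected.

```python
"""Added example: a minimal "proof mode" style capture manifest.

Mirrors the pipeline the ProofMode description outlines: hash the captured
media, snapshot the device sensor state at capture time, bind the two together
in one manifest and sign that manifest with a key that belongs to this
installation. To stay dependency-free, an HMAC-SHA256 tag stands in for the
OpenPGP signature (assumption); the manifest layout and the checks are the
same, only the signature primitive differs.
"""
import hashlib
import hmac
import json
import secrets

# Per-installation secret, generated once when the app is first run.
# Stands in for the app's OpenPGP private key (assumption, not ProofMode's format).
INSTALL_KEY = secrets.token_bytes(32)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier sign identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(media: bytes, sensors: dict) -> dict:
    """Bind the media hash and the sensor snapshot into one signed record."""
    body = {"media_sha256": sha256_hex(media), "sensors": sensors}
    tag = hmac.new(INSTALL_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "signature": tag}


def verify(media: bytes, manifest: dict, key: bytes = INSTALL_KEY) -> bool:
    """True only if the media bytes and the signed sensor snapshot are both intact."""
    body = manifest["body"]
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        return False  # manifest (hash or sensor data) was altered after signing
    # Signature is good; now confirm the media we were handed is the media that was hashed.
    return hmac.compare_digest(sha256_hex(media), body["media_sha256"])


# Constructed sample capture: the "photo" is a byte string and the sensor
# snapshot is invented for illustration.
SAMPLE_PHOTO = b"\x89PNG constructed sample image bytes"
SAMPLE_SENSORS = {
    "captured_at": "2017-03-01T12:00:00Z",
    "gps": {"lat": 43.6532, "lon": -79.3832},
    "wifi_ssid": "constructed-network",
    "device": "constructed-model",
    "locale": "en-CA",
}


def demo() -> dict:
    """Run the untouched case and two tampering cases; return the verdicts."""
    manifest = build_manifest(SAMPLE_PHOTO, SAMPLE_SENSORS)
    # Case 1: the pixels were edited, so the media hash no longer matches.
    edited_photo = SAMPLE_PHOTO + b"\x00"
    # Case 2: the capture was "relocated" by rewriting the GPS fix in the
    # manifest; the signature over the sensor snapshot catches it.
    relocated = json.loads(json.dumps(manifest))  # deep copy
    relocated["body"]["sensors"]["gps"] = {"lat": 0.0, "lon": 0.0}
    return {
        "untouched": verify(SAMPLE_PHOTO, manifest),
        "edited_media": verify(edited_photo, manifest),
        "edited_metadata": verify(SAMPLE_PHOTO, relocated),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point worth keeping from this, whatever signature primitive is used, is that the sensor snapshot is signed together with the media hash rather than stored beside it; a manifest that signs only the hash lets anyone re-attach a genuine photo to invented location or time data.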
Something amazing from JSTOR labs (InsideHigherEd, 2 March 2017) - A quick note: I’ve been working with an intern to track some research down, but the keywords are slushy and the controlled vocabulary in the databases we’re using just hasn’t been cutting it. Mostly, we’ve been able to make some progress by seeing who is citing the articles that seem most relevant, but even that traditional citation-tracing method isn’t producing quite as much as I hoped. But then I happened on a nifty new tool today, the JSTOR Labs Text Analyzer , thanks to the kind of serendipity my Twitter community seems to promote. Basically, you upload a document (something you wrote, a text you’re reading, an article PDF, a syllabus, even) and . . . something magical happens. The analyzer finds patterns in the text and looks for similar documents. The words used in the pattern appear on one side. There are sliders for how much you want to emphasize some concepts. There’s a collection of keywords roughly sorted by type, and you choose which ones are most relevant to your interests or decide which ones aren’t of interest. You can even add your own words. If you want your results to emphasize current content, there’s a checkbox for that. Results can be limited to the JSTOR content your library subscribes to, or you can search it all to see what you might want to obtain through interlibrary loan. It only surfaces JSTOR content, but that’s a lot of good material.
The government’s secret wiki for intelligence (The Atlantic, 3 March 2017) - During the final weeks of the Obama administration, officials began to worry that the results of ongoing investigations into Russia’s election-related hacking might get swept under the rug once President Trump took office. They decided to leave a trail of breadcrumbs for congressional investigators to find later, according to a report from The New York Times. In another age, the paper trail may have taken the form of notes stuffed into a box in a forgotten archive. But this being the 21st century, some of the breadcrumbs were submitted to an online wiki. According to the Times, intelligence officers in various agencies rushed to complete analyses of intelligence about Russian hacking and file the results, at low classification levels, in a secret Wikipedia-like site for intelligence analysts. There, the information would be widely accessible among the intelligence community. That site, called Intellipedia, has been around for more than a decade. It’s made up of three different wikis, at different classification levels: one wiki for sensitive but unclassified information, another for secret information, and a third for top secret information. Each wiki can only be accessed by employees in the U.S. intelligence community’s 17 agencies who have the appropriate clearance level. Intellipedia was formally launched in 2006, but grew slowly at first. “It was received skeptically by most,” said Carmen Medina, the former CIA director for the study of intelligence and one of the first officials to green-light the project. “Analysts were not really rewarded for contributing to Intellipedia.” Since then, the wikis have grown steadily. According to a release celebrating the site’s second anniversary, the system housed nearly 50,000 articles by March 2008. In January 2014, the National Security Agency responded to a Freedom of Information Act request with the latest statistics: The three domains had just over 269,000 articles, more than 40 percent of which were found on the top secret wiki. (It’s not clear whether articles are duplicated across the wikis.)
Excellent nominations for CIA GC and DoD GC (John Bellinger on Lawfare, 7 March 2017) - This evening, President Trump nominated Courtney Elwood to be CIA General Counsel and John Sullivan to be DoD General Counsel. These are excellent appointments and good news for the national security law community. Courtney and John are both superb lawyers - both former Supreme Court clerks, for Chief Justice Rehnquist and Justice Souter, respectively - with extensive national security experience in the Bush Administration. The country will be well-served by both of them. * * *
Uber’s ‘Greyball’ program puts new focus on legal dept (Inside Counsel, 7 March 2017) - Uber Technologies Inc. has used software to evade law enforcement and public officials in cities where the company faced opposition from regulators, The New York Times reported Friday , and legal ethics professionals said the company may be steering into the wrong lane. While the program may not be illegal, ethics professionals said, it does appear to skirt ethical standards. And if in-house counsel approved the program knowing that Uber would use it to break the law, then disbarment could be in store for the lawyers who signed off on it, they said. The New York Times report said Uber’s legal department, led by general counsel Salle Yoo, approved use of the program. “For lawyers, the legal ethics issue is did they approve of the program so that Uber could act illegally?” Wayne State University professor of law Peter Henning said. “That could put a license at risk to practice law.”
Facebook parking chatbot now turns lawyer helping refugees claim asylum (IBT, 7 March 2017) - A Facebook chatbot called DoNotPay that helped overturn over 160,000 parking fines is now helping refugees claim asylum. The chatbot, which described itself as the “world’s first robot lawyer”, was created by Stanford student Joshua Browder, designed to provide free legal advice via a user-friendly chat interface. New updates to the chatbot now allow it to help refugees file immigration applications in the US and Canada, as well as help refugees apply for asylum support. The chatbot asks users a list of questions to determine which application should be filled out for the refugee and to ascertain whether the user is eligible for asylum protection under international law. The chatbot then collects information required for the appropriate application. For users based in the UK, the bot helps them fill out an ASF1 form for asylum support, informing them that they are required to file the application in person. Browder claimed that once the application form is filled and sent out the “details are deleted” from his end. However, Browder acknowledged that there are some drawbacks to Messenger. For instance, it doesn’t come with end-to-end encryption, which is now available in most other chat apps. [Polley: Spotted by MIRLN reader Corinne Cooper - @ucc2]
Zero days, thousands of nights (Rand, 9 March 2017) - Zero-day vulnerabilities - software vulnerabilities for which no patch or fix has been publicly released - and their exploits are useful in cyber operations - whether by criminals, militaries, or governments - as well as in defensive and academic settings. This report provides findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, inform ongoing policy debates regarding stockpiling and vulnerability disclosure, and add extra context for those examining the implications and resulting liability of attacks and data breaches for U.S. consumers, companies, insurers, and for the civil justice system broadly. The authors provide insights about the zero-day vulnerability research and exploit development industry; give information on what proportion of zero-day vulnerabilities are alive (undisclosed), dead (known), or somewhere in between; and establish some baseline metrics regarding the average lifespan of zero-day vulnerabilities, the likelihood of another party discovering a vulnerability within a given time period, and the time and costs involved in developing an exploit for a zero-day vulnerability. * * * [Polley: pretty interesting.]
Digital Privacy at the U.S. Border: Protecting the Data On Your Devices and In the Cloud (EFF, 9 March 2017) - The U.S. government reported a five-fold increase in the number of electronic media searches at the border in a single year, from 4,764 in 2015 to 23,877 in 2016. Every one of those searches was a potential privacy violation. Our lives are minutely documented on the phones and laptops we carry, and in the cloud. Our devices carry records of private conversations, family photos, medical documents, banking information, information about what websites we visit, and much more. Moreover, people in many professions, such as lawyers and journalists, have a heightened need to keep their electronic information confidential. How can travelers keep their digital data safe? The U.S. Constitution generally places strong limits on the government’s ability to pry into this information. At the U.S. border, however, those limits are not as strong, both legally and practically. As a matter of law, some legal protections are weaker - a fact EFF is working to change. As a matter of practice, border agents may take a broad view of what they are permitted to do. Border agents may attempt to scrutinize the content stored on your phones, laptops, and other portable electronic devices. They may try to use your devices as portals to access your cloud content, including electronic communications, social media postings, and ecommerce activity. Moreover, agents may seek to examine your public social media postings by obtaining your social media identifiers or handles. As of this writing, the federal government is considering requiring disclosure from certain foreign visitors of social media login credentials, allowing access to private postings and “friend” lists. This guide (updating a previous guide from 2011) helps travelers understand their individual risks when crossing the U.S. border, provides an overview of the law around border search, and offers a brief technical overview of securing digital data.
State Data Security Breach Notification Laws (Mintz Levin, 15 Feb 2017) - This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel when reviewing options and obligations in responding to a particular data security breach. Laws and regulations change quickly in the data security arena. This chart is current as of February 15, 2017.
Copyrighted Laws: Enabling and Preserving Access to Incorporated Private Standards (U. Minn. Law Review) - Traditional laws (statutes, judicial opinions, and regulations) are not eligible for copyright protection. This principle is firmly established in over one hundred years of case law, despite the Copyright Code not expressly addressing the eligibility of laws. This has caused little controversy. In the last few decades, however, federal agencies have increasingly given legal force to privately authored copyrighted works by incorporating them verbatim by reference into regulations. The authors of those works continue to exercise their exclusive right to control reproduction and distribution by charging the compliance-seeking public fees to obtain transfer-restricted copies. Concealing legal obligations from the public and controlling access to them with fees and threats of litigation raises significant concerns. This practice does not fit within the case-law analysis of traditional laws because incorporated private standards are copyrighted works that later obtain legal force. With little case law on point and silence from the Copyright Code, this Note examines whether any other copyright doctrines can be used to enable public access to copyrighted works that are subsequently given legal force. This Note argues that none of the proposed copyright doctrines would prevent incorporated copyrighted works from maintaining their copyright. This Note proposes a two-part legislative solution that adds laws to the Copyright Code’s subject-matter exclusions and provides a special section for neutralizing the copyright of private works that are subsequently given legal force.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Insurance company refuses to cover law firm’s blog (Computerworld, 22 March 2007)—A law firm in New Jersey has temporarily halted plans to launch a blog because its insurance company would not cover the blog under an existing malpractice insurance policy. James Paone, a partner at Lomurro, Davison, Eastman and Munoz in Freehold, N.J., said that the firm’s insurer—The Chubb Corp.—said several weeks ago that it would not add the blog to the existing policy. “We were in the process of beginning to set up a blog, having internal discussions about what areas of law would be the subjects,” he said. “We wanted to cover the first base, which is [Chubb’s] coverage. Our insurance carrier said [a blog] is not a risk they were interested in insuring. The entire discussion stopped.” Paone said his firm contacted Chubb to ask about insurance coverage in case someone tried to sue it over content in the blog. Now, the law firm is in the process of setting up a meeting with Chubb “so we can understand what their rationale is for saying they weren’t interested in covering that kind of risk,” Paone said. Chubb did not immediately respond to a request for comment.
Greece Fines Ericsson Hellas in tapping case (Reuters, 6 Sept 2007) - Greece’s privacy watchdog has fined the Greek unit of telecom equipment maker Ericsson more than 7 million euros over a wiretapping scandal that rocked the country last year. In 2006 the Greek government revealed that more than 100 people, including the prime minister, senior ministers, journalists and activists, had their mobile phones tapped for about a year around the Athens 2004 Olympics. “The Hellenic Authority for Information and Communication Security and Privacy (ADAE) decided to fine Ericsson Hellas 7.36 million euros ($10 million) in relation to the wiretap issue,” ADAE said in a statement released late on Wednesday. It gave no further details. ADAE has said Ericsson Hellas’s equipment was used in the phone tapping. Ericsson Hellas said it planned to appeal the decision. In December 2006 ADAE also fined the Greek unit of Vodafone (VOD.L) 76 million euros for a “number of infringements attributed to the company”, also without giving details. Vodafone Hellas has rejected the decision, saying it considers the fine illegal and is appealing the decision. The bugged phones were found to have been tapped mostly before and during the Athens Games by unknown eavesdroppers. The case became public after Vodafone Greece informed the government of its concerns when it suspected its equipment was being used. The government went public with the case almost a year after it was informed by Vodafone, prompting questions in the media about whether foreign intelligence services were involved. At the time, the Greek government said Ericsson-supplied software was used to tap phones from June 2004 until March 2005. Calls were relayed to unknown destinations via four mobile phone antennas in central Athens. The bugging stopped when Vodafone Greece discovered the software and removed it from the system.
[Editor in 2007: Excellent technical discussion of the yet-unsolved wiretapping techniques employed: http://www.spectrum.ieee.org/jul07/5280]