MIRLN --- 6-26 August 2017 (v20.12)

MIRLN --- 6-26 August 2017 (v20.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Estonia steps up plan to counter cyber attacks by siting critical systems offshore (ZDNet, 3 Aug 2017) - To thwart a cyber-attack on its national infrastructure or even an invasion, Estonia is getting ready to open its first data embassy overseas. In 2014, Estonia introduced initial plans to create ‘data embassies’ capable of running duplicates of its critical systems, including databases and services, in secure data centers on foreign soil. Now, three years on, the then seemingly utopian plan is becoming a reality. Estonia has signed its first official contract with Luxembourg to guarantee diplomatic immunity for all the Baltic state’s systems that are to be duplicated and run from a data center in the principality. “Next, we have to sign rental and service contracts to use Luxembourg’s national data center and then we can start building the technology and ‘furnishing’ the data embassy,” Mikk Lellsaar, ministry of economic affairs and communications executive specialist tells ZDNet. He says the embassy in Luxembourg is going to mirror many data systems of critical importance, such as the state treasury information system, state pension insurance registry, identity documents registry, business register, land register, and land cadastre among many others.

Facebook is starting to put more posts from local politicians into people’s News Feed (ReCode, 4 Aug 2017) - Facebook is testing a new feature that inserts posts from local politicians into users’ News Feeds, even if they don’t necessarily follow those politicians. The new feature, which was first noticed by one of my Recode colleagues, included a label titled “This week in your government.” A Facebook spokesperson confirmed that the feature is a test. “We are testing a new civic engagement feature that shows people on Facebook the top posts from their elected officials,” this spokesperson said in a statement. “Our goal is to give people a simple way to learn about what’s happening at all levels of their government.” The feature will appear, at most, once per week, and only for users who follow at least one local, state or federal representative from their area. Facebook knows who your local reps are if you handed over your address to use the company’s voting plan feature - or its “Town Hall” feature, which helps people find and follow their elected officials. Otherwise, you’ll just see posts from politicians at the state and federal levels. Facebook has been active in the past year about getting its user base more involved in politics. In addition to the features mentioned above, which were rolled out before the November presidential election, Facebook also let users register to vote via the social network, and CEO Mark Zuckerberg claims more than two million people did so. Adding this new feature might inspire more politicians to post to Facebook, especially if they think their posts will be promoted to more voters. It’s unclear if Facebook takes political affiliation into account when deciding which posts to show people, but if it does not, it could also be a way for politicians to get their message to voters across the aisle.

Your voter records are compromised. Can you sue? Theories of harm in data-breach litigation (Lawfare, 7 Aug 2017) - Last year, the Republican National Committee hired a firm called Deep Root Analytics to collect voter information. The firm accidentally exposed approximately 198 million personal voter records. This was 1.1 terabytes of personal information that the company left on a cloud server without password protection for two weeks. On June 21 of this year, victims filed a class action in Florida court against Deep Root Analytics for harm resulting from a data breach. Donald Trump has denounced such breaches as “gross negligence.” The Deep Root lawsuit took him at his word, using that quote as evidence to make a claim on the legal theory of negligence. The complaint demands more than $5 million in damages. Defendants in data-breach cases (in this case, Deep Root Analytics is the defendant) often challenge a claim on the grounds that the pleading does not include an injury that is (1) “concrete, particularized and actual or imminent,” (2) caused by the defendant, and (3) redressable by a court of law. * * *

Gov. Rauner signs bill to protect Illinois from cyberthreats (Illinois.gov, 7 Aug 2017) - Today, Governor Rauner signed House Bill 2371, requiring all executive branch State of Illinois employees responsible to the Governor, not including public university employees, to undergo annual cybersecurity training to understand the risks, threats and best practices to defend against cyber threats. Hackers and cyber criminals continually grow more sophisticated in their attempts to steal sensitive data and infect state computer systems. It is crucial that state employees have knowledge to protect themselves and the state from the impact of cyber-attacks. This legislation is another advancement in the governor’s vision for a cyber-secure Illinois to better protect the personal information of state residents and ensure critical state services are not interrupted.

Harvard goes outside to go online (InsideHigherEd, 8 Aug 2017) - If any American university might be positioned to begin a new online program all by itself, Harvard University—with its world-famous brand, many-billion-dollar endowment and founding relationship with the online course provider edX—might be it. But the university announced Monday that three of its schools would create a new business analytics certificate program with 2U, the online program management company. A collaboration between 2U and professors at the Harvard Business School, the John A. Paulson School of Engineering and Applied Sciences, and the department of statistics in Harvard’s main college, the Faculty of Arts and Sciences, the program will teach students how to leverage data and analytics to drive business growth. Aimed at executives in full-time work, the program will be delivered through 2U’s online platform and will feature live, seminar-style classes with Harvard faculty members. The program will cost around $50,000 for three semesters, with an estimated time requirement of 10 hours per week. Chip Paucek, CEO of 2U, said the technology 2U can offer universities goes far beyond “just what the student sees.” The company can use analytics to predict things such as enrollment and completion of courses, in addition to making programs widely accessible, and securing content from cyberattack. Aside from technology, 2U also offers up-front money. The company “invests heavily in each of its partnerships,” said Paucek, typically spending between $5 million and $10 million in the first few years. Each 2U partnership lasts a minimum of 10 years to give the company time to recoup its investment from a significant slice of the student enrollment fees. 
Paucek said the partnership with Harvard was a high point in the company’s 10-year history, and that the company was “honored to be a brand ambassador for one of the best-known brands in the world.” Deciding to work with 2U was “not a trivial decision” for Harvard, said Paucek, adding that university officials “were clear they would not commit to it if it was not one of the world’s best programs.” Conversations about working together began around five years ago, according to Paucek. But it was not until two years ago that talks centered specifically on creating a business analytics program.

EFF to court: Border agents need warrants to search contents of digital devices (EFF, 8 Aug 2017) - Searches of mobile phones, laptops, and other digital devices by federal agents at international airports and U.S. land borders are highly intrusive forays into travelers’ private information that require a warrant, the Electronic Frontier Foundation (EFF) said in a court filing yesterday. EFF urged the U.S. Circuit Court of Appeals for the Fifth Circuit to require law enforcement officers at the border to obtain a warrant before performing manual or forensic searches of digital devices. Warrantless border searches of backpacks, purses, or luggage are allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. Yet EFF argues that, since digital devices can provide so much highly personal, private information - our contacts, our email conversations, our work documents, our schedules - agents should be required to show they have probable cause to believe that the device contains evidence of a violation of the immigration or customs laws. Only after a judge has signed off on a search warrant should border agents be allowed to rifle through the contents of cell phones, laptops, or tablets. Digital device searches at the border have more than doubled since the inauguration of President Trump.

Two studies suggest trouble ahead for paywall journals (Phys.org, 8 Aug 2017) - Two independent studies looking at two aspects of paywalls versus free access to research papers suggest that trouble may lie ahead for traditional journals that continue to expect payment for access to peer-reviewed research papers. In the first study, a small team of researchers from the U.S. and Germany looked at the number of freely available papers on the internet using a web extension called Unpaywall - users enter information and the extension lists sources online for free. In the second study, a team with members from Canada, the U.S. and Germany looked at the popularity of a website known as Sci-Hub that collects and freely distributes research papers. Both groups have written papers describing their studies and results and have uploaded them to the PeerJ Preprints server. Free access to research papers is a hot topic in the research community, perhaps indicating coming changes to the status quo. The traditional model, in which a researcher pays for the privilege of reading published articles on journal sites like Science and Nature in order to cite work by others, is under fire. Many have claimed the system is unfair to those who cannot afford to pay such fees. Meanwhile, journal sites maintain their stance that the only way they can continue to exist as profitable entities is to charge access fees. They note also that they provide a valuable service - peer review. In these two new efforts, the researchers with both teams hint that the argument may soon become moot, as people who want to read research papers for free find easier access. In the first paper, the researchers worked with the team that makes the Unpaywall extension to get statistics on its use. They report finding that nearly half (47 percent) of all of the papers that people searched for using the app in 2015 were available for free.
They also report that overall, users were able to find free versions of 28 percent of articles they were looking for. In the second paper, the researchers worked with the team behind Sci-Hub, which many have described as a pirating site. They report that visitors could access 85 percent of articles that were still behind a paywall. They found also that the percentage was even higher for papers held behind Elsevier paywalls. They note that the team at Sci-Hub told them that efforts to shut down their site through legal means have resulted in free press, increasing its user base - a term they described as the “Streisand Effect” - after Barbra Streisand, who famously tried to stop distribution of aerial photographs of her home several years ago, inadvertently exposing the photographs to many more people.

Parting with our books (InsideHigherEd, 8 Aug 2017) - A few weeks ago, we moved into a new house - one much smaller than the home we lived in for 14 years before moving out of state. As part of our family’s move to our transitional housing after taking a new job out of state last year, we downsized considerably. We gave away furniture, mementos that meant less and less as more and more time had passed by. We discarded the kids’ first outfits from the hospital after their birth, their finger paintings, their first attempts at coloring within the lines, their first try at writing their own names, and a multitude of certificates of accomplishments. In fact, I managed to throw away a purse with my daughter’s life fortune, a few hundred dollars that she will never forgive me for accidentally discarding. Disposing of these old and generally-considered sentimental items was nowhere near what it felt like giving away my old books. The first time I went through the book purge, it was hard. I hate moving and wanted to be done with it! Getting rid of old textbooks on building democratic societies, the fall of the Soviet Union, the rise of the Tiger economies, Mexican political history, economics and econometrics, and even most of my Dostoyevsky collection was somewhat painful, but practical. I knew then that, wherever we would end up living, most of the rooms would not have floor-to-ceiling bookcases as we had in most rooms of the home in which we had thought we would die. It was painful, but it had to be done. Moving into a permanent home now, I went through the book purge again. This time, I gave away more recent books, including some that I had not yet read. When one of my best friends was writing her dissertation on French and Caribbean literature, I bought so many of the books that she found interesting and I found interesting when she talked about them. They were fiction, which I generally find difficult to read. I bought a ton of them, but read few.
This weekend, as I packed those books in French and English, I wondered if there would come a day when I would ever finish Simone de Beauvoir’s Le Deuxieme Sexe or the Marie Vieux Chauvet, Jacques Roumain, Rene Depestre and so many other books that I bought a decade ago. The truth is that the probability of me ever finishing or even starting some of those books was very slim - statistically insignificant from zero. So, I packed them feeling never more grateful for my undergraduate, liberal education that exposed me to so much more than statistical methods and measurement, where my reading interests were parked for a very long time. Had it not been for those general education courses, I would have likely stopped reading fiction and literature after high school. I would lack culture (though I can’t claim to have a ton of it now). I realized as I packed these new sets of books to give away that, by the time I should ever want to read them, they will be available electronically or in some other form that I can’t even imagine now. In many ways, I am old-fashioned. I cannot read books on a Kindle and I never learned how to type, so I pick the letters one by one even as I write this post. This made parting with those books even more emotional. The world is changing, but we don’t know what the change will look like exactly. Maybe letting go of the books is somewhat symbolic of letting go of an unrealized aspiration of the cultured person I had the potential of becoming. The universe of things I read about now seems both broader and narrower at the same time. Perhaps, this post should have been titled “In Praise of Liberal Education,” but there are so many of those essays already. Parting with our books is hard, but the technology that exists today and will soon come will make it easier to go back to that person that I was becoming. [Polley: strongly resonated with me.]

Ratings principles: Now coming to cybersecurity (CorporateCounsel.net, 9 Aug 2017) - Recently, a group of more than 40 prominent banks, retailers & tech companies released these “Principles for Fair & Accurate Securities Ratings.” Here’s a teaser from this BakerHostetler blog (also see this Reuters article): The principles are designed to promote fair and accurate cybersecurity ratings - in response to the recent emergence of several ratings companies that collect and analyze publicly accessible data to analyze a company’s cybersecurity risk posture. The ratings are increasingly used by insurers - as well as in M&A and other business decisions. The data for risk ratings is typically collected without the target company’s knowledge and comes from a variety of sources - e.g. hackers’ forums, darknet data, Internet traffic stats, port-scanning tools & open-source malware intelligence sources. Ratings companies then use proprietary methodologies and algorithms to analyze the data and assign a grade. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable - if, for example, the source data is inaccurate or the methodology doesn’t account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act. We don’t know if cybersecurity risk ratings will become anywhere near as important as credit ratings - but keep them on your radar. The signatories to the principles include Aetna, American Express, Bank of America, Chevron, Eli Lilly, Fannie Mae, FICO, Goldman Sachs, Home Depot, Honeywell, JP Morgan, Microsoft, State Street & lots of other big names.

- and -

When is “Hacking Disclosure” required in SEC filings? (CorporateCounsel.net, 9 Aug 2017) - By now, most companies have a cyber incident response plan - which should include contacting a securities lawyer to evaluate disclosure requirements. As outlined in this Goodwin memo, these decisions continue to depend on a fact-specific materiality analysis: What is “material” ends up being far less clear, and there is plenty of room for a public company to determine in good faith that a specific cyber incident does not require separate disclosure. Where the obligation is unclear, a company’s reluctance to disclose is understandable: Disclosure may highlight vulnerabilities, and will bring unwelcome attention from customers, regulators and others. The plaintiffs’ bar will also circle, smelling the possibility of a class action, and they will not view the company and its managers as the victims. While the SEC won’t second-guess a good-faith analysis, they also won’t shy away from investigating disclosure lags - see this WSJ article about whether Yahoo’s data breach should’ve been reported sooner to investors. The memo identifies factors affecting disclosure decisions - such as the significance of other notice obligations, existing risk factors & potential remediation costs. Since the decision will probably have to be made quickly, it’s not a bad idea to create a decision tree in advance. Our “Cybersecurity Disclosure Checklist” is a good starting point, and check out this blog as well…

- and -

SEC observations on cybersecurity Sweep 2 (Artemis, 14 Aug 2017) - On Monday, the SEC released “Observations” on the seminal 2015 Cybersecurity Examination Initiative or what they are now referring to as “Sweep 2.” While we find this document to be an unremarkable kitchen-sink of cyber-findings, the SEC has offered a concept for what they consider to be robust practices and perhaps a roadmap for achieving a higher level of Cybersecurity maturity for firms. We have reviewed the release and have distilled what we believe to be the key takeaways and suggestions for improving your program. To the degree that observations on a near two-year old examination period are accurate or relevant is questionable. A whole new class of security tools is available, infrastructure and movement toward cloud-based services continues, and firms have been plodding forward on information security practices despite the SEC’s nearly two-year silence on the subject. This is not completely fair as the SEC did include Cybersecurity as a concern under “Assessing Market-Wide Risks” in the 2017 Examination Priorities and issued a more timely, May 17 Risk Alert on Ransomware in the wake of WannaCry attacks. There is progression in the SEC’s approach to Cybersecurity and now fourth Risk Alert, and the Commission has been clear that they are still finding facts and learning in an area of persistent high risk and developing regulatory scrutiny. The SEC started the initiative with a clear focus on Policies and Procedures and fundamental identification and protection practices. IT security evolves organically from basic blocking and tackling of controls to more advanced practices such as monitoring/detection and testing/validation. The SEC’s understanding and corresponding expectations of financial services firms appears to be developing along similar lines - to a call for greater granularity and specificity in certain IT security activities. * * *

AVVO blasts new ethics opinions on attorney match services (New York Law Journal, 9 Aug 2017) - New York has become the latest state to target attorney match service Avvo Inc. for ethical violations. A new bar association ethics opinion says a lawyer paying Avvo’s marketing fee to participate in its legal services program is making an improper payment for a recommendation, in violation of state ethics rules. The New York State Bar Association released the opinion by its committee on professional ethics on Wednesday. While the state bar’s ethics opinions are advisory only, they are widely read and followed. Lawyers who continue to participate in Avvo’s legal services program “do so at their own peril,” said state bar president Sharon Stern Gerstman, counsel at Buffalo law firm Magavern Magavern Grimm. But in an interview, Avvo’s chief legal counsel, Josh King, encouraged New York lawyers to continue participating, adding that Avvo would back any lawyer facing disciplinary action for his or her participation. To date, King said he is not aware of any attorney in such a position. The ethics opinion examines Avvo Legal Services, which King said has existed for about a year and a half and is only a narrow portion of Avvo’s business. Although he declined to say how many New York attorneys participated, he said it can be measured in the “hundreds” and less than 2,000. The New York ethics opinion follows recent actions in other states such as New Jersey, where a joint opinion by three state’s Supreme Court committees has blacklisted three web-based services that match litigants with attorneys, including Avvo, because of concerns over illicit fee-sharing and referral fees. Other states with ethics concerns over lawyer website services include Ohio, Pennsylvania and South Carolina.

Bloomberg Law adds practice center devoted to e-discovery (Bob Ambrogi, 9 Aug 2017) - Bloomberg Law today is officially announcing the addition to its research platform of the E-Discovery Practice Center, a curated collection of a range of court opinions, tools, sample forms, news and expert guidance related to both federal and state e-discovery practice. The practice center is available to all Bloomberg Law subscribers at no additional cost. Bloomberg says it is the only legal research platform to have a resource of this kind devoted to e-discovery. Bloomberg “soft launched” the practice center for some customers at the recent annual meeting of the American Association of Law Libraries, but today is formally announcing its availability to all customers. The practice center’s main page includes federal and state court opinions related to e-discovery, federal and state rules and laws related to e-discovery, news and law reports, and BNA’s E-Discovery Portfolio series, which provides an entry point to resources such as practice guides, books and treatises, and law reviews, as well as specific guidance on such issues as understanding and preventing spoliation. E-discovery rules for all states are included. Another section of the practice center provides materials grouped by stage of e-discovery, such as preservation, production and technology-assisted review. Here you can find resources such as a checklist for preparing for a Rule 26 meeting and a guide to preparing a legal hold notice, as well as sample forms for legal holds.

US judge says LinkedIn cannot block startup from public profile data (Reuters, 14 Aug 2017) - A U.S. federal judge on Monday ruled that Microsoft Corp’s (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public. U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. “To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers,” Chen’s order reads. HiQ Labs called the decision an important victory for companies that rely on publicly available data for their businesses. “HiQ believes that public data must remain public, and innovation on the internet should not be stifled by legal bullying or the anti-competitive hoarding of public data by a small group of powerful companies,” the company said in a statement Monday evening. That sentiment was echoed by Falon Fatemi, chief executive of Node, a San Francisco startup that uses publicly available data and artificial intelligence to help companies identify potential customers. “If LinkedIn is going to allow profiles to be indexed by search engines to benefit their platform then why shouldn’t the rest of the internet benefit from that as well?” she said. The dispute between the two tech companies has been going on since May, when LinkedIn issued a letter to hiQ Labs instructing the startup to stop scraping data from its service. 
HiQ Labs responded by filing a lawsuit against LinkedIn in June, alleging that the Microsoft-owned social network was in violation of antitrust laws.

LinkedIn connection request doesn’t violate non-solicitation clause (Eric Goldman, 14 Aug 2017) - This is another case considering when LinkedIn activity violates a non-solicitation clause. Bankers Life, a company that sells insurance and financial products, sued one of its ex-employees (and his new employer, ASB) alleging among other things that the ex-employee violated his non-solicitation covenant through his communications on social media. * * * Gelineau’s alleged violation? He sent LinkedIn requests to three Bankers Life employees who could “then click on to Gelineau’s profile and . . . see a job posting for ASB.” Bankers Life also alleged that Gelineau instructed another ASB employee to solicit Bankers Life employees, but the court found Bankers Life’s evidence insufficient with respect to this claim. * * * This case is a nice complement to the Mobile Mini case I blogged about last month. There, the posts in question were essentially sales pitches, and the court says they likely violate the non-solicitation clause, whether sent as direct messages or not. Here, the LinkedIn messages had no call to action other than to connect. So it’s not unexpected that the court finds there is no violation. It’s surprising to see an employer think that a generic “let’s connect!” email campaign could violate a non-solicitation clause. But Bankers Life did, and the court rightly shut it down.

ABA and Jones Day launch website to connect veterans to legal services (Bob Ambrogi, 14 Aug 2017) - At its annual meeting in New York Saturday, the American Bar Association announced the launch of VetLex.org, a website, developed in partnership with the law firm Jones Day, that matches veterans in need of pro bono legal services with attorneys willing to provide such services. For now, the new site is only accepting registrations from attorneys, law firms and legal organizations interested in providing services. By Veterans Day, the site will open on a pilot basis in a limited number of cities and states to accept veterans’ cases. The site will become fully operational nationally in 2018, the ABA’s announcement said. Once the site opens to veterans, it will provide an online tool for them to obtain pro bono counsel for their specific legal needs, including civil, criminal or administrative matters. It will also provide educational information on basic legal concepts, and serve as a repository for paperwork, such as DD 214s, that is required by various service providers. The ABA expects that the site will also be used by organizations that serve veterans in helping them find lawyers to assist their clients. Lawyers who register at the site will be asked to create a profile that defines the kinds of cases they are willing to take. The site will also provide training in handling certain kinds of kinds. * * *

The Miami Heat are switching to smartphone-only tickets for home games this season (The Verge, 14 Aug 2017) - If you’re planning on attending a Miami Heat game at the team’s home court American Airlines Arena this coming season, you’ll need to own a smartphone. The basketball team announced last week that it would be switching over to mobile-based tickets for entry at home games, becoming the first in the NBA to enact such a policy, via ESPN. According to a statement from the team, the new policy is due to the fact that roughly one in every three fans used mobile tickets to attend games last season. While other teams in the NBA like the Timberwolves and the Cavaliers have primarily switched over to mobile tickets, those teams still offer the option for fans to use a driver’s license and credit card to get into the stadium. The new policy applies to all Heat tickets, too. So, if you walk up to American Airlines Arena and buy tickets at the box office, you’ll still get them on your phone now.

Massive new searchable database of federal court opinions, including ones that haven’t been formally published (WaPo Eugene Volokh, 15 Aug 2017) - The Free Law Project, famous for its RECAP browser extension for PACER users, has now scraped all the federal court opinions available for free on PACER, and put them in a free database with a fairly powerful search engine: At Free Law Project, we have gathered millions of court documents over the years, but it’s with distinct pride that we announce that we have now completed our biggest crawl ever. After nearly a year of work, and with support from the U.S. Department of Labor and Georgia State University, we have collected every free written order and opinion that is available in PACER. To accomplish this we used PACER’s “Written Opinion Report,” which provides many opinions for free. This collection contains approximately 3.4 million orders and opinions from approximately 1.5 million federal district and bankruptcy court cases dating back to 1960. More than four hundred thousand of these documents were scanned and required OCR, amounting to nearly two million pages of text extraction that we completed for this project. All of the documents amassed are available for search in the RECAP Archive of PACER documents and via our APIs. New opinions will be downloaded every night to keep the collection up to date.

Tech companies urge Supreme Court to boost cellphone privacy (Reuters, 15 Aug 2017) - More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon Communications Inc., have called on the U.S. Supreme Court to make it harder for government officials to access individuals’ sensitive cellphone data. The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user’s whereabouts. Signed by some of Silicon Valley’s biggest names, including Apple, Facebook, Twitter, Snap and Alphabet’s Google, the brief said that as individuals’ data is increasingly collected through digital devices, greater privacy protections are needed under the law. “That users rely on technology companies to process their data for limited purposes does not mean that they expect their intimate data to be monitored by the government without a warrant,” the brief said. * * * Nathan Freed Wessler, an attorney with the American Civil Liberties Union who is representing Carpenter, said the companies’ brief represented a “robust defense of their customers’ privacy rights in the digital age.” Verizon’s participation in the brief was important, he added, given that it receives, like other wireless carriers, thousands of requests for cellphone location records every year from law enforcement. The requests are routinely granted.

- and -

Verizon-yes, Verizon-just stood up for your privacy (Wired, 16 Aug 2017) - Fourteen of the biggest US tech companies filed a brief with the Supreme Court on Monday supporting more rigorous warrant requirements for law enforcement seeking certain cell phone data, such as location information. In the statement, the signatories-Google, Apple, Facebook, and Microsoft among them-argue that the government leans on outdated laws from the 1970s to justify Fourth Amendment overreach. One perhaps surprising voice in the chorus of protesters? Verizon. Verizon’s support means that the largest wireless service provider in the US, and a powerful force in Silicon Valley, has bucked a longtime trend of telecom acquiescence. While carriers have generally been willing to comply with a broad range of government requests-even building out extensive infrastructure to aid surveillance-Verizon has this time joined with academics, analysts, and the company’s more privacy-focused corporate peers. Carpenter v. United States is “one of the most important Fourth Amendment cases in recent memory,” Craig Silliman, Verizon’s executive vice president for public policy and general counsel, wrote on Monday. “Although the specific issue presented to the Court is about location information, the case presents a broader issue about a customer’s reasonable expectation of privacy for other types of sensitive data she shares with any third party.… Our hope is that when it decides this case, the Court will help us better apply old Fourth Amendment doctrines to an evolving digital era.” Carpenter v. United States, which the Supreme Court will hear this fall, relates to the acquisition, without a warrant, of months of individuals’ location records by law enforcement officials in 2011. Officials looked back on 12,898 location records, spanning a four-month period, of one of these individuals, Timothy Carpenter, to build their case; Carpenter was eventually convicted. His appeal argues that location-data collection by law enforcement without a warrant violates his Fourth Amendment rights-and Verizon agrees. top

Justice Department fights web hosting company for Trump protester information (Lawfare, 15 Aug 2017) - The Justice Department is fighting for information on all of the visitors to the website disruptj20.org, as well as log files on when and from where the visitors logged onto the site, what they looked at, and emails related to the site. The site at the center of the storm bills itself as a platform connecting Trump protesters and “support[ing] the massive and spontaneous eruption of resistance across the United States that’s happened since the election.” At the New York Times, Charlie Savage reports that federal investigators have issued a search warrant to the internet hosting company DreamHost, which is now challenging the warrant as unconstitutionally broad-complying with it would allegedly require handing over 1.3 million visitor IP addresses and the information, emails and photos of thousands of users. Also see the Washington Post story last night from Ellen Nakashima. Dreamhost announced the fight yesterday in a blog post entitled “We Fight for the Users.” Here are the key documents: the search warrant; the Justice Department’s motion to show cause; and DreamHost LLC’s third-party response in opposition to the Department’s motion. [ Polley : see also Justice Dept. demands data on visitors to anti-Trump website, sparking fight (NYT, 15 Aug 2017)] top

- and -

Justice Department walks back demand for information on anti-Trump website (The Verge, 22 Aug 2017) - After controversy over a broad search warrant that could have identified visitors to an anti-Trump website, the Justice Department says it’s scaling back a demand for information from hosting service DreamHost. Last week, DreamHost disclosed that it was involved in a legal dispute with the department over access to records on the website “disruptj20.org,” which organized protests tied to Donald Trump’s inauguration. The warrant issued by the department was so broad, DreamHost said, that it was effectively requesting information that could identify lawful protestors - including information on more than 1.3 million IP addresses from visitors to the site. The warrant immediately drew condemnation from some privacy law experts. In a legal filing today, the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously “unknown.” In light of that, it has offered to carve out information demanded in the warrant, specifically pledging to not request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that “the government is focused on the use of the Website to organize, to plan, and to effect a criminal act - that is, a riot.” Peaceful protestors, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests “all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account.” It’s unclear if DreamHost will continue to fight the new demand. The company did not immediately respond to a request for comment. top

NotPetya ransomware attack cost us $300m - shipping giant Maersk (The Register, 16 Aug 2017) - The world’s largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren’t pretty. The malware surfaced in Ukraine in June after being spread by a malicious update to MeDoc, the country’s most popular accounting software. Maersk picked up an infection that hooked into its global network and shut down the shipping company, forcing it to halt operations at 76 port terminals around the world. “In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco,” CEO Soren Skou said in a statement today. “Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m.” Admittedly Maersk is massive - it’s responsible for around 15 per cent of the world’s entire shipping network - but that kind of financial damage is close to a record for such an attack. Then again, the company’s entire network was down for days, Skou told the Financial Times. top

Fitch: NAIC rules may boost US insurers’ cyber risk management (FitchRatings, 16 Aug 2017) - The National Association of Insurance Commissioners’ (NAIC) CyberSecurity Working Group approved the Insurance Data Security Model Law, which if approved by the NAIC Executive Committee, will promote more rigorous cyber risk management practices in the U.S. insurance market, Fitch Ratings says. At the same time it will add to insurers’ compliance costs and associated risks of penalties for compliance violations. In its current form the proposed model law is credit-neutral for the U.S. insurance sector. It is largely complementary to other federal and state regulations for cybersecurity, including the New York State Department of Financial Services cybersecurity regulations from March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York. The proposed model law still needs approval of the Innovation and Technology Task Force and NAIC Executive Committee to be considered a model law. Application of model laws requires state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers’ cybersecurity. The NAIC’s framework establishes industry standards for data security that will apply to a broad range of parties including insurance companies, agents and brokers. Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third party service provider arrangements and the outcome of cybersecurity events. top

Berkman Klein study finds partisan right-wing websites shaped mainstream press coverage before 2016 election (Harvard, 16 Aug 2017) - The Berkman Klein Center for Internet & Society at Harvard University today released a comprehensive analysis of online media and social media coverage of the 2016 presidential campaign. The report, “Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election,” documents how highly partisan right-wing sources helped shape mainstream press coverage and seize the public’s attention in the 18-month period leading up to the election. “In this study, we document polarization in the media ecosystem that is distinctly asymmetric. Whereas the left half of our spectrum is filled with many media sources from center to left, the right half of the spectrum has a substantial gap between center and right. The core of attention from the center-right to the left is large mainstream media organizations of the center-left. The right-wing media sphere skews to the far right and is dominated by highly partisan news organizations,” co-author and principal investigator Yochai Benkler stated. The study found that on the conservative side, more attention was paid to pro-Trump, highly partisan media outlets. On the liberal side, by contrast, the center of gravity was made up largely of long-standing media organizations. Robert Faris, the Berkman Klein Center’s research director, noted, “Consistent with concerns over echo chambers and filter bubbles, social media users on the left and the right rarely share material from outside their respective spheres, except where they find coverage that is favorable to their choice of candidate. A key difference between the right and left is that Trump supporters found substantial coverage favorable to their side in left and center-left media, particularly coverage critical of Clinton. In contrast, the messaging from right-wing media was consistently pro-Trump.” top

ILTA 2017: Where have all the lawyers gone? (Lawyerist, 17 Aug 2017) - In looking at this year’s International Legal Technology Association (ILTA) attendance list, I saw lots of legal professionals from well-known and well-heeled law firms, a big group of big tech vendors, a few legal startups, and very few practicing lawyers. Why aren’t there more practicing lawyers here? Indeed, I seem to be one of the few outside practicing lawyers in attendance. So much so in meet ups and informal chats, when I tell people I am an active practitioner, I am usually met with raised eyebrows. ILTA touts that the conference “is the premier educational and networking event for the legal sector” that “empowers us to share what works, what doesn’t and what’s next.” If that’s the case, it would seem to be one of the more important events for practicing lawyers to attend. * * * There was even a session where in-house counsel from such companies as Microsoft, Exelon, and Sanofi, offered their opinions on what they wanted from their law firms. I think I was the only practicing lawyer in the room. It’s as if the big firms for whom most of the legal professionals here work for have basically farmed out all things tech and don’t want to get their hands dirty. And therein lies the problem: by creating this gap between the lawyers using the technology and what some lawyers call “staff” a lack of understanding and communication exists. Warren Rheaume of Davis Wright Tremaine, a speaker on the politics of change-and one of the few other practitioners in attendance-calls it a crisis. top

Consortium formed to drive blockchain adoption in legal industry (Bob Ambrogi, 17 Aug 2017) - Bob Craig, chief information officer at Baker Hostetler, has a vision of a technology that will transform the business of law. That technology is blockchain. Craig and his firm are part of a group of law firms and technology companies that this week announced the formation of the Global Legal Blockchain Consortium. The consortium will work to drive the adoption and standardization of blockchain in the legal industry, with the larger goal of improving the security and interoperability of the global legal technology ecosystem. Members of the consortium include the law firms Baker Hostetler and Orrick, IBM Watson Legal, and the newly formed company Integra Ledger, which is hoping to become the ledger used throughout the legal industry for blockchain digital identities. At an event Tuesday to announce the consortium’s formation, Craig said that establishment of consortia has become common in many industries as a way to get the right people around the table to explore how blockchain technology can solve real-world business problems or, in this case, real-world legal problems. top

- and -

Bitcoin-accepting sites leave cookie trail that crumbles anonymity (The Register, 20 Aug 2017) - Bitcoin transactions might be anonymous, but on the Internet, its users aren’t - and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user’s cookies to their Bitcoin transactions is so straightforward, it’s almost surprising it took this long for a paper like this to be published. The paper sees privacy researcher Dillon Reisman and Princeton’s Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions: Only small amounts of transaction information need to leak, they write, in order for “Alice” to be associated with her Bitcoin transactions. It’s possible to infer the identity of users if they use privacy-protecting services like CoinJoin, a protocol designed to make Bitcoin transactions more anonymous. The protocol’s aim is to make it impossible to infer which inputs and outputs belong to each other. Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, “most frequently from shopping cart pages,” and most of these on purpose (for advertising, analytics and the like). Worse, “many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers”. top

- and -

IRS now has a tool to unmask bitcoin tax cheats (Daily Beast, 22 Aug 2017) - You can use bitcoin. But you can’t hide from the taxman. At least, that’s the hope of the Internal Revenue Service, which has purchased specialist software to track those using bitcoin, according to a contract obtained by The Daily Beast. The document highlights how law enforcement isn’t only concerned with criminals accumulating bitcoin from selling drugs or hacking targets, but also those who use the currency to hide wealth or avoid paying taxes. The IRS has claimed that only 802 people declared bitcoin losses or profits in 2015; clearly fewer than the actual number of people trading the cryptocurrency-especially as more investors dip into the world of cryptocurrencies, and the value of bitcoin punches past the $4,000 mark. Maybe lots of bitcoin traders didn’t realize the government expects to collect tax on their digital earnings, or perhaps some thought they’d be able to get away with stockpiling bitcoin thanks to the perception that the cryptocurrency is largely anonymous. “The purpose of this acquisition is… to help us trace the movement of money through the bitcoin economy,” a section of the contract reads. The Daily Beast obtained the document through the Freedom of Information Act. The contractor in this case is Chainalysis, a startup offering its “Reactor” tool to visualize, track, and analyze bitcoin transactions. Chainalysis’ users include law enforcement agencies, banks, and regulatory entities. The software can follow bitcoin as it moves from one wallet to another, and eventually to an exchange where the bitcoin user will likely cash out into dollars or another currency. This is the point law enforcement could issue a subpoena to the exchange and figure out who is really behind the bitcoin. top

- and -

Hacking Coinbase: The great bitcoin bank robbery (Fortune, 22 Aug 2017) - Sean Everett wasn’t sure how his bullish bet on cryptocurrency would turn out. But he definitely didn’t expect it to be over so soon. In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies’ value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device. It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett’s cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase “wallet.” They’d gotten in with the help of his switched-over phone number: Everett’s account required him to log in with a two-factor authentication code sent by text message, as a second safeguard-and now the text had gone straight to the thief. * * * [ Polley : Long, and fascinating; see also Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (NYT, 22 Aug 2017)] top

New NIST draft embeds privacy into US govt security for the first time (The Register, 18 Aug 2017) - A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology. The proposed “Security and Privacy Controls for Information Systems and Organizations” will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America. This version of the document - its fifth draft - concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet. With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications and for the first time privacy has gone from being an appendix to being pulled into the main body of the document. “The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable,” the document states. Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network. Major changes include: * * * top

Law firms, legal departments predicted to focus more on IT risk (LegalTech, 21 Aug 2017) - Legal departments and law firms are likely to continue to focus more on information technology risk, given a recent projection that global spending on information security services and products will continue to rise. According to a recent Gartner study, overall global spending in the sector will total $86.4 billion this year, an increase of 7 percent over last year. Similarly, spending is predicted to jump to $93 billion in 2018, the study said. “Gartner’s latest report about increased spending on security comes as no surprise, given the increase in data breaches, ransomware and the introduction of GDPR [the General Data Protection Regulation] in 2018,” Darren R. Hayes, a professor at Pace University, told Legaltech News. “While the liability associated with data breaches in the U.S. may be limited to reputation, the potential fines associated with the introduction of GDPR [in Europe] should be a wake-up call for multinational corporations,” he said. “Google [was] … already fined $2.7 billion by an EU [European Union] antitrust ruling in June of this year so it is clear that the EU will enforce its new draconian cyber-related laws.” And GDPR compliance is likely to put a strain on legal professionals. In recent years, financial institutions have prioritized regulatory compliance, as regulatory fines have reached an estimated $100 billion annually, Hayes said. Breach response costs are also increasing, and this problem will be exacerbated by GDPR. The Gartner study predicts GDPR will drive 65 percent of data loss prevention buying decisions through 2018, and security services will continue to be the fastest growing segment in the sector, especially IT consulting, outsourcing and implementation services. “Legal and compliance departments can expect to focus more on IT risk in the near future, which includes greater scrutiny of third-party IT service providers and their associated service level agreements,” he added. top

The Twitter #hashtag is 10 years old (CNN, 23 Aug 2017) - The hashtag character (#) popularized on Twitter (TWTR, Tech30) was tweeted for the first time by designer Chris Messina on this day in 2007. He asked his followers: “how do you feel about using # (pound) for groups. As in #barcamp [msg]?” But the hashtag wasn’t born on Twitter. The hash—also called the octothorp—first appeared on touch-tone telephones in the 1960s. We still use the character to interact with automated phone systems. Users on Internet Relay Chat, a popular chat room software, long used the pound sign on the internet to join different channels. It’s unclear who invented the IRC hashtag. Facebook adopted hashtags years later in 2013, but it serves the same purpose. top

RESOURCES

General Data Protection Regulation (GDPR) and the Proposed ePrivacy Regulation (MLPB, 18 Aug 2017) - W. Gregory Voss, Toulouse Business School, has published First the GDPR, Now the Proposed ePrivacy Regulation at 21 Journal of Internet Law 3 (July 2017). Here is the abstract: On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, including its broad territorial scope, its material scope, its interface with the GDPR, as well as provisions on cookies, confidentiality of communications, application of the concept of consent and unsolicited direct marketing communications and enforcement measures (including sanctions). Next, this article discusses advisory and industry reactions to the proposed Regulation, and outlines the legislative process, prior to making certain conclusory remarks. top

Hoofnagle on FTC Regulation of Cybersecurity and Surveillance (MLPB, 24 Aug 2017) - Chris Jay Hoofnagle, University of California, Berkeley, School of Information, and University of California, Berkeley, School of Law, is publishing FTC Regulation of Cybersecurity and Surveillance in The Cambridge Handbook of Surveillance Law (David Gray and Stephen Henderson, eds., Cambridge University Press 2017). Here is the abstract: The Federal Trade Commission (FTC) is the United States’ chief consumer protection agency. Through its mandate to prevent unfair and deceptive trade practices, it both regulates surveillance and creates cybersecurity law. This chapter details how the FTC regulates private-sector surveillance and elucidates several emergent properties of the agency’s activities. First, private-sector surveillance shapes individuals’ reasonable expectations of privacy, and thus regulation of the private-sector has effects on the government as surveillant. The FTC’s activities not only serve dignity interests in avoiding commercial inference in one’s life, they also affect citizens’ civil liberties posture with the state. Second, surveillance can make companies directly liable (for intrusive web monitoring, for tracking people offline, and for installing malware) or indirectly liable (for creating insecure systems, for using deception to investigate, and for mediating the surveillance of others) under the FTC Act. Third, the FTC’s actions substitute plaintiffs’ litigation for privacy, as the class action is burdened in novel ways. Fourth, the FTC’s actions increase the quality of consent necessary to engage in surveillance, and in so doing, the FTC has made some kinds of surveillance practically impossible to implement legally. Finally, the FTC’s actions make companies more responsible for their surveillance technologies in several ways-by making software vendors liable for users’ activities, by imposing substantive security duties, and by narrowing internet intermediary immunity. top

Cisco 2017 Midyear Cybersecurity Report (Cisco, 24 Aug 2017) - For nearly a decade, Cisco has published comprehensive cybersecurity reports that are designed to keep security teams and the businesses they support apprised of cyber threats and vulnerabilities-and informed about steps they can take to improve security and cyber-resiliency. In these reports, we strive to alert defenders to the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption. With this latest report, however, we find we must raise our warning flag even higher. Our security experts are becoming increasingly concerned about the accelerating pace of change-and yes, sophistication-in the global cyber threat landscape. That is not to say defenders are not improving their ability to detect threats and prevent attacks, or to help users and organizations avoid or recover more quickly from them. But we see two dynamics undermining their hard-won successes, hindering further progress, and helping to usher in a new era of cyber risks and threats: * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Settling it on the web (ABA Journal, 4 Oct 2007) - Online dispute resolution was supposed to take over the legal profession. With the rise of the Internet, artificial intelligence and other clever bits of technology, lawyers would be able to solve legal disputes with computers, not courtrooms and judges. “Around 1999 or 2000 we thought this would be huge; every court would have a kiosk out front for ODR,” says Colin Rule, ODR director for eBay and PayPal. But a funny thing happened after the dot-com bust. ODR seemed to fail. And now, instead of being imposed on the legal profession from the outside, it is bubbling up from within the trade. Rule says ODR is integrated into a lot of business models and has become so integral that many people might not even know it’s there. “Look at me: When we started, I worked at a tiny, independent ODR company,” he says. “Now I’m part of this big company that handles millions of disputes online, and nobody thinks twice about it.” Web technology is now slowly making inroads into dispute resolution that had been handled offline. Dan Rainey, director of the office of alternative dispute resolution services for the National Mediation Board, a federal agency, says he hopes to soon handle 10 percent of its arbitration cases online. top

Software provider liable for unauthorized practice of law in Ninth Circuit (Findlaw.com, March 2007) - Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to “know the law” and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product’s web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. During the first meeting with the petitioner’s creditors, the Chapter 7 trustee noticed mistakes, learned about the software and filed an adversary action against the software vendor alleging violations of 11 U.S.C. section 110. This action added to the list of section 110 proceedings against the software vendor, which had already run afoul of several other Chapter 7 trustees. The bankruptcy court held that collateral estoppel prevented the vendor from challenging its status as a “bankruptcy petition preparer engaged in the unauthorized practice of law,” since a previous case had gone against the vendor on this point. The Bankruptcy Appellate Panel of the 9th Circuit agreed with the bankruptcy court and affirmed based on issue preclusion. The regular Ninth Circuit panel decided to address the merits of the case, however, after accepting defendant’s argument that the website had changed since the previous case was decided. The court found that the vendor indeed qualified as a bankruptcy petition preparer, which was the first time that the Ninth Circuit had determined that a software-provider could qualify as such. Since bankruptcy petition preparers are, by definition, not attorneys, the court’s next step was to examine California law to determine whether the vendor engaged in the unauthorized practice of the law. Case at http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf top