MIRLN --- 4-24 September 2016 (v19.13)
- NIST publishes major revisions to digital authentication guidance
- NIST releases Baldrige-based tool for cybersecurity excellence
- New Mexico high court urges judges to be discreet on social media
- Florida Bar Social Media presence leads the nation
- Military supermarket chain’s encryption setup is ‘unacceptable,’ commissary says
- World map shows countries requiring open source software
- Go to court without leaving home
- EFF to Court: Public’s right to access the law should not be blocked by bogus copyright case
- Now you can buy a USB stick that destroys anything in its path
- Court finds violation of TCPA itself constitutes concrete injury
- CFTC imposes cybersecurity rules for U.S. commodities, derivatives firms
- Cybersecurity enhancements proposed for financial firms in New York
- This Bill Gates-backed tech startup is on a mission to fundamentally change the way scientists work
- Apple came up with ‘AirPods’ in 2015 - here’s how it kept it under wraps
- Long-secret Stingray manuals detail how police can spy on phones
- MoMA will make thousands of exhibition images available online
- Avvo wins First Amendment fight, as judge compares it to Sports Illustrated
- Ninth Circuit tells FTC to back off common carriers
- IP lawyer learns the hard way: Copying Newegg appellate brief is not fair use
- FBI restricts impersonation of journalists
- EU Court: Wi-Fi providers not responsible for illegal downloads
- When Alexa is listening, what do you tell houseguests?
- Indian court says ‘copyright is not an inevitable, divine, or natural right’ and photocopying textbooks is fair use
- Lloyd’s of London survey reveals nine out of 10 businesses have suffered a major cyber attack
- Verizon’s statement on Yahoo’s data breach is about as rough as it gets
- University may remove online content to avoid disability law
- Court: With 3D printer gun files, national security interest trumps free speech
- A new service just launched that allows voters in key states to register to vote via text message
NIST publishes major revisions to digital authentication guidance (Federal News Radio, 30 August 2016) - Hoping to balance today’s requirements with future needs, the National Institute of Standards and Technology released a major update to Special Publication 800-63 for digital authentication. The third version was published Aug. 30 and divides the digital authentication document into four sections, ranging from credentials that are tied to a specific person to the process of sending those authentication results to the party who needs to know that certification. The third revision has already received more than 200 comments. Unlike the original special publication, the third version is split into four documents: digital authentication guidelines, enrollment and identity proofing, authentication and lifecycle management, and federation and assertions. Garcia said identity proofing is “a complete re-write,” based on good-practices guidance like the kind seen in Canada and the UK.
- and -
NIST releases Baldrige-based tool for cybersecurity excellence (NIST, 15 Sept 2016) - The US Commerce Department’s National Institute of Standards and Technology (NIST) released today the draft Baldrige Cybersecurity Excellence Builder, a self-assessment tool to help organizations better understand the effectiveness of their cybersecurity risk management efforts. NIST is requesting public comments on the draft document, which blends the best of two globally recognized and widely used NIST resources: the organizational performance evaluation strategies from the Baldrige Performance Excellence Program and the risk management mechanisms of the Cybersecurity Framework.
New Mexico high court urges judges to be discreet on social media (ABA Journal, 1 Sept 2016) - For most of its 37-page opinion in State v. Thomas, issued June 20, the New Mexico Supreme Court explained its finding that the convictions of Truett Thomas for murder and kidnapping violated the confrontation clause. The supreme court reversed the convictions and remanded the case for a new trial only on the murder charge because there was insufficient evidence to support the kidnapping conviction. It wasn’t until page 31 of the opinion that the justices turned to an issue that might have been a more important factor in the case, if not for the confrontation clause violation. During the trial, Judge Samuel L. Winder of the District Court of Bernalillo County, which encompasses Albuquerque, posted the following statement on a Facebook page created for his unsuccessful re-election campaign: “I am on the third day of presiding over my ‘first’ first-degree murder trial as a judge.” While this was a seemingly innocuous post, Winder later posted the following message after trial but before sentencing: “In the trial I presided over, the jury returned guilty verdicts for first-degree murder and kidnapping just after lunch. Justice was served. Thank you for your prayers.” On appeal, “defendant argues that social media postings by the district court judge demonstrate judicial bias,” wrote Chief Justice Charles W. Daniels in his opinion for a unanimous court (with one abstention). “During the pendency of the trial, the district court judge posted to his election campaign Facebook page discussions of his role in the case and his opinion of its outcome. Although we need not decide this issue because we reverse on confrontation grounds, we take this opportunity to discuss our concerns over the use of social media by members of our judiciary.” Judges “should expect to be the subject of public scrutiny that might be viewed as burdensome if applied to other citizens,” stated Daniels, citing Rule 21-102 of the New Mexico Code of Judicial Conduct. “Judges must avoid not only actual impropriety but also its appearance, and judges must ‘act at all times in a manner that promotes public confidence in the independence, integrity and impartiality of the judiciary.’ These limitations apply with equal force to virtual actions and online comments and must be kept in mind if and when a judge decides to participate in electronic social media.” Daniels emphasized that the court was sounding a note of caution to judges. “While we make no bright-line ban prohibiting judicial use of social media,” the opinion states, “we caution that ‘friending,’ online postings and other activity can easily be misconstrued and create an appearance of impropriety. Online comments are public comments, and a connection via an online social network is a visible relationship, regardless of the strength of the personal connection.” The New Mexico Supreme Court’s opinion echoes the view expressed by the ABA Standing Committee on Ethics and Professional Responsibility in Formal Ethics Opinion 462, issued Feb. 21, 2013. “A judge may participate in electronic social networking,” states the committee in Opinion 462, “but as with all social relationships and contacts, a judge must comply with relevant provisions of the Code of Judicial Conduct and avoid any conduct that would undermine the judge’s independence, integrity or impartiality, or create an appearance of impropriety.”
- and -
Florida Bar Social Media presence leads the nation (Future Lawyer, 9 Sept 2016) - Florida Bar social media efforts connect with members and the public. Do you want to change the perception of lawyers in society? Go where the people are. Do you want to communicate with a diverse group of lawyers and keep them up to date daily on news and events that are important to them? Go where they are. Do you want to let the world know that lawyers are ordinary people doing extraordinary things? Go where the world is. Nowadays, the bulletin board is on the Internet, and people, including lawyers, interact on social media, whether it be Twitter, Facebook, Pinterest, Google+, or elsewhere. This article shows why the Florida Bar’s social media team has become the national leader in this area. Social media is where everyone goes to get news and to have conversations about current affairs. Not only should lawyers follow the Florida Bar, but everyone else can see lawyers in a positive light. Too often the only contact regular citizens have with lawyers and the legal system is sensational stories on the news, or negative interactions with the system. As my mom used to say: “If you don’t toot your own horn, no one else will.” Congratulations to the Florida Bar social media team. They get it.
Military supermarket chain’s encryption setup is ‘unacceptable,’ commissary says (NextGov, 2 Sept 2016) - The Defense Department’s $6 billion supermarket chain needs tighter security for the secret keys fastening its hundreds of databases, Pentagon officials say. Currently, those keys (lengthy, computer-generated passwords) essentially are stored underneath the doormat, beside personal and financial data, contracting documents show. “In today’s solutions, the keys reside with the data and that is not acceptable,” Defense Commissary Agency officials said in a recent request for information from vendors. The data at stake includes encrypted payment card industry, or PCI, data and personally identifiable information, or PII, agency spokesman Kevin Robinson told Nextgov. Scrambled in code indecipherable to hackers, the records contain credit card numbers and security codes from the back of the card, he said. The commissary agency’s proposed system would make it possible, say, to deposit keys at DeCA’s Fort Lee, Virginia, headquarters for locking and unlocking remote databases at a server farm “in the cloud,” the contracting papers said. Beyond using encryption to protect grocery store operations, the military deploys the data-scrambling feature in handheld radios, missile system data links and other communications devices to hide information from foes. While the 250-store grocery chain has not committed to buying anything, officials Aug. 24 said there’s a possibility an acquisition will take place in fiscal 2017. The system, formally dubbed the Enterprise Encryption and Key Management Solution, would consist of commercial, currently available technology that stows encryption keys in a different location than the data in the agency’s 629 database environments, officials said.
World map shows countries requiring open source software (Slashdot, 3 Sept 2016) - “Europe and South America are the biggest hotspots for open-source use in government,” reports Network World, while Bulgaria requires all software written for the government to be FOSS. Slashdot reader alphadogg quotes their report: It’s become increasingly common over the past decade or so to see laws being passed to either mandate the use of open-source software or, at the very least, encourage people in government who make procurement decisions to do so. Here’s a map of the status of open-source laws around the world.
Go to court without leaving home (ABA Journal, 7 Sept 2016) - A few years ago, J.J. Prescott went to court to deal with a traffic ticket. The University of Michigan Law School professor waited four hours to have a very short informal hearing. “Imagine if I lived in a rural area where the courthouse was two hours away,” he says. “And as a result, I had to miss an entire day of work to go to court, which, if I were paid by the hour, would equate to $100 or more in lost wages. All of that aggravation, all to come over to have that conversation. I can’t believe that in 50 years, that’s how our courts will operate.” They might not, and Prescott’s work could be a reason why. The U-M Online Court Project, which began with his collaboration with former student Ben Gubernick, created an online platform allowing citizens to resolve smaller legal matters (civil infractions, plus minor warrants and misdemeanors) without having to go to court. Users submit their side of the story and other information, answer questions and eventually hear from a decision-maker. Prescott says at least half of court cases are minor matters that could be resolved simply: “It can happen the way you request an increase in the credit limit on your credit card, at 11 p.m. from your couch.” Online interactions have a lot of advantages over the traditional model, Prescott says. They remove barriers caused by poverty, disability and personal obligations; reduce time spent on cases; avoid the intimidation and fear some people feel in courthouses; and sidestep the possibility that the defendant’s appearance could create perceived or actual bias. The project was in the beginning stages when Prescott got the ticket. With a grant from the University of Michigan, he had a prototype made and convinced the Michigan state court administrative office to give the project access to court data. Through the university’s Office of Technology Transfer, which helps academics build businesses out of their ideas, Prescott launched a startup, Court Innovations Inc., to market the technology and give it a permanent home. He now has the software, Matterhorn, in 15 Michigan district courts and is in talks with other states.
EFF to Court: Public’s right to access the law should not be blocked by bogus copyright case (EFF, 8 Sept 2016) - On Monday, September 12, Electronic Frontier Foundation (EFF) Legal Director Corynne McSherry will urge a federal court to confirm that the public has a right to access and share the laws, regulations, and standards that govern us and cannot be blocked by overbroad copyright claims. The court in Washington, D.C., is hearing arguments in two cases against EFF client Public.Resource.Org, an open records advocacy website. In these suits, several industry groups claim they own copyrights on written standards for building safety and educational testing they helped develop, and can deny or limit public access to them even after the standards have become part of the law. Standards like these that are legal requirements, such as the National Electrical Code, are available only in paper form in Washington, D.C., in expensive printed books, or through a paywall. By posting these documents online, Public.Resource.Org seeks to make these legal requirements more available to the public that must abide by them. The industry groups allege the postings infringe their copyright, even though the standards have been incorporated into government regulations and, therefore, must be free for anyone to view, share, and discuss. McSherry and co-counsel Andrew Bridges at Fenwick & West will argue at the hearing that our laws belong to all of us and private organizations shouldn’t be allowed to abuse copyright to control who can read, excerpt, or share them. They will be assisted by EFF Senior Staff Attorney Mitch Stoltz and Fenwick & West Associate Matthew Becker. [Polley: see also Carl Malamud has standards (Backchannel, 12 Sept 2016)]
Now you can buy a USB stick that destroys anything in its path (ZDnet, 8 Sept 2016) - For just a few bucks, you can pick up a USB stick that destroys almost anything that it’s plugged into. Laptops, PCs, televisions, photo booths—you name it. Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester’s repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges—all in the matter of seconds. On unprotected equipment, the device’s makers say it will “instantly and permanently disable unprotected hardware”.
Court finds violation of TCPA itself constitutes concrete injury (Steptoe, 8 Sept 2016) - Last month, the U.S. District Court for the Northern District of Illinois held, in Aranda v. Caribbean Cruise Line, Inc., that a violation of the Telephone Consumer Protection Act (TCPA) constituted a concrete injury that conferred standing without any additional allegations of harm. In doing so, it engaged in an extensive analysis of the Supreme Court’s decision in Spokeo, Inc. v. Robins and expressly disagreed with the Central District of California’s decision, in Smith v. Aitima Medical Equipment, which had found no standing in similar circumstances. The decision marks an important interpretation of the Supreme Court’s muddled decision in Spokeo, which could influence how courts approach standing in cases alleging statutory violations in the future.
CFTC imposes cybersecurity rules for U.S. commodities, derivatives firms (SC Magazine, 9 Sept 2016) - The Commodity Futures Trading Commission (CFTC) Thursday approved a set of rules that will require frequent testing of information technology at U.S. commodities and derivatives firms, including exchanges and clearinghouses. Systems will undergo vulnerability testing, penetration testing, controls testing, security incident response testing, and enterprise technology risk assessment, according to a government fact sheet. Key elements of the rules include specified cybersecurity testing, minimum testing frequency, use of independent contractors, testing scope, and internal reporting, review and remediation. The CFTC’s comprehensive approach to this new regulation demonstrates a clear appreciation of the reality that between 40 and 70 percent of data breaches originate from third-party vendors and partners, Jeff Hill, director of product management for the security firm Prevalent, told SCMagazine.com via emailed comments.
- and -
Cybersecurity enhancements proposed for financial firms in New York (SC Magazine, 15 Sept 2016) - Banks and insurance companies in New York will soon be required to adhere to new cybersecurity guidelines, including appointing CISOs. In a statement, Gov. Andrew Cuomo called the proposed new regulations a “first-in-the-nation” initiative to bolster cybersecurity policies at financial institutions licensed in the state. Cuomo’s long-awaited guidance for institutions overseen by the New York State Department of Financial Services (NYDFS) will first face a 45-day notice and a request for public comment before adoption procedures commence. The proposed rules are intended to guard consumer data and financial systems from terrorist organizations and other criminal enterprises. They mandate that regulated financial institutions adhere to five principal requirements: * * * [Polley: John Pescatore of SANS writes: “The proposed regulation sets a very low bar: covered entities must have written policies, a designated CISO, annual pen tests, etc. A few requirements bump it up a bit: CISO must brief the board at least twice per year, for example. However, a requirement for encrypting sensitive data at rest allows compensating controls to be substituted for the first 5 years. Biggest lack: no prioritization of requirements - would be good to see that included or the Critical Security Controls referenced for prioritization.”]
This Bill Gates-backed tech startup is on a mission to fundamentally change the way scientists work (Business Insider, 10 Sept 2016) - Meet Ijad Madisch. He’s a Berlin-based entrepreneur on a mission to change the way scientists go about their research. The computer science graduate and qualified doctor set up a company called ResearchGate in 2008 when he realised that scientists were making the same mistakes over and over again as a result of not sharing their work publicly. “It’s one of the biggest problems we have in the world, especially if we are repeating mistakes made by other scientists that cost us a lot of time and money,” Madisch told Business Insider. ResearchGate can be described as a social network for scientists. It started off as a free-to-use platform for academics but it’s become increasingly popular with scientists working in corporates, including tech firms like Google and Facebook. There are currently 1,145 Google employees registered on the platform and 199 Facebook employees. In total, ResearchGate boasts over 10 million users. “ResearchGate has become the biggest and most active scientific social network in the world over the last couple of years,” claims Madisch. “From the beginning, the focus was on convincing scientists to share publication data.” The company claims not to have any competitors but it’s worth noting that it was compared to London’s Mendeley and San Francisco’s Academia.edu in a Times Higher Education article that was published in April. Over the last eight years, tens of millions of pieces of scientific information have been uploaded onto ResearchGate’s platform and today more than two million scientific publications are uploaded every month. In addition to publications, scientists are also uploading general articles, conference papers, and raw data. Now the company wants to make it even easier for scientists to collaborate on chunky problems like climate change and illnesses like HIV and cancer. “Recently we launched a ‘Project’ feature where scientists can collaborate in real time and document what they have found within the experiment,” said Madisch.
Apple came up with ‘AirPods’ in 2015 - here’s how it kept it under wraps (Business Insider, 12 Sept 2016) - Earlier this week, Apple announced a new type of wireless headphones at a media event in San Francisco. It called them “AirPods.” That name would have sounded familiar if you read Apple trademark applications. In fact, it was hiding in plain sight since at least early 2015, when an Apple-aligned holding company first registered the trademark. However, “AirPods” was registered under a dummy corporation called “Entertainment in Flight.” In the run-up to Apple’s big reveal, Rennick Solicitors trademark lawyer Brian Conroy definitively linked Entertainment in Flight to Apple, and discovered a few other names Apple wanted to make sure it could name future products after, like Beats’ EP headphones, which were announced shortly after the event. He also highlighted a number of trademarks Apple didn’t announce, but might one day, including “Today at Apple,” “Apple Touch Bar,” and “Apple Smart Button.” “If Apple had just filed all their applications in the US, or wherever, the intrigue [before the iPhone launch] wouldn’t be nearly as palpable,” Conroy told Business Insider. But Conroy is quick to warn that just because a company files a trademark doesn’t mean it’s planning a product. Here’s how Apple hides its trademarks around the world, and how Conroy sleuthed them out. * * *
Long-secret Stingray manuals detail how police can spy on phones (The Intercept, 12 Sept 2016) - Harris Corp’s Stingray surveillance device has been one of the most closely guarded secrets in law enforcement for more than 15 years. The company and its police clients across the United States have fought to keep information about the mobile phone-monitoring boxes from the public against which they are used. The Intercept has obtained several Harris instruction manuals spanning roughly 200 pages and meticulously detailing how to create a cellular surveillance dragnet. Harris has fought to keep its surveillance equipment, which carries price tags in the low six figures, hidden from both privacy activists and the general public, arguing that information about the gear could help criminals. Accordingly, an older Stingray manual released under the Freedom of Information Act to news website TheBlot.com last year was almost completely redacted. So too have law enforcement agencies at every level, across the country, evaded almost all attempts to learn how and why these extremely powerful tools are being used, though court battles have made it clear Stingrays are often deployed without any warrant. The San Bernardino Sheriff’s Department alone has snooped via Stingray, sans warrant, over 300 times. Richard Tynan, a technologist with Privacy International, told The Intercept that the “manuals released today offer the most up-to-date view on the operation of” Stingrays and similar cellular surveillance devices, with powerful capabilities that threaten civil liberties, communications infrastructure, and potentially national security. He noted that the documents show the “Stingray II” device can impersonate four cellular communications towers at once, monitoring up to four cellular provider networks simultaneously, and with an add-on can operate on so-called 2G, 3G, and 4G networks simultaneously. * * * [Polley: Bruce Schneier linked to this story, with the note: “It’s an impressive surveillance device.”]
MoMA will make thousands of exhibition images available online (NYT, 14 Sept 2016) - The Museum of Modern Art, which has defined Modernism more powerfully than perhaps any other institution, can often seem monolithic in the mind’s eye, essentially unchanged since its doors opened in 1929: a procession of solemn white-box galleries, an ice palace of formalism, the Kremlin (as the artist Martha Rosler once called it) of 20th-century art. But a more complicated story has always been told by the hundreds of thousands of documents and photographs in the museum’s archives, a vast accumulation of historical detail that has been accessible mainly to scholars. Beginning Thursday, after years of planning and digitizing, much of that archive will now be available on the museum’s website, moma.org, searchable so that visitors can time-travel to see what the museum looked like during its first big show (“Cézanne, Gauguin, Seurat, van Gogh,” in the fall of 1929); during seminal exhibitions (Kynaston McShine’s “Information” show in 1970, one of the earliest surveys of Conceptual art); and during its moments of high-minded glamour (Audrey Hepburn, in 1957, admiring a Picasso with Alfred H. Barr Jr., the museum’s domineering first director). Michelle Elligott, chief of the museum’s archives, who undertook the project with Fiona Romeo, the director of digital content and strategy, said that translating documents from the physical to the virtual yielded some real-world historical discoveries. Yes, as the museum has long suspected but could never quite say definitively, Picasso is the artist who has been included in the most exhibitions (more than 320). The digital archive project will include almost 33,000 exhibition installation photographs, most never previously available online, along with the pages of 800 out-of-print catalogs and more than 1,000 exhibition checklists, documents related to more than 3,500 exhibitions from 1929 through 1989. (The project, supported by the Leon Levy Foundation, will continue to add documents from more recent years and also plans to add archives from the museum’s film and performance departments.) One of the surprises for regular museum visitors will undoubtedly be the highly varied forms the galleries and exhibition programs have taken since the museum first opened in rented offices on Fifth Avenue and then grew, on 53rd Street, into the shiny, streamlined version that the architects Edward Durell Stone and Philip Johnson helped create.
Avvo wins First Amendment fight, as judge compares it to Sports Illustrated (Bob Ambrogi, 14 Sept 2016) - A federal court has dismissed a putative class action against Avvo under the Illinois Right of Publicity Act, ruling that Avvo’s lawyer listings are comparable to the editorial content in Sports Illustrated and deserving of the same First Amendment protection. This is the second time in six weeks in which a right-of-publicity class action against Avvo has been dismissed. Lawyer John Vrdolyak filed the lawsuit in the Northern District of Illinois, alleging that Avvo was using his identity for commercial purposes without his consent, in violation of Illinois law. It did this by listing his profile without his consent and by placing paid advertising on his profile page, including advertising by competing lawyers, he contended. But in granting Avvo’s motion to dismiss, U.S. District Judge Robert W. Gettleman found that Avvo’s lawyer listings constituted non-commercial speech fully protected by the First Amendment.
Ninth Circuit tells FTC to back off common carriers (Steptoe, 15 Sept 2016) - The U.S. Court of Appeals for the Ninth Circuit dismissed a case brought by the FTC against AT&T for allegedly violating Section 5(a) of the FTC Act by reducing internet speeds for customers with unlimited data plans once they exceeded certain usage levels (called “data throttling”). At issue in the case was the scope of the exemption to the FTC Act for “common carriers.” The FTC argued that while a substantial part of AT&T’s activity constitutes common carrier activity, data service was not a common carrier activity at the time AT&T engaged in the alleged activities, so the exemption did not apply to these activities. The Ninth Circuit, however, held that the common carrier exemption is “status-based,” not “activity-based”; thus, AT&T, due to its “status” as a common carrier, was exempt from the FTC Act.
IP lawyer learns the hard way: Copying Newegg appellate brief is not fair use (Reuters, 15 Sept 2016) - Just a few years ago, the New Jersey intellectual property lawyer Ezra Sutton was on the same side as the online retailer Newegg. Newegg and Sutton’s client, the electronics company Sakar International, were among dozens of defendants sued in Texas federal district court by Adjustacam, a patent plaintiff often described as a “troll.” Newegg and Sakar refused to settle with Adjustacam, which ended up dropping its case. Sutton worked with Newegg lawyers on separate motions for attorneys’ fees from Adjustacam. When the trial judge denied the fee requests, Newegg and Sutton’s client both decided to appeal the fee ruling to the U.S. Court of Appeals for the Federal Circuit. That is when Sutton discovered that Newegg, which is known as a warrior against what it considers unwarranted patent claims, is just as tough on its erstwhile allies as it is on its sworn enemies. As Newegg general counsel Lee Cheng recounts the story, he told Sutton early on that Newegg would be willing to file a joint brief with Sakar if Sakar paid a share of the legal fees. Sutton said no thanks, but, as the filing deadline approached, he came back to Newegg. Cheng agreed to show Sutton a draft of the brief Newegg intended to submit to the Federal Circuit to help him write a complementary brief for Sakar. Instead, the day before Newegg’s brief was due, Sutton filed a brief that was largely copied from Newegg’s draft. When Newegg realized what he’d done and protested the filing, Sutton withdrew the brief and subsequently filed a shorter version focused on Sakar’s argument. That wasn’t good enough for Newegg. In February 2015, the company sued Sutton for copyright infringement in Los Angeles federal district court. On Tuesday, U.S. District Judge Terry Hatter ruled that Sutton’s copying was not fair use, despite Sutton’s arguments that Newegg wasn’t harmed by the copying. The judge held Sutton liable for copyright infringement. Damages are to be determined at a trial in December. I’ve never before seen a case in which a lawyer is on the hook for copying a co-defendant’s brief. And after talking Thursday to Sutton and Newegg general counsel Cheng, I have mixed feelings about the outcome. * * *
FBI restricts impersonation of journalists (The Hill, 15 Sept 2016) - The FBI is imposing new restrictions making it more difficult for investigators to impersonate journalists, following scrutiny over a 2007 episode in which the bureau posed as a reporter to track a suspected criminal. The FBI did not violate its internal policy during that controversial incident, the Justice Department’s Office of the Inspector General claimed in a 30-page report. Yet this June, it implemented an interim policy barring impersonation of a journalist without approval from the FBI’s deputy director, the watchdog revealed. The changes are the result of a 2007 incident when FBI investigators wrote a fake AP story and placed it on a website designed to mimic the Seattle Times in order to infect a suspect’s computer. A link to the story bearing the headline “Bomb threat at high school downplayed by local police department” was sent to the MySpace page of a student suspected of making multiple threats against the school and launching cyberattacks against its computer network. In follow-up emails to the student, Charles Jenkins, an FBI investigator portrayed himself as an “AP staff publisher” in order to get Jenkins to click on the link and links to other photographs. The operation became public in 2014 and was immediately attacked by news organizations claiming that it eroded the public’s trust in journalists.
EU Court: Wi-Fi providers not responsible for illegal downloads (Deutsche Welle, 15 Sept 2016) - The Court of Justice of the European Union (CJEU) issued a decision freeing businesses that provide free Wi-Fi internet access to their customers from being held responsible for copyright infringement committed by their patrons. The decision by the European Court of Justice in Luxembourg serves as a new precedent in case law across the European Union. In 2010, Sony had brought legal proceedings against a shopkeeper in Germany after a customer used free internet access to illegally download a music album covered by Sony’s copyright. The court found that the owner of the business had no say in the perpetrator’s decision to illegally download the data in question. The European Court of Justice did concede, however, that those providing free online access could be obliged to secure their networks with a password or to have users sign in with their names to establish their identities. The district court in Munich, which initially was in charge of the case, had turned to the CJEU to ask for assistance in the case, as the alleged copyright infringement was covered by European law. The owner of the shop meanwhile commented that he found the court decision to be “disappointing” because it would serve as a further hindrance to establishing free Wi-Fi across Europe. He referred to the ruling as a “partial win.”
When Alexa is listening, what do you tell houseguests? (Christian Science Monitor, 16 Sept 2016) - Earlier this week, Amazon unveiled its $50 internet-connected personal assistant “so you can add Alexa to any room in your home.” Alexa is the online giant’s artificial-intelligence-powered bot that listens to what you say and answers your commands and questions: What’s the weather? How’s traffic? Can you order me a large pepperoni pizza? And the low-priced Echo Dot, about the size of a hockey puck, means many more homes will soon have on-command digital listening devices that eavesdrop on - and store - family conversations, holiday celebrations, and even off-color comments (and also bickering siblings or quarreling spouses). Sure, it has its conveniences and Star Trek-like appeal, and maybe you’re OK with the potential privacy implications. But what happens if your houseguests aren’t? What if your friends think your robot assistant is creepy? Maybe your in-laws worry about the device’s Orwellian implications, or your babysitter is concerned about his privacy. So, what are the manners when it comes to connected homes? Are we approaching a time when we’ll warn guests, “Be careful what you say, Alexa is listening”? Trevor Hughes, chief executive of the International Association of Privacy Professionals (IAPP), says that moment is fast approaching. “We don’t have the social norms for someone to say, ‘Oh hey, I have my Amazon Echo on, just so you know.’ That’s not happening,” says Mr. Hughes. “Society will have to decide, what are the right norms? What are the right ways to set the dials so we can maintain privacy and also enjoy these new technologies? We can foresee that there will be flash points, but they haven’t happened yet.” This confusion isn’t exclusive to devices such as Echo. Anything connected to the internet and equipped with a microphone poses quandaries of etiquette. Consider connected toys such as the talking Barbie doll that records and stores its conversations with children. Should parents warn their child’s playmates that the dolls could be listening in? [ Polley : see also Google backs off on previously announced Allo privacy feature (The Verge, 21 Sept 2016)]
Indian court says ‘copyright is not an inevitable, divine, or natural right’ and photocopying textbooks is fair use (TechDirt, 19 Sept 2016) - Last week there was a big copyright ruling in India, where a court ruled against some big academic publishers, finding that a photocopying kiosk that sold photocopied chapters from textbooks was not infringing on the copyrights of those publishers. We wrote about this case over three years ago, when it was first filed. It’s actually fairly similar to a set of cases in the US that found college copyshops to be infringing—leading to a massive increase in educational material for college students. The Indian court went the other way. The full ruling takes a fair use-style look at the question, and recognizes that educational purposes are more important than padding the bank account of some big publishers. The ruling is pretty long, but there are a number of good points in there. Here’s the one that a bunch of people have been quoting, noting that copyright is not inevitable, divine or a natural right: Copyright, specially in literary works, is thus not an inevitable, divine, or natural right that confers on authors the absolute ownership of their creations. It is designed rather to stimulate activity and progress in the arts for the intellectual enrichment of the public. Copyright is intended to increase and not to impede the harvest of knowledge. It is intended to motivate the creative activity of authors and inventors in order to benefit the public.
Lloyd’s of London survey reveals nine out of 10 businesses have suffered a major cyber attack (ITProPortal, 20 Sept 2016) - According to a new survey, nine out of 10 big businesses in Europe have fallen victim to a significant cyber attack during the last five years, though fewer than half are concerned about the possibility of future breaches. Lloyd’s of London conducted a survey of chief executives and senior bosses at 346 European companies with a turnover of €250 million or more. The company’s chief executive, Inga Beale, believes that the results of the survey show that European businesses are “complacent” when it comes to cyber attacks and the damage they could cause to their business and brands.
- and -
Verizon’s statement on Yahoo’s data breach is about as rough as it gets (Mashable, 22 Sept 2016) - You don’t see corporate statements like this every day. On Thursday, Yahoo admitted that a data breach in 2014 ended up with the theft of far more user data than had been previously thought. By Yahoo’s count, some 500 million user accounts had at least some information stolen. That’s news to Verizon, the company that acquired Yahoo’s core business in July for $4.83 billion but has not yet finalized the acquisition. When reached for comment, Verizon released a pretty stunning statement, claiming it had not been aware of the breach until very recently. “Within the last two days, we were notified of Yahoo’s security incident. We understand that Yahoo is conducting an active investigation of this matter, but we otherwise have limited information and understanding of the impact. We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities. Until then, we are not in position to further comment.” Among the surprising details, Verizon is claiming that Yahoo only provided notification of the breach in the last two days. TWO DAYS. Yahoo has had a deal with Verizon for an acquisition for two months. Next, Verizon said that even now, the company doesn’t really know what’s going on. I’m sure it knows more than we do at this point, but you’d imagine that with almost $5 billion on the line, there would be a healthy amount of transparency.
University may remove online content to avoid disability law (InsideHigherEd, 20 Sept 2016) - The University of California, Berkeley, has announced that it may eliminate free online content rather than comply with a U.S. Justice Department order that it make the content accessible to those with disabilities. The content in question is all free and is for the general public to use. “The department’s findings do not implicate the accessibility of educational opportunities provided to our enrolled students,” said a statement on the situation by Cathy Koshland, vice chancellor for undergraduate education. While the university has not made a final decision, she said, it may not be able to afford complying with the Justice Department’s recommendations on how to make the online material accessible. The material in question involves courses provided by Berkeley through the edX platform for massive open online courses, and videos on YouTube and iTunes University. The Department of Justice found that much of this online material is in violation of the Americans With Disabilities Act, which requires colleges to make their offerings accessible to people with disabilities. The department investigation followed complaints by two individuals who are deaf—one of them a faculty member at Gallaudet University and one at its school for elementary and secondary school students. Both said that they are unable to use Berkeley online material because it has not been formatted for use by people with hearing disabilities. Berkeley released the Justice Department letter finding the university in violation of ADA. The letter outlined numerous concerns about issues related to those who are deaf as well as those who have visual disabilities: * * *
Court: With 3D printer gun files, national security interest trumps free speech (ArsTechnica, 21 Sept 2016) - A federal appeals court ruled Tuesday against Defense Distributed, the Texas organization that promotes 3D-printed guns, in a lawsuit that it brought last year against the State Department. In a 2-1 decision, the 5th Circuit Court of Appeals was not persuaded that Defense Distributed’s right to free speech under the First Amendment outweighs national security concerns. As Ars reported in February 2016, the lawsuit, Defense Distributed v. Department of State, centers on whether a website that publishes CAD files, which would enable foreigners outside the US to print a firearm, violates munitions export laws. Fearing a possible lawsuit by the State Department or prosecution by the government, Defense Distributed took the files down three years ago, but they have since reappeared on BitTorrent sites. The federal civil suit originated three years ago when Cody Wilson and his group, Defense Distributed, published designs for the “Liberator,” the world’s first 3D-printed handgun. Within months, Defense Distributed received a letter from the United States Department of State’s Office of Defense Trade Controls Compliance, stating that 10 files, including the designs of the Liberator, were in violation of the International Traffic in Arms Regulations (ITAR). This letter came despite the fact that these files had already been downloaded hundreds of thousands of times and continue to circulate online. Defense Distributed then re-submitted a “commodity jurisdiction request” to the Department of State, which they hoped would clear the way for the publication of the files. After waiting for two years, Defense Distributed, along with the Second Amendment Foundation, sued the Department of State and argued that the government’s action constituted “prior restraint,” preventing publication before it occurs. In the United States, the Supreme Court has generally rejected the concept of prior restraint. However, one member of the 5th Circuit, District Judge Edith Jones, directly disagreed with her colleagues. In a scathing dissent, she called it an “irrational representation” of the export regulations. She also described the government’s actions as “pure content-based regulation.”
A new service just launched that allows voters in key states to register to vote via text message (Business Insider, 22 Sept 2016) - Registering to vote may now be a lot easier for a portion of the roughly 90% of Americans who own a cellphone. The nonprofit group Fight For The Future launched HelloVote on Thursday morning with the goal of boosting voter registration in several key battleground states by allowing voters to register directly via text message or Facebook Messenger. Backed by brands like MTV, Genius, and the Latino Victory Project, the tool is the first major service to offer voter registration through text messaging, a process the company hopes will boost voter registration rolls, particularly among young voters. HelloVote today can register people to vote via SMS or Facebook in six states: Arizona, California, Colorado, Georgia, Massachusetts, and Virginia. HelloVote is only partially operational in other states. Each state maintains its own election laws, and many still require that voters mail in paper registration forms. In these instances, HelloVote’s text system fills out the registration form via SMS and creates a printer-friendly version for voters to print out and submit.
Crypto arg: CA3 judges seemed on board that being forced to enter passcode only testifies to knowing the passcode. (Orin Kerr on Twitter, 8 Sept 2016) - Oral argument here: http://www2.ca3.uscourts.gov/oralargument/audio/15-3537USAv.AppleMacProComputer.mp3
Weapons of Math Destruction: The Dark Side of Big Data (review in InsideHigherEd, 21 Sept 2016) - So often when someone starts a Twitter message with the label “Must read” I get defensive. You’re not my teacher. I’m a grown up. I get to decide what I’m going to read, thank you very much. But I’m really tempted to start this post with “Must read” because Cathy O’Neil’s book, Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy, is important and covers issues everyone should care about. Bonus points: it’s accessible, compelling, and - something I wasn’t expecting - really fun to read. O’Neil is a data scientist who taught at Barnard before being seduced by the excitement of applying mathematics to finance, working for a Wall Street hedge fund before the crash of 2008. One of the things she quickly learned was different from academic mathematics: employees were treated like members of an Al Qaida cell, with the amount of information they could share strictly limited so that if anyone was captured by a competing firm, they couldn’t reveal too much. Also, the scale of their collective if obscure work was ginormous. Subprime mortgages were a three trillion dollar market, but the markets created around them through credit default swaps, synthetic CDOs, and other weird financial inventions based on math and baloney were twenty times that size. As it all began to collapse, the damage cascaded, and people, lots of people, got hurt. These risky financial instruments, like many other proprietary big data projects - what O’Neil calls “weapons of math destruction” - have features in common. They are opaque (few people could understand them even if they weren’t trade secrets that cannot be examined by those who are subject to the decisions they make); they work at large scale; and because they are sealed systems, they can’t learn from their mistakes. They can do a lot of damage and are bizarrely unaccountable for it, often claiming greater objectivity than the fallible humans who encode them. Her experience in high finance is a cautionary tale because the features that crashed the world economy are present in big data systems that affect our lives in myriad ways, from education to jobs to the criminal justice system to how we are persuaded to vote. * * *
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Free calls from AIM (InternetNews.com, 8 May 2006)—First came free e-mail addresses, and then came free IM accounts. Later this month, Dulles, Va.-based AOL plans to offer free phone numbers through its instant messenger (AIM). AIM Phoneline brings Internet phone calling to the more than 40 million AOL instant messenger users. Slated to begin May 16 in 50 U.S. markets, the service will offer a free base of features along with a $14.95 fee-based premium option, according to an AOL spokesperson. Based on AIM Triton, AIM Phoneline augments AOL’s TotalTalk VoIP offering. AOL will offer Phoneline users free local phone numbers enabling unlimited inbound calls from traditional phones, cell phones and PCs. Cell phone users can receive text messages alerting them when an IM-based call is received, as well as listen to Phoneline voicemail. Along with free phone numbers, AOL will provide AIM users free voicemail. Calls not answered are saved as MP3 files and sent to an AOL or AIM mailbox, according to a company statement. While the differences between AOL’s VoIP plans “are kind of subtle,” the company wants to be sure all its bases are covered, according to Joe Laszlo, analyst with JupiterResearch.
Proposed FEC rules would exempt most political activity on internet (Washington Post, 25 March 2006)—The Federal Election Commission last night released proposed new rules that leave almost all Internet political activity unregulated except for the purchase of campaign ads on Web sites. “My key goal in this rule-making has been to make sure that the commission establish clear rules to exempt individuals who engage in online politics from campaign finance laws,” said Chairman Michael E. Toner, a Republican. “We tried to craft a regulation that would allow the maximum amount of freedom for people as possible,” said Commissioner Ellen L. Weintraub, a Democrat. Most bloggers, individual Web users, and such Web sites as Drudge Report and Salon.com are exempted from regulation and will be free to support and attack federal candidates, much as newspapers are allowed. For the most part, leading advocates of the blogger community welcomed the proposed rules. “As a whole, these are rules that I think those who have been fighting regulations are going to be cheering,” said Richard L. Hasen, a professor at Loyola Law School in Los Angeles, who runs the Election Law blog. The rules provide “broad exemptions for most political activity on the Internet, and expand the media exemption to the Internet,” he said. Hasen and others noted that as technology advances, the regulations will have to be modified. In particular, Hasen said, “as the Internet and TV converge, the FEC or Congress will eventually need to rethink these rules to see if they make sense.” “Generally, it’s in line with what I think bloggers ask for,” said Jerome Armstrong, the founder of the liberal blog MyDD, an adviser to the Howard Dean for president campaign in 2004 and currently an adviser to former Virginia governor Mark R. Warner’s political action committee. “They give bloggers the media exemption.” Armstrong voiced concern, however, over potential difficulties that could result from a requirement that campaign ads have disclaimers. “The size of a Web ad and the size of blog ad is so small that having to put a disclaimer on it is going to take up all the space,” he said.