MIRLN --- 1-20 December 2014 (v17.17)
- Home Depot spent $43 million on data breach in just one quarter
- 5 reasons to allow digital devices in your classroom
- Hackers using lingo of Wall St. breach health care companies’ email
- BITAG report on interconnection and traffic exchange on the Internet
- To follow or not to follow: the brave new world of social media
- A gamified approach to teaching and learning
- Michigan State Law School rebranding itself through social media
- US urges banks to consider cyber risk insurance amid hacking threats
- Defense contractors fighting cyber threats can share information through new ISAC
- I’m from the government, I’m here to help: DOJ announces new cyber-security section
- NYDFS issues examination guidance to banks outlining new targeted cyber security preparedness assessments
- Sites certified as secure often more vulnerable to hacking, scientists find
- Operation AURORAGOLD: How the NSA hacks cellphone networks worldwide
- Comcast makes it more and more difficult to opt-out of Internet sharing
- The FCC takes a seat at the cyber-regulation table
- Pointing users to DRM-stripping software isn’t copyright infringement, judge rules
- Ruling lets work email be used to organize unions
- Cell phones exempt from the automobile search exception, Ninth Circuit rules
- Google, on Google News in Spain
- Federal court agrees with EFF, throws out six weeks of warrantless video surveillance
- Sony’s hacking nightmare gets worse: employees medical records revealed
- Sony GC’s emails leaked in ongoing hacker fallout
- Can Sony get around the First Amendment to sue the media over the hack?
- Tech firms tussle with DOJ over the right to say ‘zero’
Home Depot spent $43 million on data breach in just one quarter (Network World, 25 Nov 2014) - Home Depot spent US$43 million in its third quarter dealing with the fallout of one of the largest ever data breaches, highlighting the costly nature of security failures. The retailer said in a regulatory filing on Tuesday that it expects $15 million of that cost will be reimbursed by a $100 million network security and privacy liability insurance policy. The $43 million was spent on investigations, providing identity theft protection services to consumers, increased call center staffing and other legal and professional services. The retailer warned that it expects “to incur significant legal and other professional services expenses associated with the data breach in future periods.” Home Depot is also facing 44 actions filed in courts in the U.S. and Canada. It expects more claims may be filed on behalf of customers, payment card brands, payment card issuing banks and shareholders. Payment card networks may make claims seeking to recover incremental counterfeit fraud losses and costs for reissuing cards, Home Depot wrote.
5 reasons to allow digital devices in your classroom (InsideHigherEd, 30 Nov 2014) - Amidst reports of Steve Jobs and other Silicon Valley CEOs imposing extremely strict technology rules on their children, the debate around technology use in the classroom has caught fire once again. One of the strongest arguments for banning technology in the classroom came earlier this fall, from media pundit Clay Shirky in a piece titled “Why I Just Asked My Students To Put Their Laptops Away.” In principle, I agree with a lot of what Shirky writes: multiple studies confirm the cognitive toll that distractions and multitasking inflict on learning; his argument that social media is designed both in form and content to distract has merit; and as an email-addict myself, I know that feeling of “instant and satisfying gratification” he describes all too well. Suggesting, however, that enforcing a technology ban is the solution to students’ lack of engagement strikes me both as insecure and a wee bit simplistic. Surely, learning can take place in the absence of technology. But valuable learning can also take place in the presence of it. In my own experience as a foreign language instructor, I have found that there are many benefits to allowing - and in certain cases encouraging - students to use digital devices in class, five of which are outlined below.
Hackers using lingo of Wall St. breach health care companies’ email (NYT, 1 Dec 2014) - For more than a year, a group of cybercriminals has been pilfering email correspondence from more than 100 organizations - most of them publicly traded health care or pharmaceutical companies - apparently in pursuit of information significant enough to affect global financial markets. The group’s activities, detailed in a report released Monday morning by FireEye, a Silicon Valley security company, shed light on a new breed of criminals intent on using their hacking skills to gain a market edge in the pharmaceutical industry, where news of clinical trials, regulatory decisions or safety or legal issues can significantly affect a company’s stock price. Starting in mid-2013, FireEye began responding to the group’s intrusions at publicly traded companies - two-thirds of them, it said, in the health care and pharmaceutical sector - as well as advisory firms, such as investment banking offices or companies that provide legal or compliance services. The attackers, whom FireEye named “Fin4” because they are one of several groups that hack for financial gain, appear to be native English speakers, based in North America or Western Europe, who are well versed in the Wall Street vernacular. Their email lures are precisely tailored toward each victim, written in flawless English and carefully worded to sound as if they were sent by someone with an extensive background in investment banking and with knowledge of the terms those in the industry employ. Different groups of victims - frequently including top-level executives; legal counsel; regulatory, risk and compliance officers; researchers; and scientists - are sent different emails. Some senior executives have been duped into clicking on links sent from the accounts of longtime clients, in which the supposed client reveals that they found an employee’s negative rants about the executive in an investment forum. In another case, hackers posed as an adviser to one of two companies in a potential acquisition. In several cases, attackers have used confidential company documents, which they had previously stolen, as aids in their deception. In others, the attackers simply embedded generic investment reports in their emails.
BITAG report on interconnection and traffic exchange on the Internet (Benton Foundation, 1 Dec 2014) - The Internet is a complex “network of networks” where individual networks are linked together to form a global network. In order for end users connected to one network to access data and services connected to another network, these networks must “interconnect” with each other, either by directly connecting with each other or by indirectly connecting through intermediate networks. Internet network interconnection, often referred to as “peering” or “transit,” is an increasingly important topic as the Internet ecosystem continues to evolve. The term “interconnection” refers to the various means by which network providers attach to and move traffic between one another, and is a collection of business practices and technical mechanisms that allow individually managed networks to connect together for this purpose. There is no central authority that manages Internet interconnection - the overall system arises because of the many bilateral and multilateral decisions that various actors make to interconnect. Interconnection in the United States has evolved significantly since the early days of the Internet. Peering connections, where two networks interconnect without the use of intermediate networks, are increasingly the primary interconnection paths between networks, supplanting the model of hierarchical interconnection via a small group of long-distance network providers. In most cases, two parties seeking to interconnect are able to come to terms. In some cases after an agreement is reached, however, traffic volumes or other factors may change, which in rare cases have led to “de-peering” events. More commonly, such changes lead to a renegotiation of the manner or type of interconnection agreement between the two parties. Although peering disputes over traffic imbalances, and other reasons, are not new, peering disputes in the U.S. have been increasingly publicized in recent years. With this report, BITAG’s Technical Working Group (TWG) aims to provide a technical reference on the subject of Internet interconnection, and presents a detailed review on how networks connect, the development and changes in connection models, motivations for connection, how networks manage traffic between each other and some of the challenges that arise as networks evolve. Report here.
To follow or not to follow: the brave new world of social media (Justice Barbara Jackson, The Judges’ Journal, December 2014) - In recent years, social media sites have become inextricably interwoven within the fabric of society. A 2012 report notes that “[I]n the court community, 2012 will probably be remembered as the year when some courts went from viewing new media as a threat to embracing new media’s possibilities as a powerful tool.” That same study states that a little over 46 percent of judges surveyed used a social media profile site, with Facebook being the most popular choice of over 86 percent of users. In comparison, the general public is using social media in far higher numbers. * * * In light of these increasing numbers, historic resistance to judges’ use of social media needs to be reevaluated and prohibitions against use should be discarded in favor of appropriate guidelines for social media use. * * *
A gamified approach to teaching and learning (InsideHigherEd, 2 Dec 2014) - Mark Carnes’s “Minds on Fire: How Role Immersion Games Transform College” offers evidence that an immersive gamified pedagogy can significantly increase student engagement and motivation. Higher education is in the midst of seismic shifts in curricular design, pedagogy, delivery modes, and instructional activities and assessments. Models of education that arose in the Industrial Era slowly give way to new paradigms better suited to the Information Age. A more customized, self-paced and adaptive approach to education is gradually replacing the “mass production,” “one-size-fits-all” paradigm, which assumed that all students should acquire the same information at the same pace. A “transmission” model, in which content experts deliver a body of information to passive students, is slowly succumbing to more interactive forms of teaching that actively engage students in their own learning. A sink-or-swim model designed to separate the wheat from the chaff, is being succeeded by a new ideal: Helping all students achieve proficiency. An artisanal approach to course design, in which solo practitioners develop courses wholly on their own, is yielding to a more collaborative model involving instructional designers, educational technologists, assessment specialists, and teams of faculty members, sometimes on multiple campuses. At the same time, delivery models - hybrid, fully online, emporium, accelerated, competency-based, low-residence - proliferate, slowly displacing lectures and radically altering the ways that students consume education. Meanwhile, linear paths to a degree, through which students complete all courses at a single institution, are being replaced by more circuitous routes, in which students acquire credits from early college high school programs, AP classes, community colleges, and various online providers. As certificates become more common, the bachelor’s degree is no longer the exclusive way students establish credentials. [Polley: There’s quite a bit here; I’m working on the future of CLE at the ABA, and much of this is relevant.]
Michigan State Law School rebranding itself through social media (Kevin O’Keefe, 3 Dec 2014) - Michigan State Law School is branding itself, at least in my mind, as one of the more innovative law schools in the country. A school that is recognizing the importance of a sound legal education, while at the same time preparing its students to use technology and social media while in school - and upon graduation. The wild thing is that the public’s perception of MSU Law is not changing because of a centralized public relations campaign by the school or via mass mailings to the alumni. The law school’s students are rebranding the school through their individual use of social media. And the students are doing it without the direction of the law school. I receive more requests to connect on LinkedIn from MSU law students than from students at any other law school. The same goes for Twitter followers. Not many on Facebook yet, but that mirrors that age group’s slower take to Facebook for networking. The students are connecting and engaging on social to learn - as well as build word of mouth and network for job opportunities. I had a great discussion with Chelsea Rider, a veteran and MSU Law 3L, two nights ago about the impact of technology and social media. Her inquiry centered on how we could leverage tech and social to make the law more accessible. How many other law students around the country were having such a discussion at one o’clock in the morning? I had no idea who Rider was 48 hours ago. Now I cannot wait to meet her. MSU law students didn’t just pick up social and tech from the water in East Lansing. They were exposed to it by professors and guests speaking at the school. It was up to the students to run with the ball. Ellis tells me it was MSU Law’s ReInvent Law Laboratory created by professors Renee Knake and Daniel Katz which opened his eyes to the innovative use of tech in the law and the power of social media. Rider blogs she was exposed to ReInvent Law and the thinking of legal futurist Richard Susskind, who spoke at MSU Law a couple years ago. But it wasn’t until Assistant Dean of Career Development and Professor Dan Linna hosted a weekend workshop, “Delivering Innovative Legal Services,” led by Kenneth Grady from Seyfarth Shaw that she realized the legal profession was being reinvented while she was in school - and that she could learn and network via social media.
US urges banks to consider cyber risk insurance amid hacking threats (Reuters, 3 Dec 2014) - Banks should consider cyber risk insurance to help deal with the financial fall-out from the growing threat of cyber attacks, a top U.S. regulator said on Wednesday. Bankers and officials have become more vocal lately about concerns that malicious hacks could put customer data and the stability of the financial system at risk. Cyber insurance will not stop hackers, but it can help banks improve their broader cyber controls, Treasury Deputy Secretary Sarah Bloom Raskin told the Texas Banker’s Association at a cybersecurity conference. Raskin said more than 50 carriers now offer some form of cyber risk insurance, and Treasury was encouraging companies to develop insurance products that could improve firms’ overall cyber protection. “Ideally, we can imagine the growth of the cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board,” she said. The insurance broking arm of Marsh & McLennan Companies estimates the U.S cyber insurance market was worth $1 billion last year in gross written premiums and could reach as much as $2 billion this year. But many insurers are still trying to develop their skills in handling hackers and data breaches. Raskin also said Treasury was working on an exercise to test communication among government agencies and financial institutions during a cyber attack.
- and -
Defense contractors fighting cyber threats can share information through new ISAC (AL.com, 4 Dec 2014) - The hacking of Sony’s computer networks has again focused attention on the growing cyber security problem in America. But a newly-announced cyber information exchange center will grow Huntsville’s role in cyber security while combating cyber intrusions among defense contractors nationally. “We’re giving smaller defense contractors a way to talk to each other,” says Steve Lines, Executive Director of the Defense Industrial Base - Information Sharing and Analysis Center (ISAC), slated to open in Research Park in February 2015. Lines says the aim is to give companies that support the mission and the infrastructure of the defense industrial base community a way to share information about cyber intrusions, as well as how to respond to both natural and man-made crisis events. They’ll also have access to a national group of cyber security experts at the National Council of ISACs in Washington. A former Director of Information Assurance at SAIC, Lines says virtually every company today gets hacked. “It’s not a matter of if, but when, a company gets hit with a cyber attack,” he said. Sharing of cyber intrusion information helps to detect patterns of cyber attack, so warnings can be provided to all ISAC members, Lines said. [Polley: The ABA is considering sponsoring an ISAC for law firms; good idea, or fool’s errand?]
- and -
I’m from the government, I’m here to help: DOJ announces new cyber-security section (Security Current, 5 Dec 2014) - The Department of Justice is establishing a new unit within the Computer Crime and Intellectual Property Section of the Criminal Division designed to actually help entities prevent cybercrime, instead of just prosecuting it after it happens, according to a speech at Georgetown University at the Cybercrime 2020 Symposium by Assistant Attorney General (AAG) Leslie R. Caldwell. In announcing the role of the new Cybersecurity Unit, AAG Caldwell explained: “Prosecutors from the Cybersecurity Unit will provide a central hub for expert advice and legal guidance regarding the criminal electronic surveillance statutes for both U.S. and international law enforcement conducting complex cyber investigations to ensure that the powerful law enforcement tools are effectively used to bring the perpetrators to justice while also protecting the privacy of everyday Americans. The Cybersecurity Unit will work hand-in-hand with law enforcement and will also work with private sector partners and Congress. This new unit will strive to ensure that the advancing cyber security legislation is shaped to most effectively protect our nation’s computer networks and individual victims from cyber attacks.” So, in essence, the Cybersecurity Unit will (1) give legal advice about computer crime and electronic surveillance issues; (2) draft and comment on legislation related to cybersecurity; and (3) engage in outreach with the private sector and the public at large.
- and -
NYDFS issues examination guidance to banks outlining new targeted cyber security preparedness assessments (New York State, 10 Dec 2014) - Benjamin M. Lawsky, Superintendent of Financial Services, today issued an industry guidance letter to all New York State Department of Financial Services (DFS)-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of new targeted, DFS cyber security preparedness assessments. These banks will be examined on their protocols for the detection of cyber breaches and penetration testing; corporate governance related to cyber security; their defenses against breaches, including multi-factor authentication; the security of their third-party vendors, and a number of other issues. The new cyber security assessments will become regular, ongoing parts of all DFS bank examinations moving forward. Taking this step will help encourage stronger cyber security practices at banks since regulatory examination ratings can have significant impacts on the operations of financial institutions, including their ability to enter new business lines or make acquisitions. [Polley: Note the language “the security of their third-party vendors”. This includes law firms.]
Sites certified as secure often more vulnerable to hacking, scientists find (ArsTechnica, 4 Dec 2014) - Seals certifying the security of e-commerce sites and other online destinations have long aroused suspicions that they’re not worth the bits they’re made of - much less the hundreds or thousands of dollars they cost in yearly fees. Now, computer scientists have presented evidence that not only supports those doubts but also shows how such seals can in many cases make sites more vulnerable to hacks. The so-called trust marks are sold by almost a dozen companies, including Symantec, McAfee, Trust-Guard, and Qualys. In exchange for fees ranging from less than $100 to well over $2,000 per year, the services provide periodic security scans of the site. If it passes, it receives the Internet equivalent of a Good Housekeeping Seal of approval that’s prominently displayed on the homepage. Carrying images of padlocks and slogans such as “HackerProof,” the marks are designed to instill trust in users of the site by certifying it’s free of vulnerabilities that hackers prey on to steal credit card numbers and other valuable customer data. A recently published academic paper discovered an almost universal lack of thoroughness among the 10 seal providers studied. For one thing, the scientists carried out two experiments showing that the scanners failed to detect a host of serious vulnerabilities. In one of the experiments, even the best-performing service missed more than half of the vulnerabilities known to afflict a site. In another, they uncovered flaws in certified sites that would take a typical criminal hacker less than one day to maliciously discover. Most strikingly, the researchers developed attacks that are enabled by a site’s use of security seals, a shortcoming that ironically makes sites that use some seals more vulnerable than if they didn’t use the service.
“Through a series of automatic and manual experiments, we discovered that third-party security seals are severely lacking in their thoroughness and coverage of vulnerabilities,” the paper, titled Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals, concluded. “We uncovered multiple rudimentary vulnerabilities in websites that were certified to be secure and showed that websites that use third-party security seals do not follow security best practices any better than websites that do not use seals. In addition, we proposed a novel attack where seals can be used as vulnerability oracles and describe how an attacker can abuse seal providers to discover the exact exploit for any given vulnerable seal-using website.”
Operation AURORAGOLD: How the NSA hacks cellphone networks worldwide (The Intercept, 4 Dec 2014) - In March 2011, two weeks before the Western intervention in Libya, a secret message was delivered to the National Security Agency. An intelligence unit within the U.S. military’s Africa Command needed help to hack into Libya’s cellphone networks and monitor text messages. For the NSA, the task was easy. The agency had already obtained technical information about the cellphone carriers’ internal systems by spying on documents sent among company employees, and these details would provide the perfect blueprint to help the military break into the networks. The NSA’s assistance in the Libya operation, however, was not an isolated case. It was part of a much larger surveillance program - global in its scope and ramifications - targeted not just at hostile countries. According to documents contained in the archive of material provided to The Intercept by whistleblower Edward Snowden, the NSA has spied on hundreds of companies and organizations internationally, including in countries closely allied to the United States, in an effort to find security weaknesses in cellphone technology that it can exploit for surveillance. The documents also reveal how the NSA plans to secretly introduce new flaws into communication systems so that they can be tapped into - a controversial tactic that security experts say could be exposing the general population to criminal hackers. [Polley: This story reminded me of the 2007 mysterious Greek cellphone hacking story in MIRLN 10.13; the IEEE technical discussion here is still fascinating. What do you bet there’s a solid connection?]
Comcast makes it more and more difficult to opt-out of Internet sharing (TechCrunch, 7 Dec 2014) - As we learned back in June, Comcast has decided to turn every cable router on its network into a public wi-fi access point. While this may sound like a good idea - free Internet for all Comcast subscribers everywhere is the goal - the reality clashes with the Internet user’s sense of freedom and control. And, unfortunately, Comcast is making it harder and harder to opt out of their service. DSLReports has noted that many users have found that even after disabling the sharing, updates to the firmware re-enable it automatically. Wrote one user, Moulder3: So again, my ability to turn WiFi off via the “Users & Preferences” page did not exist. Calling the 800 number and going to internet support gave me someone who only suggested trying to disable & re-enable bridge mode (which didn’t eliminate ‘xfinitywifi’). He then suggested I (get this!) read up on the Comcast customer forums on their website as “there are constantly updates to the firmware in our modems and this is probably just an update that has an issue at the moment.” When I told him that wasn’t acceptable, he transferred me to the WiFi department (who actually seemed to be both U.S. based & knowledgeable!) This rep empathized with me and admitted that although I have the WiFi set to ‘off’ and I have my gateway in bridge mode, he could apparently see that xfinitywifi was active on my account. THIS DEPARTMENT SEEMS TO BE THE ONLY ONE ABLE TO DISABLE THE XFINITYWIFI ON GATEWAYS AT THE MOMENT. Their direct # is 855-308-9453 (I’m glad I asked the clueless tier 1 tech for it before being transferred). I can confirm that this person was ultimately able to fix the issue. The only solution, according to forum members, is to “buy your own modem/router,” a solution that seems quite simple. Sadly, however, there are also complaints of Comcast failing to remove router rental fees even after multiple requests. While most users are obviously fine with Comcast sharing their bandwidth, this Kafkaesque experience for those who dare think a bit different looks quite frustrating.
The FCC takes a seat at the cyber-regulation table (Cyber Risk Network, 8 Dec 2014) - The FCC recently slid up its chair to the fiscal feast that is cyber security and data breach regulation and took a hefty piece of the pie. In late October the FCC announced that it charged a record $10 million fine against two telecommunication companies after the telecoms reportedly posted the private information of nearly 300,000 people in a manner making the people eligible for identity theft. Taking a cue from the Federal Trade Commission (“FTC”), the FCC action was not based on any new set of concrete regulations or laws established to give organizations a minimum bar for data protection, but rather on existing FCC powers established under the Communications Act of 1934. The action serves as good warning not only to communications providers that the FCC will be examining data breaches and, more expressly, data storage issues, but also that in the absence of clear cybersecurity regulations, federal agencies will take an expansive view of their existing authority to address cybersecurity-related incidents involving companies subject to their jurisdiction. Similar to the FTC’s response, the FCC’s first foray into data breach regulation was born from its interpretation of its existing authority under the Communications Act of 1934 (the “Act”). Under the Act, the FCC is responsible for regulating interstate and international communications by radio, television, wire, satellite, and cable throughout the United States and its territories. Moreover, under Section 503(b)(1) of the Act, the FCC is authorized to impose a forfeiture penalty against “any person who willfully or repeatedly fails to comply with any provision of the Act.” As the FCC described in its Notice of Forfeiture, that is exactly what two companies did, YourTel America and TerraCom Inc., when they collected the data of up to 300,000 customers to determine eligibility for the FCC’s low-income discount phone program, “Lifeline.” In order to enroll, potential participants had to demonstrate eligibility by submitting personal information to the Companies, including the applicant’s name, address, date of birth, social security number, and driver’s license information. Between September 2012 and April 2013, the FCC alleges that applicants’ information was stored on data servers that were publicly accessible via the Internet, a fact made known to the FCC after reporters from the Scripps Howard News Service advised the FCC that they were able to access at least 128,066 confidential records by using a simple Google search. Acting under the authority provided by the Communications Act, as amended by the Telecommunications Act of 1996, the FCC charged the Companies with violations of Sections 222(a) and 201(b). Under 222(a), a carrier has a duty “to protect the confidentiality of proprietary information of, and relating to . . . customers.” Similarly, 201(b) makes it unlawful for a carrier to employ “unjust or unreasonable” data security practices related to its “practices,” such as, in this case, holding customers’ “proprietary information.” [Polley: Spotted by MIRLN reader Keith Cheresko]
Pointing users to DRM-stripping software isn’t copyright infringement, judge rules (EFF, 10 Dec 2014) - Telling users how to strip the DRM from their legally purchased ebooks is not contributory copyright infringement, according to a ruling last month by a federal judge in New York. Judge Denise Cote dismissed two publishers’ claims of contributory infringement and inducement in Abbey House Media v. Apple Inc., one of the many cases to come out of the antitrust litigation against Apple and a handful of major publishers. Abbey House Media operated an ebook store for the publishers Penguin and Simon & Schuster from 2010, and was contractually obligated to wrap the ebooks sold in that store with DRM. When Abbey House shut down the ebook store in 2013, it gave its customers a month’s notice that they would no longer be able to add new devices to read their purchased books on - and also explained that some customers were using the free software package Calibre to remove the DRM so they would be able to move their library to new hardware. Penguin and Simon & Schuster argued that, by making that announcement and pointing to a specific piece of software, Abbey House was engaging in contributory infringement and inducing people to infringe. Fortunately, Judge Cote recognized the problems with those claims and dismissed them both.
Ruling lets work email be used to organize unions (NYT, 11 Dec 2014) - In a decision that could affect millions of workers across the country, the National Labor Relations Board ruled on Thursday that employers could not prohibit employees from using their company’s email to communicate and engage in union organizing on their own time. The 3-to-2 ruling overturned a decision made in 2007, when Republicans held a majority on the board, that had forbidden such use of email. Calling that ruling “clearly incorrect,” the current majority noted how technology had transformed daily habits. “The workplace is ‘uniquely appropriate’ and ‘the natural gathering place’ for such communications,” the board wrote, “and the use of email as a common form of workplace communication has expanded dramatically in recent years.” The board did carve out an exception, saying that in special circumstances, employers might be able to create an overall ban on nonwork use of email if they could show it was necessary for productivity or discipline. The board said that as long as workers were allowed to send non-work-related emails, then employers could not bar the messages from being about union organizing. The majority in the ruling on Thursday wrote: “Empirical evidence demonstrates that email has become such a significant conduit for employees’ communications with one another that it is effectively a new ‘natural gathering place.’”
Cell phones exempt from the automobile search exception, Ninth Circuit rules (Orin Kerr, 11 Dec 2014) - With law school exam season finishing up, here’s a new Fourth Amendment decision with facts that seem straight from a law school exam: United States v. Camou, authored by Judge Pregerson. In the new decision, the Ninth Circuit suppressed evidence from a 2009 search of a cell phone taken from a car incident to arrest at the border. The new ruling might not be the final word in the case. But the court does decide an important question along the way: The Ninth Circuit rules that if the police have probable cause to search a car under the automobile exception, they can’t search cell phones found in the car. In 2009, officers arrested Camou at a border inspection checkpoint for hiding an undocumented immigrant in his truck. Minutes after the arrest, Camou’s phone rang several times from a number known to be from one of Camou’s co-conspirators. When Camou invoked his right to remain silent, officers decided to search the phone for evidence without a warrant. The phone search occurred 80 minutes after Camou’s arrest. The officer who searched the phone first searched through the call logs, then turned to the videos and photos. The officer scrolled through about 170 photos and saw that about 30 to 40 were child pornography. The officer stopped looking through the phone at that point and alerted authorities about the child pornography. Four days later, a warrant was obtained to search the cell phone for images of child pornography, leading to child porn charges against Camou. The issue before the court is whether to suppress the fruits of the initial warrantless phone search as a violation of the Fourth Amendment. The Ninth Circuit rules that the cell phone search violated the Fourth Amendment and that the evidence must be suppressed.
Google, on Google News in Spain (Google, 11 Dec 2014) - After 9/11, one of our engineers, Krishna Bharat, realized that results for the query “World Trade Center” returned nothing about the terrorist attacks. And it was also hard to compare the news from different sources or countries because every web site was a silo. That’s how Google News was born and today the service is available in more than 70 international editions, covering 35 languages. It’s a service that hundreds of millions of users love and trust, including many here in Spain. It’s free to use and includes everything from the world’s biggest newspapers to small, local publications and bloggers. Publishers can choose whether or not they want their articles to appear in Google News—and the vast majority choose to be included for very good reason. Google News creates real value for these publications by driving people to their websites, which in turn helps generate advertising revenues. But sadly, as a result of a new Spanish law, we’ll shortly have to close Google News in Spain. Let me explain why. This new legislation requires every Spanish publication to charge services like Google News for showing even the smallest snippet from their publications, whether they want to or not. As Google News itself makes no money (we do not show any advertising on the site) this new approach is simply not sustainable. So it’s with real sadness that on 16 December (before the new law comes into effect in January) we’ll remove Spanish publishers from Google News, and close Google News in Spain. For centuries publishers were limited in how widely they could distribute the printed page. The Internet changed all that—creating tremendous opportunities but also real challenges for publishers as competition both for readers’ attention and for advertising Euros increased.
We’re committed to helping the news industry meet that challenge and look forward to continuing to work with our thousands of partners globally, as well as in Spain, to help them increase their online readership and revenues.
Federal court agrees with EFF, throws out six weeks of warrantless video surveillance (EFF, 12 Dec 2014) - The public got an early holiday gift today when a federal court agreed with us that six weeks of continually video recording the front yard of someone’s home without a search warrant violates the Fourth Amendment. In United States v. Vargas, local police in rural Washington suspected Vargas of drug trafficking. In April 2013, police installed a camera on top of a utility pole overlooking his home. Even though police did not have a warrant, they nonetheless pointed the camera at his front door and driveway and began watching every day. A month later, police observed Vargas shoot some beer bottles with a gun and, because Vargas was an undocumented immigrant, they had probable cause to believe he was illegally possessing a firearm. They used the video surveillance to obtain a warrant to search his home, which uncovered drugs and guns, leading to a federal indictment against Vargas. Vargas moved to suppress the evidence and Senior U.S. District Court Judge Edward Shea invited us to submit an amicus brief, which we filed late last year. After an evidentiary hearing, the judge wanted more information about the specific surveillance equipment the government was using, details the government was unsuccessful in keeping secret. Today Judge Shea issued this brief minute order: Law enforcement’s warrantless and constant covert video surveillance of Defendant’s rural front yard is contrary to the public’s reasonable expectation of privacy and violates Defendant’s Fourth Amendment right to be free from unreasonable search. The video evidence and fruit of the video evidence are suppressed. Looking at these two sentences makes clear the court was convinced by our arguments that the invasiveness of constant video surveillance pointed continuously at one of the most sensitive and private places, the front of a person’s home, triggers constitutional protection.
Relying on cases decided almost 30 years ago, the government argued that it’s unreasonable for people to expect privacy in an area visible to the public. But as we explained in our amicus brief, no one expects their house to be placed under invasive 24/7 video surveillance for a month. And as the U.S. Supreme Court recently reaffirmed in Riley v. California, the ability for technology to reveal a “broad array of private information” means courts must be particularly vigilant in protecting constitutional rights in the 21st Century.
Sony’s hacking nightmare gets worse: employees’ medical records revealed (Bloomberg, 12 Dec 2014) - Documents stolen from Sony by hackers include detailed and identifiable health information on more than three dozen employees, their children or spouses—a sign of how much information employers have on their workers and how easily it can become public. One memo by a human resources executive, addressed to the company’s benefits committee, disclosed details on an employee’s child with special needs, including the diagnosis and the type of treatment the child was receiving. The memo discussed the employee’s appeal of thousands of dollars in medical claims denied by the insurance company. Another document leaked in the hack is a spreadsheet from a human resources folder on Sony’s servers that includes the birth dates, gender, health condition and medical costs for 34 Sony employees, their spouses and children who had very high medical bills. The conditions listed include premature births, cancer, kidney failure and alcoholic liver cirrhosis. The release of the health information could be some of the most damaging material, said Deborah Peel, director of Patient Privacy Rights, a non-profit group. “This stuff will haunt all those people the rest of their lives. Once it’s up on the Internet it is up in perpetuity,” Peel said. “This is a thousand times worse than that other stuff,” she said, referring to salary information and personal e-mails. “Health information is the most sensitive information about you.”
- and -
Sony GC’s emails leaked in ongoing hacker fallout (Corporate Counsel, 12 Dec 2014) - Sony Pictures Entertainment Inc. general counsel Leah Weil reportedly argued against a company policy of saving all emails and in favor of instituting a regular purge. Ironically, she made the argument in one of the many Weil emails hacked and made public by a group calling itself Guardians of the Peace. Weil, who has been with Sony since 1996 and GC since 2001, also serves as the company’s chief compliance officer. She couldn’t be reached for comment. On Thursday the hackers reportedly posted emails from the account of Sony’s top lawyer. Most of the hackers’ posts appear briefly and then disappear. But Gizmodo, a design and technology news site, apparently captured some posts of Weil’s emails and revealed them Thursday. Another vague email involving several unnamed executives seems to deal with whether to take a stand on net neutrality, but offers no answer. And another involves what Gizmodo calls a “strategic invitation from Google to start working together.”
- and -
Can Sony get around the First Amendment to sue the media over the hack? (Eriq Gardner, 15 Dec 2014) - On Sunday night, famed attorney David Boies sent a threatening letter on behalf of Sony Pictures to The Hollywood Reporter, The New York Times and other news organizations demanding destruction of stolen information and warning of consequences for publishing the company’s secrets. If Sony does decide to go to court against the media over revelations that keep coming - Channing Tatum and Chris Pratt wish to reboot Ghostbusters, George Clooney lost faith in The Monuments Men, Sony executives weren’t thrilled by Leonardo DiCaprio dropping out of a Steve Jobs biopic - the First Amendment stands as a roadblock. But maybe not an impenetrable one. Many attorneys are now carefully reading every word from a 2001 Supreme Court decision, Bartnicki v. Vopper. The case concerned union officials whose intercepted cell phone conversations landed in the hands of a radio commentator who broadcast the contents. At the high court, the media defendants were given a pass from violating a federal wiretap law as they “played no part in the illegal interception,” “their access to the information on the tapes was obtained lawfully, even though the information itself was intercepted unlawfully by someone else” and finally, “the subject matter of the conversation was a matter of public concern.” That decision offers tremendous hope for news organizations that Sony’s threats against the news media are empty. “Unless the media is involved in the hacks themselves, the Bartnicki case puts the law on the side of the media,” says Andy Sellars at Harvard University’s Berkman Center for Internet & Society. However, some caution might be in order for two reasons. * * * [Polley: pretty interesting.]
Tech firms tussle with DOJ over the right to say ‘zero’ (WaPo, 16 Dec 2014) - A growing number of technology companies seeking to promote transparency have been testing the limits of new government guidelines on how they can disclose national security orders for their customers’ data. Over the past year or so, about a dozen online and communications firms have reported that they have never received such a request, effectively breaching the spirit if not the letter of government guidance issued in January intended to make it more difficult for would-be terrorists or spies to identify services that could be used to evade detection. Their decisions have frustrated U.S. officials, even as they privately acknowledge there is little they have been able to do about it. In October, Twitter sued the government, charging that its First Amendment rights were squelched when the Justice Department blocked it from publishing a transparency report that sought to disclose the specific number of orders it had received and the fact that the number was limited. The firm also alleged that preventing a company from reporting “zero” national security requests is an unconstitutional restraint on speech. The guidelines take the form of an agreement reached with five major tech companies that allowed for reporting of government national security requests in broad ranges, such as 0-999. There is no “zero” option. Some firms began issuing warrant canaries shortly after the first disclosures by former intelligence contractor Edward Snowden, who revealed a National Security Agency program to gather data about millions of Americans’ phone calls (though not the content) from phone companies. Wickr, a San Francisco-based company that provides an encrypted text message service to more than 4 million users, planted a warrant canary in its transparency report in the summer of 2013, becoming the first company, it said, to do so.
The report said, “If the canary flies the coop, the tone of this report will change as well because things will have shifted.”
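A warrant canary works by absence: the provider keeps republishing a dated "we have received zero requests" statement, and the day it stops (or the wording changes) is the signal, since a gag order can forbid speaking but cannot easily compel a false affirmative statement. What a subscriber actually has to monitor is therefore freshness and presence, not content. The checker below is an added example written for this page, not Wickr’s or any vendor’s code; the report format (a `Canary date:` line plus a fixed zero-request sentence), the 90-day republication interval and the three sample reports are all constructed for illustration.

```python
"""Warrant-canary freshness monitor (added example; hypothetical report format)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Wording the provider commits to republishing only while it remains true.
# Hypothetical wording chosen for this example, matched case-insensitively.
ZERO_CLAIM = "we have never received a national security request"

# Hypothetical header line carrying the affirmation date in ISO form.
DATE_RE = re.compile(r"^Canary date:\s*(\d{4}-\d{2}-\d{2})\s*$", re.MULTILINE)


@dataclass(frozen=True)
class CanaryStatus:
    state: str    # "alive" | "stale" | "missing" | "unparseable"
    detail: str


def parse_canary_date(report: str) -> date | None:
    """Return the affirmation date from the report, or None if absent or garbled."""
    m = DATE_RE.search(report)
    if m is None:
        return None
    try:
        return date.fromisoformat(m.group(1))
    except ValueError:
        return None


def check_canary(report: str, today: date, max_age_days: int = 90) -> CanaryStatus:
    """Classify one published report as seen on `today`.

    Silence is the signal: anything other than a fresh, parseable report that
    still carries the zero-request sentence is treated as an alarm, never as
    "probably fine".
    """
    published = parse_canary_date(report)
    if published is None:
        return CanaryStatus("unparseable", "no valid 'Canary date:' line")
    if published > today:
        return CanaryStatus("unparseable", "canary date lies in the future")
    if ZERO_CLAIM not in report.lower():
        return CanaryStatus("missing", "zero-request statement is gone")
    age = (today - published).days
    if age > max_age_days:
        return CanaryStatus("stale", f"last affirmed {age} days ago (limit {max_age_days})")
    return CanaryStatus("alive", f"affirmed {age} days ago")


def canary_flew(previous: str, current: str, today: date, max_age_days: int = 90) -> bool:
    """True when a report that carried the claim is followed by one that is not alive.

    This is the transition a subscriber alerts on: the provider used to say
    "zero" and now either says nothing, says something else, or has gone quiet.
    """
    had_claim = ZERO_CLAIM in previous.lower()
    return had_claim and check_canary(current, today, max_age_days).state != "alive"


# Constructed sample reports for the example; not real Wickr or vendor text.
REPORT_MARCH = """Transparency Report
Canary date: 2014-03-01
As of the date above, we have never received a national security request.
"""
REPORT_JUNE = """Transparency Report
Canary date: 2014-06-01
As of the date above, we have never received a national security request.
"""
# Same provider, later report: date still present, but the sentence is gone
# and the tone has shifted to banded reporting, i.e. the canary flew the coop.
REPORT_SILENT = """Transparency Report
Canary date: 2014-09-01
We now publish aggregate request counts in bands of 0-999 as permitted.
"""

if __name__ == "__main__":
    for label, rpt, seen in (("June report", REPORT_JUNE, date(2014, 7, 1)),
                             ("March report", REPORT_MARCH, date(2014, 7, 1)),
                             ("September report", REPORT_SILENT, date(2014, 9, 15))):
        s = check_canary(rpt, seen)
        print(f"{label:18} {s.state:12} {s.detail}")
    print("flew the coop:", canary_flew(REPORT_JUNE, REPORT_SILENT, date(2014, 9, 15)))
```

The design choice worth noting is that every failure path (no date, unparseable date, future date, missing sentence, stale date) collapses to a non-alive state, so a monitor that pages on anything but `alive` cannot be lulled by a page that still loads but has quietly dropped the affirmation. In practice the report would also be signature-checked against the provider’s published signing key before this logic runs, so that a tampered copy cannot fake freshness; that step is outside this example.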
Preparing to Recover from Cyber Disruptions of the Grid (Roland Trope at Dartmouth, 21 Nov 2014; 67 minute video) - The North American Bulk Power System ("BPS") is perhaps the most vital of our critical infrastructures. The country’s economy and national security depend on the BPS remaining resilient. BPS owners and operators have learned from experience to prepare for, respond to, and recover from “normal” emergency events (such as hurricanes, earthquakes, tornadoes, ice storms). They are, however, much less prepared to respond to and recover from high impact, low frequency events. Geomagnetic disturbances and kinetic cyberattacks may cause damage so catastrophic that afterwards complete restoration of BPS operations might not be possible. If a successful kinetic cyberattack were to damage heavy equipment such as large power transformers, sufficient replacement units might not be available. Lead times for procuring these units run at least 8 to 14 months. Meanwhile, the BPS would have to operate at a reduced state of reliability and supply. The electricity industry’s capabilities would be stressed far beyond its already robust emergency response capabilities. This “New Normal” would be characterized by “islands” of electrical power, which would be stabilized by load shedding and rolling blackouts. Electricity would have to be rationed to support the highest priority customers. The North American Electric Reliability Corporation (NERC) refers to such occurrences and consequences as “Severe Events.” Knowing that disruption of a national grid can produce extraordinary damage to a country’s economy and social fabric, how might a cyber adversary exploit the vulnerabilities in the BPS to cause a “Severe Event”? How much of the North American grid might remain seriously degraded for months or years thereafter? What preparations are BPS owners and operators making to be ready to mitigate the damage and manage an orderly and efficient recovery?
If commercial companies and critical infrastructure firms are not apprised of the details of such recovery plans, will their own contingency plans leave them ill-prepared to cope with a “Severe Event”?
The Public Performance right after the Aereo decision (MLPB, 3 Dec 2014) - Matthew Sag, Loyola University Chicago School of Law, has published The Uncertain Scope of the Public Performance Right after Aereo. Here is the abstract: The Supreme Court’s recent majority decision in American Broadcasting Companies v. Aereo, Inc. 134 S.Ct. 2498 (2014) holds that a service allowing consumers to watch broadcast television programs over the Internet virtually simultaneously with the original over the air broadcast directly infringes the copyright owner’s exclusive right to ‘perform the copyrighted work publicly.’ The majority overrules the Second Circuit ruling in the same case, and throws into doubt one of the central holdings in the Second Circuit’s Cablevision decision. The majority’s ‘looks like a cable system’ approach makes the public performance right almost incomprehensible. This Article considers a number of questions left open by the Aereo decision relating to specific technologies, including remote DVRs, devices that allow the consumer to pause and rewind live television, and cloud computing generally. It also considers whether the Court’s decision in Aereo portends the use of an effects-based approach to expand other exclusive rights under the Copyright Act in future cases. Finally, this Article concludes with a concise explanation as to why Aereo would not have prevailed under a fair use analysis. Judge Chin’s intuition that Aereo’s design was a mere ‘Rube Goldberg-like contrivance, over-engineered in an attempt to avoid the reach of the Copyright Act,’ was spot on; however this technological contrivance should not have been the foundation for the Supreme Court’s legal contrivance.
The Twitter account that unravels time (The Atlantic, 5 Dec 2014) - In the same way that dissecting a joke can render it unfunny, fixating too closely on time can stretch the minutes beyond their usefulness. That’s part of what makes the project All The Minutes, and its Twitter incarnation @alltheminutes, so riveting. The bot crawls Twitter and retweets users who refer to the time for every minute of the day. The effect evokes artist Christian Marclay’s stunning collage film, The Clock, a 24-hour loop that mashes up scenes from thousands of movies and television shows to refer to the actual time as the film plays. All The Minutes, according to creator Jonathan Puckey’s explanation on GitHub, was a way to generate one sprawling story of a single day. The project was originally part of an exhibition at the Van Abbemuseum in the Netherlands, he said. “It’s interesting to us that these days people choose to speak about exact minutes in relation to their lives,” Puckey told me. “Almost as if they could be doing something different every minute. As if every minute counts.” You can read the tweets in essay form here. More Marclay-esque is this spinoff website that lets you watch a carousel of @alltheminutes tweets in real time based on your time zone. But on Twitter, @alltheminutes warps the real-time experience. Partly because the experience of reading tweets often means you encounter them minutes or even hours after they were retweeted, but also because people are tweeting from all over the world in different time zones to begin with. For instance, this morning when it was 7:42 a.m. for me, @alltheminutes retweeted someone from six hours in the future and two years in the past, from 1:42 p.m. on a March day in 2012.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
FDIC offers guidance for using open source software (FDIC, October 2004)—The Federal Deposit Insurance Corp. has released guidance for banks on managing risks associated with the use of free and open source software as part of their overall information technology programs. Although open source software does not pose risks that are fundamentally different from the risks presented by the use of proprietary or self-developed software, the FDIC says, open source software may require banks to establish “unique risk management practices.”
San Francisco sets goal of free citywide wifi (Reuters, 21 Oct 2004)—San Francisco Mayor Gavin Newsom set a goal on Thursday of providing free wireless Internet access in his city, which sees itself as a vanguard of the Internet revolution. “We will not stop until every San Franciscan has access to free wireless Internet service,” he said in his annual state of the city address. “These technologies will connect our residents to the skills and the jobs of the new economy.” “No San Franciscan should be without a computer and a broadband connection.” He said the city had already made free WiFi service available at Union Square, a central shopping and tourist hub, and would add access to several other sections of the city including Civic Center around City Hall.