MIRLN --- 29 Jan - 18 Feb 2017 (v20.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Secure messaging for lawyers

Be careful choosing a VPN

How feds can use encrypted apps - without breaking the law

‘Paranoid’ Republicans flock to app that wipes conversations

House members: EPA officials may be using Signal to “spread their goals covertly”

Some of the New York Times’ best stories aren’t in the Times - they’re on Twitter

NIST’s draft update to cybersecurity framework focuses on third-party vendors and the cost-effectiveness of cybersecurity programs

Some surprises in the new New York cybersecurity regulations

When you’re under cyberattack, silence isn’t golden

Google must turn over foreign-stored emails pursuant to a warrant, court rules

Google figured out how to turn pixelated images into high-res ones

The Met makes 375,000 public domain images available

Your smart TV may have been spying on you

Facebook, Oculus, Zenimax, and nonliteral copying of code

Russia’s apparent meddling in U.S. election is not an act of war, cyber expert says

Someone paid random internet users to lobby for Betsy DeVos’s confirmation

NACD publishes five cybersecurity principles every board director needs to know

Boards focus on cyber-risk regularly, but only 1 in 7 have deep security knowledge

Can you hold copyright in federal law?

Linux pioneer Munich poised to ditch open source and return to Windows

Want to help fight legal battles? There’s a crowdfunding site for that.

A US-born NASA scientist was detained at the border until he unlocked his phone

Diehard coders just rescued NASA’s earth science data

Woman’s insurance canceled over Facebook pictures

Secure messaging for lawyers (Lawyerist.com, 23 Jan 2017) - After you have thought through your threat model and secured your accounts and devices, you are ready to delve into communicating privately and securely with your clients and others. If you guessed this means setting up encrypted email, you are wrong. Love it or hate it, email makes the world go round, and it’s probably the main way you communicate with your clients, opposing counsel, experts, and many other people in your personal and professional life. Let’s take a look at how email works, and gain a better understanding of how private these communications are. * * * [Polley: This is excellent and thorough; I use most of these processes.]


- and -

Be careful choosing a VPN (Lawyerist, 31 Jan 2017) - Using a reputable VPN (virtual private network) to protect yourself when you use public Wi-Fi is basic computer security. It’s either that or stay off of public Wi-Fi entirely and use your phone as a personal hotspot. This is where the security experts point out that there is a third option. Yes, a third option. If you are careful only to use websites and services that are properly configured to use HTTPS/SSL, you should be safe. That includes your email server. If you understand how to do that, feel free. For most regular users (and I put most lawyers in this category), it is safer to rely on a VPN or personal hotspot to protect you when you are connecting to the unencrypted half of the internet. Here is the catch. If you rely on a VPN or personal hotspot, that effectively means sending all your information through one service. Therefore, you have to be able to trust your VPN provider. And, this should go without saying: not all VPN providers are trustworthy. In fact, a lot of VPN providers contain viruses and malware. So how do you know which VPN you can trust? For starters, avoid free VPN providers. There are notable exceptions like rolling your own OpenVPN install, but that’s for advanced users only. In general, free VPNs aren’t really free. They make money by inserting one thing or another into your information, or else they harvest your information. Neither is good if security, privacy, and confidentiality are part of your reason for using a VPN in the first place. * * * [Polley: I use Cloak, VPNsecure, Private Internet Access, and Opera-Developer. See also Beware: Most mobile VPNs aren’t as safe as they seem (Wired, 8 Feb 2017)]


- and -

How feds can use encrypted apps - without breaking the law (NextGov, 3 Feb 2017) - “Download Signal,” a career federal employee and longtime source for information told me last month. “We can talk on that. It’s not a good time right now. A lot of us are nervous.” I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters. The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware of the sometimes murky legal ground they’re entering that puts their devices and privacy at risk. Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation. * * * Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation. “The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not,” Howard told Nextgov. Federal guidance released by the National Archives Records Administration in July 2015 updated the government’s policies regarding newer forms of communications such as Google Chat and Slack. The guidance states “agencies must capture and manage these records in compliance with federal records management laws, regulations and policies.” Further, it doesn’t matter whether employees are using official government-issued devices or their own.
NARA’s guidance covers all federal employees, contractors, volunteers and external experts “when they conduct agency business using personal electronic messaging accounts or devices,” whether agencies formally allow employees to use personal accounts or devices to conduct government business. Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.


- and -

‘Paranoid’ Republicans flock to app that wipes conversations (Naked Security, 13 Feb 2017) - A little-known messaging app that automatically erases all conversations has reportedly taken off among “paranoid” US politicians, including members of the Trump administration. The claim emerged from news gossip site Axios, which quoted an unnamed Republican who explained the simple appeal of Confide, an app for professionals launched three years ago by a New York-based startup of the same name: “For folks that are on the inside in this city, it provides some cover.” Lending credibility to the story is a 2015 report that Australian prime minister Malcolm Turnbull has taken to using the same app. Confide uses a proprietary version of the end-to-end encryption used by bigger rivals such as Signal, Telegram, WhatsApp, Facebook Messenger, as well as a growing list of others. Why might politicos be drawn to Confide rather than better-known names? One attraction is the app’s promise that everything sent between contacts will “disappear without a trace when you’re done,” an off-the-record mode of communication that fits the low-trust zeitgeist. Other apps such as Snapchat have similar features, but struggle to stop bypasses such as taking screenshots. Confide counters this by hiding messages until the receiver moves or “wands” their finger or cursor over each line of text. After messages are read once, they disappear, or after 10 minutes if they aren’t, and messages can’t be forwarded or saved. Perhaps its biggest draw could simply be that Confide has reached a critical threshold of users in this unusual community: the more DC insiders who use it, the more who want to use it. There should be sectors where “disappearing” messaging and email won’t work, such as the financial sector and government, because of the need for an audit trail.
And yet, despite the recent Clinton email server fracas, there are no fixed rules that government officials and politicians can’t communicate privately, as long as they use official servers for the day job.


- and -

House members: EPA officials may be using Signal to “spread their goals covertly” (ArsTechnica, 15 Feb 2017) - Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency’s Office of the Inspector General, expressing concern that “approximately a dozen career EPA officials” are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act. The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA. “Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements,” they concluded.


Some of the New York Times’ best stories aren’t in the Times - they’re on Twitter (ReCode, 26 Jan 2017) - New York Times reporter Maggie Haberman had a great story yesterday: On Saturday, Donald Trump, operating on less than four hours’ sleep, flew into a rage because of a National Park tweet that a fellow Times reporter had retweeted. Trump’s anger led to White House press secretary Sean Spicer’s preposterous crowd size statement. “Trump’s worst impulse control is when he’s tired or overstretched, or in an uncertain situation. All three took place Saturday,” Haberman wrote, and followed that up with insight into Trumpland’s inner circle. It’s must-read stuff. But you couldn’t read it in the New York Times on Wednesday. Instead, Haberman published it as a 9-part tweetstorm. Here’s the opener: * * *


NIST’s draft update to cybersecurity framework focuses on third-party vendors and the cost-effectiveness of cybersecurity programs (Nat’l Law Review, 1 Feb 2017) - On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released a proposed update to its popular cybersecurity blueprint for organizations and businesses, known as the Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). The updated Framework, titled “Draft Version 1.1,” includes, among other things, new provisions for assessing the cybersecurity risk posed by third-party vendors and the addition of a new section on measuring the cost effectiveness of cybersecurity programs. The proposed changes are NIST’s first attempt to update the Framework since it was issued in February 2014 pursuant to President Obama’s February 2013 Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” Based on feedback from users, responses to its official request for information, and workshop comments, NIST has identified certain areas of the Framework that needed refining, clarification, or enhancement. Draft Version 1.1 is the result of that effort.


Some surprises in the new New York cybersecurity regulations (Veracode, 2 Feb 2017) - In the US, there exist no meaningful national cybersecurity rules, but, as a practical matter, that is likely to change this year. But it’s not coming from Congress. The catalyst is new rules slated to start in March from the New York State Department of Financial Services. In financial areas, that New York department is typically mimicked by a wide range of other state regulators, along with federal regulators. Hence, de facto national rules. The rules themselves (you can peruse the full guidelines here) are not especially controversial, primarily being security best practices. The rules insist on regular penetration testing and vulnerability assessments. They also establish strict encryption guidelines and require written access-control policies. Notably, however, the way they approach application security is somewhat novel, and the regulations do contain some language that might cause confusion. * * *


- and -

When you’re under cyberattack, silence isn’t golden (American Banker, 3 Feb 2017) - With cyberattacks growing in complexity and size, the last thing a financial institution needs is to be its own enemy. Yet, in my capacity helping large banks deal with information security risk, I have observed financial institution leaders make decisions that exposed their organization to greater cyber risk. I have also seen breached institutions make errors that could further harm the company and its brand. Critical mistakes made following an attack will not only hurt a bank’s reputation in the eyes of its customers, but could also breed disillusionment with employees and impair their trust in an organization’s leaders. Here are four principles to avoid making an already dangerous threat environment worse. * * *


Google must turn over foreign-stored emails pursuant to a warrant, court rules (Orin Kerr, 3 Feb 2017) - A federal magistrate judge handed down an opinion this afternoon, In re Search Warrant No. 16-960-M-01 to Google, ordering Google to comply with a search warrant to produce foreign-stored emails. The magistrate judge disagrees with the U.S. Court of Appeals for the 2nd Circuit’s Microsoft Ireland warrant case, recently denied rehearing by an evenly divided court. Although the new decision is only a single opinion by a single magistrate judge, the decision shows that the Justice Department is asking judges outside the Second Circuit to reject the Second Circuit’s ruling - and that at least one judge has agreed. [see also Court denies U.S. government appeal in Microsoft overseas email case (Computerworld, 24 Jan 2017)]


Google figured out how to turn pixelated images into high-res ones (Mashable, 7 Feb 2017) - You see it all the time in movies and TV shows: A security camera records footage of an intruder, but the image is too blurry or pixelated to make out who it is. Some nerdy-looking “hacker” then clacks at his keyboard and—boom—seconds later, pixelated image turns into a crisp one revealing the person’s face in glorious detail. “Oh, come on!” we all say while rolling our eyes. Well, you might have to break that habit because Google has figured out a way to turn movie magic into reality (sort of). According to ArsTechnica, researchers at Google’s deep learning research project, Google Brain, have created software that attempts to “sharpen” images made up of 8 x 8 pixels. Of course, Google Brain’s software can’t actually enhance the original block of pixels. Instead, what it’s doing is using machine learning to try to guess what the original image might be if it had been downsized to 64 pixels. [Polley: like a reverse hash look-up?]


- and -

The Met makes 375,000 public domain images available (Fortune, 7 Feb 2017) - The Metropolitan Museum of Art announced Tuesday that more than 375,000 of the Museum’s “public-domain artworks” are now available for unrestricted use. “We have been working toward the goal of sharing our images with the public for a number of years,” said Thomas P. Campbell, director and CEO of the Met, in a statement. “Our comprehensive and diverse museum collection spans 5,000 years of world culture and our core mission is to be open and accessible for all who wish to study and enjoy the works of art in our care.” The image collection covers photographs, paintings, and sculptures, among other works. Images now available for both scholarly and commercial purposes include Emanuel Leutze’s famous painting Washington Crossing the Delaware; photographs by Walker Evans, Alfred Stieglitz, and Dorothea Lange; and even some Vincent van Gogh paintings. The Met has teamed up with Creative Commons, Wikimedia, Artstor, Digital Public Library of America, Art Resource, and Pinterest to host and maximize the reach of their enormous collection. There is also a public GitHub repository of the images.


Your smart TV may have been spying on you (Mashable, 7 Feb 2017) - Electronics company Vizio doesn’t want its customers to believe it ran a giant spying operation, but the company’s surrender to a recent lawsuit suggests otherwise. Vizio agreed to pay $2.2 million on Monday to settle a lawsuit brought against them by the New Jersey government and the Federal Trade Commission. In doing so, they agreed to stop fighting the charge that the company “installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent.” Vizio and “an affiliated company” built their smart TVs to spy on whatever their customers were watching, starting in February 2014, according to the complaint filed. They did this with a pixel-reading technology that matched pixels on customer TVs to pixels of whatever show was in their database - live shows, shows recorded for future watching, movies, whatever. By taking this data and matching it to data about their customers, the complaint alleges that Vizio took information about customers’ “sex, age, income, marital status, household size, education level” and more of those who watched particular shows, and sold that information to advertisers. That type of demographic information is incredibly valuable to advertisers. Advertisers already know the demographic they’re after. This information tells them when their potential customers will be relaxed, sitting on a couch, and ready to be pitched on a product. Vizio still contends that its “program never paired viewing data with personally identifiable information such as name or contact information, and the commission did not allege or contend otherwise.”


Facebook, Oculus, Zenimax, and nonliteral copying of code (IPWatchdog, 7 Feb 2017) - Just last week, Facebook was spanked with a $500 million court judgement for non-literal infringement of software copyright. Even for Facebook, that’s a lot of money. Though less than the $4 billion that plaintiff ZeniMax had been asking for, it’s a large chunk of the $2 billion that Facebook paid for Oculus in 2014. The case was ZeniMax v. Oculus, and the jury decided that Facebook had infringed on the copyright of ZeniMax’s software source code. According to the jury, Oculus co-founder Palmer Luckey and CTO John Carmack violated a nondisclosure agreement (NDA) with ZeniMax when they all had worked together to develop the Oculus Rift, the virtual reality headset that caught the attention of Facebook. I’ve been seeing some articles about the case from software engineers who are confused about the verdict, especially a Facebook rant by John Carmack. My consulting company specializes in software copyright infringement, my software company has created tools and procedures for determining whether software copyright occurred, and I wrote the primary textbook in the field of software forensics. In fact, I was the expert for Facebook in the famous case made into the movie The Social Network. I was able to show that Mark Zuckerberg didn’t copy Facebook code from the Winklevoss twins at Harvard. My consulting company wasn’t involved in this new case, so I cannot speak to the behind-the-scenes details, but I do think it’s important to understand nonliteral copyright infringement in case you’re thinking of taking some of your employer’s code with you to your next company. * * *


Russia’s apparent meddling in U.S. election is not an act of war, cyber expert says (WaPo, 7 Feb 2017) - Russia’s hacks of the Democratic National Committee and its election meddling were alarming, but not an act of war, said a leading scholar of international law in cyber operations. “I’m no friend of the Russians,” said Michael Schmitt, chairman of the U.S. Naval War College’s International Law Department and director of a project that analyzes how international law applies to cyber operations - especially in peacetime. But Moscow’s hacking and dumping of Democratic emails to WikiLeaks “is not an initiation of armed conflict. It’s not a violation of the U.N. Charter’s prohibition on the use of force. It’s not a situation that would allow the U.S. to respond in self-defense militarily.” Schmitt spoke in an interview with The Washington Post coinciding with the release of the Tallinn Manual 2.0, an updated reference for lawyers around the world on how international law applies to cyberspace. Schmitt, who is also a law professor at the University of Exeter in Britain, led the legal team that compiled the manual. Sen. John McCain (R-Ariz.), the chairman of the Armed Services Committee, has said he believes Russia’s interference in the 2016 presidential election amounted to an act of war. Nonetheless, Schmitt said, Russia’s apparent attempt to influence the outcome of the election by its release of emails through WikiLeaks probably violates the international law barring intervention in a state’s internal affairs. And that would give the United States grounds to undertake “countermeasures” that would otherwise be unlawful, he said.


- and -

Someone paid random internet users to lobby for Betsy DeVos’s confirmation (Vox, 7 Feb 2017) - Someone out there really wants President Donald Trump’s polarizing nominee for secretary of education, Betsy DeVos, to get the job - so much so that they’ve been paying random internet users to write notes supporting her contentious confirmation. Users on paid task sites like InstaGC and Swagbucks, which reward users for shopping at certain websites or completing small tasks and surveys online, as well as ‘freemium’-based mobile fashion game Covet Fashion, have been reporting a task that links to SupportDeVos.com. The website contains a contact form to get in touch with members of Congress - but only to send notes of support for DeVos’s confirmation. Users who fill out and send the support form earn points or actual cash, but there is no option to send a note of dissent. Spokespersons for InstaGC as well as the company that runs Covet Fashion each confirmed that the ads recently appeared on their sites and have since been removed. The ads attempted to convince users they were paid for by the American Federation for Children, an organization funded and previously chaired by DeVos. But they weren’t. Spokespersons for DeVos and AFC confirmed to Vox that neither she nor the AFC had purchased the ads. Spokespersons for InstaGC and Covet Fashion each confirmed to Vox that the ads were paid for by advertisers using third-party vendors.


NACD publishes five cybersecurity principles every board director needs to know (Security Intelligence, 8 Feb 2017) - In January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its “Director’s Handbook on Cyber-Risk Oversight.” In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations. The 2017 edition improves on the 2014 version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats. It also includes several appendices that both chief information security officers (CISOs) and directors will find useful when preparing for mergers and acquisitions (M&A). The appendices also contain information about metrics and dashboards, and the relationship between boards and CISOs. * * *


- and -

Boards focus on cyber-risk regularly, but only 1 in 7 have deep security knowledge (Bitdefender, 13 Feb 2017) - Nearly 90 percent of directors at public companies say their board discusses cyber-risk regularly, yet only 14 percent of boards have in-depth knowledge of cyber-risks, according to a survey by the National Association of Corporate Directors (NACD), cited by Internal Auditor. Almost 60 percent of respondents reported that they find it challenging to oversee cyber risk. For 51 percent of publicly listed companies, cyber-risk oversight falls on the audit committee, but 96 percent of directors surveyed say the full board takes on the big picture risks that could impact their company’s strategic direction. The most common board cyber-risk oversight practices are reviewing the company’s approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent). In case of a breach, NACD recommends directors and management focus on the following areas of concern: * * *


Can you hold copyright in federal law? (Volokh Conspiracy, David Post, 8 Feb 2017) - The U.S. District Court for the District of Columbia decided last week (Am. Soc. for Testing Materials v. Public.Resource.org) that standards-setting organizations whose work product is “incorporated by reference” into federal law do not lose copyright protection for their works (and can, therefore, prohibit others from copying or distributing their standards, or charge for access to them). Standards, the court observed, “are typically developed by standards developing organizations (“SDOs”), like Plaintiffs, who work to develop ‘voluntary consensus standards,’” such as the ones at issue in the case. One of the plaintiffs (ASTM), for instance, has “developed over 12,000 standards that are used in a wide range of fields, including consumer products, iron and steel products, rubber, paints, plastics, textiles, medical services and devices, electronics, construction, energy, water, and petroleum products, and are the combined efforts of over 23,000 technical members, representing producers, users, consumers, government, and academia.” Pursuant to 5 U.S.C. § 552, federal agencies may incorporate such voluntary consensus standards - as well as, for example, state regulations, government-authored documents, and product service manuals - into federal regulations by reference. Applicable regulations provide that a “publication is eligible for incorporation by reference” if it is “published data, criteria, standards, specifications, techniques, illustrations, or similar material,” and it must be “reasonably available to the class of persons affected thereby” before it can be deemed to have been incorporated into the law. * * * Unfortunately, I think Judge Chutkan got the copyright analysis correct on this one; there is simply no provision in the Copyright Act that can be read to strip protection for works that become, after their creation, incorporated into the law.
It is a very unfortunate state of affairs. Almost 10 years ago, in response to a similar copyright claim (by the state of Oregon, no less) asserting copyright in the text of its laws, I wrote that “it is completely outrageous that in 2008 [!!] we do not have a complete and authoritative compendium of all of the laws of the 50 States, and the federal government, available at no cost on the Internet.” It was true then, and it is true now; the idea that one has to purchase a copy of relevant regulatory requirements that you are required, by law, to comply with is outrageous - and the fact that one can consult a hard copy of the regulations at the Office of the Federal Register in Washington does not make it less so. But I have to say that Chutkan is probably correct that this is something that Congress, and not the courts, should deal with. [see also Federal court basically says it’s okay to copyright parts of our laws (TechDirt, 3 Feb 2017)]


Linux pioneer Munich poised to ditch open source and return to Windows (TechRepublic, 10 Feb 2017) - Politicians at open-source champion Munich will next week vote on whether to abandon Linux and return to Windows by 2021. The city authority, which made headlines for ditching Windows, will discuss proposals to replace the Linux-based OS used across the council with a Windows 10-based client. If the city leaders back the proposition it would be a notable U-turn by the council, which spent years migrating about 15,000 staff from Windows to LiMux, a custom version of the Ubuntu desktop OS, and only completed the move in 2013. * * * At the time Munich began the move to LiMux in 2004 it was one of the largest organizations to reject Windows, and Microsoft took the city’s leaving so seriously that then CEO Steve Ballmer flew to Munich to meet the mayor. More recently, Microsoft last year moved its German company headquarters to Munich. [Polley: Munich’s experiment dates back to 2004, when these stories were running: Indian president calls for open source in defense (CNET, 7 July 2004); France lends support to new open-source license (InfoWorld, 9 July 2004)]


Want to help fight legal battles? There’s a crowdfunding site for that. (WaPo, 11 Feb 2017) - When online crowdfunding sites like Kickstarter and GoFundMe debuted, people hoping to invent and sell a better bottle opener, those in need of help with medical bills and all sorts of personal would-be fundraisers talked about the concept in grand, world-changing ways. This, they said, was a disruptive, potentially transformative financial development. A new website aims to mash up that kind of popular Internet fundraising with legal work, hoping to turn legal cases into publicly funded - and backed - social causes. CrowdJustice.org went live with its first U.S. fundraising appeals in recent weeks with a tagline meant to promote equal access to the courts, regardless of one’s economic standing: “The law should be available to everyone.” The site’s founder, a British transplant, says CrowdJustice is a politically neutral portal where people and organizations pursuing litigation can solicit and win public help with the costs. So far, CrowdJustice has helped fund an assortment of cases, including a lawsuit fighting a multistory car park in Berkhamsted, England, and one trying to quash Brexit. But, just weeks after the site opened to U.S. causes, CrowdJustice, or at least its marketing plan, appears to set it on a collision course with one of the Trump administration’s signature policies: the travel ban. * * * [Polley: NOTE TO READERS - Amazon Prime members now have unlimited access to Washington Post online; free for the first six months, and $4/month thereafter. So, I’m adding MIRLN links to WaPo articles even though they’re possibly behind a paywall; only WaPo and the New York Times are so-treated here. Sorry WSJ.]


A US-born NASA scientist was detained at the border until he unlocked his phone (The Verge, 12 Feb 2017) - Two weeks ago, Sidd Bikkannavar flew back into the United States after spending a few weeks abroad in South America. An employee of NASA’s Jet Propulsion Laboratory (JPL), Bikkannavar had been on a personal trip, pursuing his hobby of racing solar-powered cars. He had recently joined a Chilean team, and spent the last weeks of January at a race in Patagonia. Bikkannavar is a seasoned international traveller - but his return home to the US this time around was anything but routine. Bikkannavar left for South America on January 15th, under the Obama Administration. He flew back from Santiago, Chile to the George Bush Intercontinental Airport in Houston, Texas on Monday, January 30th, just over a week into the Trump Administration. Bikkannavar says he was detained by US Customs and Border Patrol and pressured to give the CBP agents his phone and access PIN. Since the phone was issued by NASA, it may have contained sensitive material that wasn’t supposed to be shared. Bikkannavar’s phone was returned to him after it was searched by CBP, but he doesn’t know exactly what information officials might have taken from the device. [Polley: see also The Danger of U.S. Customs Searches for Returning Lawyers (ABA’s GP/Solo magazine, May/June 2013); and How to legally cross a US (or other) border without surrendering your data and passwords (Cory Doctorow on BoingBoing, 12 Feb 2017); and Can federal agents detain citizens at border checkpoints until they disclose their smartphone passcodes? (Orin Kerr, 13 Feb 2017). This is a fraught issue for lawyers; if you’ve heard of any lawyers having related problems, please email me; or, use Signal to my cellphone or Wickr to vpolley]

Diehard coders just rescued NASA’s earth science data (Wired, 13 Feb 2017) - On Saturday morning, the white stone buildings on UC Berkeley’s campus radiated with unfiltered sunshine. The sky was blue, the campanile was chiming. But instead of enjoying the beautiful day, 200 adults had willingly sardined themselves into a fluorescent-lit room in the bowels of Doe Library to rescue federal climate data. Like similar groups across the country, in more than 20 cities, they believe that the Trump administration might want to disappear this data down a memory hole. So these hackers, scientists, and students are collecting it to save outside government servers. But now they’re going even further. Groups like DataRefuge and the Environmental Data and Governance Initiative, which organized the Berkeley hackathon to collect data from NASA’s earth sciences programs and the Department of Energy, are doing more than archiving. Diehard coders are building robust systems to monitor ongoing changes to government websites. And they’re keeping track of what’s been removed, to learn exactly when the pruning began. * * *

Woman’s insurance canceled over Facebook pictures (Chicago ABC, 14 Feb 2017) - Do you put pictures of your kids, pets, or adventures on social media? If you do, be careful, as you never know who is watching. Melina Efthimiadis, along with her husband, wanted to add personal umbrella liability insurance to their Nationwide homeowner’s policy. She says they have been low-risk clients, so she didn’t think it would be a problem. In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, which are Shih Tzu/Yorkie, a Hound and a Hound/Lab mix. Melina says they waited for approval, but instead got a cancellation letter from Nationwide. She says the reason, “We were being cancelled because we had an ineligible dog breed that we failed to disclose.” Nationwide claimed Melina had a potentially dangerous Rottweiler mix, a breed Nationwide considers ineligible. Melina says she was told by Nationwide how they made that decision. “They sent us the pictures that they had taken off of my Facebook page of my dog Zeus, who is a lab/hound mix.” Melina called Nationwide to tell them they were wrong about Zeus’ breed. “They said that I would have to have a letter written by my veterinarian,” she said. That’s not a problem for Melina, as she actually is a veterinarian. “Really, this is not something that can be proven just by looking at pictures,” she added. After confirming Zeus was not an ineligible breed, Nationwide rescinded the cancellation.

RESOURCES

The Right Tools: Europe’s Intermediary Liability Laws and the 2016 General Data Protection Regulation (Daphne Keller, Stanford Law School; SSRN; 8 Feb 2017) - Abstract: The so-called “Right to Be Forgotten” established by the Court of Justice of the European Union in 2014 is about to change. The EU’s General Data Protection Regulation, which goes into effect in 2018, introduces new notice-and-takedown rules for online information targeted by “Right to Be Forgotten” erasure requests. The new rules are ripe for abuse. They give private Internet platforms powerful incentives to remove user-generated content - whether or not that content, or the intermediaries’ processing of the content, violates any law. This threat to online expression and information could be reduced through procedural checks and balances in the OSPs’ removal operations and before regulators and courts. This article details the problematic GDPR provisions, examines the convergence of European Data Protection and Intermediary Liability Law, and proposes ways that the EU’s own Intermediary Liability laws can restore balanced protections for privacy and information rights under the new law.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Under-The-Rug Oversight (New York Times Editorial, 29 Dec 2006)—The wondrously named Privacy and Civil Liberties Oversight Board held its first public hearing the other day on the National Security Agency’s illegal eavesdropping program. If you expected it to discover any truths about the secret program, you can forget it. The board spent its time explaining why it was more important to work from within the administration than to challenge it. Thus wags the tail of a watchdog with neither bark nor bite. The board was created two years ago by the White House and the Republican Congress as a pale substitute for the independent monitor recommended by the Sept. 11 commission. Its members (four Republicans and one lone Democrat) serve at the pleasure of the administration. It has a paltry budget and no subpoena power, and any requests for documents can be vetoed by the attorney general. It’s so low on the totem pole that it didn’t even get a formal briefing on the administration’s eavesdropping on American citizens until October - almost a year after the warrantless surveillance program had been uncloaked for the nation by the news media. Hardly complaining, the oversight panel offered a parody of a hearing that laid bare its own toothlessness. Members studiously ducked the question of whether they condoned President Bush’s concoction of an inherent power to eavesdrop beyond court oversight. One spoke of the priority to “provide advice confidentially” to the White House, another even more vaguely of the “conservative tradition of checks and balances.” A frustrated witness informed the board it was “all bark and no bite.” But in truth, there’s no bark either. The board’s initial report to Congress in March will first be vetted by administration factotums. Right now, the panel is best suited to polishing up the handles on the White House doors. But its members make the point that the board is no more than Congress created it to be. 
All the more reason to repair the damage as Americans wonder precisely how many liberties they have already sacrificed. A bill to remake the board as an independent entity with subpoena power and a credible claim to oversight has been submitted by Representatives Carolyn Maloney, Democrat of New York, and Christopher Shays, Republican of Connecticut. It deserves a full and open review - which is more than the American public has been getting from its toothless watchdog.

Online Nordic banking theft stirs talk of Russian hacker (New York Times, 25 Jan 2007)—Word has started spreading in Sweden about the discovery last week of a $1 million online banking theft traced to a Russian hacker who goes by the sobriquet “the Corpse.” The case opens a window into the dark world of Russian programming and underlines risks in online banking. Nordea Bank, the Scandinavian financial services company involved, emphasized that only customers whose computers were not protected by antivirus programs had become victims. The Swedish police said the virus was distributed with spam e-mail and programmed to infiltrate home computers of customers at several European and American banks. Police officers have arrested Swedish nationals and foreigners who withdrew cash from Nordea branches after making online transfers. The Corpse’s identity is unknown to computer virus specialists. The virus in question, a so-called Trojan horse program, surreptitiously logged keystrokes while banking customers entered their passwords. The police identified the program as a variant of the Haxdoor Trojan. The Corpse is thought to be the author of the original Haxdoor program and several iterations, under names including A311 Death and Nuclear Grabber. Those are offered for sale on a Russian Web site at prices ranging from several hundred dollars to several thousand dollars, depending on the version. Thieves using the program in Sweden defrauded 250 customers of Nordea’s online banking service over a period of 15 months. The bank has compensated its clients. The case has drawn new attention to the bizarre world of Russian hacking. Russia’s weak laws and a strong tradition of scientific education have combined to create a flourishing culture of computer hacking, specialists in the programming industry say. The prevalence of pornography and fraud on the Russian Internet has contributed to the country’s image as a digital Wild West of spammers and hackers. 
And foiling Western banking security resonates with Russian programmers, technology specialists say. Russian hackers are driven by “curiosity, greed or the desire to prove they are clever,” said Denis Kalinin, chief executive of Rambler, a successful Russian search engine company. This latest version of the Haxdoor Trojan program was activated when a customer typed the bank’s address into a browser. The rogue software then recorded keystrokes to capture passwords. Later, money was transferred to newly opened accounts and cash was withdrawn at bank branches. The Corpse’s site carries a disclaimer in rough English that the programs are to be used “exclusively in the educational purposes.” Questions mailed to the site were not answered on Wednesday.
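The Haxdoor case above follows a shape that is still the standard cash-out pattern for credential-stealing Trojans: the stolen login is used to push money to a freshly opened account, and an accomplice empties it in cash at a branch within hours. The following is an added illustration, not code from the New York Times article or from Nordea, of how a bank's fraud team might flag that pattern over its own transaction records. The account names, opening dates, transaction records and the thresholds (14-day account age, 48-hour cash-out window, 80% cash-out ratio) are all constructed assumptions for the example.

```python
"""Money-mule detection over constructed bank transaction records (added example).

Heuristic taken from the Nordea case as reported: stolen credentials move
money by online transfer into a newly opened account, and the balance is
withdrawn in cash at a branch shortly afterwards.  Flag destination accounts
that fit that shape.  All data below is constructed; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str            # "transfer" (online) or "cash_withdrawal" (at a branch)
    src: Optional[str]   # paying account; None for a cash withdrawal
    dst: str             # receiving account, or the account debited at the branch
    amount: float


def find_mule_candidates(
    opened: Dict[str, datetime],
    events: List[Event],
    max_account_age: timedelta = timedelta(days=14),
    max_cashout_delay: timedelta = timedelta(hours=48),
    min_cashout_ratio: float = 0.8,
) -> Dict[str, dict]:
    """Return {account: finding} for accounts that look like mule accounts.

    An account is flagged when (1) it received an online transfer while it was
    at most `max_account_age` old, and (2) at least `min_cashout_ratio` of what
    it received in the window was withdrawn in cash within `max_cashout_delay`
    of the first inbound transfer.  Long-standing accounts are ignored, so a
    shop that banks its takings every day is not flagged.
    """
    inbound: Dict[str, List[Event]] = defaultdict(list)
    withdrawals: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "transfer":
            inbound[ev.dst].append(ev)
        elif ev.kind == "cash_withdrawal":
            withdrawals[ev.dst].append(ev)

    findings: Dict[str, dict] = {}
    for acct, received in inbound.items():
        first = received[0]                      # earliest credit (list is time-sorted)
        age_at_first_credit = first.ts - opened[acct]
        if age_at_first_credit > max_account_age:
            continue                             # not the "newly opened" pattern
        window_end = first.ts + max_cashout_delay
        credited = sum(e.amount for e in received if e.ts <= window_end)
        cashed = sum(w.amount for w in withdrawals[acct]
                     if first.ts <= w.ts <= window_end)
        if credited == 0 or cashed / credited < min_cashout_ratio:
            continue                             # money stayed put: not a cash-out
        findings[acct] = {
            "account_age_days": age_at_first_credit.days,
            "sources": sorted({e.src for e in received if e.ts <= window_end}),
            "credited": credited,
            "cashed_out": cashed,
        }
    return findings


# Constructed sample data (hypothetical accounts, not real Nordea records).
OPENED = {
    "victim-1": datetime(2003, 5, 2),
    "victim-2": datetime(2005, 9, 14),
    "mule-1": datetime(2007, 1, 10),      # opened five days before the transfers
    "new-saver": datetime(2007, 1, 12),   # also new, but the money stays put
    "old-shop": datetime(1999, 3, 1),     # old account that cashes out daily
}
EVENTS = [
    Event(datetime(2007, 1, 15, 10, 0), "transfer", "victim-1", "mule-1", 4000.0),
    Event(datetime(2007, 1, 15, 11, 30), "transfer", "victim-2", "mule-1", 3500.0),
    Event(datetime(2007, 1, 15, 14, 0), "cash_withdrawal", None, "mule-1", 7400.0),
    Event(datetime(2007, 1, 20, 9, 0), "transfer", "victim-1", "new-saver", 500.0),
    Event(datetime(2007, 1, 16, 9, 0), "transfer", "victim-2", "old-shop", 1200.0),
    Event(datetime(2007, 1, 16, 12, 0), "cash_withdrawal", None, "old-shop", 1200.0),
]


def demo() -> Dict[str, dict]:
    """Run the heuristic over the constructed sample; only mule-1 should be flagged."""
    return find_mule_candidates(OPENED, EVENTS)


if __name__ == "__main__":
    for acct, finding in demo().items():
        print(acct, finding)
```

Two victims feeding one days-old account that is emptied the same afternoon is the signal worth acting on; the same rule with a stricter ratio or a longer account-age threshold trades false negatives for false positives, which is why the thresholds are parameters rather than constants.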