MIRLN --- 3-23 Jan 2016 (v19.02)

MIRLN --- 3-23 Jan 2016 (v19.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Libraries lend mobile Wi-Fi hot spots to those who need Internet service (NPR, 29 Dec 2015) - The mobile Wi-Fi hot spots let people get Internet service anywhere there’s a cell connection. The library in Spring Hill, Tenn., is joining the likes of big-city libraries in New York and Chicago.

How to survive a software licensing audit (Information Week, 1 Jan 2016) - You’ve received a software licensing audit letter. What do you do now? You can disregard it, which is unwise, or react to it in a number of ways. There are better and worse ways of handling an audit, and if you don’t know the difference, your audit experience may be more costly, time-consuming, and frustrating than it needs to be. Most companies want to do the right thing, but that very desire may drive them to take actions that are not in the best interest of their organizations. Here are a few factors that can help or hurt. * * *

Pentagon grants contractors an extension on hack detection rules (Nextgov, 4 Jan 2016) - The Pentagon has updated data breach rules for defense contractors to allow companies an extra year-and-a-half to comply with one portion. The original regulations, titled “Network Penetration Reporting and Contracting for Cloud Services,” took effect Aug. 26, 2015, and cover more network problems and types of information than past guidelines. After hearing from 85 members of the public at an open meeting on Dec. 14, the Defense Department relaxed the regulations right before New Year’s Eve. This second rule has been issued “to provide immediate relief” from one stipulation that had required vendors to comply with certain standards as soon as they are awarded a contract, Pentagon officials said. “Contractors are at risk of not being able to comply with the terms of contracts that require the handling of covered defense information,” they said in the revision, which was published Dec. 30, 2015, in the Federal Register, the government’s daily journal. At the meeting and in prior written comments, industry members emphasized they need an extension to institute certain National Institute of Standards and Technology security requirements (NIST SP 800-171). Those protections, which include multistep login procedures for systems, would have had to be in place before June 2016. The update moves back the deadline to “as soon as practical” but no later than Dec. 31, 2017. Now, contract awardees, within 30 days of winning work, must notify the department’s chief information officer if any of the required NIST security controls are lacking. Pentagon officials say they believe the heads-up should enable the military to spot difficulties contractors are experiencing with requirements and possibly adjust them.

- and -

The hidden cybersecurity risk for federal contractors (FCW, 12 Jan 2016) - After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when in the hands of its contractors. As a result, contractors are being sent to the front lines of the fight. Already, the Defense Department has imposed requirements to protect “unclassified controlled technical information,” and it recently expanded these obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete its new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards intended for commercial companies. And the General Services Administration stands poised to issue new rules for schedule holders. We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with “all IT security standards.” For example, the second draft request for proposals for GSA’s Alliant 2 subjects contractors to “all ordering activity IT security standards … and government wide laws or regulation applicable to the protection of government wide information security.” How can a contractor certify before it knows what “sensitive data and information” will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for award. Agreement to the condition of providing cyber security that meets all the standards of any “sensitive data and information” could subject a contractor to risks under the False Claims Act.

The FBI’s ‘unprecedented’ hacking campaign targeted over a thousand computers (Motherboard, 5 Jan 2016) - In the summer of 2015, two men from New York were charged with online child pornography crimes. The site the men allegedly visited was a Tor hidden service, which supposedly would protect the identity of its users and server location. What made the case stand out was that the Federal Bureau of Investigation (FBI) had used a hacking tool to identify the IP addresses of the individuals. The case received some media attention, and snippets of information about other, related arrests started to spring up as the year went on. But only now is the true extent of the FBI’s bulk hacking campaign coming to light. In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved. “This kind of operation is simply unprecedented,” Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview. * * * “We’re not talking about searching one or two computers. We’re talking about the government hacking thousands of computers, pursuant to a single warrant,” said Soghoian, the ACLU technologist. * * * “Although the application for the NIT in this case isn’t public, applications for NITs in other cases are,” said Soghoian. “Time and time again, we have seen the Department of Justice is very vague in the application they’re filing. They don’t make it clear to judges what they’re actually seeking to do. They don’t talk about exploiting browser flaws, they don’t use the word ‘hack.’” “And even if judges know what they’re authorizing, there remain serious questions about whether judges can lawfully approve hacking at such scale,” Soghoian added. But Fieman said that the warrant “effectively authorizes an unlimited number of searches, against unidentified targets, anywhere in the world.” Soghoian, meanwhile, warned about what this scale of hacking may signal for the future of policing. “This is a scary new frontier of surveillance, and we should not be heading in this direction without public debate, and without Congress carefully evaluating whether these kind of techniques should be used by law enforcement,” he said.

Why the blockchain, not bitcoin, is what’s fascinating builders (ReadWrite, 6 Jan 2016) - A few years ago, Bitcoin, the distributed digital currency, was the hottest thing to roll through the intersection of finance and technology. It gained significant interest amongst those keen to create a peer-to-peer, cashless currency. But its attempt to enter the mainstream has been marred by reports of thefts, poor marketing, and a general lack of comprehension by the general populace. That’s too bad, because Bitcoin is really just one application of a much broader technology: the distributed ledger known as the blockchain. And fortunately, people are beginning to understand the blockchain as a phenomenon distinct from Bitcoin specifically and digital currency in general. The blockchain’s strength lies in how it decentralizes transactions of all sorts, allowing all kinds of digital assets to be safely and permanently exchanged. It also promises the potential to create records that can’t be erased by attacking some central store of data. Because of these features, the blockchain possesses the potential to increase security and accountability in a range of industries. Here are just a few new ways the blockchain is being used. Some may surprise you. * * *

- and -

A Bitcoin believer’s crisis of faith (NYT, 14 Jan 2016) - Mike Hearn, a British computer programmer, holed up in his two-bedroom apartment in Zurich over several days and nights last week, writing a cri de coeur. Two years ago, Mr. Hearn quit a cushy programming job at Google’s Swiss headquarters to devote himself full time to what was his great passion: the virtual currency Bitcoin. He was one of a handful of developers around the world dedicated to maintaining the basic software that governs both the creation of new Bitcoins and the network on which the financial transactions take place. But a nasty fight has torn apart the small brotherhood of Bitcoin developers and raised questions about the survival of the virtual currency. Mr. Hearn, until recently one of the most prominent leaders of the Bitcoin project, became so disillusioned that in December he sold the few hundred Bitcoins he had left and quietly took a job at a new start-up. The impassioned blog post he was working on last week was an announcement that he was leaving Bitcoin behind entirely: “Bitcoin has gone from being a transparent and open community to one that is dominated by rampant censorship and attacks on bitcoiners by other bitcoiners.” The dispute - which grew out of a question about the number of transactions the Bitcoin network can handle - may sound like something of interest only to the most die-hard techies. But it has exposed fundamental differences about the basic aims of the Bitcoin project, and how online communities should be governed. * * * [Polley: VERY interesting issue, well-reported. Also see Bitcoin has ‘failed,’ says one of its most prominent developers (Business Insider, 15 Jan 2016)]

- and -

FinTech Bits: Bitcoin and terrorist financing (Steptoe, 15 Jan 2016) - Following the attacks in Paris and San Bernardino, polls show that Americans identify terrorism, more than any other issue, as the most important problem facing the US. In this environment, some media outlets have predicted a pending “crackdown” on digital currencies, particularly by European governments, because of the risk that the technology could be used to fund terrorism. But do digital currencies like bitcoin actually pose a unique threat when it comes to funding terrorist networks? Jason Weinstein published a post on Medium earlier this week, “Combating Bitcoin Use by Terrorists?”, that seeks to answer this question. Jason’s post applauds governments and law enforcement for increasing scrutiny on how terrorists communicate and fund their activities. But a singular focus on digital currencies is misplaced. According to a recent report from the UK Treasury, the money laundering risk posed by digital currencies is “low.” Traditional banks, charities, and cash (of course) all pose a greater risk. The public, permanent nature of bitcoin’s distributed ledger actually makes it easier for law enforcement to “follow the money” without the need for a subpoena or cooperation from a foreign government. Law-abiding companies and emerging coalitions like the Blockchain Alliance have a crucial role to play, both by educating law enforcement, the media, and the public and by building the capacity to go after criminals and terrorists who may try to use digital currencies for nefarious purposes.

- and -

Why you should buy back your Bitcoin (Lawfare, 16 Jan 2016) - Last week, we hated on bitcoin. This week we give it some love. This week, Brookings hosted a discussion on Bitcoin and the technology that undergirds the currency, specifically focusing on the promise of the distributed ledger. The panel featured David Wessel, Michael Barr, Brad Peterson, Barry Silbert, and Margaret Liu, on how the blockchain could revolutionize payment flows and reduce the cost of financial transactions, all while securing information and enhancing privacy. They also tackle some of the most pressing policy questions facing the technology, from consumer protection to terrorists’ finances, and how those tensions can be addressed. It’s a relatively positive take on Bitcoin and its future potential and an argument for why you should buy back your Bitcoin if you sold it after last week’s show featuring Lawfare’s Bitcoin skeptic, Nick Weaver.

- and -

Call for papers: Demystifying Blockchain (ESTS Journal; 1 February 2016)

- and -

The technology behind bitcoin is coming to high finance faster than anyone predicted (Business Insider, 20 Jan 2016) - 11 top investment banks have used blockchain technology to do mock trades with each other, signaling a big step towards adopting the technology first developed for bitcoin into mainstream finance. R3, an industry-wide consortium of 42 investment banks looking at the technology, announced in an email that banks “simulated exchanging value, represented by tokenized assets on the distributed ledger without the need for a centralized third party.” In plain English: banks traded toy money and tokens representing shares and commodities with each other over this new, decentralized network that meant they didn’t need to go through a third party settlement or clearing house. The trades were carried out in R3’s lab environment - a safe sandbox for them to experiment in. The 11 banks involved in the proof of concept were: Barclays, BMO Financial Group, Credit Suisse, Commonwealth Bank of Australia, HSBC, Natixis, Royal Bank of Scotland, TD Bank, UBS, UniCredit, and Wells Fargo. R3 says the “transition from vision to execution” represents “a major step forward for the application of distributed ledger technology across the entire industry.”

- and -

Dutch arrest 10 men suspected of using Bitcoin to launder money (Reuters, 20 Jan 2016) - Ten men suspected of using the digital currency Bitcoin to launder up to 20 million euros ($22 million) of criminal money made from online drug deals have been arrested in the Netherlands, Dutch prosecutors said on Wednesday. The men, described as all in their 20s and with Dutch nationality, were arrested on Tuesday in coordinated raids on 15 locations around the country, said spokeswoman Valentine Hoen of the country’s Fiscal Information and Investigation Service.

The world on your phone: Periscope offers a powerful new tool for bar associations (ABA’s Bar Leader, 7 Jan 2016) - Live video streaming with the Twitter-owned Periscope application is one way to bring bar members and others into the audience or behind the scenes at legal education seminars and bar association events.

By effectively turning your smartphone into a satellite news truck, enabling you to broadcast live video that is accessible from anywhere in the world, Periscope and similar social media platforms are augmenting the marketing and audience engagement strategies of organizations of all types and sizes, from Fortune 500 companies to media outlets to local nonprofits. Karen Korr, director of communications and outreach strategy at the San Diego County Bar Association, says Periscope and Meerkat, a similar application, were the focus of a presentation at a recent event the SDCBA organized with the local chapter of the Society of Professional Journalists. The event was designed to bring together lawyers, judges and reporters for learning and networking. * * * But for bar association staff members and others, Periscope also represents a potential new component of a successful marketing strategy. It provides an opportunity to educate those interested in your area of expertise and draw them into your circle. * * * [Polley: there are IP issues associated with unrestricted use of Periscope-like services - e.g., in the performance rights for a CLE program. Bar associations (and others) need to factor this into their embrace of such tools.]

The Internet of Things that talk about you behind your back (Bruce Schneier, 8 Jan 2016) - SilverPush is an Indian startup that’s trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer. Your computerized things are talking about you behind your back, and for the most part you can’t stop them, or even learn what they’re saying. This isn’t new, but it’s getting worse. * * *

Why Amazon’s data centers are hidden in spy country (The Atlantic, 8 Jan 2016) - Once in a while, not quite often enough to be a crisis, but just often enough to be a trope, people in the United States will freak out because a huge number of highly popular websites and services have suddenly gone down. For an interminable period of torture (usually about 1-3 hours, tops) there is no Instagram to browse, no Tinder to swipe, no Github to push to, no Netflix to And Chill. When this happens, it usually means that Amazon Web Services is having a technical problem, most likely in their US-East region. What that actually means is that something is broken in northern Virginia. Of all the places where Amazon operates data centers, northern Virginia is one of the most significant, in part because it’s where AWS first set up shop in 2006. When I contacted AWS to ask specific questions about the data-center region, how they ended up there, and the process of deciding between building data centers from scratch versus leasing existing ones, they declined to comment. Unlike Google and Facebook, AWS doesn’t aggressively brand or call attention to their data centers. They absolutely don’t give tours, and their website offers only rough approximations of the locations of their data centers, which are divided into “regions.” Within a region lie at minimum two “availability zones,” and within the availability zones there are a handful of data centers. I knew I wasn’t going to be able to find the entirety of AWS’ northern Virginia footprint, but I could probably find bits and pieces of it. My itinerary was a slightly haphazard one, based on looking for anything tied to Vadata, Inc., Amazon’s subsidiary company for all things data-center-oriented. Google’s web crawlers don’t particularly care about AWS’ preference of staying below the radar, and searching for Vadata, Inc. sometimes pulls up addresses that probably first appeared on some deeply buried municipal paperwork and were added to Google Maps by a robot. It’s also not too hard to go straight to those original municipal documents with addresses and other cool information, like fines from utility companies and documentation of tax arrangements made specifically for AWS. (Pro tip for the rookie data-center mapper: if you’re looking for the data centers of other major companies, Foursquare check-ins are also a surprisingly rich resource). * * * [Polley: fascinating; good detective story, too.]

OFAC issues cyber-related sanctions regulations (Steptoe, 8 Jan 2016) - On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578. The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015, which authorizes sanctions against persons involved in malicious “cyber-enabled” activities, and are effective immediately.

Yes, PACER stinks … but is it also overcharging its customers? (David Post in WaPo, 9 Jan 2016) - As anyone who has ever used PACER - the “Public Access to Court Electronic Records” system under which you and I and the rest of the public can get access to ostensibly “public” information about cases in the US federal court system - knows quite well, the system is antiquated and inefficient. Registration and login procedures are cumbersome, the interface is dreadful, and searching is truly state-of-the-art, circa 1995, relying, as it does, on an incomprehensible series of indexing conventions. [You can get a taste of this by using the free “training sessions,” available here.] It is also quite expensive to use. The system charges $0.10 per HTML page for all documents retrieved by a search - a charge that would perhaps make sense if this were a photocopying machine, but is pretty outrageous for the display of an electronic file. [There is a cap of $3.00 per document - but insofar as there may be dozens or scores of documents pertaining to any individual case, the charges can mount up …] This is part of a much larger, and much more serious, problem - the absence of a publicly-accessible, searchable repository of authoritative information about the statutes, regulations, judicial opinions, etc. that constitute the law of this country. But that is a story for another day. According to a lawsuit filed a couple of weeks ago in the Western District of Washington, that’s not the only problem. The suit - filed on behalf of a class consisting of “all PACER users who, within the last six years, accessed a U.S. District Court, U.S. Bankruptcy Court, or the U.S. Court of Federal Claims and were charged for at least one docket report in HTML format” - asserts that PACER has been overcharging users for years, by systematically miscalculating the number of pages displayed by any given search. [see also US Courts Administrative Office sued because PACER’s bad math is overcharging users (TechDirt, 8 Jan 2016)]

Investors want AT&T to clarify policies on surveillance requests (OpenMic, 11 Jan 2016) - Citing concern about reports of behavior that appear inconsistent with AT&T’s pledge to protect customer privacy “to the fullest extent possible,” shareholders are asking the company to clarify how it provides information to law enforcement and intelligence agencies “above and beyond what is legally required by court order or other legally mandated process.” The shareholder proposal cites an August 2015 New York Times story which reported that as recently as 2013, AT&T shared 60 million foreign-to-foreign emails a day with the National Security Agency (NSA), on a voluntary basis, not required by court order. The Times article analyzed NSA documents, one of which stated that AT&T’s relationship with the NSA was “a partnership, not a contractual relationship.” The proposal was filed by Arjuna Capital, an investment manager. Arjuna was a co-sponsor of a related 2014 shareholder proposal, which asked AT&T to publish semi-annual transparency reports on government requests for customer information. The proposal was withdrawn after AT&T, like Verizon Communications, agreed to publish transparency reports. “While AT&T must comply with its legal obligations, failure to persuade customers of a genuine and long-term commitment to privacy rights could present AT&T with serious financial, legal and reputational risks,” the proposal states. AT&T is seeking to block a vote on the proposal by shareholders and has filed a request with the Securities and Exchange Commission for a “no-action” letter to allow the company to exclude the proposal from its 2016 proxy statement. Among other arguments, AT&T suggests that “implementing the Proposal would cause AT&T to violate federal laws intended to protect the intelligence-gathering activities of the United States.” [Polley: see related story below in “Looking Back”]

Admissions officers check applicants on social media (InsideHigherEd, 14 Jan 2016) - About 40 percent of admissions officers say they research applicants on social media, according to a survey released Wednesday by Kaplan Test Prep. That’s quadruple the percentage from a 2008 Kaplan survey. At the same time, the survey found that most admissions officers who do check social media don’t use it often—of those who use social media to check on applicants, 89 percent said they did so “rarely.” Some of the reasons people check are potentially positive, such as investigating applicants’ abilities and interests. But Kaplan officials have heard anecdotal reports of “admissions sabotage” in which some people send tips to admissions officers that other applicants have images on Facebook or elsewhere that might give an admissions panel doubt about offering a spot.

Snopes’ field guide to fake news sites and hoax purveyors (Snopes, 14 Jan 2016) - The sharp increase in popularity of social media networks (primarily Facebook) has created a predatory secondary market among online publishers seeking to profitably exploit the large reach of those networks and their huge customer bases by spreading fake news and outlandish rumors. Competition for social media’s large supply of willing eyeballs is fierce, and a number of frequent offenders regularly fabricate salacious and attention-grabbing tales simply to drive traffic (and revenue) to their sites. Facebook has worked at limiting the reach of hoax-purveying sites in their customers’ news feeds, inhibiting (but not eradicating) the spread of fake news stories. Hoaxes and fake news are often little more than annoyances to unsuspecting readers; but sometimes circulating stories negatively affect businesses or localities by spreading false, disruptive claims that are widely believed. So long as social media allows for the rapid spread of information, manipulative entities will seek to cash in on the rapid spread of misinformation. Perhaps the most egregious of the many nonsense peddlers on social media are fake news sites, so here we offer a guide to several of the most frequent (and unapologetic) hoax purveyors cluttering up newsfeeds everywhere. * * *

Could ‘explorable explanations’ help tell a new kind of story? (Columbia Journalism Review, 14 Jan 2016) - Newsrooms have become increasingly focused on interactive journalism and creative graphics as they look for new ways to progress storytelling in the digital age. Now, they’re venturing into more advanced techniques, borrowing from tools commonly used in computer modeling and game development. Take, for example, the “parole simulator,” a collaborative effort from FiveThirtyEight and The Marshall Project, released last year. The two outlets joined forces on a project that explores the fairly dystopian methods of predictive policing. Their piece focused on Pennsylvania, which may become the first state to adopt a sentencing system that would use big data to predict a defendant’s future criminality when assigning prison time. The simulator demonstrates how predictive policing already plays out during parole hearings, and allows readers to adjust parameters and see how outcomes change based on their choices. The parole simulator is unique from much of what is found in interactive journalism in that it uses real-world data to project uncertain outcomes based on reader input. One way to refer to this type of work is through the term “explorable explanations,” coined by former Apple designer Bret Victor to describe a genre and philosophy of the internet that encourages active readership. Nicky Case is both a practitioner and a champion of this philosophy. Case pulls from systems thinking, animation, modeling, game development, computational sociology, and a good dose of nonlinear thinking to create interactive models that float somewhere between journalism and gaming. “I’m a bee,” says Case. “I cross-pollinate fields.” In March, Case will begin a Mozilla-Knight OpenNews fellowship at PBS Frontline, with the intent of creating simple-to-use tools for journalists who want to experiment with explorable explanations. * * *

CFTC proposes cybersecurity testing (Steptoe, 14 Jan 2016) - Last month, the Commodity Futures Trading Commission (CFTC) approved for publication two proposed rules to amend existing regulations addressing cybersecurity. The proposed rules would establish testing requirements for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs), and derivatives clearing organizations (DCOs). In particular, the proposed rules would require DCMs, SEFs, SDRs, and DCOs to conduct five types of cyber testing: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response testing; and (5) enterprise technological risk assessment. The proposed rules also would establish minimum testing frequencies and independent contractor testing requirements for DCOs, SDRs, and covered DCMs (i.e., those whose total annual trading volume is five percent or more of the total annual trading volume of DCMs regulated by the CFTC for the year in question).

Clinic works w/law scholars to argue against copyright in legal codes (Harvard, 15 Jan 2016) - This week, the Harvard Law School Cyberlaw Clinic, on behalf of a group of esteemed law scholars, filed an amicus brief (pdf) in the United States District Court for the District of Columbia in American Society for Testing and Materials (ASTM) v. Public.Resource.org. Amici argue in the brief that model codes incorporated into law are not, and should not be, copyrightable. Several standards developing organizations (SDOs) - including ASTM, the National Fire Protection Association (NFPA), and the American Society of Heating, Refrigerating, and Air Conditioning Engineers (ASHRAE) - filed the lawsuit against Public Resource back in 2013, alleging copyright and trademark infringement. After a lengthy discovery process, the federal District Court in D.C. is currently considering motions for summary judgment from both parties.

Patenting pedagogy? (InsideHigherEd, 15 Jan 2016) - A recent patent application by Khan Academy is raising questions about whether teaching methods can be patented, but patent law experts see the move as an influential player fortifying its position in the market. Ultimately, the U.S. Patent and Trademark Office will have the last say. The online education platform, which primarily focuses on K-12 education and test preparation, in March applied for a patent for “systems and methods for split testing educational videos”—in other words, the method of showing students two different clips and determining which one is more effective at teaching a certain topic. News of the patent application, first reported by Slashdot, was met with confusion from ed-tech analysts over the holidays. Why, they asked, would Khan Academy, a nonprofit whose mission is to “provide a free, world‑class education for anyone, anywhere” patent what effectively amounts to A/B testing in education? How would it affect other online education providers? Most importantly, could it even be patented? Intellectual property and patent law experts, pointing to supporting documents filed with the patent application, said the patent suggests Khan Academy is aware of the growing interest in online and adaptive education. Applying for a patent now, the experts said, could prevent legal issues in the future. * * * In order to actively sue another company for patent infringement unprovoked, Khan Academy would have to violate what is known as an innovator’s patent agreement. Introduced by Twitter in 2012 in an effort to make patents more palatable to developers, the agreement is a contract that ensures a company that holds a patent is unable to use it for “offensive” purposes—suing a company, for example—unless it gets permission from the employee who came up with the idea or invention. In this case, Khan Academy entered into an innovator’s agreement with Matt Faus, a developer. Khan Academy did not respond to a request for comment. A copy of the innovator’s patent agreement can be seen here.

top

This stunning map shows the flow of traffic across the globe using the anonymous network TOR (Business Insider, 18 Jan 2016) - The Tor Project is one of the most important organisations on the internet. It doesn’t have the same mainstream name recognition as Google or Facebook, but its work is arguably equally important - it provides a way to securely and anonymously browse the internet. It maintains the Tor network, a global network of computers that give its users a free and easy way to get online without being tracked. Traffic is routed through a series of relay servers, masking its original location, while the Tor Browser comes with an array of other privacy-centric features. Tor frequently gets bad press because it can help facilitate online drug dealing and other nefarious activities. But it’s also a godsend to activists, dissidents living in authoritarian regimes, journalists - and anyone else who needs to communicate online securely and anonymously. It debuted in 2002 and was based on technology from the US military. How is it used today? Uncharted, a data-visualisation company, has created a map of traffic on the network, Wired reports. By moving the slider, you can see how the traffic flow has changed as the network has grown. Double-click or use the buttons to zoom in for a better look. [Polley: this is very interesting, especially when you move the slider from 2008 to today.]

top

Judge refuses to toss graffiti artist’s suit claiming his mural was used on dress worn by Katy Perry (ABA Journal, 19 Jan 2016) - A federal judge in California has refused to dismiss a lawsuit by a graffiti artist who claims the Moschino apparel brand used his work on a dress worn by pop star Katy Perry at an art gala. U.S. District Judge Stephen Wilson ruled for the graffiti artist known as Rime, whose real name is Joseph Tierney, in a Jan. 13 order (PDF), according to the Hollywood Reporter’s THR, Esq. blog. Tierney’s trademark and copyright infringement suit claims Moschino used portions of Tierney’s Detroit “vandal eyes” wall mural in the dress and used his tag “Rime” in the related clothing collection. Besides the intellectual property claims, the suit alleges negligence and violations of California law regarding unfair competition and appropriation of name and likeness. Moschino and its creative director had sought to dismiss the lawsuit partly on the basis of California’s anti-SLAPP statute, intended to protect defendants from lawsuits based on First Amendment activity.

top

Data breach logs: The new ‘hot’ document (Corporate Counsel, 19 Jan 2016) - Much has been written about Canada’s amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), which (subject to implementing regulations) will require most companies doing business in Canada to notify the national Privacy Commissioner and affected Canadian consumers if the breach of personal data creates “a real risk of significant harm to an individual.” But scant attention has been paid to another provision of this new law that was passed in June 2015: a requirement that companies maintain “a record of every breach of security safeguards involving personal information under its control.” This latter requirement continues to await implementation. Now that elections have taken place in Canada, the new government’s implementing order is expected soon. As U.S. cyber lawyers who counsel clients with operations, employees and customers in Canada, we view this requirement to create a “breach log” as potentially disrupting certain key risk-mitigation practices common among American companies. Understanding to whom this new law applies, how it applies and how vigorously it will be enforced will be critical to developing an internal strategy that addresses compliance requirements while appropriately protecting against creating a discoverable liability “roadmap” for private or government enforcers. A statutorily mandated “breach log” has the potential to be a game changer for U.S. companies. Companies are now experiencing their second or third significant breach (along with dozens of minor incidents), creating a history of cybersecurity performance ripe for examination. Because acquiring information about a company’s breach can be both expensive and time-consuming, regulators and class action plaintiffs are always looking for quick, inexpensive ways to gather that evidence. A breach log may prove to be not only a windfall to them, but also one of the most important documents in any breach. * * *

top

Mettle Fatigue: VW’s single-point-of-failure ethics (IEEE, January 2016; by Roland Trope and Eugene Ressler) - In September 2015, after issuing denials for more than a year, Volkswagen (VW) officials admitted that multiple makes and models of its diesel vehicles contained defeat device software. Defeat device is a US Environmental Protection Agency (EPA) term of art for any technology that causes a vehicle to behave differently in the lab than on the road. On 18 September 2015, the EPA and the California Air Resources Board (CARB) issued notices of violation (NoVs) to VW. The NoVs reveal a succession of dishonest actions. For seven years, from 2009 through 2015, VW personnel installed defeat devices, despite apparently knowing that doing so violated the federal Clean Air Act. And it appears that supervisors knew about and condoned these actions. As VW Chairman Dieter Hans Pötsch recently observed, there was “an attitude in some areas of our company that tolerated breaches of rules ... and I freely admit that is the factor that we all find the most difficult to accept.” * * * In this article, we develop a plausible explanation for how trained VW engineers could have decided to devise corrupt software to cheat emissions control tests rather than design an engine that could pass them. We construct two chronologies: one details the decisions that brought the defeat device software into production, and the other traces VW’s denials to regulators. We draw on facts the chronologies illuminate to explain the dysfunctional practices that appear to account for what happened inside VW. We then discuss serious challenges posed by the use of defeat device software. The first is that VW’s development of defeat devices constitutes a new form of insider cyberthreat: the use of corrupt software for dishonest purposes. The second is the ethical breakdown that occurred and how to prevent its recurrence.

top

NOTED PODCASTS/MOOCS

What’s hot in cybersecurity for law firms? (Ride the Lightning, 5 Jan 2016; 25 mins) - It’s not often that Jim Calloway, my co-host on the Legal Talk Network Digital Edge podcast, and I have a chance to interview my partner John Simek, but when a guest suddenly had to reschedule, we used the opportunity to have John talk about “ What’s Hot in Cybersecurity for Law Firms ?” The answer, of course, is “a lot.” We are seeing more and more law firms scrambling to get security certifications like the International Standards Organization (ISO) 27001 certification. Others self-certify or have third parties certify to compliance with the National Institute of Standards (NIST) small business standards. John offers helpful resources for small firms, talks about the data breaches of 2015, discusses e-mail encryption and the recent Texas ethics opinion, tells lawyers how to protect their networks from ransomware, cites the most common security mistakes in law firms and offers a view into the security world evolving from passwords to multi-factor authentication. If you want a fast run-down of security concerns for law firms in 2016, here it is in 25 minutes.

top

RESOURCES

What Made the Ostrich Lift Its Head? Significant Developments in Cybersecurity (ABA’s The Business Lawyer, by Roland Trope and Lixian Loong Hantover, Winter 2016) - From the introduction: Roland Trope and Lixian Hantover lead off with a review of cybersecurity developments, wondering rhetorically in the title of their piece whether this might be the year when business and government finally begin to take seriously the threats posed by network intrusions. The November 2014 cyberattack against Sony Pictures Entertainment, which resulted in exposure of internal company data and unreleased films, focused public attention on the reality and seriousness of destructive cyberattacks, and offers context for the developments that Trope and Hantover review. They describe an executive order that the attack prompted, calling for the imposition of sanctions against cyberattackers located outside the United States. They also describe the Securities and Exchange Commission’s new regulation, called System Compliance and Integrity, which is aimed at improving the resilience of the U.S. securities markets’ network infrastructure to cyberattacks.

top

Hoofnagle and Meleshinsky on native advertisement and endorsement (MLPB, 13 Jan 2016) - Chris Jay Hoofnagle, School of Information, University of California, Berkeley, and School of Law, Berkeley Center for Law & Technology, and Eduard Meleshinsky, Bryan Schwartz Law, have published Native Advertising and Endorsement: Schema, Source-Based Misleadingness, and Omission of Material Facts in Technology Science #2015121503 (December 15, 2015). Here is the abstract: Native advertising is the new term for “advertorials,” advertisements disguised as editorial content. Modern native advertising started in the 1950s, but its first uses were clearly signaled to the consumer. This paper explains why consumers might be misled by advertorials - even when labeled as such - when advertising material has elements of editorial content. Results summary: We surveyed consumers (N=598) with a realistic, labeled advertorial embedded in a blog. We found that just over one-quarter of respondents (27%) thought that the advertorial was written by a reporter or an editor. We find that labeling - even using a “sponsored content” disclosure - is insufficient to disabuse a significant minority of consumers about the provenance of the advertising material. Our findings are not generalizable, since we targeted the survey to internet users who appeared on marketing lists derived from behavioral tracking. However, our findings are compatible with those of other researchers who suggested that in addition to initial disclosures, elements in the advertorial itself must also signal to the consumer that this may be commercial material. While the advertorial we tested was a story about the potential of abuse of diet pills, the writing made dramatic claims about the effectiveness of named products for weight loss and included a portrait replicated from a real advertisement appearing in a health magazine. We found that merely using a blue background to frame the endorser’s portrait led many respondents to think her to be a medical expert. Traditionally, the appearance of a lab coat or stethoscope has signaled a medical expert endorsement, something subject to greater regulation. Our findings point to consumers using subtle clues about context to associate an endorser with an expert profession. We conclude by discussing regulatory options for the FTC, including a ban on advertorials, enhanced disclosure requirements, and approaches that put the burden on publishers to show that advertorials are not misleading. Highlights: We explain why consumers might be misled by advertorials - even when labeled - when advertising material has elements of editorial content. We surveyed nearly 600 consumers online with an advertorial embedded on a blog site. 27% of consumers thought the advertorial was written by a reporter or editor. 60% of consumers thought the spokesperson was a medical expert with a background image of blue products versus 23% with a white background. We present regulatory options for the FTC, including a ban on advertorials, enhanced disclosure requirements, and putting the burden on publishers to show that advertorials are not misleading.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

AT&T says cooperation with NSA could be legal (CNET, 22 August 2006)—An AT&T executive on Tuesday offered a glimpse into how a company could be required to cooperate with a federal entity such as the National Security Agency. James Cicconi, AT&T’s senior executive vice president for external and legislative affairs, said there are “very specific federal statutes that prescribe means, in black and white law, for provision of information to the government under certain circumstances.” “We have stringently complied with those laws,” Cicconi said. “It’s pretty obvious, you know, as far as the court case is going, that they’ve not reached a different conclusion.” That’s a slightly more detailed explanation than AT&T has publicly offered so far. In February, AT&T declined to answer related questions from CNET News.com. In May, an AT&T spokesman told News.com: “Without commenting on or confirming the existence of the program, we can say that when the government asks for our help in protecting national security, and the request is within the law, we will provide that assistance.” Because Cicconi was AT&T’s general counsel before the merger with SBC Communications, he would have been responsible for reviewing the legality of cooperating with the NSA. A longtime Republican, Cicconi worked as deputy chief of staff to President George H.W. Bush and as an assistant to President Ronald Reagan. He’s recently served as co-chairman of Progress for America, a prominent group devoted to electing Republican politicians. Cicconi’s remarks--in response to a question at the Progress and Freedom Foundation’s annual summit here--seem to indicate that AT&T received formal authorization from the U.S. Department of Justice to authorize the program. The existence of such a letter has never been confirmed. Cicconi may have been referring to an obscure section of federal law, 18 U.S.C. 2511, which permits a telecommunications company to provide “information” and “facilities” to the federal government as long as the attorney general authorizes it. The authorization must come in the form of “certification in writing by...the Attorney General of the United States that no warrant or court order is required by law.” If a letter of certification exists, AT&T could be off the hook in its lawsuits. Federal law says that a “good faith” reliance on a letter of certification “is a complete defense to any civil or criminal” lawsuit, including one brought against the company by the Electronic Frontier Foundation. (Other officials, including the deputy attorney general and state attorneys general, also are authorized to write these letters.)

top

US drops plan to restrict foreign researchers (InfoWeek, 9 June 2006)—The Commerce Department has withdrawn proposed changes to export rules that would have tightened restrictions on foreign researchers working in the U.S. The department’s Bureau of Industry and Security (BIS) said last week it is withdrawing two “deemed” exports proposals that originated with the Defense Department. They would have limited foreign researchers’ access to sensitive U.S. technologies. According to the Commerce Department, “An export of technology or source code (except encryption source code) is ‘deemed’ to take place when it is released to a foreign national within the United States.” The bureau said in a ruling published in the Federal Register that it “determined that the current licensing requirement based upon a foreign national’s country of citizenship or permanent residency is appropriate.” The Pentagon was seeking to tighten restrictions on deemed exports to restrict the flow of technical knowledge to potential enemies. The new restrictions would have, among other things, affected contracts for classified scientific research involving foreign nationals. Universities and research groups vigorously opposed the plan in comments filed with the Commerce Department. BIS said its decision to withdraw the proposals reflected most of the public comments filed in response to a proposed rulemaking.

top