MIRLN --- 21 September – 11 October 2014 (v17.14)

MIRLN --- 21 September - 11 October 2014 (v17.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

PROGRAMS | NEWS | RESOURCES | LOOKING BACK | NOTES

PROGRAMS

Practical technology tools for mediators and dispute resolution professionals (CIJT) - Practical Technology Tools is an experiential course designed to introduce affordable and accessible online dispute resolution (ODR) technology to the practice of alternative dispute resolution (ADR). Instructors Daniel Rainey and Larry Bridgesmith are world-renowned experts and have taught ADR courses for over a combined 30 years. Participants will engage in four real-time lectures and discussions over a five-week period, with forums, wikis, directional study, and instructor guidance. Real-time lectures will take place Wednesday nights at 8pm EDT on October 22 & 29 and November 12 &19, 2014. All live classes are recorded for future viewing. [ Polley : I was on the IBO’s Board of Directors until earlier this year, and highly commend them (and their offerings) to you.]

NEWS

N.Y. court authorizes service of legal documents via Facebook, when the physical address of the recipient is unknown (Eugene Volokh, 19 Sept 2014) - From Noel B. v. Anna Maria A. (N.Y. Fam. Ct. Sept. 12, 2014): The instant decision is with respect to this court’s determination as to substituted service, specifically service via the Facebook social networking service. The Petitioner filed the instant action seeking to modify the order of child support based on the alleged emancipation of the sole subject child. The Petitioner appeared today and stated that he was unable to effect service upon the Respondent. He presented an affidavit dated July 6, 2014, in which the affiant noted that the Respondent was unknown to the occupant of the Respondent’s last known address, who is described as a tenant of one month. The Petitioner then described under oath the other efforts he made to try and locate the Respondent to effectuate service. * * * While this court is not aware of any published decision wherein a New York state court has authorized service of process by means of social media, other jurisdictions have allowed such service. See Whoshere, Inc. v. Orun, 2014 WL 670817 (E.D. Va.), Federal Trade Commission v. PCCare247 Inc., 2013 WL 841037 (S.D.N.Y.). The court notes that in both those matters service via Facebook was directed to be made in connection with other means of service. Pursuant to CPLR § 308(5) the court authorizes substituted service by the following method: the Petitioner is to send a digital copy of the summons and petition to the Respondent via the Facebook account, and follow up with a mailing of those same documents to the previously used last known address. The Respondent can receive communications via social media, whereas her actual physical whereabouts are uncertain. The method detailed here by the court provides the best chance of the Respondent getting actual notice of these proceedings.

N.Y. financial regulator says to focus on cyber security (Reuters, 22 Sept 2014) - New York’s financial regulator said on Monday his agency will focus on cyber security over the next year, saying the possibility of a systemic attack to the financial system is one thing that keeps him awake at night. “It is impossible to take it seriously enough,” said Benjamin Lawsky, superintendent of the Department of Financial Services (DFS) for the state of New York. Cyberterrorism is “the most significant issue DFS will work on in the next year,” he said, speaking at a Bloomberg Markets event at the Museum of Jewish Heritage in lower Manhattan. A report earlier this year by DFS on cyber security in the banking sector found that most institutions surveyed have come under cyber attack at some point in the past three years. The attacks came irrespective of the institutions’ sizes, highlighting how prevalent an issue hacking has become.

- and -

FBI Director: China has hacked every big US company (Business Insider, 6 Oct 2014) - In his first major television interview, the director of the FBI has warned that Chinese hackers have embarked on a widespread campaign of cyberwarfare against the US. Speaking to CBS’ “60 Minutes,” James Comey had the following to say on Chinese hackers: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.”

ISO’s new cloud privacy standard (Covington, 23 Sept 2014) - This summer, the International Organization for Standardization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud - ISO 27018. Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that addresses key processor (and some controller) obligations under EU data protection laws. ISO 27018 builds on existing information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles (e.g., securing offices and facilities, media handling, human resources security, etc.). By contrast, ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud. ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here). More specifically, the standard requires cloud providers to, among other things: * * *

9th Circuit creates problematic “failure to warn” exception to Section 230 immunity (Venkat Balasubramani & Eric Goldman, 23 Sept 2014) - Doe sued Internet Brands, Inc., the owner of Model Mayhem, alleging that two unrelated individuals drugged and assaulted her (and recorded her for a pornographic video). It’s unclear precisely how the assailants used Model Mayhem, but the court merely says that they “used the website to lure [Doe] to a fake audition.” Doe asserted a negligence claim against Internet Brands, alleging that it knew of the specific assailants in question and had a duty to warn her. Specifically, Internet Brands had purchased Model Mayhem in 2008, and later sued the sellers for failing to disclose the potential for civil liability arising from the activities of these same two assailants. A copy of Doe’s complaint, which lays out the chronology, is here: [pdf]. The two individuals were arrested in 2007, Internet Brands bought the site in 2008, and sued the sellers in 2010. By August 2010, Doe claims that Internet Brands had the requisite knowledge. The district court dismissed on the basis of Section 230. See Internet Brands’ motion to dismiss. The Ninth Circuit reverses, concluding that Section 230 does not bar Doe’s duty to warn claim. According to the court, this isn’t a case that’s based on Model Mayhem’s failure to remove content. In fact, the assailants are not even alleged to have posted any content ("The Complaint alleges only that “Jane Doe” was contacted by [the assailants] through ModelMayhem.com using a fake identity."). In contrast to being a case about the removal of third party content, the court says it’s about content (i.e., a warning) that Model Mayhem itself failed to provide.
The court also says that imposing failure to warn liability is consistent with the overall purposes of Section 230, which as set forth in sections (c)(1) and (b) encourages self-regulation of offensive content and seeks to protect the free-flow of information via intermediaries. [I don’t know what the word is for when someone cites to authority that’s the exact opposite of what it is cited for, but this is what happened here.] * * * This is a bombshell ruling and is similar in some ways to Garcia v. Google . Both involve a sympathetic plaintiff and a bad (in this case, horrific) set of facts, but both rulings also totally diverge from established precedent, and both create gaping doctrinal holes. (Here, there were a bunch of cases dealing with the exact same fact pattern that go the other way, e.g., Doe v. MySpace ; Beckman v. Match.com ; Doe II v. MySpace .)

- and, Steptoe’s take on the case -

Ninth Circuit finds CDA not applicable to failure-to-warn claim (Steptoe, 9 Oct 2014) - The U.S. Court of Appeals for the Ninth Circuit has held, in Doe 14 v. Internet Brands, Inc., that a modeling website may be liable for failing to warn users about a rape scheme targeting users of a website owned by Internet Brands, Inc. The plaintiff may now pursue her claim of negligent failure to warn, which the district court had originally ruled was barred by the immunity provision in Section 230 of the Communications Decency Act (CDA), which protects against claims that treat a website as the publisher or speaker of content provided by third parties. The Ninth Circuit held that the plaintiff’s “failure to warn claim had nothing to do with Internet Brands’ efforts, or lack thereof, to edit or remove user generated content,” meaning that Internet Brands cannot claim immunity under the CDA.

The State of Broadband 2014: Broadband for all (Benton Foundation, parsing an ITU report, 23 Sept 2014) - Over 50% of the global population will have Internet access within three years’ time, with mobile broadband over smartphones and tablets now the fastest growing technology in human history. More than 40% of the world’s people are already online, with the number of Internet users rising from 2.3 billion in 2013 to 2.9 billion by the end of this year. Over 2.3 billion people will access mobile broadband by the end of 2014, climbing steeply to a predicted 7.6 billion within the next five years. There are now over three times as many mobile broadband connections as there are conventional fixed broadband subscriptions. The popularity of broadband-enabled social media applications continues to soar, with 1.9 billion people now active on social networks. The Republic of Korea continues to have the world’s highest household broadband penetration at over 98%, up from 97% last year. Monaco now surpasses last year’s champion, Switzerland, as the world leader in fixed broadband penetration, at over 44% of the population. There are now four economies (Monaco, Switzerland, Denmark, Netherlands) where penetration exceeds 40%, up from just one (Switzerland) in 2013. The US ranks 19th globally in terms of number of people online, ahead of other OECD countries like Germany (20th) and Australia (21st), but behind the United Kingdom (12th), Japan (15th) and Canada (16th). The US has slid from 20th to 24th place for fixed broadband subscriptions per capita, just behind Japan but ahead of Macao (China) and Estonia. In total, there are now 77 countries where over 50% of the population is online, up from 70 in 2013. The top ten countries for Internet use are all located in Europe, with Iceland ranked first in the world with 96.5% of people online. The lowest levels of Internet access are mostly found in sub-Saharan Africa, with Internet available to less than 2% of the population in Ethiopia (1.9%), Niger (1.7%), Sierra Leone (1.7%), Guinea (1.6%), Somalia (1.5%), Burundi (1.3%), Eritrea (0.9%) and South Sudan (no data available). The list of the ten least-connected nations also includes Myanmar (1.2%) and Timor Leste (1.1%). [ Polley : the underlying ITU report is here.]

- and -

Akamai: average US broadband speed jumps to 11.4 Mbps (TeleCompetitor, 30 Sept 2014) - The average U.S. broadband speed reached 11.4 Mbps in the second quarter of 2014, according to the latest Akamai State of the Internet report released today. That’s an increase of 8.9% over the first quarter of 2014, which in turn saw a 9% speed increase over the last quarter of 2013. The 11.4 Mbps average broadband speed represented a 39% increase over the same period in 2013. The jump in average connection speed was not high enough to put the U.S. back in the top 10 countries measured by that metric, however. After finding itself in the top 10 for quarter after quarter, the U.S. fell off the top 10 list in the first quarter of 2014.

FBI gags state and local police on capabilities of cellphone spy gear (Washington Post, 23 Sept 2014) - The FBI requires state and local police to keep quiet about the capabilities of a controversial type of surveillance gear that allows law enforcement to eavesdrop on cellphone calls and track individual people based on the signals emitted by their mobile devices, according to a bureau document released recently under a Freedom of Information Act request. The December 2012 document is a heavily redacted letter between the FBI and police in Tacoma, Wash., as the local department sought to acquire an IMSI catcher, sometimes described as a “fake cellphone tower” because it tricks individual phones into routing their calls and other data through the surveillance equipment. The Tacoma police were buying gear produced by Harris Corp., a Florida-based company that makes the StingRay and other IMSI catchers used by law enforcement agencies across the country. The FBI letter, which was not classified but was designated as “law enforcement sensitive,” told the Tacoma police chief that the Federal Communications Commission authorizes the sale of such surveillance equipment to state and local police departments on the condition that they first sign an FBI “non-disclosure agreement.” The FCC last month began investigating reports of illegal use of IMSI catchers by foreign intelligence services and criminals, but has said it does not oversee the use of the surveillance gear by federal government agencies. Last week, the marketers of a device that’s designed to detect IMSI catchers reported finding 18 in the Washington area over two days of searching. The locations, said the marketer of the GSMK CryptoPhone, included areas around the White House, the Capitol, the Russian Embassy and the cluster of defense contractors near Dulles International Airport. The CryptoPhone was not able to determine whether the IMSI catchers were being used by the federal government, local police or some other entity.

- and -

FCC and FBI disagree over NDA requirement for police StingRays (BeaconReader, 8 Oct 2014) - The Federal Communications Commission insists that it does not require police departments to sign a nondisclosure agreement with the FBI before acquiring or deploying cell phone trackers. The FCC’s response contradicts wording found in one such FBI nondisclosure agreement released last month by Tacoma police. The FBI and FCC have both declined to comment on the discrepancy, and the FBI has rejected another FOIA request for a log of agencies that have signed such nondisclosure agreements. * * *

General Motors appoints its first cybersecurity officer (Fortune, 24 Sept 2014) - Cybersecurity has been all over the news for the past few months. Attacks at Target and Home Depot have left customers rattled and wondering if their credit cards and bank accounts are safe from hackers. Some cybersecurity experts even believe that, sooner or later, hackers will be able to harm drivers through the computers that run modern vehicles. Now comes news that General Motors has appointed its first cybersecurity chief, Jeffrey Massimilla, who will be in charge of the efforts to protect the computers that run GM cars. GM says it has established “one integrated organization, Vehicle and Vehicle Services Cybersecurity, to deal with cybersecurity for vehicles and vehicle-connected services. This team will utilize our internal experts and work with outside specialists, to develop and implement protocols and strategies to reduce the risks associated with cybersecurity threats.” Protecting the computers that run inside of cars will become increasingly important as car companies start making more autonomous and semi-autonomous cars.

Build it yourself (InsideHigherEd, 24 Sept 2014) - When Lynn University couldn’t find a suitable gradebook and attendance-tracking application to fit its tablet-first campus, the institution decided to build one itself. Lynn is now two years removed from hosting the third presidential debate between President Obama and former Massachusetts Governor Mitt Romney, an event that prompted a major renovation of the university’s networking infrastructure. Since then, Lynn has gradually replaced textbooks with iPad minis, using content produced by its own faculty members hosted on Apple’s course management platform, iTunes U. The move to a tablet-centric model has not been without its growing pains. This winter, Lynn announced it would drop its learning management system, Blackboard Learn, and replace it with iTunes U—even though that platform doesn’t offer a way to track attendance or grades. While faculty members and students would like to see more customization options in their learning management systems, Apple’s software is defined by the company’s “walled garden” approach—Apple determines how its software should be used, and users sign on to those restrictions. Lynn therefore had to look to other providers. The university considered a number of replacements to plug the hole in its suite of administrative software. It looked at software from Jenzabar, which provides the university’s student information system; Canvas, Instructure’s learning management system; even apps in the K-12 space, such as Edmodo. “We really didn’t find any enterprise-ready solution that would work the way we envisioned it working for us,” said Chris Boniforti, Lynn’s chief information officer. “We decided late in the spring that we ought to just go and try to build this ourselves.”

- and -

USC, Condé Nast and WIRED launch master of integrated design, business and technology degree (USC, 1 Oct 2014) - The University of Southern California, Condé Nast and WIRED announced a partnership on Oct. 1, 2014, to create a new online master’s degree in Integrated Design, Business and Technology. The partnership creates an unprecedented learning experience, combining the expertise of the editors, writers, and designers at WIRED with the academic rigor of USC, a leading research university known for its pioneering interdisciplinary programs. The aim of the 18-24 month degree is to educate creative thinkers and technologists to better equip them to transform the world of industry and enterprise. The first cohort is scheduled to begin in the 2015-2016 academic year.

- and -

Crouching tiger, mobile university (InsideHigherEd, 2 Oct 2014) - The biggest news to come out of EDUCAUSE 2014 was the announcement that the sequel to Crouching Tiger, Hidden Dragon will be simultaneously released on Netflix streaming and in IMAX theaters next summer. Apparently the bricks and mortar legacy movie theater providers have their knickers in a twist about the Netflix plan, with AMC apparently vowing to boycott showing the movie in its 147 IMAX theaters. They can boycott all they want, but the writing is on the wall. The future of entertainment belongs to subscriptions and streaming, which really means the future of entertainment belongs to mobile. On what platforms are Netflix subscribers streaming their videos? In 2013, 23% of streaming occurred on mobile phones, 15% on tablets, 44% on computers, 17% on smart TVs, and 16% on computers connected to a TV. What is remarkable is that Netflix mobile phone streaming jumped from a base of 11% in 2012. By the summer of 2015 what percentage of Crouching Tiger, Hidden Dragon: The Green Legend will be watched on mobile devices? I’m betting over 50%. It seems a safe prediction that by 2020 mobile devices will account for almost all media consumption. Anyone willing to trade a 72 ft by 53 ft IMAX screen for a 4.7 inch iPhone screen to watch Michelle Yeoh will have no problem moving from consuming information from the back of the lecture hall to consuming information on an app. If our classrooms are like movie theaters, then our classrooms are hurtling towards extinction. The future will belong to the small seminar and the competency based credential (consumed on a mobile device no doubt). The place-based but impersonal model of teaching (think big lecture classes) will go away. This form of teaching will be replaced by adaptive mobile learning. Good riddance.

Auto-forwarding email constitutes interception under wiretap act, court finds (Steptoe, 25 Sept 2014) - The U.S. District Court for the Southern District of New York has found that setting up auto-forwarding to receive copies of another person’s incoming emails is a violation of the federal Wiretap Act. In Zaratzian v. Abadir, the court granted the plaintiff’s motion for summary judgment on the issue of whether her ex-husband, Adel Ramsey Abadir, committed an illegal “interception” by auto-forwarding her emails to his account without her permission after their divorce. The court assumed (without deciding) that an interception must be contemporaneous with the transmission of a communication in order to violate the Wiretap Act. But it determined that auto-forwarding an email constituted an interception because copies of the emails were made and forwarded “‘within a second of each message’s arrival and assembly.’”

Alabama trial judge reverses course, vacates restraining order against publishing gas company information (Eugene Volokh, 25 Sept 2014) - From Alabama Gas Corp. v. Advertiser Co. (Ala. Cir. Ct. Sept. 23, 2014): Pending is a Motion to Dissolve Temporary Restraining Order, filed by defendant, The Advertiser Company. In its motion, this defendant argues that the TRO entered on September 12, 2014, constitutes an improper prior restraint contrary to the rights afforded by the First Amendment to the U.S. Constitution and Article 1, § 4 of the Constitution of the State of Alabama. * * * At this stage, the court cannot see such a clear and present danger. In its motion for a temporary restraining order, the plaintiff raised the danger of terrorism and sabotage if data within its Distribution Integrity Management Plan were publicly disclosed. While such possibilities might exist, they now appear to be only vague phantoms. On reflection, the court finds that it too readily focused on such ghosts in entering the Temporary Restraining Order sought by the plaintiff. The plaintiff cites other grounds justifying the entry of the TRO here. It argues that the DIMP is private property not properly subject to public disclosure. While this may be true, it is also uncontested that the plaintiff voluntarily produced the DIMP to the Public Service Commission, thereby ceding unfettered control over its property. [ Polley : The rest of Prof. Volokh’s posting supplies context and analysis.]

PacerPro is a better way to use PACER (Lawyerist, 27 Sept 2014) - PacerPro’s creator, Gavin McGrane, doesn’t have many negative things to say about PACER. Without PACER, he points out, nearly all federal court filings would be effectively inaccessible. Fine, fine. PACER is still a horrible user experience. Today McGrane showed me around PacerPro, his free alternative to PACER’s clunky user interface. PacerPro is still adding courts, and McGrane wants to do much more with search, but even as-is, using PacerPro is light years better than using PACER. You can keep track of all your cases in one place, search multiple courts’ PACER databases from a single search box, get search results that actually give you the information you need, download an entire docket with one click, and much more (here’s the product overview PDF). Even better, PacerPro won’t let users pay for a document more than once. If multiple users are watching the same docket, it will even run a round-robin to evenly distribute the PACER fees.

UK IT suppliers face cyber security requirement (ContractorUK, 29 Sept 2014) - All businesses must from next month meet a cyber security standard if they want to bid for government contracts involving handling information and providing IT services. In fact, ‘Cyber Essentials’ (CE) will be required of suppliers from October 1st on government work that includes the handling of sensitive or personal data and the provision of “technical products or services.” The Cabinet Office adds that early adopters of the IT security certification include smaller firms like Nexor, Tier 3 and Skyscape, as well as larger ones like BAE Systems, Barclays, Vodafone and Hewlett Packard. The latter is already beginning to demand CE from its own supply chain, as HP Public Sector earlier this month said that the standard would become mandatory for all its suppliers, including 600 or so SMEs. Once these firms have the accreditation, it can also be used to show “non-government customers” that they take IT security “seriously,” touted Francis Maude, the Cabinet Office minister. “It’s vital that we take steps to reduce the levels of cyber security risk in our supply chain,” he said, unveiling the two-tier accreditation for would-be government suppliers. “Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber attack.” A new accreditation body, QG, has been set up to help those wanting to get CE, and it joins CREST and the IASME Consortium in appointing firms who certify company applications.

FCC considers banning use of term ‘Redskins’ (The Hill, 30 Sept 2014) - The Federal Communications Commission is mulling whether TV and radio stations should be banned from repeatedly saying the name of the Washington Redskins. Earlier this month, the FCC received a petition to deny renewing the license of Washington sports radio station WWXX-FM because it “deliberately, repeatedly and unnecessarily broadcasts the word ‘R*dskins’ during most of its broadcasting day, and especially in prime time.” The word, which many consider to be an offensive slur against Native Americans, is no different from other racist, homophobic or sexist names, legal activist John F. Banzhaf III argued in his complaint. FCC Chairman Tom Wheeler told reporters on Tuesday that the commission is examining the complaint.

Ponemon Institute releases second annual study on data breach preparedness (Covington, 1 Oct 2014) - The second annual study on data breach preparedness was released by the Ponemon Institute on September 24, and the study indicates that the number of companies that have had a data breach is on the rise. Ponemon Institute conducts independent research on privacy, data protection, and information security policy. For the September 2014 study, Is Your Company Ready for a Big Data Breach?, Ponemon Institute surveyed 567 U.S. executives from organizations ranging in size from less than 500 to more than 75,000 employees about how prepared they think their companies are to respond to a data breach. It appears that for an overwhelming number of the study’s participants, the answer to “Is your company ready for a big data breach?” is, unfortunately, “No.” Here are a few of the study’s key findings: * * *

Can you shoot down a drone on your land? New incident raises self-defense questions (GigaOM, 1 Oct 2014) - After a New Jersey man spotted his neighbor’s camera-equipped drone flying over his house this week, he fetched a shotgun and peppered the drone with holes, knocking it from the sky. Did he have a right to do so? Even though local police arrested the man on unlawful weapons charges, some people will feel he had the right to defend himself against an unlawful robot intrusion. More broadly, the episode highlights an emerging issue as more drones take to the skies: how to balance the rights of drone owners against people’s rights to privacy and self-defense. Under common law traditions, the New Jersey man appeared well within his rights to shoot down the drone. As the famous 17th century jurist Edward Coke explained, “whoever owns the soil, it is theirs up to Heaven” and “the house of an Englishman is to him as his castle” - implying that property owners can use force against invaders. These days, of course, it’s not so cut and dried. The arrival of airplanes meant property rights no longer extend right to the sky, while the so-called “Castle doctrine” typically requires a home owner to fear injury before she can use force. This means you better think twice before blasting away at the Phantom 2 hovering above your lawn. “Generally speaking, tort law frowns on self-help and that includes drones,” says Ryan Calo, a robotics and cyber-law scholar at the University of Washington. “You would probably have to be threatened physically, or another person or maybe your property, for you to be able to destroy someone else’s drone without fear of a counterclaim.” The reason you can’t simply shoot a person (or cow) who steps on your lawn is that the harm would likely outweigh the threat to your privacy and your property. But when using force against a drone, the calculation is different: the drone is likely recording and it may be armed and, unlike other trespassing vehicles, you can’t just tow it away. These are some of the factors that have led Michael Froomkin, a University of Miami law professor, to suggest that people have a greater right to use force against drones and other robotic intruders. “If one is entitled to assume the worst then, in the absence of persuasive notice that the robot is harmless, the victim of robotic trespass frequently will be privileged to employ violent self‐help,” wrote Froomkin, a co-author of a recent paper titled “Self Defense against Robots.” The paper doesn’t claim people have a right to waste anything that flies on their land, of course. But it does suggest that, especially in rural areas, courts may find a privilege to shoot down trespassing drones - a conclusion that would be a logical extension of the Castle doctrine.

The criminal indictment that could finally hit spyware makers hard (Wired, 1 Oct 2014) - The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope. The case involves StealthGenie, a spy app for iPhones, Android phones and BlackBerry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them, but it also could be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online until the government succeeded in temporarily closing the Virginia-based site (pdf) that hosted the stolen data. Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, on Saturday in Los Angeles following his indictment in Virginia on federal wiretapping charges (pdf), which include conspiracy to market and sell a surreptitious interception device. “StealthGenie has little use beyond invading a victim’s privacy,” U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”

JPMorgan Chase hacking affects 76 million households (NYT, 2 Oct 2014) - A cyberattack this summer on JPMorgan Chase compromised the accounts of 76 million households and seven million small businesses, a tally that dwarfs previous estimates by the bank and puts the intrusion among the largest ever. The details of the breach - disclosed in a securities filing on Thursday - emerge at a time when consumer confidence in the digital operations of corporate America has already been shaken. Target, Home Depot and a number of other retailers have sustained major data breaches. Last year, the information of 40 million cardholders and 70 million others was compromised at Target, while an attack at Home Depot in September affected 56 million cards. But unlike retailers, JPMorgan, as the largest bank in the nation, has financial information in its computer systems that goes beyond customers’ credit card details and potentially includes more sensitive data. Until just a few weeks ago, executives at JPMorgan said they believed that only one million accounts were affected, according to several people with knowledge of the attacks. Hackers drilled deep into the bank’s vast computer systems, reaching more than 90 servers, the people with knowledge of the investigation said. As they analyze the contours of the breach, investigators in law enforcement remain puzzled, partly because there is no evidence that the attackers looted any money from customer accounts. By the time the bank’s security team discovered the breach in late July, hackers had already obtained the highest level of administrative privilege to dozens of the bank’s computer servers, according to the people with knowledge of the investigation. It is still unclear how hackers managed to gain such deep access. [ Polley : There are weird reports of strange aspects to this intrusion, and I believe there’s much yet to be learned about what’s happening here. E.g., Hackers’ attack cracked 10 financial firms in major assault (NYT, 3 Oct 2014).]

Cyber coverage experiences growing pains (Claims Journal, 3 Oct 2014) - In light of businesses’ increasing use of information assets and advancing technology, insurers are pulling away from cyber coverage, according to Kevin Kalinich, global practice leader of cyber risk insurance at Aon Risk Solutions. “A big misconception is that these are creating worse exposures or more severe exposures, but they’re creating different exposures,” said Kalinich. He said insurers are reconsidering capacity and the scope of coverage as a result. “The smart insurers are differentiating the insureds now. The smart insurers are taking a look at IT security … who integrates their IT security into an overall risk management strategy that makes it part of the culture of the entity that they might insure,” Kalinich said. “The insurers are taking a strong, second look at each of their insureds now in the cyber insurance market.” While retailers and financial institutions gain significant media attention from data breaches, a recent review by Travelers of its claims data revealed that other industries also are regularly targeted for cyber-attacks, including professional services firms and educational institutions.

iPhone encryption and the return of the crypto wars (Bruce Schneier, 6 Oct 2014) - Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it. From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure. To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into people’s iPhones. In the words of cyberlaw professor Orin Kerr, “How is the public interest served by a policy that only thwarts lawful search warrants?” Ah, but that’s the thing: You can’t build a “back door” that only the good guys can walk through. Encryption protects against cybercriminals, industrial competitors, the Chinese secret police and the FBI. You’re either vulnerable to eavesdropping by any of them, or you’re secure from eavesdropping by all of them. Back-door access built for the good guys is routinely used by the bad guys. In 2005, some unknown group surreptitiously used the lawful-intercept capabilities built into the Greek cell phone system. The same thing happened in Italy in 2006. In 2010, Chinese hackers subverted an intercept system Google had put into Gmail to comply with U.S. government surveillance requests. Back doors in our cell phone system are currently being exploited by the FBI and unknown others.

Does using Gmail put attorney-client privilege at risk? (ABA Journal, 8 Oct 2014) - Imagine that a direct marketer has offered a lawyer free services, such as photocopying, in exchange for being allowed to scan client files for research purposes. Is client consent required? Is this project a good idea, even if clients do consent? The answers to those questions are obvious, and it is nearly as clear that lawyers may be taking a risk by using Gmail and Google Apps for Business, attorney Chris Castle writes in a recent Texas Lawyer (sub. req.) column. Lawyers are arguably required to obtain express client consent to Google’s data harvesting under Texas Disciplinary Rule of Professional Conduct 1.05. It says attorneys cannot use “privileged information of a client for the advantage of the lawyer or of a third person, unless the client consents after consultation,” Castle writes, and Google’s free email and business apps arguably constitute such an advantage for the lawyer. Meanwhile, in order to maintain attorney-client privilege, communications need to be confidential. Does Google’s scanning of email and data harvesting violate this requirement? That question has not been definitively answered, according to Castle, but risk-averse lawyers may want to reconsider relying on Gmail. While other alternatives may be more costly and less convenient, “it seems that the ethical issues surrounding obtaining a client’s consent to Gmail data harvesting may well be more trouble than Gmail is worth,” he writes. [Polley: this is nuts; the comments are worth reading.]

Law firm Shook Hardy achieves ISO 27001 certification (Ride the Lightning, 8 Oct 2014) - Shook Hardy & Bacon recently announced that it had obtained ISO 27001 certification of its information security management system. A globally recognized standard for information security management systems, ISO 27001 certification requires that a company show a systematic and ongoing approach to managing sensitive information. Shook began pursuing certification 18 months ago. To maintain its standing, Shook must undergo annual audits to assess its maintenance of high standards. While the pursuit of ISO 27001 is gaining momentum among law firms, certification itself is not standard across the industry. According to a presentation at the International Legal Technology Association’s LegalSEC conference in June 2014, certification had been achieved by at least 12 large law firms, half of which are based in the United Kingdom. Another 16 U.S. firms were identified as “working toward or investigating certification.” While law firms have not exactly been racing toward certifications, it is clear that clients are beginning to demand evidence that law firms are taking cybersecurity seriously. Watch for more firms to follow suit - it is simply the cost of doing business - as the smarter firms are learning. Clients are more likely to hire and stay with a firm that they trust to safeguard their data.

Harvard Law Review claims copyright over legal citations; now challenged by public domain effort (TechDirt, 8 Oct 2014) - If you’re not a copyright geek, you might not be aware of the copyright saga revolving around the Harvard “Bluebook.” The Bluebook is basically the standard for legal citations in the US. It’s technically owned by an organization that is effectively made up of four top law schools. For a variety of reasons, the idea that citations can be covered by copyright is troubling to a lot of folks, but the Harvard Law Review, in particular, has stood by the copyright in The Bluebook (for which it makes a pretty penny each year). Last year, there was a fight over this, best summed up succinctly by Carl Malamud in this short BoingBoing post. * * * The story has now taken an interesting twist, as Malamud, with the help of NYU law professor Chris Sprigman, has now sent a new letter to Harvard, pointing out that the 10th edition of The Bluebook is actually in the public domain, seeing as someone forgot to renew the copyright. Now, the 10th edition is obviously way off from the current 19th edition… but since much of the 19th edition survives from the 10th edition, that would suggest that much of The Bluebook is also public domain. Malamud’s Public Resource is going to create an alternative to The Bluebook, called Baby Blue, which will make use of the public domain portions of the book.

Five hot tips for researching on Google Scholar (Attorney at Work, 8 Oct 2014) - If you are seeking ways to reduce your legal research costs, here is one good option: Google Scholar. It is an online research service you can use to find cases and secondary sources for free. If you want to know how to harness the power of Google Scholar - and impress your colleagues and clients with your stellar research skills - here are five good tips to get you started.
1. Extensive database of cases. Google Scholar has an extensive database of reported cases from state and federal courts. The database covers cases from the United States Supreme Court (since 1791), the U.S. Courts of Appeals and U.S. District Courts (since 1923), and supreme courts and intermediate appellate courts from all states (since 1950). If you can’t find any relevant cases within those date ranges, you probably should consider settling your lawsuit.
2. Reliable search algorithm and advanced searching. Google’s effective search algorithm powers Google Scholar. When searching for federal and state cases using keywords, the relevancy of the results is comparable to the results on WestlawNext and Lexis Advance (but let that be our little secret). Like those paid services, Google Scholar will likely return relevant results even if you do not use the proper terms of art.
3. Useful proximity connector. Most free services don’t allow users to run searches where various terms appear in the same sentence or paragraph. But Google Scholar has one proximity connector: AROUND. Apparently, Google wants only the “in-crowd” to know about this search functionality; in fact, it does not even mention the connector “AROUND” on the official Google Scholar Blog. After experimenting with this proximity connector, I learned a few useful things * * *

The Reader has no clothes (InsideHigherEd, 9 Oct 2014) - Chances are, you’ve heard the troubling news that the new version of Adobe Digital Editions is a privacy train wreck. Nate Hoffelder broke the news at The Digital Reader. The two key issues (apart from the fact that this software transmits an awful lot of data to the mothership about what exactly you are reading, including which pages you read and at what IP address) are that it hunts for all of the ebook files on your reading device and sends information about them to Adobe, and that all of that data is sent in plain text, meaning that anyone who intercepts the information can read it without any trouble, which is not just a privacy violation, it’s a disturbingly amateurish way to do things on the internet. So it’s both embarrassing AND a huge privacy breach. A twofer. Librarians who have ebook collections need to inform their patrons right now that if they are using the latest Adobe Digital Editions software, their reading history, including ebooks they didn’t borrow from the library, belongs to Adobe and anyone else who’s watching. (See how librarians at Ryerson responded within 24 hours.) Next, they have to figure out what steps to take to fix the problem. Beyond that, we all need to have a serious conversation about whether our devotion to privacy is merely lip service, an old-fashioned hang-up we have decided doesn’t matter anymore and should scrub from the American Library Association website, or whether we will actually, you know, stand up for it. Because right now, that’s not happening. I couldn’t explain the problem better than Andromeda Yelton has, so I won’t try. I’ll just share a few of my thoughts. * * *

RESOURCES

Cybersecurity for government contractors (Covington, April 2014) - This Briefing Paper presents a comprehensive summary of the key legal issues and evolving compliance obligations that contractors now face in the federal cybersecurity landscape. It begins with an overview of the most prevalent types of cyber attacks and targets, as well as the federal cybersecurity budget. Next, the Paper outlines the current federal cybersecurity legal requirements applicable to Government contractors, including statutory and regulatory requirements, the President’s 2013 cybersecurity Executive Order (E.O.), and the resulting “cybersecurity framework” issued by the National Institute of Standards and Technology (NIST) in February 2014, as well as highlights further developments expected this year. Finally, it identifies and discusses the real-world legal risks that contractors face when confronting cyber attacks and addresses the availability of possible liability backstops in the face of such attacks.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Most Third World e-Govt projects fail: World Bank (The Age, 8 Nov 2004)—Eighty-five percent of e-government projects in developing countries fail either partially or fully, a World Bank official says. “It is estimated approximately 35 percent of e-government projects in developing countries are total failures and approximately 50 percent are partial failures,” Robert Schware, World Bank lead informatics specialist, said on Friday. E-government refers to the use of information and communications technologies to improve the efficiency, effectiveness, transparency and accountability of government. The World Bank funds many e-government projects worldwide such as developing e-trade facilitation systems, e-procurement pilots and one-stop government gateways. “Only some 15 percent can be fully seen as success. There are equal numbers of very sad statistics about the number of failed implementations in the US and Europe,” Schware told delegates at a seminar on e-government. In India half of the ongoing 200 e-governance projects were bound to fail, he said. “By failure I mean the inability to deliver government services that provide benefit to citizens or business.”

Ban is eased on editing foreign work (New York Times, 5 April 2004)—The federal government has eased a ban on editing manuscripts from nations that are under United States trade embargoes, a move that appears to leave publishers free once again to edit scholarly works from Iran and other such countries. The Treasury Department sent a letter on Friday to a lawyer for the Institute of Electronic and Electrical Engineers, an international group representing more than 360,000 engineers and scientists, saying the organization’s peer review, editing and publishing was “not constrained” by regulations from the department’s Office of Foreign Assets Control. The group says its members produce 30 percent of the world’s literature in electrical and electronics engineering and computer science. The letter from the Treasury Department referred specifically to publishing by the institute, but Arthur Winston, the group’s president, said he believed the ruling would be “a relief for nearly everyone” in the scholarly publishing community. “The ruling eliminates potentially disturbing U.S. government intrusions on our scholarly publishing process,” Mr. Winston said. No one at the Treasury Department could be reached for comment Sunday night on the ruling. The department and publishers have long quarreled over the exemption of “information or informational materials” from the nation’s trade embargoes. Congress has generally allowed such exemptions. Nonetheless, the Treasury Department sent out advisory letters over the past year telling publishers who were editing material from a country under a trade embargo that they were forbidden to reorder paragraphs or sentences, correct syntax or grammar, replace “inappropriate words” or add illustrations. The advisories concerned Iran, but experts said the ruling seemed to extend to Cuba, Libya, North Korea and other nations with which most trade is banned without a government license. In theory, even routine editing on manuscripts from those countries could have subjected publishers to fines of $500,000 and 10 years in jail.