MIRLN began in 1997 and I’ve published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an also-idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.).

With the close of 2018 I’ve ceased regular production of MIRLN. With curated Twitter/RSS feeds (@vpolley) you may not miss it at all.

It’s been fun; thanks for reading!


MIRLN—- 28 Nov - 22 Dec 2018 (v21.16)



Facebook’s New ‘Supreme Court’ Could Revolutionize Online Speech (Lawfare, 19 Nov 2018) - The Supreme Court of Facebook is about to become a reality. When Facebook CEO Mark Zuckerberg first mentioned the idea of an independent oversight body to determine the boundaries of acceptable speech on the platform-“almost like a Supreme Court,” he said-in an April 2018 interview with Vox, it sounded like an offhand musing. But on Nov. 15, responding to a New York Times article documenting how Facebook’s executives have dealt with the company’s scandal-ridden last few years, Zuckerberg published a blog post announcing that Facebook will “create a new way for people to appeal content decisions to an independent body, whose decisions would be transparent and binding.” Supreme Court of Facebook-like bodies will be piloted early next year in regions around the world, and the “court” proper is to be established by the end of 2019, he wrote. It is difficult to overstate the potential this has to transform understandings of online speech governance, international communication and even the very definition of “free speech.” Zuckerberg’s blog post literally asks more questions about the anticipated tribunal than it answers. (He writes, “Starting today, we’re beginning a consultation period to address the hardest questions, such as: how are members of the body selected? How do we ensure their independence from Facebook, but also their commitment to the principles they must uphold? How do people petition this body? How does the body pick which cases to hear from potentially millions of requests?”) But it’s worth unpacking the underlying ideas behind the proposal and the most difficult challenges that will need to be resolved in how it’s set up.

Today in brighter crypto news: SEC says tokens are securities (TechCrunch, 21 Nov 2018) - Crypto news got a little boost last week after a dark month of crashes, stablecoins and birthdays. The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens. “Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties,” wrote Pamela Sawhney of the SEC. “These are the Commission’s first cases imposing civil penalties solely for ICO securities offering registration violations.”

- and -

Ohio becomes the first state to accept bitcoin for tax payments (TechCrunch, 28 Nov 2018) - Starting Monday, businesses in Ohio will be able to pay their taxes in bitcoin - making the state that’s high in the middle and round on both ends the first in the nation to accept cryptocurrency officially. Companies that want to take part in the program simply need to go to OhioCrypto.com and register to pay in crypto whatever taxes their corporate hearts desire. It could be anything from cigarette sales taxes to employee withholding taxes, according to a report in The Wall Street Journal, which first noted the initiative. The brainchild of current Ohio state treasurer Josh Mandel, the bitcoin program is intended to be a signal of the state’s broader ambitions to remake itself in a more tech-friendly image. Already, Ohio has something of a technology hub forming in Columbus, home to one of the largest venture capital funds in the Midwest, Drive Capital. And Cleveland (the city once called “the mistake on the lake”) is trying to remake itself in cryptocurrency’s image with a new drive to rebrand the city as “Blockland.”

Jury dismissed after Crown looks up jurors on LinkedIn (The Globe & Mail, 22 Nov 2018) - A prosecutor’s use of LinkedIn to conduct background checks on jurors is raising new questions about improper vetting after a second jury in a week was dismissed in Atlantic Canada over the issue. Both cases - a murder trial, and one of criminal negligence causing death - are now being tried by judge alone after the prosecution was obliged to drop its earlier objection to defence requests for such a trial. The newest instance came on Thursday in an important case in Nova Scotia - the first in that province under a federal Criminal Code provision drafted after the 1992 Westray methane explosion that killed 26 miners in Plymouth, N.S. Elie Hoyeck, the owner of an auto-repair shop, is charged with criminal negligence causing the death of an employee, Peter Kempton, in a 2013 vehicle fire. The 2004 “Westray law” says that anyone who directs another person in a task must take reasonable steps to ensure the person’s safety. The earlier instance was revealed in a ruling on Monday in a high-profile case in New Brunswick - the retrial of Dennis Oland, charged with second-degree murder of his wealthy father, Richard. He had been found guilty in 2015, but an appeal court set aside the conviction and ordered a new trial in 2016. A police officer conducted checks in a local police database with information on all police contacts (as a witness, complainant, or suspect), and did not share the information with Mr. Oland’s defence team. A judge dismissed the jury and declared a mistrial; a new trial started Tuesday. Vancouver lawyer Eric Gottardi, the past chair of the Canadian Bar Association’s criminal-justice section, said that even one or two such cases are concerning. “You have to think it’s like the tip of an iceberg just because of how unlikely it is that these practices would come to light,” he said in an interview. 
It is not a new area of law, and the message is clear to police and prosecutors about what they may and may not do. In 2012, the Supreme Court of Canada ruled that prosecutors and police must share with defence lawyers anything they find inadvertently when checking whether potential jurors have criminal records. It made a similar ruling in 1997. The idea is that the prosecution should not have an advantage over the defence, or interfere with jurors’ privacy.

French tax officials to start digging through social media posts for expensive cars it thinks you can’t afford (TechDirt, 26 Nov 2018) - In a weird announcement threatening the commencement of pointless government monitoring, a French official says tax cheats will now be outed by their own selfies. (via Reason): France’s tax administrators will start searching through social media accounts in early 2019, a pilot project in the fight against tax avoidance, Budget Minister Gerald Darmanin told weekly business TV show Capital. [...] “(The fiscal administration) will be able to see that if you have numerous pictures of yourself with a luxury car while you don’t have the means to own one, then maybe your cousin or your girlfriend has lent it to you… or maybe not,” Darmanin said. I guess French tax collectors will be scrolling through social media profiles with lists of tax dodgers and a keen appraiser’s eye. There may be several reasons people have expensive items showcased on social media, and not all of them will have anything to do with ill-gotten net gains. A very common internet pastime is presenting your life as more exciting, dynamic, and filled with material goods than it actually is. Photoshop may be involved. Some of what tax officials come across will be evidence of nothing more than self-esteem issues.

Online dispute resolution bolstering access to justice (Lawyers Weekly/Australia, 27 Nov 2018) - Despite the reluctance many jurisdictions have about utilising tech in dispute resolution matters, the chair of Canada’s Civil Resolution Tribunal has shared how doing so has aided in the country’s access to justice crisis. Speaking to Lawyers Weekly ahead of her appearance at last week’s ODR: The State of the Art International Symposium, the tribunal’s chair Shannon Salter spoke about what has been described as the access to justice crisis and the need for the development of creative solutions to combat the problem. Ms Salter said this is what led Canada’s British Columbia to develop The Civil Resolution Tribunal (CRT) - Canada’s first online tribunal. * * *

Pennsylvania Supreme Court recognizes Common Law duty to safeguard employees’ personal data (Nat’l Law Review, 27 Nov 2018) - The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. The court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law. The court rejected the notion that it was creating a “new affirmative duty” under common law, and instead held that it was applying the “existing duty to a novel factual scenario.” The plaintiffs alleged that-as a condition of employment at UPMC-they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols. 
The court held that where an employer’s affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees’ personal information “against an unreasonable risk of harm arising out of [the employer’s data collection practices].” UPMC should have realized, the court concluded, that “a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal [its employees’] information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.” As to the ‘duty’ element of the negligence claim, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees’] personal and financial information from that breach.”

When the Internet Archive forgets (Gizmodo, 28 Nov 2018) - On the internet, there are certain institutions we have come to rely on daily to keep truth from becoming nebulous or elastic. Not necessarily in the way that something stupid like Verrit aspired to, but at least in confirming that you aren’t losing your mind, that an old post or article you remember reading did, in fact, actually exist. It can be as fleeting as using Google Cache to grab a quickly deleted tweet, but it can also be as involved as doing a deep dive of a now-dead site’s archive via the Wayback Machine. But what happens when an archive becomes less reliable, and arguably has legitimate reasons to bow to pressure and remove controversial archived material? A few weeks ago, while recording my podcast, the topic turned to the old blog written by The Ultimate Warrior, the late bodybuilder turned chiropractic student turned pro wrestler turned ranting conservative political speaker under his legal name of, yes, “Warrior.” As described by Deadspin’s Barry Petchesky in the aftermath of Warrior’s 2014 passing, he was “an insane dick,” spouting off in blogs and campus speeches about people with disabilities, gay people, New Orleans residents, and many others. But when I went looking for a specific blog post, I saw that the blogs were not just removed, the site itself was no longer in the Internet Archive, replaced by the error message: “This URL has been excluded from the Wayback Machine.” Apparently, Warrior’s site had been de-archived for months, not long after Rob Rousseau pored over it for a Vice Sports article on the hypocrisy of WWE using Warrior’s image for their Breast Cancer Awareness Month campaign. The campaign was all about getting women to “Unleash Your Warrior,” complete with an Ultimate Warrior motif, but since Warrior’s blogs included wishing death on a cancer-survivor, this wasn’t a good look.
Rousseau was struck by how the archive was removed “almost immediately after my piece went up, like within that week,” he told Gizmodo. * * *

GCHQ: We don’t tell tech companies about every software flaw (ZDnet, 29 Nov 2018) - The UK intelligence services have revealed how they choose which security vulnerabilities to reveal to technology vendors—and which aren’t disclosed because the UK’s national interest is better served by what GCHQ describes as ‘retaining’ the knowledge. For the first time ever, GCHQ and its cyber arm the National Cyber Security Centre (NCSC) have revealed the process that is used to determine whether a vulnerability is disclosed or not disclosed when discovered. It ultimately means that sometimes GCHQ won’t tell a company if its software is vulnerable to cyber attacks and hacking if that is deemed to be the better option for national security. When a previously unknown vulnerability is discovered, the default position is to disclose it—but if it serves the national interest, knowledge of the vulnerability may not be disclosed. GCHQ states that the decision to withhold vulnerabilities is not taken lightly and always involves ‘rigorous assessment’ by a panel of experts from GCHQ, the NCSC and the Ministry of Defence.

- and -

Principles for a more informed exceptional access debate (Lawfare, 29 Nov 2018) - This is part of a series of essays from the Crypto 2018 Workshop on Encryption and Surveillance. In any discussion of cyber security, details matter. Unfortunately, it’s the details that are missing from the discussion around lawful access to commodity end-to-end encrypted services and devices (often called the “going dark” problem). Without details, the problem is debated as a purely academic abstraction concerning security, liberty, and the role of government. There is a better way that doesn’t involve, on one side, various governments, and on the other side lawyers, philosophers, and vendors’ PR departments continuing to shout at each other. If we can get all parties to look at some actual detail, some practices and proposals-without asking anyone to compromise on things they fundamentally believe in-we might get somewhere. As commodity technology starts to really drive the evolution of our daily lives and more of our personal data, our industry and our economy is on the internet, we will repeatedly run into challenges of how to explain complex and subtle technical concepts to non-experts. That’s likely to cover everything from how the internet economy could affect personal privacy through how the mass of data our smart stuff will be generating affects national security to how agencies charged with public protection can do their job in a way that meets the public’s expectation. To do that, we need to have open and honest conversations between experts that can inform the public debate about what’s right and we’ll need a framework in which to do that. We hope the U.K.‘s principles for access to encrypted services may help start that off. 
These are not intended as general principles for government access to data covering every case; and they do not address the ‘discovery’ problem around how governments establish which services and identities are being used by criminals and other valid targets. They’re specifically for mass-scale, commodity, end-to-end encrypted services, which today pose one of the toughest challenges for targeted lawful access to data and an apparent dichotomy around security. * * *

Making a ransomware payment? It may now violate US sanctions (Bleeping Computer, 30 Nov 2018) - Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions. This week the Department of Justice unsealed a grand jury indictment against the hackers allegedly responsible for the SamSam Ransomware. As part of this indictment, for the first time the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency. “While OFAC routinely provides identifiers for designated persons, today’s action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals” stated the Department of Treasury’s announcement. In this particular case, the cryptocurrency addresses are being attributed to Iran-based individuals named Ali Khorashadizadeh and Mohammad Ghorbaniyan who the U.S. government states have facilitated the exchange of ransomware payments into Iranian Rial. The addresses attributed to these individuals are 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and contain a combined total of 5,901 bitcoins. At the current prices of bitcoins this is equivalent to over $23 million USD.
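The operational consequence for an incident-response team is that a demanded ransom address has to be screened before anyone authorises a payment. The Python below is an added example, not code from the story, from BleepingComputer, or from OFAC: it validates that a Bitcoin address is well-formed Base58Check (so a typo does not slip past an exact-match list) and then screens it against a sanctions list. The list is constructed for the example from the two addresses quoted above; a real control would load the current OFAC SDN list, which now carries digital currency address identifiers, rather than a hard-coded set.

```python
"""Pre-payment sanctions screening of a ransomware destination address.

Added example, not code from the original newsletter, BleepingComputer, or
OFAC. The screening list is CONSTRUCTED from the two addresses quoted in the
story; production code would load the current OFAC SDN list instead.
"""
import hashlib
from dataclasses import dataclass

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed list: the two addresses OFAC attributed in the Nov 2018 SamSam
# action, as quoted in the story above. Not the full SDN list.
SANCTIONED_ADDRESSES = {
    "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
    "149w62rY42aZBox8fGcmqNsXUzSStKeq8C",
}


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' encodes one leading zero byte."""
    n = 0
    for ch in s:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check for mainnet P2PKH/P2SH: 1 version byte + 20-byte hash160,
    followed by the first 4 bytes of SHA-256(SHA-256(payload)) as checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    if payload[0] not in (0x00, 0x05):  # mainnet P2PKH (0x00) / P2SH (0x05)
        return False
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass(frozen=True)
class ScreeningResult:
    address: str
    well_formed: bool
    sanctioned: bool

    @property
    def block_payment(self) -> bool:
        # Refuse on a sanctions hit. Refuse malformed addresses as well: funds
        # sent to a mistyped address are lost, and a near-miss of a listed
        # address is exactly what exact-match screening cannot catch.
        return self.sanctioned or not self.well_formed


def screen_address(addr: str, blocklist=SANCTIONED_ADDRESSES) -> ScreeningResult:
    """Screen one destination address. Matching is exact and case-sensitive,
    because Base58 is case-sensitive; do not lower-case addresses."""
    addr = addr.strip()
    return ScreeningResult(addr, is_valid_btc_address(addr), addr in blocklist)


if __name__ == "__main__":
    # Constructed inputs: the two listed addresses, the well-known all-zero
    # hash160 address (valid, unlisted), and a deliberately corrupted address.
    for candidate in (
        "1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V",
        "149w62rY42aZBox8fGcmqNsXUzSStKeq8C",
        "1111111111111111111114oLvT2",
        "1111111111111111111114oLvT3",
    ):
        r = screen_address(candidate)
        print(f"{r.address}: well_formed={r.well_formed} sanctioned={r.sanctioned} "
              f"block_payment={r.block_payment}")
```

The screen runs before, not after, the payment decision goes to counsel and insurers; a hit is a reason to stop, not a data point to note. The Base58Check step matters because OFAC matching is on the literal address string, so a single transposed character turns a listed address into one that screens clean while still paying the same wallet once the typo is corrected by whoever is handling the transfer.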

Secret Service announces test of face recognition system around White House (ACLU, 4 Dec 2018) - In yet another step toward the normalization of facial recognition as a blanket security measure, last week the Department of Homeland Security published details of a U.S. Secret Service plan to test the use of facial recognition in and around the White House. According to the document, the Secret Service will test whether its system can identify certain volunteer staff members by scanning video feeds from existing cameras “from two separate locations on the White House Complex, and will include images of individuals passing by on public streets and parks adjacent to the White House Complex.” The ultimate goal seems to be to give the Secret Service the ability to track “subjects of interest” in public spaces.

The sneaky fight to give cable lines free speech rights (Susan Crawford, Wired, 4 Dec 2018) - It seems counterintuitive that a phone line could be a “speaker.” But the cable industry very much wants to ensure that the act of transmitting speech from Point A to Point B is protected by the First Amendment, so that making a cable connection carry any speech it isn’t interested in amounts to unconstitutional “forced speech.” The addition of Justice Brett Kavanaugh to the Supreme Court roster gives the industry a significant boost. In a 2017 DC Circuit dissenting opinion, Justice Kavanaugh made it clear that he supports giving internet access providers “speaker” privileges, saying that “the First Amendment bars the Government from restricting the editorial discretion of Internet service providers.”

Cybersecurity: Who’s fessed up to a “Material Weakness?” (The CorporateCounsel.net, 6 Dec 2018) - The SEC’s recent Cyber 21(a) Report highlighted cybersecurity internal control shortcomings at 9 different companies. This Audit Analytics blog looks at which companies have disclosed a “material weakness” following a data breach. This excerpt says that not many have: The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies. Although we are unable to identify the companies, we were curious whether we can find similar cases. Using Audit Analytics’ cyber breaches dataset, we looked at recent examples & disclosures of companies that fell victim to the attacks described in the report. In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies’ internal controls. The blog also reviews the disclosures made by companies that determined a material weakness existed following a data breach.

Four tips for law firms in responding to overreaching client audits (Law.com, 7 Dec 2018) - As you know, there can be a lot of effort on the law firm’s end in responding to these security inquiries. How do legal IT professionals identify scenarios where clients are overreaching reasonable bounds of information or action? In cases of overreaching, how should a firm respond to the client? These are all areas where law firms may struggle, as reputation among other clients, professional responsibility concerns, or even bar admittance could be on the line if managed poorly. Here are four tips to better enable your firm to handle these inquiries. * * *

RESOURCES

Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer (UT’s Bobby Chesney, 4 Dec 2018) - Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document. Now, I’m back with version 2.0. At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone-practitioner, lawyer, engineer, student, etc.-who wants to think deeply about the various substrands of this emergent field and how they relate to one another.

- and -

Privacy and Security: A Pedagogic Cybersecurity Framework (Peter Swire, Oct 2018) - This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NBC offers wide online access for Beijing Olympics (Washington Post, 28 June 2008) - NBC is making more than 2,200 hours of live competition from Beijing available online, giving Olympic junkies more action than they could ever devour in a day. After barely dipping its toe in the digital world during past Olympics, the network will dive into the deep end: live blogging, 3,000 hours of highlights on demand, daily recaps and analysis and even fantasy league gaming. That’s in addition to the 1,400 hours of coverage planned on six television networks, more than the combined total of every previous Summer Olympics. NBC’s digital plans, however, have angered media outlets that worry the company is being heavy-handed in enforcing its rights to exclusive Olympic access. There’s been some brewing tension about the rights of other media organizations to cover the event; NBC paid $3.5 billion to the International Olympics Committee to televise the five Olympics through Beijing. Other TV networks have a limited window in which to show Olympics highlights, but no video of Olympic events is permitted to be shown on any Web site besides NBCOlympics.com. NBC has allowed video of Olympic trials events to be shown on other Web sites, but each site is required to link to NBCOlympics.com. All of that video must come down Aug. 7, the day before the Beijing Games start. That’s going to limit the ability of Swimming World magazine, which has a heavy online component, to offer material to its users, said Brent Rutemiller, the magazine’s publisher. He’s also upset that limits have been placed on where other organizations can interview athletes, and that they were extended to coaches and officials.

Biglaw firm recruits on Facebook (ABA Journal, 26 August 2008) - Looking for a way to better promote itself to the next generation of lawyers, Curtis, Mallet-Prevost, Colt & Mosle has launched a Facebook page as part of its broader law school recruiting efforts. “We are pleased to be capitalizing on the popularity of the most widely used social networking site,” Nancy Delaney, a Curtis partner who is a member of the firm’s personnel committee, says in a release (PDF) about the page. “As a Firm, we recognized the power of this format of communication and the wide use being made of it by future lawyers.” As of this posting, the page had 32 fans. The page promotes the 178-year-old firm with historical information and the benefits of starting a career in New York. It also includes links to news, awards, policies and questions and answers about other office locations and on-campus schedules. On his LawSites blog, Robert Ambrogi posits that Curtis may be the first Am Law 200 firm to feature Facebook as a central recruiting tool.

MIRLN—- 28 Oct - 17 Nov 2018 (v21.15)



ANNOUNCEMENT

MIRLN began in 1997 and I’ve published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN’s last. (With curated Twitter/RSS feeds you may not miss it at all.) It’s been fun; thanks for reading!

NEWS

Ohio’s new cybersecurity law: creating a data breach safe harbor (Mayer Brown, 23 Oct 2018) - Policymakers long have wrestled with how to enhance private-sector cybersecurity without imposing prescriptive one-size-fits-all requirements that undermine effective cyber risk management. With the passage of its Cybersecurity Safe Harbor Act (the “Act”) on August 3, 2018, Ohio has enacted legislation-the first of its kind-that is intended to use the promise of relief from legal liability to incentivize companies to adopt appropriate cyber protections. Specifically, the Act gives companies that take certain steps to create, maintain and comply with a written cyber program an affirmative defense to data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio. It remains to be seen whether the Act will have a practical impact on companies’ approaches to cyber risk management or their liability exposure after a data breach. The Act nonetheless is important because it suggests a new approach to the regulation of cybersecurity practices and liability after a data breach. * * *

FTC offers small businesses free cybersecurity resources (DarkReading, 26 Oct 2018) - The Federal Trade Commission’s (FTC) newly launched national initiative to educate small business owners about cybersecurity threats and defenses began with a “listening tour” last year. What it learned became the foundation for the agency’s new Cybersecurity for Small Business website and related resources, which draw from a dozen different security topics FTC officials gathered from its discussions with small and midsize business (SMB) owners nationwide, said Jon Miller Steiger, director of the FTC’s East Central Region, who spoke at the 2018 Cyber Security Conference for small businesses in Charlottesville, Va., earlier this week. Among their hot-button concerns, Steiger said, are their ability to train employees properly for security awareness, cyberthreats, and human error leading to a cyberattack. “They want to get one unified message from the federal government” on cybersecurity as well, he said. The new website, created in cooperation with the US Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), was officially launched on Oct. 18. It includes cybersecurity basics and best practices including the NIST cybersecurity framework for SMBs, and covers security threats, such as phishing, ransomware, email spoofing, and tech support scams. The FTC site also includes free resources, such as quizzes and educational videos.

- and -

Law firm cybersecurity: Are your vendors posing the threat of a data breach? (Nat’l Law Review, 30 Oct 2018) - If you’ve been paying attention, chances are your law firm security is up-to-date and fairly strong. While that takes care of the firm itself, these days it is just as important that your cybersecurity policy takes into account the cybersecurity of your vendors. “A responsible firm must also reduce the risk of a data breach at their third-party vendors,” according to Ishan Girdhar, CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process throughout the value chain. * * * Girdhar’s article “Vendor Risk Management for Law Firms: 7 Steps to Success,” lists the following steps needed to be included in cybersecurity policy for law firms: * * *

- and -

Solo, small firms are concerned about the cloud’s confidentiality and security (Law.com, 13 Nov 2018) - In the lead-up to its scheduled January release of its annual Legal Technology Survey Report, the American Bar Association recently released a report examining the tech usage of solo lawyers and small firms with two to nine lawyers. In the report, 63 percent of all lawyer-respondents who use cloud technology said they are concerned about cloud-based services’ confidentiality and security. Among those not using cloud-based services, confidentiality and security (56 percent) and lack of control over the data (40 percent) were cited as key barriers preventing them from using the technology. To be sure, cloud technology has been adopted by many solo lawyers and lawyers in small firms alike. The ABA reported 59 percent of solo practitioners and 58 percent of lawyers in small firms use cloud-based computing for their work. On the cybersecurity front, the report found that 14 percent of solos and 24 percent of small law firms said they experienced a breach. Of those, 66 percent of solos and 65 percent of small firms said no significant business disruption or loss occurred due to the breach. About half, 51 percent of lawyers in small law firms, said they had data retention policies, while only 33 percent of solo practitioners reported the same. The ABA also found that most, 70 percent, of solo practitioners and 63 percent of small firms don’t use password management tools. But most firms surveyed said they were required under ethical competency rules to stay abreast of the benefits and risks of technology, which may fuel faster technology retention by lawyers.

The Vote With Me app looks up your contacts’ voting records (BuzzFeed, 29 Oct 2018) - The app Vote With Me connects to your phone’s contact list and matches names and phone numbers with state voter rolls - telling you which party your friends are registered to and which of the last elections they actually voted in. The idea is that you can use this information to encourage friends to go vote, and will prewrite a text message to them through the app. Great, right? Except that upon deeper reflection, I found this creepy and believe it’s a strange invasion of my and my friends’ privacy. Just because the voter records of our friends (or really, anyone on our phones, which is a lot of random people!) are a matter of public record doesn’t mean they expect other people to look for them. Even weirder is getting a text from someone telling you that they saw you didn’t vote in the last election! Mikey Dickerson, executive director of The New Data Project, the non-profit group that made Vote With Me, says that he knows his app might seem a little, well, creepy to some people, but he’s ok with that. “Establishing the social norm of voting is important enough that a little bit of discomfort is warranted,” he told BuzzFeed News. “It feels new because it hasn’t been easy to have [voter records] publicly viewed before, but we think that’s for the public good.” Voter rolls are technically a matter of public record, but it’s not easy to look up your friends’ information. There simply isn’t a single free website where you can enter a name and get a voter record. There’s voterrecords.com, but it only covers 14 states plus D.C. On certain official state websites, you can look up registrations, but only if you know extra information like a person’s actual full name and, say, their zip code or birth date. And all of these just say if you’re registered or not, not which years you voted. (Who you voted for is, of course, always secret and not part of any of this information.)
Vote With Me gets its info by paying for a licensed set of records from a commercial entity that provides this as a service to campaigns or other groups. In a Medium post, the group that made Vote With Me, The New Data Project, describes how they obtained the voter data: “Campaigns have used these records for decades, and sometimes have taken steps to prevent you from realizing it. We feel that as long as this data exists, regular people not on a political payroll should be able to see and use it, too.”

Project provides access to all US case law, covering 360 years (Robert Ambrogi, 29 Oct 2018) - Launching today is the capstone to a massive project executed over the last three years to digitize all U.S. case law, some 6.4 million cases dating all the way back to 1658, a span of 360 years. The Caselaw Access Project site launching today makes all published U.S. court decisions freely available to the public in a consistent digitized format. The site is the product of a partnership started in 2015 between Harvard Law School’s Library Innovation Lab and legal research service Ravel Law to digitize Harvard’s entire collection of U.S. case law, which Harvard says is the most comprehensive and authoritative database of American law and cases available anywhere outside the Library of Congress. The collection includes all federal and state courts, and all territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. For now, the collection is text only, although Harvard plans to add images at a later time.

SEC Section 21(a) report focuses on cyber threats and internal accounting controls - measures to consider taking to mitigate risk (MoFo, 30 Oct 2018) - The Securities and Exchange Commission’s October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division’s investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity. [1] Indeed, the SEC’s press release announcing the report specifically cautioned public companies that they “should consider cyber threats when implementing internal accounting controls.” [2] Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. For example, the SEC’s July 25, 2017 Section 21(a) report known as the “DAO Report,” which reminded readers of the federal securities laws’ registration requirements and their application to sales of certain “tokens,” heralded the SEC’s recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC’s latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws. 
The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents, [3] and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company’s vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls.

US-CERT issues guide on how to properly dispose of your electronic devices (ZDnet, 31 Oct 2018) - This week, the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security (DHS), has published an official advisory with instructions and recommendations for properly deleting data from electronic devices that a user wishes to dispose of in one form or another. These instructions are universal and can be applied to computers, smartphones, tablets, cameras, media players, external storage devices, and even gaming consoles. Many of these recommendations are also common knowledge for IT industry veterans, but the guide was also written with non-technical users in mind. So let’s take a deep dive into the proper device sanitization procedures. * * *

Copyright Office extends anti-circumvention DMCA exemptions to all filmmakers, not just documentarians (TechDirt, 2 Nov 2018) - Earlier this year, we wrote a bunch of posts on the Copyright Office’s request for comment on changes needed to the DMCA’s anti-circumvention exemption list. There were lots of interesting submissions, but one that caught my attention was a whole bunch of film association groups, most of them for documentarians, advocating that the anti-circumvention exemption they enjoyed to be able to use clips from other films and content be expanded to include filmmakers generally. This would address the copyright industries’ cynical attempt to route around Fair Use usage by filmmakers by simply locking up their content behind all kinds of DRM that, unless you’re a documentarian, you can’t circumvent. The MPAA, as you would expect, said that allowing for this would kick off “widespread hacking” of all the DVDs on the planet, while all it was really concerned about was the licensing agreements it was able to secure from filmmakers who didn’t want to violate the DMCA to get the Fair Use clips they wanted. Well, the Copyright Office made its decision and the exemption will now be offered to filmmakers en masse.

‘Modern-day neighborhood watch’ (C&G Newspapers, 5 Nov 2018) - Each year, criminals get a little smarter and more advanced in their scheming. You know it’s true - you’ve got a chip in your credit card, a mind-numbingly complex login password, and a missed call log full of spoofed “local” numbers from overseas scam callers to prove it. The only way to fight unlawful technology is with gadgets for good. Police departments across the country are taking advantage of the growing availability of surveillance systems to keep a closer eye on neighborhoods. Several weeks ago, Bloomfield Township police launched a registry list for homeowners and businesses with outdoor surveillance systems called Extra Eyes. Residents and business owners simply add their address and phone number to the list, and if police investigate a crime in their neighborhood, they could be called to see if their camera system recorded anything suspicious. * * * Aside from a lack of awareness, Pizzuti said he’s had an issue with explaining the program to residents, who mistakenly think that by signing up they are granting the department access to their camera systems. “That’s not true at all. We couldn’t have access to your cameras, nor would we want it,” he explained. “This is just a faster way for us to see who in the area has cameras, instead of us canvassing neighborhoods one home at a time looking for (witnesses).” How Extra Eyes works is this: When a crime is committed and police begin to investigate, officers would normally go door to door looking for clues, asking neighbors if they’d seen anything that could be helpful to the case. With the registry, officers can see who in the area might have surveillance cameras and they can contact the owners for help. “It can work one of two ways: They can view the camera themselves and tell us if they saw anything suspicious. 
Maybe we can say, ‘Did you see this vehicle go by at this time?’ Or they can offer for us to come over and take a look at the footage with them. We never have direct access. It’s more of a modern-day neighborhood watch program.”

- and -

The DEA and ICE are hiding surveillance cameras in streetlights (Quartz, 9 Nov 2018) - The US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) have hidden an undisclosed number of covert surveillance cameras inside streetlights around the country, federal contracting documents reveal. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for “video recording and reproducing equipment.” ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same period of time. It’s unclear where the DEA and ICE streetlight cameras have been installed, or where the next deployments will take place. ICE offices in Dallas, Houston, and San Antonio have provided funding for recent acquisitions from Cowboy Streetlight Concealments; the DEA’s most recent purchases were funded by the agency’s Office of Investigative Technology, which is located in Lorton, Virginia. * * * Earlier this week, the DEA issued a solicitation for “concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device,” noting that the government intended to give the contract to Obsidian Integration LLC, an Oregon company with a sizable number of federal law enforcement customers. On November 7, the Jersey City Police Department awarded a contract to Obsidian Integration for “the purchase and delivery of a covert pole camera.” The filing did not provide further design details. * * * In addition to streetlights, the DEA has also placed covert surveillance cameras inside traffic barrels, a purpose-built product offered by a number of manufacturers. And as Quartz reported last month, the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them.

West Virginians abroad in 29 countries have voted by mobile device, in the biggest blockchain-based voting test ever (WaPo, 6 Nov 2018) - Nearly 140 West Virginians living abroad in 29 countries have cast their election ballots in an unprecedented pilot project that involves voting remotely by mobile device, according to state officials. The statewide pilot, which covers 24 of West Virginia’s 55 counties, uses a mixture of smartphones, facial recognition and the same technology that underpins bitcoin - the blockchain - in an effort to create a large-scale and secure way for service members, Peace Corps volunteers or other Americans living overseas to participate in the midterm elections. West Virginia is the first state to run a blockchain-based voting project at such a scale, state officials say. And if adopted more widely, the technology could make it easier to vote and potentially reduce long lines at the polls. But many security experts worry that the technology may not be ready for broader use - and could even contain vulnerabilities that risk the integrity of elections. As many as 300,000 U.S. voters located overseas requested ballots in the 2016 elections but failed to submit them. West Virginia sought to solve the problem by turning to Voatz, a company that in January received $2.2 million from Medici Ventures, a blockchain-focused investment firm owned by the online retailer Overstock.com. The Voatz app has been used on a limited basis in a number of other settings, such as student council races and West Virginia’s May primary.

Flickr says it won’t delete Creative Commons photos (7 Nov 2018) - Flickr will spare both the Flickr Commons and Creative Commons photos from deletion, the now SmugMug-owned company announced today. However, its new storage limitations on free accounts may impact its use as a home for photos with a Creative Commons license in the future. When the company unveiled its big revamp last week, one of the immediate concerns among users was what the changes meant for the Creative Commons photos hosted on Flickr. Under its new management, Flickr decided to stop offering free users a terabyte of storage, and instead will begin charging users who want to host more than 1,000 photos on its site. Users with more than 1,000 photos either had to choose to upgrade to a Pro account to retain those photos on the site or see them deleted. Ryan Merkley, CEO at Creative Commons, expressed some concern last week over what this meant for the millions of CC images hosted on Flickr. Would they be gone, too? Flickr today says the answer is “no.” It vows not to delete either its own Flickr Commons archive or any photos uploaded with a Creative Commons license before November 1, 2018. The Flickr Commons is a resource consisting of photos from institutions that want to share their digital collections with the world, such as NASA, the National Parks Service, the UK National Archives and The British Library, for example. These organizations were either already Pro account holders or have now received a free Pro account from Flickr, the company says.

As state actors continue to wage cyberwar on the United States, they have a powerful ally - gaps and ambiguities in the law (Harvey Rishikof, et al., in the ABA Journal, Nov 2018) - A major hack on the firms Cravath, Swaine & Moore and Weil Gotshal & Manges a few years ago was linked to foreign nationals with ties to the Chinese government. Their target? Proprietary client information. In 2014, a group with links to the Russian state energy sector hacked into a website belonging to the British law firm 39 Essex Chambers looking for information. Last year, the Department of Justice opened an investigation into whether the Chinese government had attempted to hack Clark Hill, a law firm representing a Chinese dissident. And those are just the directed assaults. Law firms also are vulnerable to more broad-based attacks. DLA Piper was devastated in 2017 by a ransomware worm that placed nearly 3,600 of their lawyers on temporary lockdown. The worm later was found to be the work of hackers linked to North Korea. Cyber exploitations and attacks happen every day on a global scale. How do we characterize this new cyber reality? Are these network violations criminal activity or espionage? Or are they acts of war? Our existing international laws, domestic statutes and law of armed conflict frameworks, all conceived in the pre-internet age, are struggling to find principles to bring order to our digital era. The legal rules for cyber incidents below the threshold of an “armed attack” live in a gray zone as practitioners and scholars struggle to fill the legal doctrinal gaps on nonintervention under international law. The roles, responsibilities, authorities, accountability or standards for attribution are not universal, and there are no agreed-upon responses or norms for unlawful acts in cyberspace. As the U.S. attorney general’s 2018 Cyber-Digital Task Force Report makes clear, although many government agencies are working on cybersecurity, and much has been accomplished, the DOJ is “keenly aware” that the current “tools and authorities are not sufficient by themselves” to keep America safe from cyberthreats. * * *

Pentagon draws back the veil on APT malware with sudden embrace of VirusTotal (Threatpost, 8 Nov 2018) - The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that’s used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. The Cyber National Mission Force (CNMF), which is under the auspices of the U.S. Cyber Command, posted its first malware samples to VirusTotal on Monday, after opening its account there. It also set up a “malware alert” Twitter feed to go along with the new effort. No advance announcement of a new initiative accompanied the move, which is unusual for government entities. “Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” CNMF said in a brief statement. The first two samples are files called rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for what was formerly known as the Computrace backdoor trojan, often associated with the Russia-based APT28/Fancy Bear group. “The particular pair of samples, Computrace/LoJack/Lojax, is actually a trojanized version of the legitimate software ‘LoJack,’ from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent,” a spokesperson from Chronicle told Threatpost. Releasing such samples is a bold move for a Department of Defense that has long kept its cyber-activities and knowledge very close to the vest, according to Tom Kellermann, chief cybersecurity officer at Carbon Black. “This is a huge leap forward for the cybersecurity community,” he told Threatpost. “For too long, the U.S. has over-classified cyber-threat intelligence. This empowers the cybersecurity community to mobilize on clandestine threats in real time, thus aiding the U.S. government in protecting and securing American cyberspace.” [Polley: Bruce Schneier writes about this: “This feels like an example of the US’s new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities.”]

The New York Times turns to Google Cloud to digitize its photo archive (BetaNews, 9 Nov 2018) - The New York Times is to digitize more than a century’s worth of photographs, and it is going to use Google Cloud to do so. The NYT has a massive collection of photos dating back decades, and the plan is to digitize millions of images—some dating back to the late nineteenth century—to ensure they can be accessed by generations to come. The digitization process will also prove useful for journalists who will be able to delve into the archives far more easily in future.

Judges need not recuse themselves just because they are Facebook “friends” with a lawyer (Volokh Conspiracy, 15 Nov 2018) - “The establishment of a Facebook ‘friendship’ does not objectively signal the existence of the affection and esteem involved in a traditional ‘friendship.’” Indeed, as the court points out in today’s Law Offices of Herssein & Herssein, P.A. v. United Servs. Auto. Ass’n, even traditional “friendship” doesn’t always require recusal (though perhaps very close friendship might): Though the court doesn’t give these as examples, state and federal Supreme Court Justices are often on close terms with their former clerks, who routinely practice in front of them, and in many small towns all the judges and lawyers may know each other well, especially since judges are usually former local lawyers. Note, though, that these rules vary from state to state; as the majority points out, its position is the dominant view among those states that have considered it, but other states do require recusal in such situations (as the 3-Justice dissent in the Florida Supreme Court would have).

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Moody’s error gave top ratings to debt products (Financial Times, 20 May 2008) - Moody’s awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody’s documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower.

SEC to require electronic financial reporting in 2009 (Duane Morris article, 24 June 2008) - Certain companies will soon be required to submit their financial results, including annual and quarterly required submissions, electronically using XBRL, a language for communication of financial data. On May 14, the Securities and Exchange Commission unanimously agreed to propose the mandatory use of this technology, which has been in development since 1998, to ensure that investors receive essential financial information in a more timely fashion, with increased levels of reliability and at a lower cost. This interactive reporting vehicle will not only provide information to investors more rapidly but will aid companies in preparing their financial reporting packages more accurately and efficiently. Interactive data will revolutionize how the SEC collects data and will change the backbone of the financial reporting system, improve analytic capabilities and put vital information at the fingertips of investors.

SEC provides guidance regarding use of company websites to disclose information for investors (Duane Morris advisory, 15 August 2008) - The Securities and Exchange Commission (the “SEC”) has published an interpretive release, Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (the “Release”), providing guidance to companies and issuers of securities on the use of company websites to disclose information to investors. The Release, which became effective August 7, 2008, is intended to encourage companies to develop their websites in compliance with the federal securities laws so that such websites can serve as effective analytical tools for investors by being a vital source of information about a company’s business, financial condition and operations. The Release is intended to provide guidance to those companies that are utilizing websites to supplement their required SEC filings. Since the adoption of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the “Exchange Act”), the foundation of securities regulation in the United States has rested upon timely disclosure of relevant information to investors and the securities markets. Historically, companies have disclosed information to investors and the markets by mailing reports to stockholders, filing periodic reports with the SEC and issuing press releases. As technology has advanced, the Internet, the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system, and electronic communications have modernized the disclosure system. More and more investors are turning to the Internet and company websites as their main source of information before making investment decisions. 
The Release provides guidance to companies posting information on their websites, including (1) when information posted on their website is considered “public” for purposes of the “fair disclosure” requirements of Regulation FD; (2) the application of the antifraud provisions of the federal securities laws to information posted on company websites; (3) the types of controls and procedures advisable with respect to posting information; and (4) the appropriate format of the information presented on the website.

MIRLN—- 7-27 Oct 2018 (v21.14)


NEWS

California bill bans bots during elections (SC Magazine, 3 Oct 2018) - A California bill that will ban the use of undeclared bots during elections is set to take effect on July 1, 2019, after Gov. Jerry Brown signed it into law Friday. “This bill would, with certain exceptions, make it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivise a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election,” according to the Senate Bill No. 1001.

- and -

California bans default passwords on any internet-connected device (Engadget, 5 Oct 2018) - In less than two years, anything that can connect to the internet will come with a unique password - that is, if it’s produced or sold in California. The “Information Privacy: Connected Devices” bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a “physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.”

Microsoft to host the government’s classified data early next year (NextGov, 9 Oct 2018) - Microsoft is making moves to target a growing multibillion-dollar market: hosting, storing and running the U.S. government’s most sensitive classified secrets and data. On Tuesday, the software giant announced it will join rival Amazon as the only commercial cloud providers with the security capabilities to host secret classified data by the end of the first quarter of 2019. Microsoft’s announcement comes days before the Pentagon will accept bids on its $10 billion Joint Enterprise Defense Infrastructure contract, which it will award to a single cloud service provider. The announcement doubles as a public declaration of Microsoft’s intent to bid on the contract one day after Google pulled out of the competition in part because it can’t meet the Pentagon’s security requirements stipulated for JEDI quickly enough. Most experts consider Amazon Web Services the favorite to win the contract, in part because it operates the CIA’s C2S Cloud, but Microsoft isn’t pulling any punches. The company also announced its intent to meet additional security controls to host the government’s data classified as top secret, which include the military and Defense Department’s most sensitive information. The ability to host both secret and top secret data is a prerequisite to compete for JEDI.

Can lawyers ethically accept cryptocurrency? (Attorney at Work, 10 Oct 2018) - Several years back we added credit card billing to our options for client bill payment, including through an online secured platform. Our bill collection rates dramatically increased along with how fast a bill was paid with emailed invoices. It was great! We recently saw some companies accepting bitcoin and other cryptocurrencies as payment for goods and services. While we don’t expect a high volume of clients to pay with this new “currency,” we are thinking about offering it as an option. If nothing else, it shows we are keeping ahead of the curve on modern trends. Should we be pumping the brakes, or do we have the green light to accept cryptocurrency as payment? At first glance, it may seem like you would be in the clear to accept alternative payments for the legal services rendered. Why not, since you can accept nonmonetary items such as a goat for preparing a family’s estate planning documents, so long as the goat was reasonable compensation for the legal services provided. Yes, I’m sure someone at some time bartered hooved animals for the services of an attorney and counselor at law. No? What ethics rules might be considered in how you are paid for your work? What makes cryptocurrency different from currency (or bovine for that matter)? At least one state bar has issued an advisory opinion on the topic of cryptocurrency as payment for legal services or otherwise being held for clients by a law firm. In Nebraska Ethics Advisory Opinion for Lawyers No. 17-03, the ethics committee concluded that attorneys “may receive and accept digital currencies such as bitcoin as payment for legal services” with some caveats. The leading concern with the often volatile cryptocurrency values comes in ensuring the fees being paid by a client are reasonable, as required by ABA Model Rule 1.5.
Bitcoin is one of the less volatile of these currencies, and still it has been known to have swings of 10 percent or greater occurring every few hours. As the opinion gives the example, “An arrangement for payment in bitcoin for attorney services could mean that the client pays $200 an hour in one month and $500 an hour the next month, which the client could very easily allege as unconscionable.” The opinion suggests the following actions to mitigate the risk of volatility and possible unethical overpayment for services: * * *

New bots from DoNotPay include one that lets you sue in any small claims court at the press of a button (Robert Ambrogi, 10 Oct 2018) - DoNotPay, the company that created a chat bot to automatically appeal parking tickets, is today launching a series of legal and consumer-protection bots, in the form of an iOS app, that includes one that will enable individuals to file an action in any small claims court in the United States. In addition, DoNotPay is announcing that it has acquired Visabot, a service launched shortly after the election of Donald Trump to help individuals obtain visas and green cards. DoNotPay is relaunching Visabot and eliminating all fees for the service, which previously ranged from $110 to $150. The new small claims bot covers small claims courts in all 3,000 counties in all 50 states. There is no charge to use the product, so users keep 100 percent of anything they recover. Joshua Browder, the self-taught coder who founded DoNotPay as a 17-year-old in 2015, said the initial idea for this product came from an app he created in the wake of the Equifax breach to help people file small claims lawsuits against the credit rating company.

Microsoft makes its 60,000 patents open source to help Linux (The Verge, 10 Oct 2018) - Microsoft announced today that it’s joining the Open Invention Network (OIN), an open-source patent group designed to help protect Linux from patent lawsuits. In essence, this makes the company’s library of over 60,000 patents open source and available to OIN members, via ZDNet. OIN provides a license platform for Linux for around 2,400 companies - from individual developers to huge companies like Google and IBM - and all members get access to both OIN-owned patents and cross-licenses between other OIN licensees, royalty-free. Microsoft joining is a big step forward for both sides: OIN gets thousands of new patents from Microsoft, and Microsoft is really helping the open-source community that it has shunned in the past. As Scott Guthrie, Microsoft’s executive vice president of the cloud and enterprise group, commented in an interview to ZDNet, “We want to protect open-source projects from IP lawsuits, so we’re opening our patent portfolio to the OIN.” There are exceptions to what Microsoft is making available - specifically, Windows desktop and desktop application code, which makes sense for many reasons - but otherwise, Microsoft is going open source. And ultimately, that’s a good thing for the whole developer community.

Amicus brief on burdens of proof for compelled decryption (Orin Kerr on Volokh Conspiracy, 11 Oct 2018) - I recently posted a draft article on the Fifth Amendment and compelled entering of passwords: Compelled Decryption and the Privilege Against Self-Incrimination. My article flagged but did not answer a closely-related question: What is the burden of proof to show a foregone conclusion when the government compels entering a password? Coincidentally, the Massachusetts Supreme Judicial Court happened to invite amicus briefs on this issue in a pending case shortly after I posted my draft. It’s a question of first impression among state supreme courts and federal circuit courts, and it relates closely to the underlying Fifth Amendment standard. In for a penny, in for a pound, I say. So today I submitted an amicus brief on the proper burden of proof in compelled decryption cases. You can read my brief here: Amicus Brief of Professor Orin Kerr on Standards for Compelled Decryption Under the Fifth Amendment. It argues that the government’s burden should be to prove by clear and convincing evidence, based on a totality of the circumstances, that the subject of the order knows the password.

Seventy years after Howey: An overview of the SEC’s developing jurisdiction over digital assets (ABA’s BLT, 12 Oct 2018) - On June 14, 2018, Director William Hinman of the SEC’s Division of Corporation Finance delivered a speech at the Yahoo! Finance All Markets Summit in San Francisco, during which he shared his view that the current offer and sale of bitcoin and ether, the two most valuable and prominent digital assets today, does not constitute a securities transaction. Reiterating the facts-and-circumstances approach the SEC takes in applying securities laws to digital assets, Hinman admitted that the evolution and the decentralized nature of digital assets could at some point render the application of securities law requirements insensible and unnecessary. Hinman’s speech is the first public statement from SEC leadership that offers clear assurance that certain types of digital assets are not within the purview of SEC regulations. The SEC has been following and monitoring the development of ICOs and digital assets closely. This article traces the series of SEC actions leading up to Hinman’s speech and analyzes how the SEC’s jurisprudence in this field has developed over time. * * *

- and -

SEC launches new strategic hub for innovation and financial technology (SEC, 18 Oct 2018) - The U.S. Securities and Exchange Commission today announced the launch of the agency’s Strategic Hub for Innovation and Financial Technology (FinHub). The FinHub will serve as a resource for public engagement on the SEC’s FinTech-related issues and initiatives, such as distributed ledger technology (including digital assets), automated investment advice, digital marketplace financing, and artificial intelligence/machine learning. The FinHub also replaces and builds on the work of several internal working groups at the SEC that have focused on similar issues. * * *

- and -

Cybersecurity: Fortune 100 disclosure practices (TheCorporateCounsel.net, 23 Oct 2018) - The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued disclosure guidance earlier this year & recently turned its attention to internal control implications of cybersecurity lapses. But are companies getting the message? This recent EY report provides some clues on the disclosure front. It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some key findings: * * *

Federal court ruling in Georgia shows judges have a role to play in election security (Lawfare, 12 Oct 2018) - In the wake of Russia’s interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election. Former Homeland Security Secretary Jeh Johnson and the Senate intelligence committee each say there is no evidence that the Russians did so. But as technologist Matt Blaze told the New York Times, that’s “less comforting than it might sound at first glance, because we haven’t looked very hard.” And experts agree that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade. Last month, the U.S. District Court for the Northern District of Georgia recognized that the risk of election hacking is of constitutional significance-and that courts can do something about it. In Curling v. Kemp, two groups of Georgia voters contend that Georgia’s old paperless voting machines are so unreliable that they compromise the plaintiffs’ constitutional right to vote. In ruling on the voters’ motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits-in other words, Georgia’s insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system.

Real estate lawyers have become big “phish” for cyberfraudsters (Attorney at Work, 12 Oct 2018) - Cyberfraud is a major issue in any industry, but especially in real estate where property transactions can net a hacker hundreds of thousands of dollars in a single wire diversion. Attorneys who practice real estate law and their clients have become prime targets for hackers. According to published FBI data, $969 million was diverted or attempted to be diverted to “criminally controlled” accounts in real estate transactions in fiscal year 2017. Compare that with 2016, when comparable real estate wire transfer frauds amounted to just $19 million. * * * It’s extremely difficult to recover funds that have been wired to a fraudulent account, though not impossible. Those who realize the mistake immediately have a better chance. As is the case with many things in life, prevention is the best tactic. Here are ways to lower the risk of real estate cyberfraud. * * *

3D printers have ‘fingerprints,’ a discovery that could help trace 3D-printed guns (Science Daily, 18 Oct 2018) - Like fingerprints, no 3D printer is exactly the same. That’s the takeaway from a new study that describes what’s believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods.

Appeals court says of course Georgia’s laws (including annotations) are not protected by copyright and free to share (TechDirt, 19 Oct 2018) - The 11th Circuit appeals court has just overturned a lower court ruling and said that Georgia’s laws, including annotations, are not covered by copyright, and it is not infringing to post them online. This is big, and a huge win for online information activist Carl Malamud whose Public.Resource.org was the unfortunate defendant in a fight to make sure people actually understood the laws that ruled them. The details here matter, so let’s dig in: * * * [Polley: This is an important victory, and Carl deserves our thanks. Hats off to Alston & Bird, David Halperin (Public Resource), and the ACLU. See also 11th Circuit: Georgia can’t copyright annotated legal code (Law.com, 22 Oct 2018), and Court tells Georgia it can’t charge people to read the law (ACLU, 22 Oct 2018)]

ABA ethics opinion offers guidance on data breaches (ABA Journal, 17 Oct 2018) - Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty. In Formal Opinion 483, issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation. “Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences,” says Barbara S. Gillers, chair of the standing committee. “Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers’ approaches to these risks in order to comply with the duty to protect client information.” This opinion builds on the standing committee’s Formal Opinion 477R released in May 2017, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally. “When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says. To that end, this week’s new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm. “As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” states the opinion. “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.” The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make “reasonable efforts” to prevent disclosure and access to client information, they may still experience a data breach. “When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation,’” the opinion closes. [Polley: The Opinion also contains language suggesting that lawyers must “monitor” internet activity-e.g., using IDS tools.]

New copyright exemptions let you legally repair your phone or jailbreak voice assistants (The Verge, 25 Oct 2018) - In a big victory for hackers, tinkerers, and the right to repair movement, the US Copyright Office has ruled some major changes to the legal exemption to the DMCA, making it far easier for owners to build software tools to hack, modify, and repair their own devices, as explained by iFixit founder Kyle Wiens. Under section 1201 of the Digital Millennium Copyright Act (DMCA), it is “unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works.” Because software has become so integral to all the devices we use - everything from phones to speakers to even trackers - device manufacturers have long used section 1201 to prevent owners from taking apart or repairing their own devices, arguing that breaking the software locks as part of replacing parts or modifying your gadgets is a violation of that statute. But as part of that law, citizens are allowed to petition for exemptions to section 1201 every three years, when the Copyright Office rules what kind of repairs and software tools are and aren’t allowed by the law. The final ruling for this cycle was just released (it goes into effect as law on October 28th), and it enacts broad new protections for repairing devices. Wiens’ post breaks down the biggest changes, which include: * * *

RESOURCES

Clarke and Piper on A Legal Framework to Govern Online Political Expression by Public Servants @Carleton_U (MLPB, 23 Oct 2018) - Amanda Clarke, Carleton University School of Public Policy and Administration, and Benjamin Pipe, National Judicial Institute, have published A Legal Framework to Govern Online Political Expression by Public Servants at 21 Canadian Labour and Employment Law Journal 1 (2018). Here is the abstract: This paper considers the extent to which public servants should be allowed to engage in political activities in online fora such as Facebook, Twitter, and YouTube. The question of the appropriate balance between the principle of political neutrality binding public servants and their Charter-protected right to political expression has been extensively addressed in the case law. However, the framework set out in the existing jurisprudence was developed in the context of more traditional forms of political engagement, and fails to provide clear guidance in an age when the political activities of public servants, like those of Canadians as a whole, have to a large degree migrated to social media and other platforms on the web. In an effort to remedy this deficiency, the authors lay the foundation for a revised framework for assessing the permissibility of online political activity by public servants, consisting of four analytical factors: the level and nature of a public servant’s position; the visibility of the online activity; the substance of the online activity; and the identifiability of the online actor as a public servant. Adopting this test, the authors contend, would enable adjudicators to strike a reasonable balance between freedom of expression and the principle of political neutrality, by recognizing that in today’s world both politics and life as a public servant play out online.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Smartphones, seat belts, searches, and the Fourth Amendment (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a “revolutionary” device, he probably wasn’t thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple’s übergadget will permit police to routinely gather massive amounts of citizens’ sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to “unreasonable searches and seizures.” Normally, this means police must show a judge that there is “probable cause” to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for “search incident to arrest.” This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can’t destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you’re in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened “just for fun.” Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a “bright line” rule permitting an arresting officer to search any object in a suspect’s possession, such as a cigarette pack, even if it is unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life.

Google makes health service publicly available (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor in 2008: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they’ll offer health care insurance coverage.]

MIRLN - 16 Sept - 6 Oct 2018 (v21.13)


ANNOUNCEMENT

MIRLN began in 1997 and I’ve published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN’s last. (With curated Twitter/RSS feeds you may not miss it at all.) It’s been fun; thanks for reading!

NEWS

2018 corporate counsel breach statistics - prepare to groan (RideTheLightning, 17 Sept 2018) - Here’s the news in a nutshell: Data breaches of in-house legal departments have doubled in the last year. Assuming that elicited a groan, the source is the 2018 survey by the Association for Corporate Counsel, which reported one-third of in-house counsel offices experienced a data breach in 2017, up from 15 percent in 2016. A related recent ABA Journal article quoted Sterling Miller, general counsel of Marketo Inc., an online marketing technology company: “The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers. Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large.” It doesn’t really matter whether you are in-house or outside counsel - the odds are that you need to up your security game. That ABA article analyzed the ABA TechReport 2017 and found that “only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans.”

Roca Labs’ anti-review clause violates FTC Act-FTC v. Roca Labs (Eric Goldman, 17 Sept 2018) - Good news: a court ruled that Roca Labs’ anti-review clause violates the law. It’s shocking that Roca Labs chose to defend this practice in court, so it’s not surprising that the judge didn’t endorse it. Bad news: the court relied on the “unfairness” prong of the FTC Act, and the FTC’s unfairness authority can be the basis of FTC overreaching. Good news: the Consumer Review Fairness Act will apply to future cases (this case was initiated before the CRFA’s effectiveness), so this topic won’t require the FTC to stretch its unfairness authority in the future. Thus, this case reinforces the prevailing wisdom: anti-review clauses are legally toxic; they don’t belong in any business’ toolkit; and if your contract still contains them, shame on you. * * *

When art created by artificial intelligence sells, who gets paid? (Artsy.net, 17 Sept 2018) - Christie’s will auction off an artificial intelligence (AI) artwork for the first time this October, hard on the heels of a pioneering all-AI art exhibition held at New Delhi gallery Nature Morte. While the market is eager to move the work, the field raises questions about ownership, obsolescence, and the art world jobs that algorithms can’t do. Many makers of AI art use generative adversarial networks (GANs), technology that allows a computer to study a library of images or sounds, make its own content according to what it has learned, test its own success against the original media, and then try again, improving incrementally through trial and error. The artworks resulting from this back-and-forth between two artificial neural networks-which include prints on paper, videos, and multimedia installations-are often disquietingly lifelike, the flora and fauna of the uncanny valley. Munich-based Mario Klingemann, for instance, trained an algorithm on portraits of Old Masters paintings before exposing it to webcam footage of himself. The process results in a video of melting, many-eyed grotesques that are often compared to the works of Francis Bacon. * * * In press materials for “Gradient Descent,” Nature Morte stated that the works are created “entirely by AI in collaboration with artists.” Obvious even signed their work with the mathematical equation for the algorithm they used, rather than the collective’s name. As much as artists and gallerists may enjoy attributing authorship to AI, and emphasize that they cannot anticipate just what an AI algorithm will produce, legally, there is no doubt as to whether it’s the human artist or the AI who owns the finished work. AI is simply a tool artists use, the way a photographer uses a camera or Adobe Photoshop in the creation of their images, says Jessica Fjeld, assistant director of the Cyberlaw Clinic at Harvard Law School. “Humans are deeply involved with every aspect of the creation and training of today’s AI technologies, and this will continue to be true tomorrow and for the foreseeable future,” Fjeld says. “For me, the far more interesting question is who among these people acquire rights in the outputs, not whether the software itself could have any claim of ownership,” she adds.

Congressional Research Service reports now officially publicly available (TechDirt, 18 Sept 2018) - For many, many years we’ve been writing about the ridiculousness of the Congressional Research Service’s reports being kept secret. If you don’t know, CRS is a sort of in-house think tank for Congress, that does careful, thoughtful, non-partisan research on a variety of topics (sometimes tasked by members of Congress, sometimes of its own volition). The reports are usually quite thorough and free of political nonsense. Since the reports are created by the federal government, they are technically in the public domain, but many in Congress (including many who work at CRS itself) have long resisted requests to make those works public. Instead, we were left with relying on members of Congress themselves to occasionally (and selectively) share reports with the public, rather than giving everyone access to the reports. Every year or so, there were efforts made to make all of that research available to the public, and it kept getting rejected. Two years ago, two members of Congress agreed to share all of the reports they had access to with a private site put together by some activists and think tanks, creating EveryCRSReport.com, which was a useful step forward. At the very least, we’ve now had two years to show that, when these reports are made public, the world does not collapse (many people within CRS feared that making the reports public would lead to more political pressure). Earlier this year, in the Consolidated Appropriations Act of 2018, there was a nice little line item to officially make CRS reports publicly available. And, this week, it has come to pass. As announced by Librarian of Congress Carla Hayden, there is now an official site to find CRS reports at crsreports.congress.gov. It appears that the available catalog is still limited, but they’re hoping to expand backwards to add older reports to the system (a few quick test searches only show fairly recent reports). But all new reports will be added to the database.

Philippa Ryan: Developing trust through blockchain (ABA Journal, 19 Sept 2018) - Philippa Ryan thinks a lot about trust. A barrister in Australia, she lectures on the subject, and her PhD thesis focused on the breach of trust and the liability of third parties. So when Ryan heard about trustless relationships enabled by blockchain technology, her interest was piqued. However, when she typed “trustless relationships” into her search engine, she says, “the only thing that came up was an ad for Ashley Madison,” the notorious dating website for married people looking to keep infidelity discreet. She deleted her search history. Today, Ryan, a lecturer at the University of Technology Sydney, can find more suitable material online. In fact, she’s helping fill the gap by writing and speaking around the world on the subject. With knowledge in law and blockchain, she is a leading member of the International Organization for Standardization technical committee on blockchain and distributed ledger technologies. Being a part of Standards Australia and the committee’s secretariat, she says the work intends to produce high-level guidelines for governments and technologists to use when legislating or developing the technology around the globe. “What we will be hoping to support is interoperability” between technical and legal systems, says Ryan, 52, who also leads the smart contracts working group at the ISO alongside a German delegation.

- and -

Walmart is betting on the blockchain to improve food safety (TechCrunch, 24 Sept 2018) - Walmart has been working with IBM on a food safety blockchain solution and today it announced it’s requiring that all suppliers of leafy green vegetables for Sam’s and Walmart upload their data to the blockchain by September 2019. Most supply chains are bogged down in manual processes. This makes it difficult and time consuming to track down an issue should one like the E. coli romaine lettuce problem from last spring rear its head. By placing a supply chain on the blockchain, it makes the process more traceable, transparent and fully digital. Each node on the blockchain could represent an entity that has handled the food on the way to the store, making it much easier and faster to see if one of the affected farms sold infected supply to a particular location with much greater precision. * * *

- and -

Blockchains for Business Process Management (Cebe’s KIT, 1 Oct 2018) - This title is probably a good way to describe most non-cryptocurrency applications of distributed ledgers, and deserves to be adopted. It is the title of a paper (the full title is “Blockchains for Business Process Management—Challenges and Opportunities”), co-authored by a record 32 researchers and published in the February 2018 issue of ACM Transactions on Management Information Systems (TMIS). The authors summarize their conclusions as follows: “The BPM and Information Systems communities have a unique opportunity to help shape this fundamental shift toward a distributed, trustworthy infrastructure to promote interorganizational processes.”

Law firms can learn from other industries’ missteps on cybersecurity awareness and prevention (ABA Journal, 19 Sept 2018; part of the Digital Dangers series) - Equifax. Yahoo. Anthem. Sony. In the past few years, these companies experienced some of the most significant data breaches to date. And all of these companies found themselves subject to intense worldwide media coverage over their failure to secure their information. The industries affected-from health care to entertainment-know all too well that the struggle to secure data in the digital age never ends. While individual businesses within these industries will continue to find themselves vulnerable to breaches, they have an advantage over law firms. They have been fighting this battle for a long time. The legal industry is lagging well behind when it comes to data security, says Rich Santalesa, a member of the boutique cybersecurity firm SmartEdgeLaw Group and of counsel to the New York City-based Bortstein Legal Group. “Law firms as a whole can learn a lot about cybersecurity by looking at other industries,” says Santalesa. “Unfortunately, other industries have had to learn their lessons the hard way-by having breaches that have received media attention.” Santalesa says data security involves three different, simultaneous focuses: “the technology, the people you have, and needs of the industry in which you work.” In addition, data security can’t be a one-size-fits-all situation. The cybersecurity needs of a small law firm will be different than the needs of an international firm, just like the needs of Target are different from the needs of a small retail website. However, all law firms, just like all businesses, must pay close attention to the applicable privacy laws, Santalesa says.

- and -

Cybersecurity: Your ethical obligations outlined by legal tech experts (ABA Journal, 25 Sept 2018) - Data breaches are an everyday event, and legal professionals have a specific obligation to protect themselves and their clients from exposure to these threats. The webinar “Darkest Hour? Shining a Light on Cyber Ethical Obligations” is one in a five-part series sponsored by the ABA Cybersecurity Task Force and supported by “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition.” The first thing lawyers must know is that it’s not usually obvious when a firm has been hacked. “The vast majority of the time, (hackers) are using your stolen credentials, as opposed to breaking through technical walls,” said panelist Arlan McMillan, chief security officer at Kirkland & Ellis in Chicago. “Then they act like you in the firm’s network, accessing all the files you have access to.” Another common threat comes through malware in an email, also known as a phishing attack, where an individual is asked to click on a link or open an attachment that has been weaponized in such a way that the attacker gains access to your computer. Nation-state attackers target private businesses in 21 percent of breaches to steal data to advance their espionage activities or interests. And firm employees often don’t realize they’ve been hacked for weeks or months, and they usually find out after being contacted by the FBI. “This is not an IT issue,” McMillan said. “This is a risk management issue about how you protect your data.” He recommends five steps to improve a firm’s security posture: * * *

- and -

Teaming up on cybersecurity (AttorneyAtWork, 26 Sept 2018) - Cybersecurity, the new “IT” word (see what we did there?) has everyone’s attention, from small firm lawyers to the BigLaw front office. It’s also the focus of the 2018 College of Law Practice Management (COLPM) Futures Conference, “Cybersecurity: This Way There Be Dragons.” The Futures Conference, presented with Suffolk University School of Law, will take place Oct. 25-26 in Boston. While the two-day event is chock-full of useful information, one session in particular caught my attention: “Security as a Team Sport: Collaboration - An Essential Tool and a Security Hole.” It raises an interesting question: Can all the departments that make up a law firm advance its cybersecurity efforts? Not just IT, but management, finance, human resources, marketing, PR?

Interplanetary spacecraft (Patently-O, 23 Sept 2018) - Patent application publication US 2017/0259946 A1 * * * I’m looking forward to reading the first office action in this case - pretty cool approach for thinking through how to use a hollowed-out asteroid for a manned interplanetary spaceship. In his IDS, inventor Wayne White includes a set of interesting references - including a citation to Greg Bear’s 1985 SciFi novel EON that included an alien hollowed-out asteroid.

Do laws requiring people to report crimes violate the First Amendment? (Eugene Volokh, 26 Sept 2018) - Generally speaking, Americans don’t have a legal duty to report crimes they witness or learn about. We must generally testify when subpoenaed, but we need not ourselves alert the authorities. But some states have enacted statutes requiring such reporting (at least as to certain serious crimes); still more require certain job categories (such as teachers, whether in public or private schools) to report certain crimes. Do these laws violate the First Amendment protection against compelled speech? The Supreme Court has generally said that requiring people to say certain things is presumptively unconstitutional; and it has also held, in some contexts, that “compelled statements of ‘fact’” are generally treated the same as “compelled statements of opinion.” But requirements to convey facts to the government— in tax returns, census questionnaires, draft registrations, and a vast range of other contexts, federal and state—are so commonplace that it’s not clear that the Supreme Court means to cast them all in doubt. (Recall that if something is treated as a presumptively unconstitutional speech compulsion, the government may rebut that presumption only by showing that the compulsion is the least burdensome means of serving a compelling government interest; even if there is a compelling interest in collecting federal and state taxes, conducting the census, and so on, courts have never required a showing that the laws are the least burdensome means.) And indeed, when mandatory crime reporting laws have been challenged, state courts have upheld them, generally concluding that compelled reporting of facts to the government doesn’t really trigger the compelled speech doctrine. See State v. Grover (Minn. 1989) (“The statute [which requires reporting of suspected child abuse] does not compel the dissemination of an ‘ideological point of view,’ but only mandates the reporting of information-a requirement not altogether dissimilar from that imposed by the Internal Revenue Code.”); White v. State (Tex. Ct. App. 2001) (taking the same view). But in May of this year, the Second Circuit handed down a decision, Burns v. Martuscello, that suggests the laws are unconstitutional after all. In Burns, prison guards placed Burns in involuntary protective custody because he refused to agree to report on future misbehavior by other prisoners. And this penalty, the court held, violated the First Amendment right not to be compelled to speak, even taking into account prisoners’ sharply reduced First Amendment rights:

SEC charges firm with deficient cybersecurity procedures (SEC, 26 Sept 2018) - The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce. “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
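The order describes the standard help-desk reset play: an outside caller talks support into resetting a contractor’s password, logs in from an address that account never used, and repeats the trick across several accounts over a few days; the failure that cost VFA was not spotting the pattern and not revoking the access once one reset looked wrong. The detector below is an added example, not code from the SEC order, from VFA or from any vendor. The reset tickets, login records, account names, phone numbers and IP addresses in it are constructed for illustration. It correlates the two streams and raises the three signals a responder would want: a burst of resets from one caller, a login shortly after a reset from an IP the account had never used, and one such IP touching several freshly reset accounts.

```python
"""Help-desk password-reset abuse detector.

Added example, not from the SEC order or from VFA. Correlates two
constructed event streams, support-line reset tickets and application
logins, to surface the impersonation pattern the order describes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: every account, phone number and IP here is made up.
RESETS = [  # (when, account, caller phone recorded by the help desk)
    ("2016-04-13 09:02", "contractor.alice", "+1-555-0100"),
    ("2016-04-13 09:40", "contractor.bob",   "+1-555-0100"),
    ("2016-04-14 10:15", "contractor.carol", "+1-555-0100"),
    ("2016-04-15 11:00", "contractor.dave",  "+1-555-0177"),  # a genuine reset
]
LOGINS = [  # (when, account, source IP)
    ("2016-04-01 08:00", "contractor.alice", "198.51.100.10"),  # alice's usual address
    ("2016-04-13 09:20", "contractor.alice", "203.0.113.77"),   # new address right after reset
    ("2016-04-13 10:05", "contractor.bob",   "203.0.113.77"),   # same address, different account
    ("2016-04-14 10:30", "contractor.carol", "203.0.113.77"),
    ("2016-04-10 07:55", "contractor.dave",  "198.51.100.44"),  # dave's usual address
    ("2016-04-15 11:20", "contractor.dave",  "198.51.100.44"),  # known address: benign
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def reset_bursts(resets, window=timedelta(hours=48), min_accounts=2):
    """Callers who obtained resets on >= min_accounts distinct accounts
    within any span of `window`. Returns {caller: set_of_accounts}."""
    by_caller = defaultdict(list)
    for when, account, caller in resets:
        by_caller[caller].append((_ts(when), account))
    hits = {}
    for caller, events in by_caller.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {acct for t, acct in events[i:] if t - start <= window}
            if len(in_window) >= min_accounts:
                hits.setdefault(caller, set()).update(in_window)
    return hits


def post_reset_logins_from_new_ip(resets, logins, window=timedelta(hours=24)):
    """Logins within `window` after an account's reset from an IP that
    account never used before the reset. Returns [(account, ip, when)]."""
    parsed = [(_ts(when), acct, ip) for when, acct, ip in logins]
    flagged = []
    for when, account, _caller in resets:
        reset_at = _ts(when)
        known_ips = {ip for t, a, ip in parsed if a == account and t < reset_at}
        for t, a, ip in parsed:
            if a == account and reset_at <= t <= reset_at + window and ip not in known_ips:
                flagged.append((account, ip, t.strftime("%Y-%m-%d %H:%M")))
    return flagged


def ips_shared_across_accounts(flagged):
    """One source address appearing on several freshly reset accounts is the
    strongest sign of a single impersonating actor. Returns {ip: accounts}."""
    by_ip = defaultdict(set)
    for account, ip, _when in flagged:
        by_ip[ip].add(account)
    return {ip: accts for ip, accts in by_ip.items() if len(accts) > 1}


if __name__ == "__main__":
    print("reset bursts:", reset_bursts(RESETS))
    flags = post_reset_logins_from_new_ip(RESETS, LOGINS)
    print("post-reset logins from unfamiliar IPs:", flags)
    print("IPs spanning several reset accounts:", ips_shared_across_accounts(flags))
```

In production the caller identity comes from the ticketing system and the per-account IP baseline from weeks of history rather than one record, and the same logic applies unchanged to contractor-facing systems, which is where VFA’s procedures did not reach. The third check is the response trigger the order says was missing: once one reset looks fraudulent, every account reached from the same source needs its sessions and new credentials revoked, not only the account that was reported.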

Judging judges - how Gavelytics’ judicial analytics are reshaping litigation (Robert Ambrogi, 28 Sept 2018) - What if a lawyer could know how a judge is likely to rule in a case or how heavy a judge’s workload is? Rick Merrill was a litigator at a large law firm who became frustrated over his inability to get meaningful information about the judges before whom he appeared. So last year, he launched Gavelytics, a California company that uses analytics and artificial intelligence to analyze docket data and provide lawyers with a range of insights about judges’ propensities, workloads and leanings. In this episode of LawNext, I visited Gavelytics’ office in Santa Monica, where I sat down with Merrill, now the company’s CEO, and Justin Brownstone, VP of sales and litigation counsel, to talk about the product one year after its launch, how lawyers use analytics for strategic and competitive purposes, and how analytics and AI are being used more broadly in law. * * *

New Zealand travellers refusing digital search now face $5000 Customs fine (RNZ, 1 Oct 2018) - Travellers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine. The Customs and Excise Act 2018 - which comes into effect today - sets guidelines around how Customs can carry out “digital strip-searches”. Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travellers must provide access - whether that be a password, pin-code or fingerprint - but officials would need to have a reasonable suspicion of wrongdoing. “It is a file-by-file [search] on your phone. We’re not going into ‘the cloud’. We’ll examine your phone while it’s on flight mode,” Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched.

- and -

More on the Five Eyes statement on encryption and backdoors (Bruce Schneier, 1 Oct 2018) - Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. Susan Landau examines the details of the statement, explains what’s going on, and why the statement is a lot less than what it might seem.

RESOURCES

ICYMI: The Cyber Threat to UK Legal Sector (Nat’l Cyber Security Centre, 19 July 2018) - In common with many other industries, the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The financial and reputational impact of cyber attacks on law firms is also significant. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust. The SRA reports that over £11 million of client money was stolen due to cyber crime in 2016-17. There are several factors that make law firms an attractive target for cyber attack - they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions. The risk may be greater for law firms that advise particularly sensitive clients or work in locations that are hostile to the UK. For example, firms acting for organisations that engage in work of a controversial nature such as Life Sciences or the energy sector may also be targeted by groups with a political or ideological agenda. The move to offer legal services digitally will not only provide new opportunities but also further avenues for malicious cyber exploitation. The primary threat to the UK legal sector stems from cyber criminals with a financial motive. However, nation states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage. There has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends. The most significant cyber threats that law firms should be aware of are: * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Oregon: Publishing our laws online is a copyright violation (Ars Technica, 16 April 2008) - The State of Oregon takes exception to Web sites that republish the state’s Revised Statutes in full, claiming that the statutes contain copyrighted information and that republication causes the state to lose money it needs to continue putting out the official version of the statutes. Oregon’s Legislative Counsel, Dexter Johnson, has therefore requested that legal information site Justia remove the information or (preferably) take out a paid license from the state. All citizens are legally presumed to know the law, so claiming copyright over it might seem like an odd position for a state to take; wouldn’t massive copying be a goal rather than a problem? But in his letter to Justia, Johnson makes a more nuanced case. While the text of the law is not copyrighted, the “arrangement and subject-matter compilation of Oregon statutory law, the prefatory and explanatory notes, the leadlines and numbering for each statutory section, the tables, index and annotations and other such incidents” are under copyright. A quick visit to the Legislative Counsel’s web site shows that Johnson is serious about two things: order forms and copyright. The only items in red on the entire page are a copyright notice that includes “Oregon Laws, the Oregon Revised Statutes, and all specialty publications” and a set of links to order forms for such scintillating works as Landlord and Tenant Laws of Oregon 2008. The state also makes the complete text of its laws available online, and it welcomes sites like Justia to link these up. Republishing them, though, is strongly frowned upon, and Johnson indicates his hope that “it will not be necessary to litigate this matter” (translation: “we are willing to litigate this matter”).

French court eviscerates website immunity for user-generated content (Steptoe & Johnson’s E-Commerce Law Week, 24 April 2008) - In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties. But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law. Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of “communications services” cannot be held liable for “information stored at the request of a recipient of those services” if the provider “did not have actual knowledge of [the] illegal nature” of the information, or if the provider “acted expeditiously to remove the data or make access impossible” after learning of its illegality. But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the “organization and presentation” of the link and associated headline. This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content. If this trend continues, websites and Internet providers will be looking at major legal problems in Europe.

MIRLN—- 26 Aug - 15 Sept 2018 (v21.12)—- by Vince Polley and KnowConnect PLLC

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Intel rips up microcode security fix license that banned benchmarking (The Register, 23 Aug 2018) - Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors - after the previous wording outlawed public benchmarking of the chips. The software, released this month, counters the Foreshadow aka L1TF Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic. Following The Register’s report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens. Intel’s gagging order came in the form of this license clause: “You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results.” That made it impossible for free-software bastion Debian to push Intel’s microcode to its users as a security update. The reason for Intel’s insistence on a vow of silence is that - even with the new microcode in place - turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow - and that move comes with a potential performance hit. Red Hat, which evidently didn’t get the memo to shut up about benchmarks, earlier this month noted: “The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range.” Predictably, Intel’s contractual omertà had the opposite effect and drew attention to the problem. “Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks,” said Lucas Holt, MidnightBSD project lead, via Twitter. top
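Red Hat’s numbers describe the SMT-off configuration, so the operational question on a virtualization host is whether it is actually in that state: microcode alone only adds the L1D flush, and a guest on the sibling hyper-thread can still read the host’s L1 cache. The script below is an added example, not code from Intel, Red Hat, Debian or The Register. It interprets the L1TF status line the Linux kernel exposes in sysfs (`Not affected`, `Vulnerable`, `Mitigation: PTE Inversion`, and on KVM hosts `Mitigation: PTE Inversion; VMX: <L1D state>, SMT <vulnerable|disabled>`) and reports whether a host that runs untrusted guests still needs SMT turned off. The sample status strings are constructed; the `hosts_vms` flag is an assumption the operator supplies, since sysfs does not know whether guests are trusted.

```python
"""L1TF (Foreshadow) host posture check.

Added example: reads the kernel's L1TF status from sysfs when available and
interprets it. Not code from Intel, Red Hat or any distribution.
"""
from pathlib import Path
from typing import Optional

L1TF_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")
SMT_SYSFS = Path("/sys/devices/system/cpu/smt/control")  # "on", "off", "forceoff", ...


def assess_l1tf(status: str, hosts_vms: bool) -> dict:
    """Interpret one L1TF status line.

    Kernel formats (Documentation/admin-guide/hw-vuln/l1tf.rst):
      "Not affected"
      "Vulnerable"
      "Mitigation: PTE Inversion"                                      (no KVM loaded)
      "Mitigation: PTE Inversion; VMX: <L1D state>, SMT <vulnerable|disabled>"
    `hosts_vms` is the operator's assumption that untrusted guests run here.
    """
    s = status.strip()
    out = {"host_mitigated": False, "vmx_state": None, "smt_vulnerable": None, "verdict": ""}

    if s == "Not affected":
        out["host_mitigated"] = True
        out["verdict"] = "ok: CPU not affected by L1TF"
        return out
    if not s.startswith("Mitigation: PTE Inversion"):
        out["verdict"] = "action: PTE inversion not active; update the kernel"
        return out
    out["host_mitigated"] = True

    if "VMX:" in s:
        vmx_part = s.split("VMX:", 1)[1].strip()
        if "," in vmx_part:
            l1d_state, smt_part = (p.strip() for p in vmx_part.rsplit(",", 1))
        else:
            l1d_state, smt_part = vmx_part, ""
        out["vmx_state"] = l1d_state
        out["smt_vulnerable"] = smt_part == "SMT vulnerable"

    if not hosts_vms:
        out["verdict"] = "ok: host PTE inversion active; no guest isolation required"
    elif out["smt_vulnerable"] is None:
        out["verdict"] = "unknown: no VMX status reported; load kvm and re-check"
    elif out["smt_vulnerable"]:
        out["verdict"] = "action: SMT enabled; a sibling-thread guest can read host L1D; disable SMT"
    elif out["vmx_state"] == "vulnerable":
        out["verdict"] = "action: L1D flush not active; update microcode and kernel"
    else:
        out["verdict"] = "ok: SMT disabled and L1D flush active"
    return out


def read_status(path: Path = L1TF_SYSFS) -> Optional[str]:
    """Return the sysfs status line, or None on non-Linux or pre-mitigation kernels."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    live = read_status()
    smt = read_status(SMT_SYSFS)
    print("l1tf:", live or "(sysfs entry not present)")
    print("smt control:", smt or "(sysfs entry not present)")
    if live:
        print(assess_l1tf(live, hosts_vms=True)["verdict"])
```

Run it as a script on a KVM host to see the live line. The remediation the article refers to is `echo off > /sys/devices/system/cpu/smt/control` at runtime or `nosmt` (or `l1tf=full,force`) on the kernel command line, and that is exactly the step whose cost Red Hat measured; the `smt/control` value tells you afterwards whether the change stuck across reboot.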

Patent office shows new respect for software (Patently-O, 27 Aug 2018) - Software patents and applications are making a quiet comeback under Director Andrei Iancu’s leadership of the U.S. Patent and Trademark Office. This is a welcome shift, since thousands of applications have been held captive in the Office in the wake of Supreme Court decisions culminating in Alice v. CLS Bank, 134 S.Ct. 2347 (2014). In the hands of reductionists, the Alice formula for rejection/invalidation was easy to apply. Every invention can be reduced to an abstract idea. Whatever is left can be explained away as “routine” or “conventional.” In the last four years, many software patent applications suffered repeated rejection and the ignoble death of abandonment for lack of will or lack of funds. Even when granted, many software patents were mowed down in inter partes review (IPR) in the Patent Trial and Appeal Board (PTAB). The Federal Circuit’s February 2018 decision in Berkheimer, 881 F.3d 1360 (citing Alice and other authority), paved the way for recent progress, holding that when there are genuine issues of material fact concerning alleged routineness or conventionality, evidence of the same must be presented before patent claims properly can be invalidated on such grounds. * * * top

Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers (TechCrunch, 28 Aug 2018) - Microsoft today announced a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company’s machine learning smarts to its file storage services. The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it’s virtually impossible to find any information in these files without spending a lot of time. And once you’ve found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you’re watching the video. The service can handle over 320 file types, so chances are it’ll work with your files, too. top

Open internet saves accused copyright infringer from liability (Patently-O, 29 Aug 2018) - Cobbler Nevada, LLC v. Gonzales (9th Cir. 2018) This copyright lawsuit involves the cute Adam Sandler movie titled The Cobbler. In the movie, Sandler’s character free-rides off of the experiences of others by using a magical shoe-cobbling machine. The movie copyright holders did not reciprocate that freedom when American Pirates began downloading and distributing the movie through BitTorrent. Cobbler-Nevada was able to trace the Internet Protocol (IP) address associated with the infringing activity and then filed suit in a John Doe lawsuit. Comcast responded to a subpoena in the case with information that the IP address was assigned to its customer Thomas Gonzales. The Copyright holder then amended its complaint to name Gonzales - accusing him of copyright infringement as well as contributory copyright infringement (for failing to secure his internet connection). Note here that Gonzales operates an adult care home and that the internet service was open to residents and visitors. The appeal here focuses on the pleadings and whether the complaint states a claim. In Iqbal, the Supreme Court explained that a complaint must be plausible - allegation of plausible facts that create a plausible “entitlement to relief.” Reviewing the allegations here, the 9th Circuit found that the facts alleged against Gonzales here are “not enough to raise a right to relief above a speculative level.” (quoting Twombly): * * * top

Bitcoin and other cryptocurrencies are useless (The Economist, 30 Aug 2018) - An old saying holds that markets are ruled by either greed or fear. Greed once governed cryptocurrencies. The price of Bitcoin, the best-known, rose from about $900 in December 2016 to $19,000 a year later. Recently, fear has been in charge. Bitcoin’s price has fallen back to around $7,000; the prices of other cryptocurrencies, which followed it on the way up, have collapsed, too. No one knows where prices will go from here. Calling the bottom in a speculative mania is as foolish as calling the top. It is particularly hard with cryptocurrencies because, as our Technology Quarterly this week points out, there is no sensible way to reach any particular valuation. It was not supposed to be this way. Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks. A decade on, it is barely used for its intended purpose. Users must wrestle with complicated software and give up all the consumer protections they are used to. Few vendors accept it. Security is poor. Other cryptocurrencies are used even less. With few uses to anchor their value, and little in the way of regulation, cryptocurrencies have instead become a focus for speculation. Some people have made fortunes as cryptocurrency prices have zoomed and dived; many early punters have cashed out. Others have lost money. It seems unlikely that this latest boom-bust cycle will be the last. Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino. top

- and -

Marshall Islands warned against adopting digital currency (BBC, 11 Sept 2018) - The Republic of the Marshall Islands has been warned against adopting a digital currency as a second form of legal tender. The International Monetary Fund (IMF) said the country, which consists of hundreds of islands in the Pacific Ocean, should “seriously reconsider”. Currently, only the US dollar counts as legal tender in the islands. A law to adopt a digital currency named “Sovereign” alongside the dollar was passed in February. The first virtual coins are due to be issued to members of the public via an initial coin offering (ICO) later this year. However, IMF directors said the potential benefits of the move were much smaller than the potential costs of “economic, reputational and governance risks”. “[Marshall Island] authorities should seriously reconsider the issuance of the digital currency as legal tender,” wrote the directors in their report, which was first spotted by cryptocurrency news site Coindesk. There is just one domestic commercial bank in the country and it is at risk of losing its only correspondent banking relationship with another bank in the US. top

- and -

FINRA takes down an unregistered cryptocurrency security (TechCrunch, 12 Sept 2018) - FINRA, the non-profit organization that tasks itself with policing the securities industry, is charging Timothy Tilton Ayre of Agawam, Mass. with fraud and unlawful distribution of unregistered cryptocurrency securities. Ayre claimed that users could buy equity in his company, Rocky Mountain Ayre, Inc., by purchasing HempCoin, a cryptocurrency. From the release: In the complaint, FINRA alleges that, from January 2013 through October 2016, Ayre attempted to lure public investment in his worthless public company, Rocky Mountain Ayre, Inc. (RMTN) by issuing and selling HempCoin - which he publicized as “the first minable coin backed by marketable securities” - and by making fraudulent, positive statements about RMTN’s business and finances. RMTN was quoted on the Pink Market of OTC Markets Group and traded over the counter. According to the complaint, FINRA also alleges that in June 2015, Ayre bought the rights to HempCoin and repackaged it as a security backed by RMTN common stock. Ayre marketed HempCoin as “the world’s first currency to represent equity ownership” in a publicly traded company and promised investors that each coin was equivalent to 0.10 shares of RMTN common stock. Investors mined more than 81 million HempCoin securities through late 2017 and bought and sold the security on two cryptocurrency exchanges. FINRA charges Ayre with the unlawful distribution of an unregistered security because he never registered HempCoin and no exemption to registration applied. Because FINRA is not a government body its charges are rarely very onerous but, in the case of brokerage fraud, Ayre could face further scrutiny if he tries to sell securities in the future. The company, Rocky Mountain Ayre, seems to be associated with a restaurant and medical marijuana sales operation, although it is unclear what the company actually does. top

FBI fights viral influence campaigns with informational videos (Nextgov, 31 Aug 2018) - With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers. The Protected Voices initiative covers a wide range of cybersecurity topics-including software patching, secure communications, password protection and browser safety-that can help campaigns fend off the most common attacks. “Foreign influence operations … are not a new problem,” officials said on the site, “but the interconnectedness of the modern world, combined with the anonymity of the Internet, have changed the nature of the threat and how the FBI and its partners must address it.” In the videos, FBI personnel explain how foreign actors use phishing emails, public Wi-Fi and insecure routers to infiltrate and disrupt campaigns, and how virtual private networks, cloud services and cyber hygiene principles could mitigate those threats. They stress that anyone who goes online regularly could benefit from such cyber best practices, not just political campaigns. [Polley: these 5-minute videos are very good, and usable by everybody, not just election campaigns.] top

Court shuts down feds’ attempt to expand the ‘border search’ exception to cover inland GPS monitoring (TechDirt, 6 Sept 2018) - Cyrus Farivar of Ars Technica has put together a hell of a read from a suppression order obtained by defendants in a drug case. It involves a truckload of cheese danishes, cocaine trafficking, and the US government’s attempt to apply the “border exception” everywhere in the United States. At the heart of it is a GPS tracking device. The government installed it on a truck driven by suspected drug smugglers when it crossed the Canadian border into the US. It then used that device to track the truck as it traveled down to California. The resulting bust only uncovered some bags of sugar, but a previous stop of the same truck had turned up 194 kilos of cocaine. The defendants in the case have had the evidence suppressed. The ruling [PDF] was handed down late last month. It points to the Supreme Court’s 2012 Jones decision, which held that placing GPS devices on vehicles was a search under the Fourth Amendment. Warrants are needed to place the devices. Long-term tracking is also out of the question if warrants aren’t obtained. The government argued it didn’t need a warrant because it placed the device on the truck at the Canadian border. This would be the “border exception” to the Fourth Amendment—one carved out by the courts which allows all kinds of warrantless searches to be performed in the name of border security. But the judge doesn’t buy this attempt to salvage ill-gotten evidence. The government cites a number of cases involving searches of vehicles performed at the border—some more invasive than others—where warrants weren’t needed. The court finds these citations unavailing because they don’t actually address what happened here: the placement of a GPS device at the border which was subsequently used to track a vehicle as it traveled far beyond the Canadian border. top

Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones (TechCrunch, 10 Sept 2018) - New York prosecutors have extradited a Russian hacker accused of breaking into one of the world’s largest banking institutions. Moscow resident Andrei Tiurin, 35, was charged Friday, after he was extradited from neighboring Georgia, with the theft of over 80 million records from the bank in 2014. The alleged hacker is said to have been under the direction of Gery Shalon, who was separately indicted a year later following the breach. Tiurin was also charged with wire and securities fraud, and aggravated identity theft, bringing the maximum possible prison time to over 80 years. Although the indictment did not name the New York-based financial news agency, The Wall Street Journal previously reported the victim as its parent company Dow Jones, following the first round of charges in 2015. Tiurin was also accused of trying to artificially inflate the “price of certain stocks publicly traded in the United States,” and obtained “hundreds of millions of dollars in illicit proceeds” from various hacking campaigns. top

Vizio, sued for making creepy smart TVs, will notify customers via the TVs (ArsTechnica, 10 Sept 2018) - In what is likely a first in the industry, Vizio is on the verge of agreeing to display a class-action lawsuit message through its previously sold “Smart TV” televisions as part of a legal settlement. This message is meant to alert customers who bought the TV that they will be party to the forthcoming settlement and likely will get a small amount of money. As Ars has reported previously, the manufacturer has been under scrutiny since a revelation that it was snooping on its customers. The tracking started in February 2014 on both new TVs and previously sold devices that didn’t originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information (including age, sex, income, marital status, household size, education level, home ownership, and home values) to be associated. In a court filing submitted last Wednesday, lawyers for both sides asked the judge to push back approval of the preliminary settlement to October 3. “The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended,” they wrote. “The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards.” top

In a few days, credit freezes will be fee-free (Krebs on Security, 11 Sept 2018) - Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you’ve been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it’s just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind. * * * top

UK’s mass surveillance regime violated human rights law, finds ECHR (TechCrunch, 13 Sept 2018) - In another blow to the UK government’s record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies’ bulk collection and data sharing practices were heard by the court in November last year. In today’s ruling the ECHR has ruled that only some aspects of the UK’s surveillance regime violate human rights law. So it’s not all bad news for the government - which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by an NSA whistleblower back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it - reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka ‘mass surveillance’); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers. * * * top

Security risks of government hacking (Bruce Schneier, 13 Sept 2018) - Some of us—myself included—have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure; Cultivation of a market for surveillance tools; Attackers co-opt hacking tools over which governments have lost control; Attackers learn of vulnerabilities through government use of malware; Government incentives to push for less-secure software and standards; and Government malware affects innocent users. These risks are real, but I think they’re much less than mandating backdoors for everyone. From the report’s conclusion: Government hacking is often lauded as a solution to the “going dark” problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched. The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that’s a big ask, but the alternatives are worse. This is the canonical lawful hacking paper [from 2014]. top

How the Times verifies eyewitness videos (Sept 14, 2018) - Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria. The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools. * * * top

RESOURCES

New draft article: “Compelled Decryption and the Privilege Against Self-Incrimination” (Volokh Conspiracy, Orin Kerr, 12 Sept 2018) - I recently posted to SSRN a new draft article, “Compelled Decryption and the Privilege Against Self-Incrimination,” forthcoming in the Texas Law Review. Here’s the abstract: This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock. As regular readers may note, I’ve blogged about these issues before. The new draft builds on the themes of my blog posts, elaborating on the argument and offering my responses to several counterarguments. Comments are very welcome, especially critical ones (and especially from techies). top

Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents (David Hricik in TAMU’s Journal of Property Law, 2018) - Skynet is not and may never be self-aware, but machines are already doing legal research, drafting legal documents, negotiating disputes such as traffic tickets and divorce schedules, and even drafting patent applications. Machines learn from us, and each other, to augment the ability of lawyers to represent clients - and even to replace lawyers completely. While it also threatens lawyers’ jobs, the exponential increase in the capacity of machines to transmit, store, and process data presents the opportunity for lawyers to use these services to provide better, cheaper, or faster legal representation to clients. By way of familiar example, instead of determining whether a precedential opinion remains “good law” by manually going through multiple books - “Shepardizing a case” as an older lawyer would put it - lawyers can use on-line legal services to instantly learn, not just whether an earlier decision has been limited or overruled, but the depth of analysis given to the issue by a later court opinion. Because technology may be able to do some tasks better, or at a lower cost, or both, lawyers should use technology when it will, considering the risks, benefit clients. That obligation requires lawyers to “keep abreast of changes in . . . practice, including the benefits and risk associated with relevant technology . . . .” Assessing the benefits and risks of a particular technology obviously requires due diligence into the practical and legal risks of the technology, and comparing that to the benefits it brings to a representation. That assessment requires applying existing ethical rules in a process that can best be analyzed as comprising two stages. The first step requires determining whether the technology does what it is supposed to do in a reasonably competent manner. For example, just as a lawyer could not use a paralegal to use a form to create the first draft of a contract for a client if the paralegal’s work was known to be unreliable or unreasonably expensive, a lawyer cannot use an automated contract drafting service with the same shortcomings. The first step, in other words, requires reasonable efforts by the lawyer to determine the competency of the service. If the service does not provide competent assistance, the lawyer obviously cannot use it. The second step requires determining whether a competent service can be used while complying with the ethical obligations of the lawyer, beyond competency. Just as a lawyer must ensure that non-lawyer employees and agents maintain the confidentiality of client information consistent with the lawyer’s ethical obligations, he must do so with all services provided by third parties, including automated services. Likewise, lawyers must ensure that non-lawyer assistants - even those who are independent contractors hired for a particular matter, and not firm employees - do not have conflicts of interest or violations of other ethical rules. This article focuses on the second step in the due diligence process. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Steal this Wi-Fi (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet. To me, it’s basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it’s both wrong and dangerous. top

FTC adopts final Can-Spam rules (Steptoe & Johnson’s E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of “sender” to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the “from” line of the commercial email, then this person will generally be considered the “sole sender” of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008. top

MIRLN — 29 July - 25 August 2018 (v21.11) — by Vince Polley and KnowConnect PLLC

South Carolina requires insurers to have plans safeguarding customer data (ABA Journal, 6 July 2018) - Less than a year from now, insurers doing business in South Carolina will be required to have a “comprehensive information security program” that protects consumer data. As of Jan. 1, 2019, insurers licensed in the state will be required to create and maintain data security standards based on an ongoing risk assessment, oversee third-party service providers, investigate breaches and notify regulators within 72 hours of a cyber event that affects more than 250 state residents. “It provides some consumer protection to further help safeguard that extremely important and private information,” said South Carolina Department of Insurance director Ray Farmer after the passage of the Insurance Data Security Act in May, according to the South Carolina Radio Network. “It requires insurance companies to beef up their data security.” * * * The law was based on model legislation created by the National Association of Insurance Commissioners, a standards-setting body. The committee that drafted the legislation was chaired by Farmer. Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP, told Bloomberg BNA that insurers like the NAIC model because it will “ward off” a patchwork of different state-level laws. She said that Rhode Island is also considering a version of the legislation. In South Carolina, the law, including its notification requirement, goes into effect Jan. 1, 2019, and insurers will be required to provide written security plans to state regulators starting July 1, 2019. top

- and -

Cyber experts: Attacks inevitable, preparation for law firms essential (ABA Journal, 4 Aug 2018) - After the 9/11 attack on the United States, a national commission that analyzed the tragedy found that the country’s national security apparatus failed in two major regards: it showed a lack of imagination for the unthinkable and no unity in communication and cooperation to face the developing terrorist threat. Fast forward 17 years. A panel at the American Bar Association Annual Meeting in Chicago raised concerns Saturday that U.S. businesses—and law firms particularly—might be going down a similar pre-9/11 path by failing to comprehend the full threat, vulnerabilities and consequences of cyberattacks from around the globe. The program, Cybersecurity Wake Up Call: The Business You Save May Be Your Own, included two key players in the cybersecurity space during the Obama administration - Rajesh De, former general counsel of the National Security Agency, and Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate in the Department of Homeland Security. Also participating were lawyers Thomas Smedinghoff and moderator Ruth Hill Bro, both members of the ABA Cybersecurity Legal Task Force, which sponsored the 90-minute program. The consensus of the panel was that cyberattacks are inevitable, and that preparation for law firms was necessary not only to avoid the hardware issues but also post-attack consequences. A post-attack communications plan was essential, the panelists said. So is thorough due diligence and planning with vendors and others in the supply chain to avoid legal consequences after a breach. The panelists also explored legal issues related to payments and other issues dealing with “ransomware,” the concept of criminals shaking down businesses and others for money and bitcoins through cyber breaches. De noted this is a corporate governance issue, and that there should be a plan when an incident occurs on notifying authorities, deciding whether a payment should be made and how to communicate the situation to stakeholders, including governing boards. “It is always the disclosure issues that tend to trip people up,” said De, a partner at Mayer Brown in Washington, D.C. Bro, who co-chairs the task force which recently published a book, “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals,” reminded the audience that cybersecurity “is a process not a product” requiring persistent vigilance and constant review. She touted the motto of the Boy Scouts: “Be prepared.” top

- and -

Ohio enacts law giving affirmative defense to businesses which beef up cybersecurity (Ride The Lightning, 8 Aug 2018) - Columbus Business First reported on August 3rd that Ohio Governor John Kasich had signed into law a bill that aims to prod businesses to beef up security by giving companies something of a “safe harbor” if they voluntarily invest in better cybersecurity to protect customer information. The Ohio Data Protection Act provides an affirmative legal defense for companies that suffer a data breach who are then sued for not implementing reasonable security protocols. Eligible organizations may rely on conformity to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. To qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security and the resources available to the organization. This is a good recognition that one size does not fit all, but makes conforming to the safe harbor more difficult to establish. * * * top

- and -

NIST Small Business Cybersecurity Act becomes law (Security Week, 16 Aug 2018) - Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980. Use of these resources by small businesses is voluntary. * * * Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” adds Dr. Bret Fund, founder and CEO at SecureSet. The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. * * * Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. “In fact,” suggests Anupam Sahai, Vice President of Product Management at Cavirin, “recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures.” top

5 lessons learned on data breach management after 2 months of GDPR: Friday is calling (Mayer Brown, 25 July 2018) - The GDPR mandates controllers and processors to have technical and organizational measures in place to ensure an appropriate level of security for personal data. They should have the ability to detect, address and report data breaches in a timely manner. Many internal procedures were drafted in anticipation of the entry into force of the GDPR. Now, two months after GDPR Day, here are five lessons learned from data breach management, as, yes, numerous personal data breaches have occurred since then, of which authorities were notified, in pretty significant numbers and in a variety of sectors. * * * [Polley: Interesting; also notable for quickly conveying some useful lessons. More to come, I’m sure.] top

Welcome to the Quiet Skies (Boston Globe, 28 July 2018) - Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency. The previously undisclosed program, called “Quiet Skies,” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” according to a Transportation Security Administration bulletin in March. But some air marshals, in interviews and internal communications shared with the Globe, say the program has them tasked with shadowing travelers who appear to pose no real threat - a businesswoman who happened to have traveled through a Mideast hot spot, in one case; a Southwest Airlines flight attendant, in another; a fellow federal law enforcement officer, in a third. It is a time-consuming and costly assignment, they say, which saps their ability to do more vital law enforcement work. Already under Quiet Skies, thousands of unsuspecting Americans have been subjected to targeted airport and inflight surveillance, carried out by small teams of armed, undercover air marshals, government documents show. The teams document whether passengers fidget, use a computer, have a “jump” in their Adam’s apple or a “cold penetrating stare,” among other behaviors, according to the records. Air marshals note these observations - minute-by-minute - in two separate reports and send this information back to the TSA. All US citizens who enter the country are automatically screened for inclusion in Quiet Skies - their travel patterns and affiliations are checked and their names run against a terrorist watch list and other databases, according to agency documents. top

Fending off cyberattacks in international arbitration (NY Law Journal, 3 Aug 2018) - In the context of ever-escalating data breaches, international arbitration is not immune to cyberattacks. One widely reported cyberattack targeted the Permanent Court of Arbitration in The Hague (PCA) in July 2015, while the court was administering a hearing between the Philippines and China over disputed territorial waters in the South China Sea. During that arbitration, malicious software originating in China targeted the PCA’s website, the Philippines Department of Justice, the law firm representing the Philippines in the arbitration, and anyone visiting a specific page of the PCA devoted to the dispute, allowing the hackers to access classified information. A similar cyberintrusion occurred in 2008 in the case of Libananco Holdings Co. v. Rep. of Turkey (ICSID Case No ARB/06/9), where, in the course of a separate court-ordered money laundering investigation, the Turkish government intercepted privileged communications and materials that had been exchanged between Libananco and its counsel in connection with the arbitration. It is therefore of no surprise that international arbitration may become a prime target for cybercriminals. This is for various reasons. First, as a neutral forum for the resolution of complex international disputes, international arbitration often involves parties that are themselves prominent targets of cyberattacks such as multinational corporations, governments, state entities, and public figures. Second, in these types of disputes, digital discovery is the norm and inevitably involves the exchange of highly sensitive information such as trade secrets, business plans, and case strategy, which have the potential of influencing politics and moving financial markets. Third, the risk of exposure to cyberattacks is relatively high because of the way international arbitration is conducted. The information collected is typically organized in easily searchable data sets, such as pleadings, witness statements, expert reports, transcripts of hearings, and arbitral deliberation materials, including draft and final awards. Each fixed or portable device (computers, laptops, smartphones, tablets), cloud-based storage (file-sharing platforms, virtual data rooms), and courtroom technology (real-time translations, live e-transcripts, telepresence technologies) is a digital portal allowing for unauthorized access to arbitration-related materials. The fact that the information is hosted and exchanged by a variety of digitally interdependent players such as in-house and outside counsel, government officers and agencies, arbitral institutions and tribunals, experts and witnesses, and other custodians of large electronic information repositories only increases the likelihood that a data breach of one participant will impact all participants. The data custodians involved in the process also tend to sit in different jurisdictions and communicate through various means, including unencrypted email. Therefore, large amounts of information travel around the world in an unsecured way. Even larger amounts of information may be compromised if U.S.-style discovery takes place. top

Videorecording public servants in public (Volokh Conspiracy, 4 Aug 2018) - I think the federal circuit court decisions recognizing a right to videorecord in public places—decisions that have so far dealt with recording police officers—are correct: A right to speak must include some right to gather the information needed to speak (what is often labeled the “right to gather news”), and recording what government officials do in public places is important to be able to speak credibly about it. * * * But courts haven’t figured out how far this extends, especially when we get beyond recording the police. Here is an interesting 2017 opinion (People v. Rivas) from the New York intermediate appellate court; Rivas was convicted of fourth-degree stalking, which punishes anyone who “intentionally, and for no legitimate purpose, engages in a course of conduct directed at a specific person, and knows or reasonably should know that such conduct ... is likely to cause reasonable fear of material harm to the physical health, safety or property of such person,” and of first-degree harassment, which punishes anyone who “intentionally and repeatedly harasses another person by following such person in or about a public place or places or by engaging in a course of conduct or by repeatedly committing acts which places such person in reasonable fear of physical injury.” * * * top

Legal protection for ethical hackers (Ride The Lightning, 6 Aug 2018) - The Washington Post (sub. req.) reported on August 3rd about a new project called Disclose.io which is dedicated to providing legal protection to ethical hackers. The site itself says disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. The project originated with the cybersecurity firm Bugcrowd and a University of California researcher. It aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization’s networks or software. The project offers companies, academic institutions or even government agencies a standard legal agreement they can post that fundamentally says that it’s okay to hack us if you do it in good faith. It tells ethical hackers that they won’t get sued or face criminal charges if they find a flaw on an organization’s systems and report it responsibly. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don’t contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities - sometimes to prevent an embarrassing flaw from being disclosed publicly. In one example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state’s election website. And boy oh boy, was that something that needed to be disclosed! Understandably, researchers are sometimes reluctant to report potentially serious security flaws because they fear the repercussions. Disclose.io offers a template with boilerplate language that spells out in plain terms what security researchers can and can’t do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced - anyone is free to use it or modify it. top

The Defense Department has produced the first tools for catching deepfakes (Technology Review, 7 Aug 2018) - The first forensics tools for catching revenge porn and fake news created with AI have been developed through a program run by the US Defense Department. Forensics experts have rushed to find ways of detecting videos synthesized and manipulated using machine learning because the technology makes it far easier to create convincing fake videos that could be used to sow disinformation or harass people. Video trickery involves using a machine-learning technique known as generative modeling, which lets a computer learn from real data before producing fake examples that are statistically similar. A recent twist on this involves having two neural networks, known as generative adversarial networks, work together to produce ever more convincing fakes. The tools for catching deepfakes were developed through a program run by the US Defense Advanced Research Projects Agency (DARPA) called Media Forensics. The program was created to automate existing forensics tools, but has recently turned its attention to AI-made forgery. “We’ve discovered subtle cues in current GAN-manipulated images and videos that allow us to detect the presence of alterations,” says Matthew Turek, who runs the Media Forensics program. top

SpiderOak’s Warrant Canary died (Bruce Schneier, 8 Aug 2018) - “I have never quite trusted the idea of a warrant canary. But here it seems to have worked. (Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear is what we would expect if SpiderOak were being forced to comply with a US government request for personal data.)”

* * * which leads to the underlying Boing Boing story:

SpiderOak warrant canary to be replaced by ‘transparency report’ (Boing Boing, 6 August 2018) - SpiderOak is a cloud backup service with a warrant canary: a formal statement that assured users that the company and its operators had never been made to secretly cooperate with the government, law enforcement or other surveilling authority. The canary reportedly disappeared this weekend, then reappeared, along with a statement saying it was being replaced by a “transparency report.”

* * * which leads to:

a 3 August tweet from @SpiderOak, that itself says “the final version of the canary is available at spideroak.com/canary.” In turn, the slightly-convoluted canary includes this language: “On top of this, the canary’s effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users.” [Polley: First, I’m struck by Schneier’s comment: suggests that canaries can work, if done carefully. Digging into the actual postings by SpiderOak on their Twitter feed suggests a fascinating back-story. Would have been fun being on that legal team. (Sorry for the recursive structure.)] top

Security flaws on Comcast’s login page exposed customers’ personal information (BuzzFeed, 8 Aug 2018) - Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information. After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.” While Comcast has not found any foul play yet, its review is ongoing. top

The “Arrest and Alleged Charges No Longer Exist—as If It Never Happened” (Volokh Conspiracy, 8 Aug 2018) - Expungement laws let people who have been arrested, and often even ones who have been convicted, get their records removed from government databases, or sometimes sealed so that some government agencies can access them but the public can’t. There’s an interesting and important policy debate about whether this should happen, and when it should happen. But the expungement laws do not require private organizations, such as newspapers, to delete information about the arrest or conviction from their archives. (In a few places, they cover private databases of information, sometimes just ones that charge money to remove material from those databases; that itself poses First Amendment problems, but those laws are sharply limited and don’t purport to cover newspapers.) Nor does an expungement make the original report of the arrest or conviction libelous; it may change what facts the government keeps in its files, or what facts the criminal justice system can later use about the arrest, but it doesn’t change the reality of the original arrest, and it doesn’t bar people from keeping up articles about the arrest. Yet some lawyers’ demand letters, unsurprisingly, argue the contrary; here, for instance, is a letter sent in November by New York lawyer Gregg M. Sidoti to the Stillwater (Okla.) News Press about an expungement of a 19-year-old’s arrest for public intoxication. * * * top

GCs are flirting with the big four - but they remain wary (Corporate Counsel, 9 Aug 2018) - Within the past couple of months, Adobe Systems Inc. has taken a less traditional path in handling some of its corporate legal work overseas. The company has shifted some matters away from traditional international and regional law firms and hired one of the Big Four accounting firms to take on this work instead. What prompted the switch? According to Lisa Konie, senior director of legal operations for Adobe, it was primarily a predictable alternative fee arrangement. The San Jose, California-based software company pays the firm, which Konie declined to name, an annual fixed fee that depends on the country where the work is being done and the services being provided. “What I don’t think a lot of law firms appreciate is that we are held accountable to our CFO,” Konie said. “When I come in and tell my CFO that we have 75 percent accountability with billing I come off looking like a rock star.” While some companies, like Adobe, are on board with the Big Four, others are hanging back, despite the apparent advantages that these accounting behemoths have over traditional law firms, including more predictable and flexible pricing and Scrooge McDuck-sized bank vaults. Those who remain hesitant say they’re still waiting for the Big Four to prove that they offer a better alternative to the traditional firm model. top

Hack causes pacemakers to deliver life-threatening shocks (ArsTechnica, 9 Aug 2018) - Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they’re implanted in patients. Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients. top
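The gap the researchers describe above, an update channel with no transport protection and no signature on the firmware, is the one a signed-manifest check closes. The following is an added illustration, not Medtronic’s code or the researchers’ proof of concept: a vendor build step signs a manifest (version plus SHA-256 of the image) with an Ed25519 key, and the device-side verifier installs an image only if the manifest verifies under the pinned vendor public key, the image hash matches, and the version is newer than the one installed. The key pair, version numbers, image bytes and function names are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is the vendor-signed description of one firmware image.
// The signature covers version and digest together, so an attacker who
// swaps the image (or replays an old one) cannot produce a manifest that
// verifies under the vendor key.
type Manifest struct {
	Version uint32   // monotonically increasing firmware version
	Digest  [32]byte // SHA-256 of the image bytes
}

// encode gives the canonical bytes the signature is computed over.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+len(m.Digest))
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is what the programmer receives from the update server.
type Update struct {
	Manifest  Manifest
	Signature []byte // Ed25519 signature over Manifest.encode()
	Image     []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the vendor key")
	ErrDigest       = errors.New("image digest does not match the signed manifest")
	ErrRollback     = errors.New("update version is not newer than the installed version")
)

// InsecureAccept mirrors the behaviour the article describes: whatever
// arrives over the unencrypted update channel is installed as-is.
func InsecureAccept(u Update) ([]byte, error) {
	return u.Image, nil
}

// VerifyUpdate is the hardened device-side check. vendorKey is pinned in
// the programmer's own firmware; installed is the currently running version.
// Nothing from the network is trusted until the signature has verified.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(vendorKey, u.Manifest.encode(), u.Signature) {
		return nil, ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return nil, ErrRollback // validly signed, but older: a downgrade attempt
	}
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], u.Manifest.Digest[:]) {
		return nil, ErrDigest // image swapped after the manifest was signed
	}
	return u.Image, nil
}

// SignUpdate is the vendor build step: it binds version and image hash in a
// manifest and signs it with the vendor's private key, which never leaves
// the build system.
func SignUpdate(vendorPriv ed25519.PrivateKey, version uint32, image []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(image)}
	return Update{Manifest: m, Signature: ed25519.Sign(vendorPriv, m.encode()), Image: image}
}

func main() {
	// Constructed key pair and image; a real programmer would carry only the
	// public half, provisioned at manufacture.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, 2, []byte("constructed firmware image, version 2"))

	// An on-path attacker on a plaintext update channel can swap the image
	// but cannot re-sign the manifest.
	tampered := genuine
	tampered.Image = []byte("constructed malicious image")

	_, err = InsecureAccept(tampered)
	fmt.Println("insecure programmer installs tampered image:", err == nil) // true
	_, err = VerifyUpdate(pub, 1, genuine)
	fmt.Println("hardened programmer installs genuine update:", err == nil) // true
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("hardened programmer rejects tampered image:", err) // ErrDigest
	_, err = VerifyUpdate(pub, 2, genuine)
	fmt.Println("hardened programmer rejects replayed version:", err) // ErrRollback
}
```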

West Virginia to offer mobile blockchain voting app for overseas voters in November election (WaPo, 10 Aug 2018) - West Virginia will provide a mobile blockchain voting option, in addition to absentee ballots, for overseas military service members in elections this November, after receiving audit results this week from a pilot program. It will be the first state to offer this technology to improve voting accessibility for deployed members of the military and their families, according to West Virginia’s secretary of state. Eligible voters will be able to cast their ballots through a mobile application that uses blockchain technology, which stores data on a decentralized database, meaning there’s no owner, allowing for more transparent transactions. Information is stored publicly, but to ensure privacy, West Virginia voters’ personal information will remain anonymous. * * * West Virginia is offering blockchain ballots only to overseas military members, and state officials remain wary of advocating the technology for in-state voters or other state elections. “This is a solution to West Virginia’s problems [with overseas voters] specifically. We didn’t have the money to build a new system or buy a new one that’s already created,” Kersey said. “I don’t know if blockchain is the answer. It was just the answer we found here.” top

- and -

The World Bank is getting in on blockchain (CNN, 10 Aug 2018) - The international lender is planning to issue what it says is the world’s first global blockchain bond, a notable mainstream endorsement of the emerging technology. Blockchain is best known as the technology underpinning bitcoin and other cryptocurrencies. It serves as a digital record of financial transactions. The World Bank has hired Commonwealth Bank of Australia (CBAUF) to manage the bond, which is expected to raise as much as 100 million Australian dollars ($73 million). They have named it the “Blockchain Offered New Debt Instrument,” or “bond-i,” a nod to Sydney’s famous Bondi Beach. The World Bank follows German automaker Daimler, which used blockchain technology to issue a type of German bond in a pilot project last year. Blockchain could hugely streamline the process of issuing bonds, which has been heavily reliant on physical paperwork for the past 200 years, according to James Wall, a senior institutional banking executive at Commonwealth Bank. Moving the process to the blockchain could cut costs and speed up trading for both bond issuers and investors.

Fax machines may be vulnerable to hackers, new report finds (WaPo, 13 Aug 2018) - The fax machine is widely considered to be a dinosaur of interoffice communications, but it may also present a vulnerable point where hackers can infiltrate an organization’s network, according to a new report from Israel-based software company Check Point. The company said that the vulnerability was identified as a result of research intended to discover potential security risks, and not as the result of any attack. Hackers can gain access to a network using the phone line connected to a fax machine, which is often connected to the rest of an organization’s network. By sending an image file that contains malicious software over the phone line, hackers can take control of the device and access the rest of the network. The researchers were able to do this using only a fax number, which is often widely distributed by organizations on business cards and websites.

US court authorizes service by Twitter on WikiLeaks (Volokh Conspiracy, 13 Aug 2018) - Folkman is a leading expert on (among other things) international service of process, a technical but tremendously important field of civil procedure; read his post for more details on this issue, but here’s the introduction: The Democratic National Committee has obtained leave of court to serve process on Wikileaks via Twitter in its lawsuit against Russia, Wikileaks, Julian Assange and others. I have written previously about the FSIA [Foreign Sovereign Immunities Act] issue in the case and the issues about serving process on Mr. Assange in the Ecuadoran embassy in London. But serving process on Wikileaks poses difficulties, too. The DNC’s motion gives several reasons for seeking leave to serve process by Twitter rather than by a more traditional means. Wikileaks, it says, is an “organization of unknown structure” that has “more of a virtual than a physical presence.” It has post office boxes in California and in Australia, but it is unclear to the DNC whether Wikileaks uses them for business. Lawyers who have represented Wikileaks in prior US litigation have said they no longer represent the organization or are not authorized to accept service. And Wikileaks, or someone purporting to act on its behalf, does have an active Twitter presence…. [Polley: see also DNC serves WikiLeaks with lawsuit via Twitter (CBS, 10 Aug 2018)]

Hundreds of researchers from Harvard, Yale and Stanford were published in fake academic journals (Motherboard, 14 Aug 2018) - In the so-called “post-truth era,” science seems like one of the last bastions of objective knowledge, but what if science itself were to succumb to fake news? Over the past year, German journalist Svea Eckert and a small team of journalists went undercover to investigate a massive underground network of fake science journals and conferences. In the course of the investigation, which was chronicled in the documentary “Inside the Fake Science Factory,” the team analyzed over 175,000 articles published in predatory journals and found hundreds of papers from academics at leading institutions, as well as substantial amounts of research pushed by pharmaceutical corporations, tobacco companies, and others. Last year, one fake science institution run by a Turkish family was estimated to have earned over $4 million in revenue through conferences and journals. * * *

Public utility’s recording of home energy consumption every 15 minutes is a “search,” Seventh Circuit rules (Orin Kerr on Volokh Conspiracy, 17 Aug 2018) - In a fascinating new decision, Naperville Smart Meter Awareness v. City of Naperville, the Seventh Circuit has held that a public utility commits a “search” of a home when it records every 15 minutes how much electricity the utility is providing the home, at least until the smart readers that enable this data collection come into general public use. At the same time, the court says, the utility’s search of the home is reasonable and therefore permitted without any cause or suspicion. The Seventh Circuit’s analysis relies on Carpenter v. United States for a significant step in its reasoning. Given that, the new decision is an interesting measure of where Fourth Amendment law may be going in the post-Carpenter era. * * * [Polley: There’s much more here, and Prof. Kerr’s take on it is interesting, as always.]

RESOURCES

Adler on Why Art Does Not Need Copyright (MLPB, 1 Aug 2018) - Amy Adler, New York University School of Law, is publishing Why Art Does Not Need Copyright in volume 86 of the George Washington Law Review (2018). Here is the abstract: This Article explores the escalating battles between visual art and copyright law in order to upend the most basic assumptions on which copyright protection for visual art is grounded. It is a foundational premise of intellectual property law that copyright is necessary for the “progress” of the arts. This Article demonstrates that this premise is flatly wrong when it comes to visual art. United States courts and scholars have come to understand copyright law almost universally in utilitarian terms; by this account, the reason we grant copyright to authors is to give them economic incentives to create culturally valuable works. But legal scholars have failed to recognize that their paradigm makes no sense when applied to visual art, one of the highest profile and most hotly contested fields in intellectual property law. This is because scholars have failed to take into account the single most important value for participants in the art market: the norm of authenticity, which renders copyright law superfluous. The fundamental assumption of copyright law - that the copy poses a threat to creativity - is simply not true for visual art. By juxtaposing copyright theory with the reality of the art market, this Article shows why copyright law does not - and cannot - incentivize the creation of visual art. In fact, copyright law, rather than being necessary for art’s flourishing, actually impedes it.

Twenty years of web scraping and the Computer Fraud and Abuse Act (BU Journal of Science and Technology Law, 14 Aug 2018) - Abstract: “Web scraping” is a ubiquitous technique for extracting data from the World Wide Web, done through a computer script that will send tailored queries to websites to retrieve specific pieces of content. The technique has proliferated under the ever-expanding shadow of the Computer Fraud and Abuse Act (CFAA), which, among other things, prohibits obtaining information from a computer by accessing the computer without authorization or exceeding one’s authorized access. Unsurprisingly, many litigants have now turned to the CFAA in attempt to police against unwanted web scraping. Yet despite the rise in both web scraping and lawsuits about web scraping, practical advice about the legality of web scraping is hard to come by, and rarely extends beyond a rough combination of “try not to get caught” and “talk to a lawyer.” Most often the legal status of scraping is characterized as something just shy of unknowable, or a matter entirely left to the whims of courts, plaintiffs, or prosecutors. Uncertainty does indeed exist in the caselaw, and may stem in part from how courts approach the act of web scraping on a technical level. In the way that courts describe the act of web scraping, they misstate some of the qualities of scraping to suggest that the technique is inherently more invasive or burdensome. The first goal of this piece is to clarify how web scrapers operate, and explain why one should not think of web scraping as being inherently more burdensome or invasive than humans browsing the web. The second goal of this piece is to more fully articulate how courts approach the all-important question of whether a web scraper accesses a website without authorization under the CFAA. I aim to suggest here that there is a fair amount of madness in the caselaw, but not without some method. 
Specifically, this piece breaks down the twenty years of web scraping litigation (and the sixty-one opinions that this litigation has generated) into four rough phases of thinking around the critical access question. The first runs through the first decade of scraping litigation, and is marked with cases that adopt an expansive interpretation of the CFAA, with the potential to extend to all scrapers so long as a website can point to some mechanism that signaled access was unauthorized. The second, starting in the late 2000s, was marked by a narrowing of the CFAA and a focus more on the code-based controls of scraping, a move that tended to benefit scrapers. In the third phase courts have receded back to a broad view of the CFAA, brought about by the development of a “revocation” theory of unauthorized access. And most recently, spurred in part by the same policy concerns that led courts to initially constrain the CFAA in the first place, courts have begun to rethink this result. The conclusion of this piece identifies the broader questions about the CFAA and web scraping that courts must contend with in order to bring more harmony and comprehension to this area of law. They include how to deal with conflicting instructions on authorization coming from different channels on the same website, how the analysis should interact with existing technical protocols that regulate web scraping, including the Robots Exclusion Standard, and what other factors beyond the wishes of the website host should govern application of the CFAA to unwanted web scraping.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Offshore hosting firm Havenco lost at sea (The Register, 25 Nov 2008) - Controversial hosting provider HavenCo - which operated from the ‘nation’ of Sealand, an old naval fort off the coast of Suffolk which was declared a ‘sovereign principality’ by its quirky owner Roy Bates - has finally gone offline. As of last week, the HavenCo website is gone and the domain is now hosted outside the Sealand subnet. Founded in 2000 by Bates’ son and Michael with $1m in seed money, the company initially offered an everything-goes policy along with an offshore fat-pipe data haven. Child pornography, spamming and malicious hacking were strictly prohibited, but with no restrictions on copyright or intellectual property for data hosted on its servers, file-sharing certainly looked like a possibility. Many existing customers had left by 2003. With no investment backing, bandwidth never materialised, and the location was vulnerable to DoS attacks. However, what probably scared most potential customers was the fact all internet connectivity went through the UK and that the UK claimed the platform was within its territorial waters. HavenCo was one of many failed business ventures in an attempt to profit from the world’s smallest country. A scheme to build a hotel and gambling complex never materialised. Since last year, the principality has been put up for sale. Last year, Swedish bittorrent search site The Pirate Bay said it was in negotiations with Prince Michael of Sealand about purchasing the principality to use it as a base for its own operations, but Bates declared he would never sell the micronation - currently priced at €750m - to a BitTorrent tracker.

Ohio official sues e-voting vendor for lost votes (Computerworld, 8 August 2008) - Ohio Secretary of State Jennifer Brunner has filed a lawsuit against an electronic-voting machine vendor, saying the vendor should pay damages for dropped votes in the state’s March primary election. E-voting machines from Premier Election Solutions, formerly known as Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machine’s memory cards were uploaded to vote-counting servers, Brunner’s office said. Officials in Brunner’s office later discovered the dropped votes in other counties after voting officials in Butler County discovered about 150 dropped votes, said Jeff Ortega, Brunner’s assistant director of communications. Brunner’s lawsuit, filed in Franklin County Common Pleas Court in Ohio on Wednesday, is a counterclaim to an earlier lawsuit filed by Premier. In May, Premier filed a lawsuit against Brunner’s office and Cuyahoga County, Ohio, seeking a judgment that Premier did not violate any contracts or warranties. Brunner’s lawsuit accuses Premier of not fulfilling its contracts with election officials. The lawsuit also alleges breach of warranty and fraud. Premier e-voting machines are used in half of Ohio’s 88 counties. Butler County officials discovered the dropped votes in post-election checks. That set off a statewide investigation, which found dropped votes in 11 other counties, according to information from Brunner’s office. Butler County officials sent letters to Premier on April 4 and 9, seeking an explanation for the dropped votes, and on May 16, Premier issued a report, suggesting human error or conflicts with antivirus software were to blame. Brunner and Butler County officials have suggested that the May report and a follow-up issued by Premier lacked evidence that antivirus software caused the problems.
A Premier report on May 29 suggested counties disable antivirus software on vote-tabulation servers, but the servers had been certified in Ohio with the antivirus software installed, Brunner said. In December, Brunner’s office issued a report questioning the security of touch-screen e-voting machines like those sold by Premier. Machines from Premier and two other vendors had “critical security failures,” the report said.

MIRLN—- 8-28 July 2018 (v21.10)—- by Vince Polley and KnowConnect PLLC

permalink

ANNOUNCEMENTS | NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

ABA attendees at the Chicago annual meeting next week may want to attend a showcase program (August 4, 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others: “Cybersecurity Wake-up Call: The Business You Save May Be Your Own.” Info here. See you there!

NEWS

In world first, Danish court rules stream-ripping site illegal (Torrent Freak, 10 July 2018) - While millions of users still obtain pirate music from peer-to-peer platforms such as BitTorrent, in recent years a new challenge has appeared on the horizon. Sites like YouTube, which offer millions of copies of almost every song imaginable, are now an unwitting player in the piracy ecosystem. Every day, countless people use special tools to extract music from video tracks before storing them on their local machines. This so-called ‘stream-ripping’ phenomenon is now cited as being one of the greatest piracy threats to the record labels but thus far, no single action has been able to stem the tide. Over in Denmark, however, there has been a breakthrough of sorts following action by local anti-piracy outfit RightsAlliance taken on behalf of IFPI, collecting society KODA, the Danish Artist Union, and the Danish Musicians Association. The action targeted Convert2MP3, a site that allows users to download audio and video from platforms including YouTube. The recording industry groups wanted the stream-ripping platform blocked by Internet service providers in Denmark but first, they needed it to be declared illegal in the country. That decision came last week from a court in Frederiksberg. * * *

US government drops prohibition on files for 3D printed arms (Volokh Conspiracy, 10 July 2018) - Last week the U.S. Department of Defense and U.S. Department of State settled a lawsuit and agreed to end their prior restraint of distribution of computer files for the production of 3D printed firearms. The “International Traffic in Arms Regulations (ITAR)” are a collection of regulations covering the export of military weapons from the United States. The regulations are based on the 1976 Arms Export Control Act. The ITAR export controls apply to all arms on the U.S. Munitions List [“USML”], which is created by the State Department. An ITAR export permit costs at least $2,250 annually. Starting in 2012, the Department of Defense issued regulations asserting that many U.S. gunsmiths are required to obtain ITAR export permits even if they never export anything. Details are available on the website of Prince Law Offices, P.C., which specializes in firearms commerce regulation. Under the Obama administration, the U.S. Munitions List grew to include many ordinary firearms, as well as the computer files for 3D printing of ordinary firearms. In 2015, a lawsuit against the ban on distributing 3D printing files within the U.S. was brought by the Second Amendment Foundation (a civil rights litigation organization) and by Defense Distributed (a producer of 3D printing files). Plaintiffs’ attorneys included Alan Gura (winner of the Heller and McDonald cases) and Josh Blackman (law professor at South Texas College of Law). There were many arguments in the case, but the principal one was that the ban constituted a prior restraint of speech, contrary to the First Amendment. The plaintiffs sought a preliminary injunction against the restraint on speech. The U.S. government prevailed in the District Court, and before a Fifth Circuit panel. A petition for rehearing en banc was rejected by a 9-5 vote.
Fifth Circuit Judges voting to grant the petition were Jones, Smith, Clement, Owen, and Elrod. Voting against the petition were Stewart, Jolly, Dennis, Prado, Southwick, Haynes, Graves, Higginson, and Costa. In January 2018, the U.S. Supreme Court denied the petition for certiorari. The preliminary injunction having been utterly defeated, the next stage for the case was factual development in district court. In the view of attorney Alan Gura, the main reason for the loss on the preliminary injunction was reluctance to upset the status quo, rather than an expectation that the government could prevail on the merits of the First Amendment issue. Documents in the case are available here. In May 2018, the Trump administration proposed revising the ITAR regulations. The move for regulatory reform actually began under the Obama administration, but the proposed reforms were never published. Now they have been. Export controls for many ordinary firearms and accessories will be removed from the ITAR list. Exports of such items will instead be controlled by the Department of Commerce. Among the items remaining under the ITAR system are automatic firearms, firearms of greater than .50 caliber, magazines with more than 50 rounds, and sound moderators (a/k/a “silencers”). Non-automatic firearms of .50 caliber or less will no longer be covered under ITAR; among the firearms no longer under ITAR is the semiautomatic AR-15 rifle, the most common rifle in American history. Its typical calibers are .223 and .308—well under the new .50+ caliber rule. Accordingly, the government defendants revisited the Defense Distributed case. If a particular arm (e.g., the AR-15) is no longer part of ITAR, then it would be illogical for ITAR to be applied to instructions for making the arm. Under today’s settlement agreement, plaintiffs and others may freely publish 3D printing instructions for firearms that are not covered under ITAR.
Restrictions on distribution of 3D printing information for items that are still under ITAR, such as machine guns or rifles over .50 caliber, remain in place. [Polley: I.e., this is NOT a 1st Amendment case.]

SEC probes why Facebook didn’t warn sooner on privacy lapse (WSJ, 12 July 2018) - Securities regulators are investigating whether Facebook Inc. adequately warned investors that developers and other third parties may have obtained users’ data without their permission or in violation of Facebook policies, people familiar with the matter said. The Securities and Exchange Commission’s probe of the social-media company, first reported in early July, follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump’s 2016 campaign, got access to information on millions of Facebook users. The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica’s use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added. The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook.

Top voting machine vendor admits it installed remote-access software on systems sold to states (Motherboard, 17 July 2018) - The nation’s top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. “None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software,” the spokesperson said. ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company’s machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. It’s not clear why ES&S would have only installed the software on the systems of “a small number of customers” and not all customers, unless other customers objected or had state laws preventing this.

Businesses cannot contractually ban “abusive” consumer reviews (Eric Goldman, 17 July 2018) - An article recently posted to SSRN argues that the Consumer Review Fairness Act (CRFA) purportedly lets businesses contractually ban “abusive” reviews. If this is correct, it could affect millions of businesses and hundreds of millions of consumers. However, the article’s argument is clearly wrong, and this error exposes millions of businesses to potentially severe liability. This post explains why and how. Note: unavoidably, this blog post counterproductively draws greater attention to a bad argument. Because of the stakes, I concluded a public correction was, on balance, necessary. However, to reinforce my view that the article doesn’t merit your independent review, I’ve deliberately not identified the article’s author or title or linked to it (is there a blogging equivalent of subtweeting?). I recommend reading the article as “enthusiastically” as I “recommend” watching The Emoji Movie.

Ponemon Institute: Average cost of a data breach exceeds $3.8 million (Ride the Lightning, 19 July 2018) - The 2018 Cost of a Data Breach Study is available for download from IBM here. The study was done by the Ponemon Institute and IBM. This year’s study reports that the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% over the previous year to $148. IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation. As reported by VentureBeat, the study found that hidden costs in data breaches - such as lost business, negative impact on reputation and employee time spent on recovery - are difficult and expensive to manage. For example, the study found that a third of the cost of “mega breaches” (over 1 million lost records) were derived from lost business. And that is of course why the C-Suite has nightmares about data breaches. The reputational damages can be extraordinary. In the past five years, the number of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small number of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records. The vast majority of the mega-breaches (10 out of 11) were caused by malicious attacks rather than technical failures or human error. The average time to detect and contain a mega breach was 365 days - almost 100 days longer than a smaller scale breach (266 days).

Cyber security advice issued to law firms in first legal threat report (GCHQ, 19 July 2018) - The NCSC’s first legal threat report has been issued to law firms. Law firms have been urged to follow expert cyber security guidance after a report published today (19 July) showed the scale of the threat they face. The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals between 2016-17. In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months. The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain.

US energy regulator wants more disclosure of cyber attacks (Reuters, 19 July 2018) - The Federal Energy Regulatory Commission (FERC), an energy industry regulator, called for the power industry’s regulating body, the North American Electric Reliability Corp, to expand rules that require reporting of cyber security incidents to include attempts that might facilitate future efforts to disrupt the grid. FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure. Current NERC rules only mandate reporting of cyber attacks if they compromise or disrupt a “core activity” toward maintaining the reliability of the electric grid, according to a 67-page report issued by FERC. That threshold “may understate the true scope of cyber-related threats” facing the industry, the report said.

Some colleges cautiously embrace Wikipedia (Chronicle of Higher Ed, 19 July 2018) - Anna Davis remembers when people didn’t want to talk to her at academic conferences: “I had this woman one time who held her folder up over her head and was like, ‘Don’t let my department chair see me talking to you guys, but I’m so glad you’re here.’” Davis works for Wikipedia, the online encyclopedia that was once considered anathema to the academic mission. She’s director of programs for its higher-education-focused nonprofit arm, Wiki Education. Academics have traditionally distrusted Wikipedia, citing the inaccuracies that arise from its communally edited design and lamenting students’ tendency to sometimes plagiarize assignments from it. Now, Davis said, higher education and Wikipedia don’t seem like such strange bedfellows. At conferences these days, “everyone’s like, ‘Oh, Wikipedia, of course you guys are here.’” One initiative Davis oversees at Wiki Education aims to forge stronger bonds between Wikipedia and higher education. The Scholars program, which began in 2015, pairs academics at colleges with experienced Wikipedia editors. Institutions provide the editors with access to academic journals, research databases, and digital collections, which the editors use to write and expand Wikipedia articles on topics of mutual interest. A dozen institutions, including Rutgers University, Brown University, and the University of Pittsburgh, are participating. * * * Scholars’ skepticism about Wikipedia also stems from its community-authorship model, said Amanda Rust, a digital-humanities librarian at Northeastern University. Not all academics felt that way about Wikipedia in its fledgling days, but a critical mass perceived the online encyclopedia as a threat, Rust said. As Wikipedia has matured, however, that consensus began to shift. And students’ widespread use of Wikipedia has forced some cynics to acknowledge its role in higher education. 
“Whether or not you think a crowdsourced encyclopedia can work, that ship has sailed, and students are using it all the time,” Rust said.

- and -

Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon (Mashable, 23 July 2018) - There are bad takes, and then there’s the take by Forbes contributor Panos Mourdoukoutas (who also serves as Chair of the Department of Economics at Long Island University) that local libraries should be replaced by Amazon book stores. Among the reasons Mourdoukoutas offers are: libraries don’t have as many public events as they used to because of school auditoriums; people go to places like Starbucks to hang out and work and read now instead of their library; and because technology makes physical books obsolete. * * * [Polley: wild idea, wild story, great Tweets/comments (some NSFW).]

- and -

Growing role of Amazon in library acquisitions (InsideHigherEd, 23 July 2018) - Research on where academic libraries buy their books has revealed the increasingly important role of nontraditional vendors such as Amazon. A preliminary study, published last week by Ithaka S+R, found that Amazon was the second most popular venue through which academic libraries purchased books in 2017. GOBI Library Solutions, a popular acquisition-management platform, took the No. 1 spot. It controls nearly half of the market share. The research included data from 54 libraries at a range of institutions—from small private liberal arts colleges to public research universities. During 2017, these 54 libraries purchased 178,120 academic books. The clear majority of these were in print format (96 percent) rather than ebooks (4 percent). Ebooks were found to be significantly more expensive than print titles. In a blog post, Katherine Daniel, an analyst at Ithaka S+R, explained that the study was prompted by questions of whether libraries are really buying fewer books, or simply purchasing them in ways that are not currently captured in acquisition analyses. Further research will include data from large research institutions and will be published in a final report this fall.

Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws (ABA Journal, 19 July 2018) - A federal appeals court on Tuesday told a federal judge to reconsider whether the fair use doctrine allows a nonprofit to post technical standards created by private industry groups that are later referenced in government regulations. The U.S. Court of Appeals for the D.C. Circuit vacated injunctions that had prevented Public.Resource.org, known as PRO, from publishing copyrighted best-practice standards developed by six organizations. PRO had purchased copies of the technical standards that had been incorporated into laws, scanned them into digital files, and posted them online. Its founder, public domain advocate Carl Malamud, tweeted this about the appellate decision: “I bought the law, and the law won.” The appeals court ruled in a combined appeal of two lawsuits. A federal judge had ruled the standards organizations held valid and enforceable copyrights, and PRO failed to create a triable issue of fact on whether its publication of the materials constituted fair use. On appeal, PRO argued incorporation of the standards by reference makes the works a part of the law, and the law can never be copyrighted. PRO asserted that allowing private ownership of the law is inconsistent with the First Amendment principle that citizens should be able to freely discuss the law and a due process notion that citizens must have free access to the law. PRO also argued that, even if the standards remain copyrighted, its copying qualifies as a fair use because it facilitates public discussion about the law. The appeals court said PRO “raises a serious constitutional concern,” but it is better to first address the fair use issue. The district court had concluded PRO distributed the standards to undermine the organizations’ ability to raise revenue. According to the appeals court, the record does not support that blanket conclusion. “Rather, by all accounts, PRO distributed these standards for the purpose of educating the public about the specifics of governing law,” the court said in an opinion by Judge David Tatel. In addition, Tatel said, the district court failed to account for the variation among the standards at issue and consider the legal status of each incorporated work. In a concurrence, Judge Gregory Katsas strongly supported PRO. “As a matter of common-sense, this cannot be right: access to the law cannot be conditioned on the consent of a private party, just as it cannot be conditioned on the ability to read fine print posted on high walls,” he wrote, referencing a book about the Roman emperor Caligula. PRO was represented by the Electronic Frontier Foundation, the law firm of Fenwick & West, and attorney David Halperin. An EFF press release is here. [Polley: congrats, Carl.]

The blockchain begins finding its way in the enterprise (TechCrunch, 23 July 2018) - The blockchain is in the middle of a major hype cycle at the moment, and that makes it hard for many people to take it seriously, but if you look at the core digital ledger technology, there is tremendous potential to change the way we think about trust in business. Yet these are still extremely early days and there are a number of missing pieces that need to be in place for the blockchain to really take off in the enterprise. Suffice it to say that it has caught the fancy of major enterprise vendors, with the likes of SAP, IBM, Oracle, Microsoft and Amazon all looking at providing some level of Blockchain as a service for customers. While the level of interest in blockchain remains fluid, a July 2017 survey of 400 large companies by UK firm Juniper Research found 6 in 10 respondents were “either actively considering, or are in the process of, deploying blockchain technology.” In spite of the growing interest we have seen over the last 12-18 months, blockchain lacks some basic underlying system plumbing, the kind any platform needs to thrive in an enterprise setting. Granted, some companies and the open source community are recognizing this as an opportunity and trying to build it, but many challenges remain. * * * [Polley: see Resources below.]

1Password’s travel mode (Bruce Schneier, 23 July 2018) - The 1Password password manager has just introduced “travel mode,” which allows you to delete your stored passwords when you’re in other countries or crossing borders: “Your vaults aren’t just hidden; they’re completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you’re asked to unlock 1Password by someone at the border, there’s no way for them to tell that Travel Mode is even enabled. In 1Password Teams, Travel Mode is even cooler. If you’re a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times.” The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find. The only flaw (and this is minor) is that the system requires you to lie. When the scary border police ask you “do you have any other passwords?” or “have you enabled travel mode,” you can’t tell them the truth. In the US, lying to a federal officer is a felony. I previously described a system that doesn’t require you to lie. It’s more complicated to implement, though. This is a great feature, and I’m happy to see it implemented.

Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties (TechDirt, 23 July 2018) - A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant’s computer. This info was handed over to the police who obtained a “general warrant” to image the hard drive to scour it for incriminating evidence. Yes, “general warrants” are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there’s still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) “General warrants” are something the government uses when the law doesn’t specifically grant permission for what it would like to do. * * * The appellant’s challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn’t deprive the device’s owner of an expectation of privacy. * * * So, while this didn’t end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government’s concession that this privacy expectation exists. Hopefully, this will help deter violations (erroneous or not) in the future.

How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections (ABA Journal, 25 July 2018) - In a profession defined by zealous representation of clients, it’s no surprise that clients are starting to push their outside counsels to beef up cybersecurity. “The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers,” says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. “Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large.” These aren’t just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity. * * * The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. * * *

Carpenter and the end of bulk surveillance of Americans (Sharon Bradford Franklin on Lawfare, 25 July 2018) - Writing for the majority in Carpenter v. United States, Chief Justice John Roberts called the court’s momentous Fourth Amendment decision “a narrow one.” The specific holding, that a warrant is required for law enforcement to access historical cell site location information (CSLI), may indeed be narrow, and the decision rightfully cautions that “the Court must tread carefully” when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old “third-party doctrine,” under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose. As others have already argued, the Carpenter decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the “seismic shifts in digital technology” and the power of modern surveillance tools. In particular, the Carpenter decision should foreclose, once and for all, any claim that bulk surveillance of Americans, or bulk collection of their digital records, would be constitutional. Through the USA Freedom Act of 2015, Congress ended the government’s bulk telephone records program, known as the Section 215 program, and provided new authority for collection of call detail records using a “specific selection term.” With reauthorization of this act to be considered next year, Carpenter’s analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law. From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. The PCLOB’s January 2014 report on the Section 215 program found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program. Still, the report stopped short of finding that the program was unconstitutional. The board noted that “[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records.” Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in ACLU v. Clapper in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions. * * *

NOTED PODCASTS/MOOCS

Reclaim Your Data (NPR podcast, 23 July 2018; 47 minutes) - Michael Chertoff, former Homeland Security Secretary and co-author of the Patriot Act, says data collection has gotten out of control. [Polley: Spotted by MIRLN reader Corinne Cooper, @ucc2]

RESOURCES

Blockchain for law students (website by Walter Effross at American U) - Offers: (1) a list of recommended resources (for self-directed study and research, as well as for constructing or supplementing syllabi); (2) summaries of and/or excerpts from the emerging body of caselaw concerning blockchain and cryptocurrency; (3) a collection of legal issues and responsive law review articles (and other sources), ordered by field of law; (4) a categorization of major types of participants in the blockchain economy; (5) suggestions on selecting law school courses relevant to blockchain practice; and (6) various questions, opinions, and observations about blockchain-related legal issues. If any reader would like to contribute a guest post on how law students (or practitioners new to this area) can best prepare (e.g., recommended reading, potential paper topics, organizations to become active in, suggestions for programming courses or tutorials), please e-mail the site’s author.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Larger prey are targets of phishing (New York Times, 16 April 2008) - An e-mail scam aimed squarely at the nation’s top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive’s name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised. “I think that it was well done in terms of something people would feel compelled to respond to,” said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif. Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. “It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate,” Mr. Kirsch said. “Even the U.R.L. to find out more looked legitimate at first glance.” The software used in the latest attack tries to communicate with a computer in Singapore. That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it.

Avatars, virtual reality technology, and the US military: Emerging policy issues (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.]

MIRLN - 17 June - 7 July 2018 (v21.09) - by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Register now for the next cybersecurity ABA CLE webinar, “Bumps in the Night: Cybersecurity Legal Requirements, Government Enforcement, and Litigation”. This second in a 5-part series airs July 18, followed by other episodes in August, September, and October. Each 90-minute episode parses related parts of the best-selling (and winner of the 2018 ACLEA “Best Publication” award) “ABA Cybersecurity Legal Handbook”. For more information, visit ambar.org/cyberwakeup to register. Get 20% off if you subscribe to the full series (recordings of earlier ones are available), along with a free e-copy of the handbook.

ABA attendees at the Chicago annual meeting will also want to attend our showcase program (August 4, 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. Info here.

NEWS

Why destruction of information is so difficult and so essential: The case for defensible disposal (ABA’s Business Law Today, 15 June 2018) - IN BRIEF: (1) Information is growing unfettered for most businesses and impacting their ability to function; (2) Lawyers must find a way to get rid of information without creating greater business and legal issues for their clients; (3) Defensible disposition rids businesses of information that no longer has business or legal value without employees having to involve themselves in classification. * * *

A student, a worried girlfriend, a shared password and an admissions lawsuit (InsideHigherEd, 18 June 2018) - Most admissions lawsuits are about applicants who are rejected. But Eric Abramovitz won 375,000 Canadian dollars (about $284,000) last week over an admissions offer he turned down. Actually, his then girlfriend turned it down, pretending to be Abramovitz. That set up the unusual court ruling. As outlined in the ruling issued by a Canadian judge last week, Abramovitz and Jennifer Lee met in 2013 and became a couple while both were studying music at McGill University. While they were involved, Abramovitz shared his laptop, and his passwords, with Lee. Abramovitz was a star student of clarinet, winning numerous prizes. He aspired to finish his bachelor’s degree at Colburn Conservatory of Music, in Los Angeles, where he hoped to study with Yehuda Gilad, who only accepts two students a year. In December 2013, Abramovitz applied and went to Los Angeles when he was invited to audition. On March 27, 2014, he was admitted, and his admission brought with it a full scholarship. On that fateful day, Lee checked Abramovitz’s email before he did. Using his email account, she turned down the offer and created a fake email account in Gilad’s name. Then she sent an email, pretending to be Gilad, rejecting Abramovitz. Lee could not be reached for comment. She did not contest Abramovitz’s suit. The court ruling says that she was apparently afraid he would move to Los Angeles, leaving her behind at McGill, in Montreal. Eventually, Abramovitz did leave for Los Angeles and enrolled in a certificate program at the University of Southern California in which Gilad also taught. That program charged about $25,000, which Abramovitz paid. (He couldn’t afford USC’s master’s degree program, which would have cost him about twice as much in tuition.) Abramovitz was “completely taken in,” the court decision says, and only went to USC after staying in Montreal, with Lee, to finish his bachelor’s degree. The scheme unraveled when Abramovitz met Gilad, who is not used to being turned down. As Abramovitz told National Post, when he auditioned for Gilad to enter the USC program, Gilad asked him, “Why did you reject me?” When Gilad showed him the email Lee had sent, Abramovitz was stunned. But he also had Lee’s passwords, and he found the fake emails. He also found she had done the same thing when he won admission to the Juilliard School, another institution that few admitted applicants turn down. The Canadian court judged that Lee was responsible for the tuition paid by Abramovitz to USC, the lost opportunities of the scholarship to the conservatory and for delaying the start of his career. The court ruling found that Lee’s conduct was “morally reprehensible.”

Why your FOIA request might not get text messages (Ride the Lightning, 19 June 2018) - Hat tip to my friend Doug Austin at CloudNine for a marvelous post on his EDiscovery Daily Blog. As Doug asks, what percentage of Freedom of Information Act (FOIA) requests actually result in receiving all of the information requested? According to the 2018 Public Sector Text & Mobile Communications Survey from Smarsh, 70 percent of federal, state, county and city government organizations surveyed report allowing SMS/text for official business communication. But, almost half of those (46 percent) are not formally capturing and retaining these messages. There were 236 total respondents in the survey. The information below is directly from Doug’s post. And I fully agree with his conclusion at the end! “The vast majority of agencies allow organizational e-mail (97 percent) on mobile devices, but right behind it is SMS/text messaging, with 70 percent allowing it for official government business. Social channels Facebook and Twitter are the next most frequently cited, with 58 percent and 44 percent, respectively. Two-thirds of surveyed organizations allow employees to use their own BYOD devices for official business; for those devices, only 35 percent of respondents are retaining SMS/text messages (as opposed to 62 percent for Corporate Owned Personally Enabled (COPE) devices). The top four reasons SMS/Text records are NOT captured are: 1) Don’t currently have budget this year, 2) SMS/text isn’t required to be retained by law, 3) Waiting for Capstone/FOIA guidance, 4) Existing capture technologies are too complicated. The majority of respondents, 62 percent or nearly 2/3, lacked confidence that they could provide specifically requested mobile text messages promptly if responding to a public records or litigation request. Agencies with no retention solution in place have very little confidence in their ability to fulfill requests. 23 percent reported that if requested, it was unlikely they could produce SMS/text messages from their organizational leader at all. When you hear these stats, you might be surprised the numbers aren’t higher. Last year, Federal Freedom of Information Act (FOIA) litigation jumped 26 percent over the previous year. In 2018, that number is on track to increase again. While an average of 2.08 lawsuits were filed each day in 2017, 2018 has seen the average increase to 2.72 lawsuits per day. Last year, there were 823,222 Federal FOIA requests - 78 percent of those requests yielded censored files or no records at all. In other words, only 22 percent of FOIA requestors got everything they asked for. 22 percent! And, the Federal government spent $40.6 million in legal fees defending its withholding of files in 2017. Freedom of information isn’t free, apparently.”

Verizon will stop selling real-time location data to third-party brokers (The Verge, 19 June 2018) - Verizon has pledged to stop selling data that can pinpoint the location of its mobile users to third-party intermediaries, according to The Associated Press. Verizon is the first carrier to end the controversial practice after Sen. Ron Wyden (D-OR) revealed that one of the companies that purchased the real-time location-tracking data from carriers wasn’t verifying if its users had legal permission to track cellphone users through its service. In a letter to carriers and the FCC, Sen. Wyden said that Securus Technologies - a company that mainly monitors phone calls to inmates in jails and prisons across the country and also sells real-time location data to law enforcement agencies who must upload legal documents such as a warrant stating they have the right to access the data - wasn’t actually verifying if those documents were legitimate. Securus did not “conduct any review of surveillance requests,” Wyden wrote in his letter to the FCC. A sheriff in Missouri was charged with illegally tracking people 11 times without court orders using Securus, according to The New York Times. While all four major carriers have now cut off access to Securus, only Verizon has said it will stop selling data to geolocation aggregators who can then turn around and sell that data to someone else. Verizon said 75 companies obtained data from the two companies it sells location data directly to: LocationSmart and Zumigo. Last month, KrebsOnSecurity reported that LocationSmart - which supplies Securus with the location-tracking data - was leaking the real-time location data of customers on every major US carrier through a free demo tool on its website, which was subsequently taken down. “Verizon did the responsible thing and promptly announced it was cutting these companies off,” Wyden said in a statement to the AP. [See also: AT&T and Sprint to follow Verizon in ending its sale of user location data to third-party brokers (The Verge, 19 June 2018)]

Are free societies at a disadvantage in national cybersecurity? (Bruce Schneier, 19 June 2018) - Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post: “It seeks to explain why the United States is struggling to deal with the “soft” cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society, a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication, create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.” I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don’t matter to a totalitarian country. That makes us more vulnerable. (I don’t mean to imply, and neither do Russell and Goldsmith, that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.) I do worry that these disadvantages will someday become intolerable. Dan Geer often said that “the price of freedom is the probability of crime.” We are willing to pay this price because it isn’t that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don’t know. EDITED TO ADD (6/21): Jack Goldsmith also wrote this.

GDPR and browser fingerprinting: How it changes the game for the sneakiest web trackers (EFF, 19 June 2018) - Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking “cookies,” browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it’s very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques. But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you’ve ever seen a message asking you to approve a site’s cookie use, that’s likely based on this earlier Europe-wide law. This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies? The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute “personal data processing” and will be covered by the GDPR.

Should media publish government’s child-detention photos? (WaPo, 19 June 2018) - Based on the photographic evidence, living conditions inside government-run detention centers for immigrant children separated from their parents in south Texas look reasonably orderly and clean. But there’s a major catch: All of the photographs depicting life inside the facilities have been supplied by the government itself. There’s been no independent documentation; federal officials, citing the children’s privacy, have barred journalists from taking photographs or video when they’ve been permitted inside. This has left news organizations with a quandary: Do they publish the handouts supplied by U.S. Customs and Border Protection (CBP) - which has an incentive to make its facilities look as humane and comfortable as possible - or do they reject the photos as essentially propaganda? The New York Times, for one, has taken the latter course. On Monday, it said it would not publish CBP-supplied photos. “We thought it was a bad precedent to accept government handout photos when [photojournalists aren’t] allowed in,” Dean Baquet, the paper’s editor, said in an interview. “It would hurt any future case for access. And given the sensitivity of this story, I don’t think we can assure readers that we are seeing a full picture when the government makes the choice of what we see and show. Readers want to know what these places look like, from the view of journalists who are witnesses.” One of the government-supplied photos - a shot of children sprawled on thin mattresses under mylar blankets - was featured prominently by many news organizations on Tuesday.

Bad news cut from Michigan State alumni magazine (InsideHigherEd, 21 June 2018) - After a review by Michigan State University interim president John Engler, an upcoming edition of the university’s alumni magazine will not include planned long-form essays exploring how the Larry Nassar sexual abuse case has tainted the university, multiple anonymous administration sources told the Detroit Free Press. It will also apparently not include a striking black-and-white cover image of a woman wearing teal lipstick—teal is the color that Nassar survivors and supporters wear to show solidarity. Sources told the Free Press that Engler saw the planned image, among others, and said, “Get that teal shit out of here.” While the magazine issue will address the crisis, sources said, it will showcase positive moves Engler has made since taking over, such as adding more counselors. Several people close to Engler who were not authorized to speak to the media said the effort is part of his push to “pivot toward positive news” in the wake of the scandal. top

SEC provides further guidance on when digital assets may be deemed securities (Nixon Peabody, 21 June 2018) - On June 14, 2018, William Hinman, Director of the Securities and Exchange Commission’s (SEC’s) Division of Corporation Finance, provided important but nonbinding guidance on when a digital asset may be deemed a security in his remarks at the Yahoo Finance All Markets Summit in San Francisco, California. Slowly, the SEC has continued to reveal its views on the approaches taken by some crypto and digital asset industry participants―such as the pioneers of the Simple Agreement for Future Tokens (or SAFT), who have attempted to structure digital asset sales in such a way that the digital asset is not a security. As noted by Director Hinman in his remarks, these are still the “early days” of crypto, but with this latest guidance, the SEC has provided more clarity around securities law-compliant digital asset sales. The following is a summary of certain key takeaways from Director Hinman’s remarks and related analysis. * * * top

MIT to conduct an environmental scan of open source publishing (MIT, 22 June 2018) - The MIT Press has announced the award of a grant from The Andrew W. Mellon Foundation to conduct a landscape analysis and code audit of all known open source (OS) authoring and publishing platforms. By conducting this environmental scan, the MIT Press will be providing a comprehensive and critical analysis of OS book production and hosting systems to the scholarly publishing community. As noted by Amy Brand, director of the MIT Press, “Open source book production and publishing platforms are a key strategic issue for not-for-profit scholarly publishers, and the widespread utilization of these systems would foster greater institutional and organizational self-determination. The MIT Press has long been a leader in digital publishing. We are very grateful for the generous support from The Mellon Foundation for this project.” The grant affords the MIT Press the unique opportunity to provide the university press community and other not-for-profit scholarly publishers with a comprehensive overview of the numerous OS publishing platforms that are currently in use or under development. These systems, which produce and host platforms for scholarly books and journals, have proliferated in the last decade. The forthcoming analysis will highlight the availability, affordances, and current limitations of these systems, and thereby encourage the adoption and continued development of OS publishing technologies. Open infrastructure could prove to be a durable alternative to complex and costly proprietary services. The results of the environmental scan and the accompanying code audit, expected later this year, will be made openly accessible. The final report will inform the MIT Press’s roadmap for the publishing platform PubPub currently being codeveloped with the MIT Media Lab. top

FirstNet launches, giving police and firefighters a dedicated wireless network and infinite possibilities (WaPo, 25 June 2018) - Though it’s not a renowned high-tech hub, Brazos County, Tex., has become the showroom for what technology can do for police officers, paramedics and firefighters nationwide, through the newly created FirstNet wireless network. When Brazos sheriff’s deputies entered a standoff with an armed man inside his home, they positioned four cars around the building and streamed live video through FirstNet back to their command center from their phones. When firefighters launched a swiftwater rescue recently, they were able to show it in real time through FirstNet to their supervisors. When a man tried to fraudulently register a stolen car, a patrol lieutenant was able to patch into the government center cameras through FirstNet and watch the crime in progress. “It’s given us some incredible communication,” said Brazos Sheriff Chris Kirk, “that we’ve been able to put to good use. It makes us much more efficient.” The idea for FirstNet was long in gestation, beginning with the terrorist attacks of Sept. 11, 2001, but has rapidly come to fruition in the year since AT&T won a contract to build it for the federal government. The idea was a dedicated wireless network exclusively for first responders, enabling them to communicate in emergencies on a secure system built to handle massive amounts of data. Former Boston police commissioner Ed Davis witnessed two major problems of emergency communication firsthand. On 9/11, police helicopters flying over the World Trade Center could see the danger of building collapse but could not reach firefighters inside the towers, who were using a different radio system. And after the Boston Marathon bombing, cellular networks were overwhelmed with traffic, and police could not communicate with each other, Davis said. FirstNet addresses both problems. 
The government agency was created after 9/11 to devise the interoperability of first responders, and then to enable video, data and text capabilities in addition to voice. In March 2017, FirstNet accepted AT&T’s $40 billion bid to build out the network. The governments of all 50 states and the District of Columbia opted in, and in March of this year, the core network went live. More than 1,000 agencies in 52 states and U.S. territories have signed up, including Boston police and fire and the Texas Department of Public Safety. top

Potential clients are confident in law firms’ cybersecurity. Should they be? (Legal Tech News, 25 June 2018) - Despite an increasingly malicious cyberthreat environment, most potential law firm clients are confident in the legal industry’s ability to protect client data, according to a survey of more than 1,000 small business owners and the U.S. general public conducted by data disposal company Shred-it and market research company Ipsos Public Affairs. Almost half of the respondents, 47 percent, said data protection considerations were “very important” when deciding which law firm to hire, while 36 percent said such considerations were at least “somewhat important.” But a majority, 61 percent, expressed little or no concern about providing sensitive information to lawyers, underscoring the widespread trust potential clients have in law firms’ ability to protect their data. * * * What’s more, overconfidence may already be harming law firms’ security preparations, according to ALM Intelligence’s “Challenges at the Intersection of Cybersecurity and Legal Services,” a survey of 194 law firms and legal departments. While the survey found that most law firms were confident they had adequate cybersecurity protections in place, their cybersecurity programs failed to meet client expectations. top

- and -

Legal Tracker LDO Index (ThomsonReuters, July 2018) - The volume of work for legal departments continues to grow, yet the overall legal department budget is not increasing at the same rate. Legal departments are dealing with how to do more with less. To address this challenge, departments are focusing on legal operations. With an operational focus, legal departments are looking at process improvements and technology to deliver on key department initiatives like controlling outside counsel costs and simplifying workflow and manual processes. Sixty-eight percent of organizations say the volume of legal work - defined by the number of legal matters - is increasing. Fifty-four percent of survey respondents report the percentage of work handled in-house is increasing, while 48% of survey respondents report increasing outside counsel spending. Seventy-one percent of organizations report that outside counsel hourly rates are increasing, while only 8% of organizations report decreases. With the increases in volume of work, 35% of legal departments report increasing the total legal department budget in the last 12 months, 25% report a budget decrease, and 40% report flat legal department budgets. When it comes to the budget for technology, 34% report increasing the budget, 52% are flat, and 13% report decreasing the technology budget. We asked legal departments to rank a variety of initiatives from no priority to high priority. The top five priorities among legal departments surveyed are: * * * [ Polley : Lots of interesting data here; spotted by MIRLN reader Gordon Housworth ] top

AT&T collaborates on NSA spying through a web of secretive buildings in the US (TechCrunch, 25 June 2018) - A new report from The Intercept sheds light on the NSA’s close relationship with communications provider AT&T. The Intercept identified eight facilities across the U.S. that function as hubs for efforts to collaborate with the intelligence agency. The site first identified one potential hub of this kind in 2017 in lower Manhattan. The report reveals that eight AT&T data facilities in the U.S. are regarded as high-value sites to the NSA for giving the agency direct “backbone” access to raw data that passes through, including emails, web browsing, social media and any other form of unencrypted online activity. The NSA uses the web of eight AT&T hubs for a surveillance operation code-named FAIRVIEW, a program previously reported by The New York Times. The program, first established in 1985, “involves tapping into international telecommunications cables, routers, and switches” and only coordinates directly with AT&T and not the other major U.S. mobile carriers. top

How social networks set the limits of what we can say online (Wired, 26 June 2018) - Content moderation is hard. This should be obvious, but it’s easily forgotten. It is resource intensive and relentless; it requires making difficult and often untenable distinctions; it is wholly unclear what the standards should be, especially on a global scale; and one failure can incur enough public outrage to overshadow a million quiet successes. We as a society are partly to blame for having put platforms in this situation. We sometimes decry the intrusions of moderators, and sometimes decry their absence. Even so, we have handed to private companies the power to set and enforce the boundaries of appropriate public speech. That is an enormous cultural power to be held by so few, and it is largely wielded behind closed doors, making it difficult for outsiders to inspect or challenge. Platforms frequently, and conspicuously, fail to live up to our expectations. In fact, given the enormity of the undertaking, most platforms’ own definition of success includes failing users on a regular basis. The social media companies that have profited most have done so by selling back to us the promises of the web and participatory culture. But those promises have begun to sour. While we cannot hold platforms responsible for the fact that some people want to post pornography, or mislead, or be hateful to others, we are now painfully aware of the ways in which platforms invite, facilitate, amplify, and exacerbate those tendencies. For more than a decade, social media platforms have portrayed themselves as mere conduits, obscuring and disavowing their active role in content moderation. But the platforms are now in a new position of responsibility-not only to individual users, but to the public more broadly. 
As their impact on public life has become more obvious and more complicated, these companies are grappling with how best to be stewards of public culture, a responsibility that was not evident to them-or us-at the start. For all of these reasons, we need to rethink how content moderation is done and what we expect of it. And this begins by reforming Section 230 of the Communications Decency Act-a law that gave Silicon Valley an enormous gift, but asked for nothing in return. * * * top

Instagram now lets you 4-way group video chat as you browse (TechCrunch, 26 June 2018) - Instagram’s latest assault on Snapchat, FaceTime and Houseparty launches today. TechCrunch scooped back in March that Instagram would launch video calling, and the feature was officially announced at F8 in May. Now it’s actually rolling out to everyone on iOS and Android, allowing up to four friends to group video call together through Instagram Direct. With the feed, Stories, messaging, Live, IGTV and now video calling, Instagram is hoping to become a one-stop-shop for its 1 billion users’ social needs. This massive expansion in functionality over the past two years is paying off, according to SimilarWeb, which told TechCrunch in an email that it estimates the average U.S. user has gone from spending 29 minutes per day on the app in September 2017 to 55 minutes today. More time spent means more potential ad views and revenue for the Facebook subsidiary, which a Bloomberg analyst just valued at $100 billion after it was bought for less than $1 billion in 2012. top

8 states impose new rules on Equifax after data breach (NYT, 27 June 2018) - Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that allowed hackers to steal sensitive personal information on more than 147 million people. The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months. If Equifax falls short on any of its new promises, regulators in the states - Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas - will be able to take punitive action. Equifax said that “a good number” of the measures it agreed to in the order had already been completed. Equifax has spent nearly $243 million so far on the fallout from the data breach, including its spending on legal costs, new security tools and credit monitoring services it offered for free after the break-in was revealed in September. The company’s chief executive and several other top officials were forced out in the aftermath. Government regulators and law enforcement officials are still looking into Equifax’s data safeguards. The company remains under investigation by the Federal Trade Commission, the Consumer Financial Protection Bureau and the Securities and Exchange Commission, among others. top

Homeland Security subpoenas Twitter for data breach finder’s account (ZDNet, 2 July 2018) - Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn’t known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month. The pseudonymous data breach finder regularly tweets about leaked data found on exposed and unprotected servers. Last year, he found a trove of almost a million patients’ data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations. Homeland Security’s export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder’s account. Twitter informed him of the subpoena, per its policy on disclosing legal processes to its users. A legal effort to challenge the subpoena by a June 20 deadline was unsuccessful. Attorneys from the Electronic Frontier Foundation provided Flash Gordon legal assistance. ICE demanded Twitter turn over his screen name, address, phone number—and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account’s IP address history, member lists, and any complaints filed against the Twitter account. The subpoena did not demand the account’s private messages or any other content, which typically requires a court order or a search warrant. It’s not known why the subpoena was issued. 
Twitter spokesperson Emily Horne said the company does not comment on individual accounts for privacy and security reasons. top

Carpenter v. United States: Big data is different (GW Law Review, 2 July 2018) - A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts’s opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law. In short, the Court in Carpenter has declared that Big Data is different. Just how different remains to be seen. The question addressed in Carpenter - whether obtaining historic location information from cellular phone service providers constitutes a search under the Fourth Amendment - arose at the confluence of two lines of cases. One addresses location tracking in public spaces, and the other addresses records that have been shared with third parties. Until recently, neither doctrinal thicket looked particularly good for Timothy Carpenter, or for privacy. But the Carpenter decision does not come out of thin air. Starting with the Court’s recent GPS-tracking decision in United States v. Jones - and what has been referred to as the Jones “shadow majority” - the Supreme Court has recently appeared to take a different approach to Big Data. Carpenter cements this change. * * * [ see also Gorsuch’s dissent in ‘Carpenter’ case has implications for the future of privacy (The Hill, 26 June 2018), and When does a Carpenter search start - and when does it stop? (Orin Kerr on Lawfare, 6 July 2018)] top

It’s time for a chemistry lesson. Put on your virtual reality goggles. (NYT, 3 July 2018) - There was a time when biochemists had a lot in common with sculptors. Scientists who had devoted their lives to studying a molecule would build a model, using metal and a forest of rods to hold up the structure of thousands of atoms. “Slow work, but at the end you really know the molecule,” said Michael Levitt, who shared the Nobel Prize in Chemistry in 2013. These days simulations on screens have replaced such models, sacrificing some of their tactile value while gaining the ability to show movement. But what if you could enter a virtual reality environment where the molecules lie before you, obeying all the laws of molecular physics as calculated by supercomputers, and move them around in three dimensions? In a new paper in the journal Science Advances, researchers report that they have constructed just such an environment, and that users who manipulate the proteins in VR can perform simple tasks nearly ten times faster in virtual reality than on a screen. The researchers asked users to perform three separate manipulations of molecules and timed how long each took. They had to thread a molecule of methane through a simulated carbon nanotube; unwind a helical molecule and wind it up in the opposite direction; and tie a knot in a simulated protein. They also did the same tasks on computers using a touchscreen or a mouse. Each task resembles research that is current in biology and chemistry. In tallying the time each task took, the researchers found that in VR, threading the nanotube and tying the knot went much quicker. The knot task, in particular, was completed nearly ten times as rapidly. By using 2D screen-based simulations of molecules, said Dr. Glowacki, “we might actually be doing things a lot slower than we could be.” Scientists who use VR to get familiar with molecules may be able to gain intuition about their movements more quickly. 
[ Polley : pretty interesting animation videos on the website version of the story.]

RESOURCES

Tech Competence (Robert Ambrogi) - In 2012, something happened that I called a sea change in the legal profession: The American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. * * * On this page, I track the states that have formally adopted the revised comment to Rule 1.1. The total so far is 31. [ Polley : nice interactive map of the states.] top

Grimmelmann on Whether Robot Transmissions Are Speech For First Amendment Purposes (MLPB, 20 June 2018) - James Grimmelmann, Cornell Law School, is publishing Speech in, Speech Out in Robotica: Speech Rights and Artificial Intelligence (Ronald K. L. Collins and David M. Skover, eds., Cambridge University Press 2018). Here is the abstract: This invited short response was published as part of Ronald K.L. Collins and David M. Skover’s book Robotica: Speech Rights and Artificial Intelligence (Cambridge University Press 2018). Collins and Skover make a two-step argument about “whether and why First Amendment coverage given to traditional forms of speech should be extended to the data processed and transmitted by robots.” First, they assert (based on reader-response literary criticism) that free speech theory can be “intentionless”: what matters is a listener’s experience of meaning rather than a speaker’s intentions. Second, they conclude that therefore utility will become the new First Amendment norm. The premise is right, but the conclusion does not follow. Sometimes robotic transmissions are speech and sometimes they aren’t, so the proper question is not “whether and why?” but “when?” Collins and Skover are right that listeners’ experiences can substitute for speakers’ intentions, and in a technological age this will often be a more principled basis for grounding speech claims. But robotic “speech” can be useful for reasons that are not closely linked to listeners’ experiences, and in these cases their proposed “norm of utility” is not really a free speech norm. top

Lola v. Skadden and the Automation of the Legal Profession (Yale Journal of Law & Technology) - Technological innovation has accelerated at an exponential pace in the last few decades, ushering in an era of unprecedented advancements in algorithms and artificial intelligence technologies. Traditionally, the legal field has protected itself from technological disruptions by maintaining a professional monopoly over legal work and limiting the “practice of law” to only those who are licensed. This article analyzes the long-term impact of the Second Circuit’s opinion in Lola v. Skadden, Arps, Slate, Meagher & Flom LLP, 620 F. App’x 37 (2d Cir. 2015), on the legal field’s existing monopoly over the “practice of law.” In Lola, the Second Circuit underscored that “tasks that could otherwise be performed entirely by a machine” could not be said to fall under the “practice of law.” By distinguishing between mechanistic tasks and legal tasks, the Second Circuit repudiated the legal field’s oft-cited appeals to tradition insisting that tasks fall under the “practice of law” because they have always fallen under the practice of law. The broader implications of this decision are threefold: (1) as machines evolve, they will encroach on and limit the tasks considered to be the “practice of law”; (2) mechanistic tasks removed from the “practice of law” may no longer be regulated by professional rules governing the legal field; and (3) to survive the rise of technology in the legal field, lawyers will need to adapt to a new “practice of law” in which they will act as innovators, purveyors of judgment and wisdom, and guardians of fairness, impartiality, and accountability within the law. The article proceeds by first discussing the procedural history and decision in Lola v. Skadden. It then explains the technological advances that will impact the legal field and the tools used by the legal field to perpetuate its self-regulating monopoly. 
The article then turns to the socioeconomic implications of technological disruption within the legal field and concludes with a discussion on how lawyers may prepare themselves for, and thrive within, an inevitably automated future. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Patent Office agrees to review infamous JPEG patent (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examined before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it’s a long and rather involved process that won’t come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and which raises substantial questions about the patentability of the remaining claim in the patent. This is rather good news. top

Administration shutting down economic indicators site (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, EconomicIndicators.gov had even won awards from Forbes as a great resource. top

MIRLN—- 27 May - 16 June 2018 (v21.08)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Register now for the upcoming ABACLE webinar series “Cybersecurity Wake-Up Call: The Business You Save May Be Your Own”. This 5-part series starts June 27 (with ethics CLE credit!), followed by other episodes in July, August, September, and October. Each episode parses related parts of the best-selling “ABA Cybersecurity Legal Handbook”. For more information, visit ambar.org/cyberwakeup to register. The “colleagues” discount is 15% - use code FACMARK at checkout. Get 20% off if you subscribe to the full series, along with a free e-copy of the handbook.

NEWS

Law firm cybersecurity ‘an imperative’ as clients make demands clear (Law.com, 21 May 2018) - As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort. Legal software company Aderant this month released its second “Business of Law and Legal Technology” survey, which showed general optimism among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern. Pennsylvania law firms are grappling with the issue - and the cost - along with the rest of the industry. Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers’ cybersecurity efforts as an afterthought. Devin Chwastyk, chair of the privacy and data security group at McNees Wallace & Nurick, said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements. “Every RFP now requires us to disclose how we protect confidential information,” said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said. Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work. “Cybersecurity as a line item has certainly become a bigger expense for us,” Chwastyk said. “That was inevitable regardless of client demands.” top

- and -

The law firm cybersecurity audit grows up (Law.com, 29 May 2018) - A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients’ sensitive information. But they didn’t come to this realization entirely on their own. Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm. * * * But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm. Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. “Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year,” says Paul Greenwood, chief information officer at Clifford Chance. Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. “It’s more of an engagement than a point-in-time audit,” says Robert Kerr, chief information officer at Cooley. “It used to be a check-the-box type of exercise; now it’s an interactive exercise where they seek clarifications.” And often, these audits will get into the weeds. 
Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have “gotten more granular, they’ve gotten more specific in terms of the information they are trying to glean from their business partners, including law firms.” The details that clients usually ask from a law firm will vary, but oftentimes will focus around the technical minutiae of their data security. “The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them,” says Andrea Markstrom, chief information officer at Blank Rome. This means that, at a minimum, modern law firms need to hold “routine and regular scans of vulnerabilities in their systems,” Don adds. But demanding and detailed audits, even yearly, may not be enough in today’s cyberthreat world. “The other thing that I think we’re seeing more of is these one-off, what I call ‘diligence inquiries’ around high risk vulnerabilities,” Don says, pointing to “Spectre” and “Meltdown” microprocessor vulnerabilities that were disclosed in January 2018 as examples. Such inquiries come “outside the questionnaire process,” he explains, and may encompass several questions about the firm’s susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they’ve addressed a particular vulnerability. top
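A defender-side check for the kind of Spectre/Meltdown “diligence inquiry” described above, written here as an added example (not code from the article or from any firm it quotes): it reads the per-issue status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities and decides whether a host can be certified as mitigated. The set of entries a client is assumed to ask about (meltdown, spectre_v1, spectre_v2) and the sample status strings are constructed assumptions, so the script also runs offline on a non-Linux host.

```python
"""Summarise Linux CPU-vulnerability status for a client diligence reply.

Added example, not from the article. Reads the status files the kernel
exposes under /sys/devices/system/cpu/vulnerabilities (one file per issue,
e.g. "meltdown", "spectre_v1", "spectre_v2") and decides whether a host can
be certified as mitigated for the entries a client asks about.
"""
from pathlib import Path
from typing import Dict, Optional, Tuple

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Entries a client's Spectre/Meltdown inquiry is assumed to ask about.
REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed samples of the text those files contain; used when the sysfs
# directory is absent (non-Linux host, old kernel, or a CI sandbox).
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, STIBP: conditional, RSB filling",
    "l1tf": "Not affected",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers",
    "spectre_v2": "Vulnerable: Retpoline without IBPB",
}


def classify(status: str) -> str:
    """Map one status string to a coarse verdict.

    The kernel prefixes each file with "Not affected", "Mitigation:" or
    "Vulnerable"; anything else (e.g. "Unknown" on some CPUs) is "unknown".
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_live() -> Optional[Dict[str, str]]:
    """Return {name: status} from sysfs, or None if the directory is absent."""
    if not VULN_DIR.is_dir():
        return None
    return {p.name: p.read_text().strip()
            for p in sorted(VULN_DIR.iterdir()) if p.is_file()}


def assess(statuses: Dict[str, str],
           required: Tuple[str, ...] = REQUIRED) -> Tuple[bool, Dict[str, str]]:
    """Return (can_certify, findings).

    can_certify is True only when every required entry is present and is
    either mitigated or not affected. A missing file is reported as
    "missing" and blocks certification, since it usually means a kernel too
    old to report on that issue at all.
    """
    findings = {}
    for name in required:
        raw = statuses.get(name)
        findings[name] = classify(raw) if raw is not None else "missing"
    for name, raw in statuses.items():          # report extra entries too
        findings.setdefault(name, classify(raw))
    ok = all(findings[n] in ("mitigated", "not_affected") for n in required)
    return ok, findings


def report(statuses: Dict[str, str]) -> str:
    """Render a short verdict plus one line per entry for the reply."""
    ok, findings = assess(statuses)
    lines = ["CERTIFIABLE" if ok else "NOT CERTIFIABLE"]
    for name in sorted(findings):
        lines.append(f"  {name:<12} {findings[name]:<12} {statuses.get(name, '-')}")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_live()
    if live is None:
        print("sysfs vulnerability directory not found; showing constructed samples\n")
        print(report(SAMPLE_PATCHED), "\n")
        print(report(SAMPLE_UNPATCHED))
    else:
        print(report(live))
```

A "mitigated" verdict only says the kernel reports a mitigation; whether that mitigation is the one the client's questionnaire expects (for example, retpoline versus updated microcode) is a judgement the raw status text is included to support.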

Pentagon cracks down on personal mobile devices (FCW, 23 May 2018) - The Defense Department is cracking down on personal mobile devices inside secure areas of the Pentagon. Under a new policy memo released May 22, DOD personnel, contractors and visitors to the building and supporting facilities in Arlington County, Va., are restricted from having mobile devices in areas designated or accredited for “processing, handling, or discussion of classified information.” Personal and unclassified government-issued mobile devices are prohibited in secure spaces but may be used in common areas. Government-issued unclassified devices being used as desktop replacements must have approved “interim mitigations applied until replaced with compliant devices” within 180 days. Mitigations include disabling the camera, microphone and Wi-Fi settings. Government-issued classified mobile devices can continue to operate per previous authorization while exemptions are reviewed. top

Chase Bank sues Landry’s for $20M over data breach (Houston Chronicle, 23 May 2018) - Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry’s failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach. Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry’s properties, including Bubba Gump, McCormick & Schmick’s, Rainforest Cafe and Saltgrass restaurants. In response, Landry’s hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption. top

This Frida Kahlo digital collection is massive & free (Remezcle, 25 May 2018) - More than six decades after her death, there is still immense interest in Frida Kahlo. And a new retrospective will allow fans to learn more about the Mexican artist right from their homes. Google Arts & Culture has collaborated with 33 museums from seven countries across the world to bring us Faces of Frida, the largest collection of photographs, documents, and artworks associated with Kahlo. The collection promises to give us a multi-faceted look at the queer, feminist, and disabled icon. “It’s a true global effort,” said Jesús García, Google’s Head of Hispanic Communications, according to Forbes. “Frida’s name kept coming up as a top contender when we started to think of what artists would be the best to feature in a retrospective. There’s so much of her that was not known and could still be explored from an artistic perspective and life experience.” Excitingly, the collection gives us a look into items and artworks that have rarely been displayed, including a sketch Kahlo made of New York in 1932 for Mexican actress Dolores del Río. She sketched what she saw from the Barbizon Plaza Hotel. If you’ve also wanted to visit La Casa Azul, where she lived and worked, but haven’t had a chance, Google also has you covered. “This expertly curated online exhibition presents an intimate view of Frida Kahlo’s life and loves through her vibrant letters, candid photographs, and unpublished essays,” added Kate Haw, director of the Smithsonian Archives of American Art. “Through the story threads of these original records - a total of 54 rare documents drawn from our collections - we gain a deeper understanding of Frida’s relationships with historian Florence Arquin, artist Emmy Lou Packard, photographer Nickolas Muray, art collector Chester Dale, and writer John Weatherwax.” Enjoy it in its full glory here. top

Four days into GDPR, US publishers are starting to feel the effects (Columbia Journalism Review, 29 May 2018) - For something that has been in the works for more than two years, the EU’s General Data Protection Regulation seemed to take at least some people by surprise when it went into effect May 25th - including more than a few publishers. And some warn the long-term effects of the regulations could be severe: Ad exchanges used by many news sites reportedly saw an immediate drop in demand of between 25 and 40 percent, and many believe this could help increase the dominance of platforms like Google and Facebook, since they are better prepared for the data-handling rules and have deeper pockets. When the new rules on how to handle user information went into effect, a number of news sites responded by simply shutting off access to anyone who appeared to be coming from a European address, and for many that continued to be the case right through the Memorial Day weekend. As of Monday, for example, several of the papers belonging to the tronc chain - including the Los Angeles Times and Chicago Tribune - were still showing EU visitors a message saying: “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.” Other news sites such as USA Today’s responded to the new rules - under which multi-million-dollar fines can be issued for improper use of data - by removing some or all of the ad-related software that harvests information from users and tracks their behavior. According to one web engineer, the US version of the USA Today site was 5.5 megabytes in size and included more than 800 ad-related requests for information involving 188 different domains. The EU version was less than half a megabyte in size and contained no third-party content at all, meaning it not only didn’t track as much data but also loaded much faster. top

A trip to the ER with your phone may mean injury lawyer ads for weeks (ArsTechnica, 29 May 2018) - With digital traps in hospitals, there’s no need for personal injury lawyers to chase ambulances these days. Law firms are using geofencing in hospital emergency rooms to target advertisements to patients’ mobile devices as they seek medical care, according to Philadelphia public radio station WHYY. Geofencing can essentially create a digital perimeter around certain locations and target location-aware devices within the borders of those locations. Patients who unwittingly jump that digital fence may see targeted ads for more than a month, and on multiple devices, the outlet notes. While the reality may seem like a creepy nuisance to some, privacy experts are raising alarms. “Private medical information should not be exploited in this way,” Massachusetts Attorney General Maura Healey told WHYY. “Especially when it’s gathered secretly without a consumer’s knowledge - without knowledge or consent.” Last year, Healey’s office barred a digital firm from using geofencing in healthcare settings in the state after the firm was hired by a Christian pregnancy counseling and adoption agency to use digital perimeters to target ads to anyone who entered reproductive health facilities, including Planned Parenthood clinics. The goal was to make sure “abortion-minded women” saw certain ads on their mobile devices as they sat in waiting rooms. The ads had text such as “Pregnancy Help” or “You Have Choices,” which, if clicked, would direct them to information about abortion alternatives. top

Cybersecurity: Why it matters in M&A transactions (Schonherr, 30 May 2018) - At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated. In light of the global threats that potentially could affect every business (“no one is safe”), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions. A recent regulation of the New York Department of Financial Services (“NYDFS”) now specifically addresses cybersecurity risks in M&A transactions. The NYDFS’s regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!’s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches. In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: “when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company’s risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.” Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents. top

New data show substantial gains and evolution in internet use (NTIA, 6 June 2018) - The digital divide is showing signs of giving way as more Americans from all walks of life connect to the Internet. Several historically disadvantaged groups showed significant increases in online adoption, according to initial results from NTIA’s most recent survey on Internet use conducted by the U.S. Census Bureau. The survey, which was conducted in November 2017, reveals new contours of Americans’ Internet use. In 2017, more households had a mobile data plan than wired broadband service. Additionally, for the first time since NTIA began tracking use of different types of computing devices, tablets were more popular than desktop computers among Americans, and the number of people who used multiple types of devices also increased substantially. The data show that 78 percent of Americans ages 3 and older used the Internet as of November 2017, compared with 75 percent in July 2015, when our previous survey was conducted. This increase of 13.5 million users was driven by increased adoption among low-income families, seniors, African Americans, Hispanics, and other groups that have been less likely to go online. For example, among Americans living in households with family incomes below $25,000 per year, Internet use increased from 57 percent in 2015 to 62 percent in 2017, while households earning $100,000 or more showed no change during this period. While the trend is encouraging, low-income Americans are still significantly less likely to go online (see Figure 1). top

Special counsel Robert Mueller’s team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs (Benton, 7 June 2018) - Apparently, special counsel Robert Mueller’s team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs and potentially view conversations between associates linked to President Donald Trump. Since as early as April, Mueller’s team has been asking witnesses in the Russia probe to turn over phones for agents to examine private conversations on WhatsApp, Confide, Signal and Dust, apparently. Fearing a subpoena, the witnesses have complied with the request and have given over their phones. While it’s unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren’t previously disclosed to them. [see also, Are any encrypted messaging apps fail-safe? Subjects of Mueller’s investigation are about to find out. (WaPo, 8 June 2018)] top

FTC rebuked in LabMD case: What’s next for data security? (Wiley Rein, 7 June 2018) - On June 6, the U.S. Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD saga. As Wiley Rein attorneys recently explained in a webinar on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC’s authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency, which was found to be so vague as to be unenforceable. The court did not address the key substantive questions: (1) in a data breach case, what type of consumer injury gives rise to “unfairness” under Section 5 of the FTC Act, an issue sometimes identified as the “informational injury” question? (2) what type of notice is the FTC required to provide regarding reasonable data security measures? Despite its failure to answer these questions, the decision has implications for those issues and the agency’s overall approach to data security. In particular, the Eleventh Circuit’s decision was a rebuke to the agency’s remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC’s cease and desist order “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” According to three appeals court judges, “[t]his is a scheme that Congress could not have envisioned.” * * * [Polley: good analysis.] top

Blockchain’s once-feared 51% attack is now becoming regular (Telegra.ph, 8 June 2018) - Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that’s perhaps the crypto equivalent of a bank heist. More surprising, though, may be that so-called 51% attacks are a well-known and dangerous cryptocurrency attack vector. While there have been some instances of such attacks working successfully in the past, they haven’t exactly been all that common. They’ve been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in crypto time) argument? It’s too costly and they wouldn’t get all that much money out of it. But that doesn’t seem to be the case anymore. NYU computer science researcher Joseph Bonneau released research last year featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment. One conclusion he drew? These attacks were likely to increase. And, it turns out he was right. [see also, Bitcoin’s price was artificially inflated, fueling skyrocketing value, researchers say (NYT, 13 June 2018)] top
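The “too costly” argument above turns on the attacker’s share of the network hash rate. As an added example (not code from the article or from Bonneau’s research), the following implements the catch-up probability from section 11 of the Bitcoin whitepaper: it shows why a majority share succeeds no matter how many confirmations a merchant or exchange waits for, and how a defender can choose a confirmation depth for a smaller share. The `confirmations_needed` helper and the sample shares are my own additions.

```python
"""Attacker catch-up probability for a proof-of-work chain (Nakamoto, section 11).

q  = fraction of total hash rate controlled by the attacker
p  = 1 - q, the honest fraction
z  = number of confirmations (blocks) on top of the payment being reversed
"""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q eventually
    overtakes the honest chain after the victim has seen z confirmations."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    p = 1.0 - q
    if q >= p:
        # Majority (or exactly half) of the hash rate: the attacker's chain
        # is expected to grow at least as fast as the honest chain, so the
        # gap is closed with probability 1 regardless of z. This is the
        # "51%" case the article describes.
        return 1.0
    # Expected number of attacker blocks found while honest miners mine z blocks.
    lam = z * q / p
    prob = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker has found exactly k blocks...
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        # ...times the probability the attacker can still close a gap of z-k.
        prob -= poisson * (1.0 - (q / p) ** (z - k))
    return max(prob, 0.0)  # guard against tiny negative rounding error


def confirmations_needed(q: float, max_risk: float, limit: int = 1000):
    """Smallest confirmation depth z at which the reversal probability for
    share q drops to max_risk or below; None if no depth up to `limit` does
    (always the case for q >= 0.5)."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) <= max_risk:
            return z
    return None


if __name__ == "__main__":
    # Constructed sample shares, chosen to span a minority, a large minority
    # and a majority of hash rate.
    for q in (0.10, 0.30, 0.45, 0.51):
        row = " ".join(f"z={z}: {attacker_success_probability(q, z):.4f}"
                       for z in (1, 6, 24))
        print(f"q={q:.2f}  {row}  depth for 0.1% risk: "
              f"{confirmations_needed(q, 0.001)}")
```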

Not just corporate: Law firms too are struggling with GDPR compliance (Law.com, 11 June 2018) - Despite the yearslong build up to the EU’s General Data Protection Regulation (GDPR), which came into force on May 25, many organizations are still behind in their compliance efforts. And while much attention has been paid to corporations’ compliance shortcomings, a recent Wolters Kluwer survey found that law firms are also lagging in meeting GDPR mandates. Conducted among 74 medium (26-100 staff members) to large (100-plus) law firms, the survey found that only 47 percent of law firms said they were “fully prepared” to meet the GDPR’s requirements. While 16 percent said they were “somewhat prepared,” more than a third, 37 percent, said they have not prepared specifically for the GDPR at all. Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. “Many of the law firms kind of half expected that there would be a delay, and they wouldn’t have had to solve the problem by May 25,” he said. However, Ader noted that the lack of preparation was also a sign that “law firms just don’t have the necessary skills, people, and budget to figure out how to handle GDPR.” Indeed, law firms are in a unique situation when it comes to the GDPR, given that many not only have to ensure their own firm’s compliance but also manage and direct their clients’ GDPR compliance efforts. Such “double duty” is forcing some firms to staff up and overextend their attorneys. Yet even with added staff and hours, firms can find it challenging to meet GDPR demands. London-based Squire Patton Boggs partner Ann LaFrance, for example, told The American Lawyer that hiring cannot keep up with the wide-ranging compliance needs of their clients. “It still isn’t enough, and there isn’t enough experience out there.” Still, while firms may have a lot of GDPR preparation to do, 60 percent had already assigned a point person, consultant or team to spearhead GDPR compliance efforts, while 72 percent were investing in cybersecurity. What’s more, 43 percent assigned a data protection officer (DPO), though they were not required to under the regulation. Such a mandate only applies to companies classified as “data controllers” who determine the purposes for, and the means of, processing EU personal data. One area where many firms’ GDPR preparations lagged behind is with employee training. The survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Seventeen percent did not and had no plans to train at all. [Polley: Spotted by MIRLN reader Gordon Housworth] top

On Facebook, a place for civil discussion (NYT, 12 June 2018) - In the run-up to the 2016 election, Russian trolls wielding ads and memes used Facebook as a tool to darken lines of division. More recently, one corner of Facebook has emerged in pursuit of the opposite: civil conversation, even among those who disagree. It has become part of Bethany Grace Howe’s morning routine, right alongside her yogurt and cup of tea. The New York Times’s Reader Center put out a call early last December inviting readers to apply to join a Facebook group where they could offer feedback on The Times’s coverage and talk about how the news affects them. Ms. Howe, 49 - a longtime media scholar, journalist and reader of The Times since she was 13 - was among the first 100 people chosen to join the group. “It was like, O.K., this is too good to be true,” she said. And it soon became clear that the group was a lot more than just a place to talk about the Gray Lady. “I joined because I thought I was going to learn a lot about The New York Times from the people who work at The Times,” Ms. Howe said. “What’s ended up happening is I’ve learned an amazing amount about this country by talking to the readers of The Times.” It has come to mean enough that she is now working to organize a real life meet-up of group members near her in Oregon, where she is a doctoral student of mass media studies examining questions of transgender identity and depictions in media. The Reader Center group is one of four Facebook groups that The Times has created since last spring. There’s NYT Australia, where the focus is Australia but the discussion regularly stretches wider, run by the journalists in The Times’s Australia bureau. There’s Now Read This, an online book club co-managed by The New York Times Book Review and “PBS Newshour” where members discuss a different book every month, guided in part by questions from the two news organizations. And there’s The New York Times Podcast Club (which I help run), where podcast lovers can talk about what they’re listening to and Times employees select a show every week for discussion. These are different from The Times’s institutional Facebook page, or pages run by sections like Styles or Science, which you might follow to see their news articles show up in your feed. In these groups, people at The Times - and collaborators - guide discussions and often engage with group members. Administrators must approve people before they can join, and must sign off on individual posts, too. They can also delete comments or remove members if things get nasty or inappropriate. top

Apple will update iOS to block police hacking tool (The Verge, 13 June 2018) - For months, police across the country have been using a device called a GrayKey to unlock dormant iPhones, using an undisclosed technique to sidestep Apple’s default disk encryption. The devices are currently in use in at least five states and five federal agencies, seen as a breakthrough in collecting evidence from encrypted devices. But according to a new Reuters report, Apple is planning to release a new feature to iOS that would make those devices useless in the majority of cases, potentially sparking a return to the encryption standoff between law enforcement and device manufacturers. Under the new feature, iPhones will cut off all communication through the USB port if they have not been unlocked in the past hour. Once the hour expires, the USB port can only be used to charge the device. The result will give police an extremely short window of time to deploy GrayKey devices successfully. According to a Malwarebytes report published in March, GrayKey works by installing some kind of low-level software through the iPhone’s Lightning port. After plugging into the GrayKey device briefly, the target iPhone will continue to run the GrayKey software on its own, displaying the device’s passcode on-screen between two hours and three days after the software was installed. While politically sensitive, the change will close off an entire class of attacks through the iPhone’s Lightning port, including attacks that copy GrayKey’s techniques. Apple described the change as a general security update rather than a response to law enforcement specifically. top

Google adds federal data to college searches (Inside Higher Ed, 13 June 2018) - Search for a four-year college on Google, and you’ll now be presented with data on admission rates, graduation rates and tuition costs, in addition to the usual link to Wikipedia. Google said the addition of more information to college search results would make it easier for prospective students to choose the right institution for them. Writing in a blog post Tuesday, Jacob Schonberg, product manager for Google, said the process for finding information on colleges is “confusing” and that it is “not always clear what factors to consider and which pieces of information will be most useful for your decision.” Schonberg said Google used data from the U.S. Department of Education’s College Scorecard and Integrated Postsecondary Education Data System (IPEDS). Though IPEDS is one of the most comprehensive sources of data on four-year colleges, its numbers are often criticized for not being representative of student populations, particularly at open-access colleges, as IPEDS data tend to reflect only first-time, full-time students. In addition to data from IPEDS, Google has introduced new college-search features such as lists of notable alumni and suggestions for “similar colleges.” top

How Firefox is using Pocket to try to build a better news feed than Facebook (The Verge, 13 June 2018) - On this week’s episode of Converge, Pocket founder and CEO Nate Weiner tells us why he sold his company to Mozilla, and how he’s working to build a better version of Facebook’s News Feed into the Firefox browser. Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, Weiner believes the company can show people the best of the web - in a personalized way - without building an all-knowing, Facebook-style profile of the user. “We’re testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla,” Weiner said. “It all happens on the client, inside the browser itself. There is this notion today… I feel like you saw it in the Zuckerberg hearings. It was like, ‘Oh, users. They will give us their data in return for a better experience.’ That’s the premise, right? And yes, you could do that. But we don’t feel like that is the required premise. There are ways to build these things where you don’t have to trade your life profile in order to actually get a good experience.” Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy. In a world where trust in social feeds has begun to collapse, Pocket offers a low-key but powerful alternative. And as Mozilla has integrated it deeper into Firefox, Pocket has become a significant source of traffic for some publishers, The Verge included. [Polley: I love Pocket.] top

Free MOOCs face the music (Inside Higher Ed, 14 June 2018) - Massive open online courses got a little less open with edX’s recent announcement that it is introducing support fees for some of its MOOCs. Midway through an innocuous-looking blog post, Anant Agarwal, CEO of edX, said the nonprofit would be “moving away from our current model of offering virtually everything for free.” On May 3, edX began testing the introduction of a “modest support fee” that will “enable edX and partners to continue to invest in our global learning platform.” Adam Medros, edX COO and president, said in an interview that the support fee was just one option being explored to ensure the long-term sustainability of the MOOC provider. Previously edX users were able to take most of its courses at no cost, an option that edX calls “auditing” a course. Those who want a certificate to show they have completed a course typically pay between $50 and $300. Some options, such as edX’s MicroMasters programs, cost over $1,000. Now some users will be asked to pay a support fee, “from $9 up to some portion of the certification cost,” said Medros. The price of the support fee “will be aligned to the value and experience” that a course gives to a learner, said Medros, suggesting that the best courses will also be the most expensive. By introducing a support fee, Medros said, there is a possibility that completion rates may go up. “There is a lot of evidence showing that having some ‘skin in the game’ is beneficial in online learning,” said Medros. Medros did not say how many courses the support fee would be applied to, but he said it was edX’s intention that “some portion” of its content “will always be free.” He said edX had not decided which content will remain free and what proportion of the total catalog it will represent. top

Beware of buying a competitor’s name to market your law practice (MyShingle.com, 14 June 2018) - Can lawyers use a competitor’s name as a keyword to market their own law practice? Although Google allows law firms to purchase competitors’ names as keywords, at least two states - North Carolina and South Carolina - forbid this practice, finding it inherently deceptive. By contrast, Florida and Texas allow lawyers to use keywords to advertise with the caveat that the ads must be designed so as not to trick consumers into thinking they are going to one firm’s website when they are instead led to another. But the bar regulations don’t much matter because increasingly, law firms whose names have been appropriated are suing competitors and winning. As the Daily Report Online reports, a Georgia court recently enjoined a Texas marketing firm called ELM from running ads for a law firm that used a rival firm’s trade name to draw traffic to the advertising firm’s site. Further compounding the confusion, the marketing company used photos of the rival firm’s site as background for the ads and included phone numbers to call centers where operators were instructed to use a generic greeting so that callers would believe that they had reached the rival firm’s answering service. top

RESOURCES

Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target’s data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CIA monitors YouTube for intelligence (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. “We’re looking at YouTube, which carries some unique and honest-to-goodness intelligence,” said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees’ Association last October. “We’re looking at chat rooms and things that didn’t exist five years ago, and trying to stay ahead. We have groups looking at what they call ‘Citizens Media’: people taking pictures with their cell phones and posting them on the Internet.” In November 2005, the OSC subsumed the CIA’s Foreign Broadcast Information Service, which housed the agency’s foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin’s remarks on his blog. “I found the speech interesting and thoughtful,” he said in an e-mail. “I would not have thought of YouTube as an obvious source of intelligence, but I think it’s a good sign that the Open Source Center is looking at it, and at other new media.” top

Google, UN unveil project to map movement of refugees (SiliconValley.com, 8 April 2008) - Internet search giant Google Inc. unveiled a new feature Tuesday for its popular mapping programs that shines a spotlight on the movement of refugees around the world. The maps will aid humanitarian operations as well as help inform the public about the millions who have fled their homes because of violence or hardship, according to the office of the U.N. High Commissioner for Refugees, which is working with Google on the project. “All of the things that we do for refugees in the refugee camps around the world will become more visible,” U.N. Deputy High Commissioner for Refugees L. Craig Johnstone said at the launch in Geneva. Users can download Google Earth software to see satellite images of refugee hot spots such as Darfur, Iraq and Colombia. Information provided by the U.N. refugee agency explains where the refugees have come from and what problems they face. Google says more than 350 million people have already downloaded Google Earth. The software was launched three years ago and originally intended for highly realistic video games, but its use by rescuers during Hurricane Katrina led the company to reach out to governments and nonprofit organizations.

MIRLN - 6-26 May 2018 (v21.07) - by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it’s already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about “reasonable” security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Working group releases draft protocol on cybersecurity in international arbitration (NY City Bar, 16 April 2018) - Stating that “[i]nternational arbitration in the digital landscape warrants consideration of what constitutes reasonable cybersecurity measures to protect the information exchanged during the process,” a Working Group on Cybersecurity has released a Draft Cybersecurity Protocol for International Arbitration. The Working Group, consisting of the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association, presented the Draft Protocol at the ICCA Congress in Sydney, Australia, on April 15, local time. “International arbitration is not uniquely vulnerable to cyber breaches, but the stakes are often quite high,” said Mark Morril, an independent arbitrator who represents the New York City Bar Association along with independent arbitrator Stephanie Cohen and Lea Haber Kuck of Skadden Arps Slate Meagher & Flom LLP. “Like any sector that involves high value data, international transmissions and multiple actors, it will require strong security going forward.” * * * Ms. Cohen noted that the Protocol purposefully avoids specific cybersecurity recommendations. She said, “We considered but unanimously rejected the ‘one size fits all approach.’ The Protocol guides parties and arbitrators through a risk-based approach to determine reasonable cybersecurity measures that fit each individual matter.” [Polley: see also, TDM Call for Papers: Special Issue on Cybersecurity in International Arbitration (TDM 18 May 2018); spotted by MIRLN reader Phil Ray - @philray66]

Corporate America takes action as awareness of risk to key assets grows (Kilpatrick Townsend, 24 April 2018) - Continuing to respond to the ever-increasing targeted attacks on organizations’ most vital confidential information - their “knowledge assets” - Kilpatrick Townsend & Stockton and the Ponemon Institute released today their findings from The Second Annual Study on the Cybersecurity Risk to Knowledge Assets. The first study, Cybersecurity Risk to Knowledge Assets, was released in July 2016.

Washington utility boosts security after Bitcoin mining moratorium (GT Magazine, 3 May 2018) - Bitcoin belligerence is on the rise, according to Chelan County PUD staff reports, prompting a boost in employee safety and security measures that include bulletproof panels and security cameras at PUD headquarters. The reported bad behavior stems from two cryptocurrency-related groups - unauthorized miners whose power has been disconnected and high-density load service applicants denied because of the current moratorium. “PUD employees in the field and those in the office who are handling issues related to high-density load service have encountered an increasing number of upset customers and potential customers,” said PUD spokeswoman Kimberlee Craig. “In some cases people can get agitated and argumentative. Our goal always is to provide excellent customer service, as well as to keep customers, the public and employees safe, especially when emotions may be running high.” None of the incidents have escalated to the point of calling law enforcement, she said. “The volume of requests and the sense of urgency by applicants has changed the dynamics of the interaction by staff with the cryptocurrency customers,” she said. As a result, staff is taking some proactive steps, which PUD Security Director Rich Hyatt outlined for commissioners on Monday. The increase in tension follows steps taken to put the brakes on blockchain operations that use specialized computer equipment and require a large amount of electricity, running continuously, which can put a strain on the system. The PUD commissioners in March declared an emergency moratorium on new high-density load hookups to give staff time to develop a plan for dealing with the demand for electricity from digital currency miners. The demand spiked when Bitcoin values topped $19,000 last fall. It’s now down to about $7,000, but still up from $500 in 2013. Staff also reported concerns about unauthorized bitcoin operators overloading the system, creating fire hazards and damaging power grid infrastructure. [Polley: Remember 15 years ago or so when some employees were punished for unauthorized use of computer power (via screensavers like [email protected]) to solve computer problems for others (like folding proteins)? Some of these bitcoin apps sound like that, on steroids. See also, Cryptojacking campaign exploits Drupal bug, over 400 websites attacked (Threat Post, 7 May 2018)]

The role of norms in internet security: Reputation and its limits (Lawfare, 8 May 2018) - Who maintains the security and stability of the internet - and how do they do it? It’s a simple question, but a difficult one to answer. Internet security, writ large, comprises a diverse set of social and technical tools and an equally diverse set of industry norms around mitigating and remediating abusive behavior. Those tools are developed and used by what I term operational security communities - groups of individuals, largely unaffiliated with governments, that do the day-to-day work of maintaining the security and stability of the internet. What these communities actually do, and the scope and nature of the challenges that they face, is often poorly understood, even among sophisticated state actors. But one of the key mechanisms on which operational security communities rely is a surprisingly familiar one: reputation. * * * [Polley: Interesting. I’ve been involved with some international norms-development activities in the cyber-warfare arena, and the process is glacial.]

Law firm data is catnip for hackers (Security Boulevard, 8 May 2018) - Dig into a law firm, and you’ll find secrets. Sometimes these secrets are mundane, like who’s getting divorced, or who’s getting cut out of the will. Sometimes, however, these secrets can shake nations and economies. Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm - which might possibly be the most unsafe place to hide them. Law firms may be extremely discreet when protecting their clients’ identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who’ve heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was: (1) running a version of WordPress that was 2 years out of date; (2) running a version of Drupal that was three years out of date; (3) running its web server on the same network as its mail server; (4) running its web server without a firewall; (5) running an out-of-date plugin known as “Revolution Slider,” which contained a file upload vulnerability that had been documented since 2014. This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What’s more troubling, however, is that Mossack Fonseca wasn’t a standout among law firms. Many if not most law firms have an equally bad security posture. [see ANNOUNCEMENTS, above.]

Important Fourth Circuit ruling on cell phone border searches (Orin Kerr on Volokh Conspiracy, 9 May 2018) - The Fourth Circuit handed down a significant ruling today in United States v. Kolsuz on how the Fourth Amendment applies to searches of cell phones seized at the border. Although the court ultimately affirmed the conviction based on the good-faith exception, the court also introduced a new and significant limit on border searches. Judge Pamela Harris penned the majority opinion, and Judge Wilkinson added a concurrence. There’s a lot going on in the opinion, and it merits a close read, but I’ll try to offer some highlights and commentary here. * * * [Polley: Orin Kerr is THE expert on this area of the law in the US; his article is thorough, and interesting. See also, Fourth Circuit rules that suspicionless forensic searches of electronic devices at the border are unconstitutional (EFF, 9 May 2018)]

- and -

Eleventh Circuit creates circuit split on cell phone border searches (Orin Kerr on Volokh Conspiracy, 23 May 2018) - The Eleventh Circuit has handed down an important new ruling on cell phone searches at the border, United States v. Touset. In an opinion by Judge William Pryor, the court disagrees with the Fourth Circuit and Ninth Circuit caselaw requiring suspicion to conduct a forensic search at the border. The basic issue in these cases is this: When the government seizes a computer or cell phone at the border, and they want to search it using forensic equipment, do they need some sort of suspicion that evidence or contraband is on the device? Or does the traditional border search exception (which ordinarily permits searches of property crossing the border without suspicion) apply? Regular readers of this blog have heard a lot about this question over the years. Just two weeks ago, I posted on the Fourth Circuit’s May 9th ruling in United States v. Kolsuz, by Judge Pamela Harris, which required some kind of suspicion to conduct such a search. And I’ve blogged extensively about the Ninth Circuit’s en banc ruling from 2013 in United States v. Cotterman, authored by Judge Margaret McKeown, which required reasonable suspicion for forensic searches at the border. The new Eleventh Circuit decision disagrees with Kolsuz and Cotterman, arguing that no suspicion should be required for a forensic border search. * * *

SEC not looking to file many cybersecurity cases, official says (BNA, 9 May 2018) - The SEC isn’t planning to make cybersecurity cases part of the “bread and butter” of its enforcement activity, despite its multimillion-dollar penalty against the former Yahoo! Inc. in a first-of-its-kind case in the space, a senior Securities and Exchange Commission official said May 9. The remarks by SEC Cyber Unit Chief Robert Cohen at an enforcement conference in New York came after Yahoo successor Altaba Inc. reached a $35 million settlement with the agency in April to resolve claims that it delayed telling investors about a massive data breach. Cohen didn’t rule out more SEC cases like the one against Yahoo. But, he said, the commission looks to bring cybersecurity cases in which the “facts are particularly bad and when the conduct really violates the statute very clearly.” Insider trading, market manipulation, and accounting fraud are the kinds of matters that will continue to populate a majority of the SEC’s case roster, Cohen said. “We’re not looking to bring dozens and dozens of cybersecurity cases every year,” he said at the conference organized by the Practising Law Institute. The agency in February issued new guidance on how to inform investors about cyber threats and breaches. The document stressed that companies should have procedures to notify company leaders and shareholders about cyberattacks. The SEC, however, doesn’t seek to “second-guess good-faith, reasonable decisions” on cybersecurity disclosure, Cohen said, echoing similar comments from other SEC officials.

Alexa and Siri can hear this hidden command. You can’t. (NYT, 10 May 2018) - Many people have grown accustomed to talking to their smart devices, asking them to read a text, play a song or set an alarm. But someone else might be secretly talking to them, too. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online - simply with music playing over the radio. A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website. This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list.

IBM bans all removable storage, for all staff, everywhere (The Register, 10 May 2018) - IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g.,: USB, SD card, flash drive).” The advisory stated some pockets of IBM have had this policy for a while, but “over the next few weeks we are implementing this policy worldwide.” Big Blue’s doing this because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around. But the advisory also admitted that the move may be “disruptive for some.” She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches. Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key.

The Santa Clara Principles on transparency and accountability in content moderation (Benton Foundation, 10 May 2018) - The Santa Clara Principles offer guidance to internet platforms on how to provide users with meaningful due process when their posts are taken down or their accounts are suspended, and to help ensure that the enforcement of company content guidelines is fair, unbiased, and respectful of users’ free expression rights. The three principles urge companies to: (a) Publish the numbers of posts removed and accounts permanently or temporarily suspended due to violations of their content guidelines; (b) Provide clear notice to all users about what types of content are prohibited, and clear notice to each affected user about the reason for the removal of their content or the suspension of their account; and (c) Enable users to engage in a meaningful and timely appeals process for any content removals or account suspensions.

Industry insight: Collaboration tools might be the next great security risk (PC Magazine, 14 May 2018) - Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it’s a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company’s most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private information outside of your organization. In other words, even if they’re being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network. Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif.-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sort of attacks that could happen via collaboration services and how businesses can protect themselves.

20 years of the Laws of Cyberspace (Harvard, 16 May 2018) - It’s been two decades since Harvard Law School Professor Lawrence Lessig published “The Laws Of Cyberspace,” which, in the words of Professor Jonathan Zittrain, “imposed some structure over the creative chaos of what maybe was a field that we’d call cyberlaw.” Lessig’s groundbreaking paper describes four types of constraints that together regulate behavior - law, social norms, the market, and architecture - and argues that due to its special architecture, cyberspace is different from “real” space and thus subject to new possibilities for control by governments and other centers of power. “The world we are entering is not a world where freedom is assured,” Lessig wrote in 1998, but instead, “has the potential to be the most fully, and extensively, regulated space in our history.” On April 16, the Berkman Klein Center of Internet & Society hosted a special event commemorating the 20th anniversary of the publication of “The Laws of Cyberspace,” with Lessig, Harvard Law School Professors Ruth Okediji and Jonathan Zittrain, and Dr. Laura DeNardis of American University. The panelists reflected on the paper, and where the field of cyberlaw has taken us over the last two decades, and they considered how some of the concerns raised in 1998 might apply today.

Do attorneys need mandatory technology CLEs? N.C. Bar says yes (Bloomberg, 21 May 2018) - Lawyers need technological expertise, whether to protect a client’s sensitive information, apply a data analytics tool during discovery, or simply to be adept at using a word processing program. But though lawyers are ethically bound to understand the technology they use to practice, only one state requires continuing legal education on technology. A new proposal would make North Carolina the second. The North Carolina State Bar later this year will ask the state’s high court to approve an amendment that would require attorneys to complete a one-hour class devoted to technology training, as part of their 12-hour annual CLE requirements. North Carolina would join Florida in requiring technology CLE credits. The Florida Supreme Court in 2016 amended the rules regulating the state bar to require that lawyers obtain three hours of technology CLE credits every three years, of the 33-hour total. The new CLE requirement is a step towards encouraging attorneys to stay current with technological advancements, academics told Bloomberg Law. “The change sends an important message: that lawyers need to understand how technology is affecting the delivery of legal services,” Andrew M. Perlman, dean of Suffolk University School of Law in Boston, told Bloomberg Law. Perlman is also chair of the American Bar Association’s Center for Innovation.

Play-Doh smell trademarked (Lowering the Bar, 21 May 2018) - Bad news for those of you who currently emit a sweet, slightly musky, vanilla fragrance, with slight overtones of cherry, combined with the smell of a salted, wheat-based dough. You need to stop doing that immediately, because that particular smell has just been trademarked by the Hasbro Corporation. Hasbro announced on Friday that the trademark it claimed for the “iconic” Play-Doh scent had been officially recognized by the U.S. Patent and Trademark Office. That makes it one of only about a dozen scent trademarks that the PTO has recognized to date, including Verizon’s “flowery musk” store scent, the bubble-gum smell of Grendene jelly sandals, and the scent of strawberries with which Lactona toothbrushes are “impregnated.” Why so few trademarks, when there are so many smells? Well, it isn’t easy to trademark a smell, and the concept itself is a little controversial. The main problem seems to be the requirement that a trademarked feature be “nonfunctional,” designed to keep trademarks from limiting competition too much and probably also to keep them from overlapping with patents. This, ironically, means that the smell of a perfume cannot be trademarked, because the PTO considers that to be its function. It is possible to patent a scent molecule, as we have discussed here before. See “‘Pretty Sure Stank Is Patented,’ Lawyer Claims - But It’s Complicated,” Lowering the Bar (Oct. 18, 2017). But that too is rare.

The Wayback Machine is deleting evidence of malware sold to stalkers (Motherboard, 22 May 2018) - The Internet Archive’s goal, according to its website, is “universal access to all knowledge.” As part of that mission, the non-profit runs the Wayback Machine, an online tool that anyone can use to digitally preserve a snapshot of a website. It provides an important public service, in that if a company tries to quietly change its policy, or perhaps a government tries to scrub a position from its website, the Wayback Machine can provide robust proof of the switch. But the Internet Archive has been purging its banks of content related to a company which marketed powerful malware for abusive partners to spy on their spouses. The news highlights the broader issue of the fragility of online archives, including those preserving information in the public interest. “Journalists and human rights defenders often rely on archiving services such as the Wayback Machine as tools to preserve evidence that might be key to demand accountability,” Claudio Guarnieri, a technologist at human rights charity Amnesty International, told Motherboard in an online chat. The company in question is FlexiSpy, a Thailand-based firm which offers desktop and mobile malware. The spyware can intercept phone calls, remotely turn on a device’s microphone and camera, steal emails and social media messages, as well as track a target’s GPS location. Previously, pages from FlexiSpy’s website saved to the Wayback Machine showed a customer survey, with over 50 percent of respondents saying they were interested in a spy phone product because they believe their partner may be cheating. That particular graphic was mentioned in a recent New York Times piece on the consumer spyware market. In another example, a Wayback Machine archive of FlexiSpy’s homepage showed one of the company’s catchphrases: “Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won’t.” Now, those pages are no longer on the Wayback Machine. Instead, when trying to view seemingly any page from FlexiSpy’s domain on the archiving service, the page reads “This URL has been excluded from the Wayback Machine.” (After Motherboard published a series of articles about the consumer spyware market, FlexiSpy purged its own website of content relating to illegal spying on spouses.)

Privacy Policy (Writers HQ, 23 May 2018) - “Wow, has anyone ever read one of these? We have to have one of these dealios to explain how we comply with the GDPR (General Data Protection Regulation), the DPA (Data Protection Act) and the PECR (Privacy and Electronic Communications Regulations) because God knows there’s not enough actual interesting things in the world to read, you need to read 1,000 words of legalese nonsense that makes literally not one bit of difference to anyone, ever. Also we don’t really know what these things are. We’re just two under-heighted writers who thought we’d have a laugh and get other people writing with us. The best bit about the GDPR is that all this has to be “concise, transparent, intelligible and easily accessible” so hold on to your hats, motherf*&^ers, this is going to be the shortest, clearest and best freakin’ privacy policy you ever did see. So. Here we go… * * * [Polley: Hilarious. And possibly compliant.]

Take a look at your Twitter timeline 10 years ago (TechCrunch, 25 May 2018) - Here’s a fun thing for a Friday: go back and see what your Twitter timeline looked like 10 years ago. Twitter has pretty powerful search settings, but Andy Baio - of Kickstarter fame and more - did the heavy-lifting for us all by sharing a link that lets you look at your timeline exactly a decade ago, assuming you followed the same people. Try it here. (The search will work even if you didn’t have an account 10 years ago.)

Thanks to Google, you can now view Frida Kahlo’s artwork from the comfort of your home (Mashable, 25 May 2018) - There’s nothing quite like going to a museum to view a retrospective of a renowned artist. But for those who cannot do so, Google’s offered up a neat solution. The Arts & Culture arm of the tech company has worked with museums and collections around the world to create an online exhibit dedicated to the life and art of Frida Kahlo. The exhibition is called “Faces of Frida,” and features Kahlo’s paintings, snippets of her diary, reimagined works, and editorial pieces exploring hidden meaning behind her paintings and her relationship to folk art. According to Forbes, there are 800 items in total, and the exhibit is a joint effort between 33 museums spanning 7 countries.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Google begins blurring faces in street view (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant’s all-seeing digital camera eye. The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy - both legal requirements and social norms - is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren’t eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver’s perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris.

FBI’s net surveillance proposal raises privacy, legal concerns (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI’s Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let’s look at step 1 first. Issa suggested that Internet providers could get “consent from every single person who signed up to operate under their auspices” for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said “legislation has to be developed” for “some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt” it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic—akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising—plus additional processing to detect and thwart any “illegal activity.” “That’s very troubling,” said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. “It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law.” Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who “intentionally and without the consent of all parties to a confidential communication” conducts electronic surveillance shall be imprisoned for one year. (I say “probably illegal” because their exchange didn’t offer much in the way of details.) “I think there’s a substantial problem with what Mueller’s proposing,” said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. “He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn’t quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside.”

MIRLN — 15 April - 5 May 2018 (v21.06) — by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENTS

Join me in Washington, D.C. on May 9-10 at the ABA’s Internet of Things National Institute. Conference keynotes include US Sen. Mark Warner and Rep. Jerry McNerney (who introduced the Securing IoT Act), Rep. Robin Kelly (Ranking Member of the Subcommittee on Information Technology), Commerce Department GC Peter Davidson, and former FTC Commissioner Terrell McSweeny. DC Bar ABA members get a discount with DCBAR2018iot. Learn more here: ambar.org/iot2018

NEWS

Oil and gas cybersecurity projects went ‘to the bottom of the pile’ in energy slump (Houston Chronicle, 12 April 2018) - Oil companies put cybersecurity initiatives on hold while crude prices languished at multi-year lows in 2015 and 2016, falling behind in hardening their systems while state-sponsored hacking groups only got more proficient at probing U.S. energy networks, security experts say. As oil companies cut thousands of jobs and pared back drilling operations in the downturn, cybersecurity teams faced funding shortfalls for projects to secure computer networks that run rigs, pipelines and other oil field assets, increasing pressure for a field already challenged by finite resources and competing priorities. In an oil bust, “projects, capabilities and needs that aren’t exactly on top of mind go to the bottom of the pile,” said Paul Brager Jr., a cybersecurity professional at Houston oil field services firm Baker Hughes, a GE company. But among federal agencies and security professionals called in to respond to online attacks, there’s no longer any doubt foreign adversaries in Russia, Iran and North Korea have planned and executed attacks to plant themselves in U.S. critical infrastructure, which includes pipelines, refineries and petrochemical plants. top

Facebook and Cambridge Analytica (Bruce Schneier, 15 April 2018) - In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we’re offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits—even if we didn’t take the personality test that Cambridge Analytica developed. But for every article about Facebook’s creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it’s Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit. Harvard Business School professor Shoshana Zuboff calls it “surveillance capitalism.” And as creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it’s up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and—if not—what to do about it. There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver’s license numbers. You certainly didn’t give it permission to collect any of that information. Equifax is one of those thousands of data brokers, most of them you’ve never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it. Surveillance capitalism takes this one step further. 
Companies like Facebook and Google offer you free services in exchange for your data. Google’s surveillance isn’t in the news, but it’s startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones. That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It’s the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more. Surveillance capitalism drives much of the internet. It’s behind most of the “free” services, and many of the paid ones as well. Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it’s really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you. * * * [Polley: Good perspective.] top

OLPC’s $100 laptop was going to change the world - then it all went wrong (The Verge, 16 April 2018) - It was supposed to be the laptop that saved the world. In late 2005, tech visionary and MIT Media Lab founder Nicholas Negroponte pulled the cloth cover off a small green computer with a bright yellow crank. The device was the first working prototype for Negroponte’s new nonprofit One Laptop Per Child, dubbed “the green machine” or simply “the $100 laptop.” And it was like nothing that Negroponte’s audience - at either his panel at a UN-sponsored tech summit in Tunis, or around the globe - had ever seen. After UN Secretary-General Kofi Annan offered a glowing introduction, Negroponte explained exactly why. The $100 laptop would have all the features of an ordinary computer but require so little electricity that a child could power it with a hand crank. It would be rugged enough for children to use anywhere, instead of being limited to schools. Mesh networking would let one laptop extend a single internet connection to many others. A Linux-based operating system would give kids total access to the computer - OLPC had reportedly turned down an offer of free Mac OS X licenses from Steve Jobs. And as its name suggested, the laptop would cost only $100, at a time when its competitors cost $1,000 or more. Then, Negroponte and Annan rose for a photo-op with two OLPC laptops, and reporters urged them to demonstrate the machines’ distinctive cranks. Annan’s crank handle fell off almost immediately. As he quietly reattached it, Negroponte managed half a turn before hitting the flat surface of the table. He awkwardly raised the laptop a few inches, trying to make space for a full rotation. “Maybe afterwards…” he trailed off, before sitting back down to field questions from the crowd. 
The moment was brief, but it perfectly foreshadowed how critics would see One Laptop Per Child a few years later: as a flashy, clever, and idealistic project that shattered at its first brush with reality. If you remember the OLPC at all, you probably remember the hand crank. It was OLPC’s most striking technological innovation - and it was pure vaporware. Designers dropped the feature almost immediately after Negroponte’s announcement, because the winding process put stress on the laptop’s body and demanded energy that kids in very poor areas couldn’t spare. * * * top

Virtual annual meetings: updated “best practices” (CorporateCounsel.net, 16 April 2018) - As it did back in 2012, Broadridge recently convened a group of 17 different stakeholders to look at the state of virtual annual meetings - both “virtual only” and hybrid. The end product is this set of “Principles & Best Practices for Virtual Annual Meetings.” Like before, the report’s conclusions are not that profound - but they can be useful to help guide those considering virtual meetings (and it includes a useful appendix that summarizes each state’s laws governing electronic participation in shareholder meetings). top

Cybersecurity standards for private companies: Taking notes from the SEC’s public company guidance (Nixon Peabody, 18 April 2018) - The Securities and Exchange Commission (“SEC”) recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (the “2018 Guidance”). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets. “There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve,” said a statement released by SEC Chairman Jay Clayton. “Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion.” To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC has established a Cyber Unit charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure. While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks - all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC’s website states, “a responsibility of every market participant.” To that end, the following are some key takeaways for private companies from the 2018 Guidance: * * * top

- and -

Cybersecurity: NIST’s new framework (Version 1.1) (CorporateCounsel.net, 20 April 2018) - Recently, NIST released an updated cybersecurity framework. This popular framework is entitled “Version 1.1” rather than the “2.0” that some have been calling it (including us) when the proposal was released last year. Here’s an excerpt from this Wachtell Lipton memo: The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST’s original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version’s five core cybersecurity functions - Identify, Protect, Detect, Respond, and Recover - and tiered implementation system. Instead of a “one-size-fits-all” approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company. Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. In terms of other specific changes, Version 1.1 provides new guidance on how to use the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things. top

- and -

New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection (SC Media, 23 April 2018) - The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls to low impact Bulk Electronic Systems (BES), mandate security controls for mobile devices, and develop modifications to critical infrastructure protection (CIP) reliability standards. Work on the new standard began in October 2017 when FERC asked NERC to clarify electronic access controls, adopt mandatory requirements for transient electronic devices, and require the creation of a response policy in case of a system threat. The genesis of this request comes from a group of bipartisan bills that were advanced out of the House Energy and Commerce subcommittee to improve the government’s response to cybersecurity attacks on the electric grid, particularly against less critical facilities. “CIP-003-7 pushes forward on FERC’s concern that even the less critical assets covered by these standards (referred to as low impact facilities) present risks to the bulk electric system that need to be addressed,” said Daniel Skees, a partner at the law firm Morgan Lewis. Skees represents electric utilities before FERC. FERC officially approved the new CIP reliability standard CIP-003-7 (Cyber Security - Security Management Controls), which was submitted by the North American Electric Reliability Corporation (NERC). By accepting the standard, FERC tasks NERC with implementing the new requirements. 
FERC noted that the new rules developed by NERC improve upon the prior CIP reliability standards by clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; adopting mandatory security controls for transient electronic devices such as thumb drives, laptop computers, and other portable devices used frequently with low impact BES Cyber Systems; and adding the requirement that responsible entities have in place a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. top

- and -

BSA releases international cybersecurity framework to promote strong and consistent cybersecurity governance (BSA, 25 April 2018) - The Software Alliance released an International Cybersecurity Policy Framework to serve as a tool both for policymakers considering foundational cybersecurity legislation and for those examining gaps and shortfalls in existing policies. top

- and -

DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain (CSO, 30 April 2018) - The US Department of Defense issued new guidance on how it might penalize business partners that do not adequately adhere to new security rules codified in NIST SP 800-171. NIST has prescribed a set of 110 security requirements that are derived from a larger standard called NIST SP 800-53 that governs cybersecurity standards for government systems. December 31, 2017 was the designated deadline for implementing the controls as part of DFARS 252.204-7012 to protect confidential unclassified information (CUI). To facilitate gradual adoption, DoD allowed businesses to specify a future date for implementing security controls through the Plan of Actions & Milestones (POAM) artifact. Many organizations have resorted to “POAM’ing” requirements in a checkbox exercise and generated System Security Plans that are very light and do not adequately describe the security posture of the vendor. The new DOD guidance for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls. The new guidance also provides specific information on the downsides of not implementing the new security controls. The “Assessing the State of a Contractor’s Internal Information System in a Procurement Action” document outlines the specific conditions during the request for proposals (RFP), source selection and subsequent contract award that will be looked at by government officials related to NIST SP 800-171 compliance. top

Facebook moves 1.5bn users out of reach of new European privacy law (The Guardian, 19 April 2018) - Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally. In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. Earlier this month, when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” he said. A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR’s protections would apply to all Facebook users. His answer was affirmative - but only referred to GDPR “controls”, rather than “protections”. Worldwide, Facebook has rolled out a suite of tools to let users exercise their rights under GDPR, such as downloading and deleting data, and the company’s new consent-gathering controls are similarly universal. top

- and -

Survey reveals that many companies are behind schedule to achieve Global Data Protection Regulation compliance (McDermott Will & Emery, 20 April 2018) - A major survey sponsored by international law firm McDermott Will & Emery and carried out by the Ponemon Institute has revealed that many companies are behind schedule to achieve Global Data Protection Regulation (GDPR) compliance by the looming May deadline. The survey results show that 40% of companies only expect to achieve compliance with the regulation after May 25th when the Regulation comes into effect. The McDermott-Ponemon study surveyed companies across the US and Europe on their understanding of the impact of GDPR and their readiness for it. Key findings of this important benchmark survey are: * * * [Polley: thorough report, as usual. I was surprised how un-ready so many organizations are - it’s almost laughable. Reminds me of how long organizations were running without full compliance with the DPD, dating from 1995.] top

- and -

Here’s why you’re getting all those terms of service update emails (Mashable, 25 April 2018) - Get the feeling you’re suddenly being bombarded with emails from companies about updated terms of service policies? You are. And there’s a good reason: the European Union’s forthcoming efforts to protect our personal data. And though the law is based in the EU, the GDPR has a worldwide impact because any global online company that collects data from someone living in the EU will be held accountable. While the specific updates made to each terms of service policy will be individual to every company, the law expands the definition of what information is considered personal data. This means companies will likely be adjusting their privacy policies to inform users that less basic information such as IP addresses, location data, web browsing cookies, and other details are also defined as personal data. Though the new internet regulations don’t go into effect until May 25, 2018, companies like Facebook, Instagram, Google, and more are starting to prepare by updating their terms of service and privacy policies now. top

Federal judge adopts CFTC position that cryptocurrencies are commodities (ABA’s Business Law Today, 20 April 2018) - A New York federal judge held that virtual currencies are commodities that can be regulated by the Commodity Futures Trading Commission (“CFTC”), enjoining the defendants, an individual and affiliated entity, from trading cryptocurrencies on their own or others’ behalf or soliciting funds from others, and ordering an expedited accounting. CFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 (E.D.N.Y. Filed Jan 18, 2018). While the CFTC announced its position that cryptocurrencies are commodities in 2015, this case marks the first time a court has weighed in on whether cryptocurrencies are commodities. Having answered that question in the affirmative, the court went on to hold that the CFTC has jurisdictional authority over defendants’ alleged cryptocurrency fraud under 7 U.S.C. § 9(1), which permits the CFTC to regulate fraud and manipulation in underlying commodity spot markets. top

- and -

Goldman Sachs to open a bitcoin trading operation (NYT, 2 May 2018) - Most big banks have tried to stay far away from the scandal-tainted virtual currency Bitcoin. But Goldman Sachs, perhaps the most storied name in finance, is bucking the risks and moving ahead with plans to set up what appears to be the first Bitcoin trading operation at a Wall Street bank. In a step that is likely to lend legitimacy to virtual currencies - and create new concerns for Goldman - the bank is about to begin using its own money to trade with clients in a variety of contracts linked to the price of Bitcoin. While Goldman will not initially be buying and selling actual Bitcoins, a team at the bank is looking at going in that direction if it can get regulatory approval and figure out how to deal with the additional risks associated with holding the virtual currency. * * * Over the last two years a growing number of hedge funds and other large investors around the world have expressed an interest in virtual currencies. Tech companies like Square have begun offering Bitcoin services to their customers, and the commodity exchanges in Chicago started allowing customers to trade Bitcoin futures contracts in December. But until now, regulated financial institutions have steered clear of Bitcoin, with some going so far as to shut down the accounts of customers who traded Bitcoin. Jamie Dimon, the chief executive of JPMorgan Chase, famously called it a fraud, and many other bank chief executives have said Bitcoin is nothing more than a speculative bubble. top

Abbott issues software patches for more cardiac devices (Gov Info Security, 20 April 2018) - Abbott Laboratories has issued software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients. The products were previously sold by device maker St. Jude Medical, which Abbott acquired last year. More than 382,000 of these affected devices are distributed in the U.S., including 350,000 devices that are currently implanted in patients, according to the Food and Drug Administration and Abbott. The remainder of the devices are in inventories and will be updated “in-box,” an Abbott spokeswoman says. The device problems were also the subject of previous warnings by the FDA and the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, which both issued new advisories on April 17 about the availability of the Abbott software patches. The impacted devices include certain families of Abbott implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, which are devices that provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms, the FDA notes in its alert. Last August, Abbott also issued software updates to address similar cybersecurity vulnerabilities in certain implantable cardiac pacemaker devices (see A FDA First: Cyber Recall for Implantable Devices). top

Newly disclosed documents on the Five Eyes Alliance and what they tell us about intelligence-sharing agreements (Lawfare, 23 April 2018) - The United States is party to a number of international intelligence sharing arrangements - one of the most prominent being the so-called “Five Eyes” alliance. Born from spying arrangements forged during World War II, the Five Eyes alliance facilitates the sharing of signals intelligence among the U.S., the U.K., Australia, Canada and New Zealand. The Five Eyes countries agree to exchange by default all signals intelligence they gather, as well as methods and techniques related to signals intelligence operations. When the Five Eyes first agreed to this exchange of intelligence - before the first transatlantic telephone cable was laid - they could hardly have anticipated the technological advances that awaited them. Yet, we remain in the dark about the current legal framework governing intelligence sharing among the Five Eyes, including the types of information that the U.S. government accesses and the rules that govern U.S. intelligence agencies’ access to and dissemination of Americans’ private communications and data. In July 2017, Privacy International and Yale Law School’s Media Freedom & Information Access Clinic filed a lawsuit against the National Security Agency, the Office of the Director of National Intelligence, the State Department, and the National Archives and Records Administration seeking access to records related to the Five Eyes alliance under the Freedom of Information Act. Over the past few months, we have begun to receive limited disclosure from the NSA and the State Department. While we have not seen the text of the current agreement - as well as other records that would shed important light on how the agreement operates - the disclosures to date give us insight into the nature and scope of U.S. intelligence sharing agreements. Below, we summarize a few of these disclosures and talk through their implications. 
In particular, we highlight how, taken together, they suggest that the U.S. government takes an inconsistent approach to legal classification and therefore publication of these types of agreements. We also take a closer look at one agreement - the 1961 General Security Agreement between the Government of the United States and the Government of the United Kingdom - which further illuminates our understanding of the privatization of intelligence activities and provides us with a rare glimpse of the “third party rule,” an obstacle to oversight and accountability of intelligence sharing. top

US regulator fines Altaba $35 million over 2014 Yahoo email hack (Reuters, 24 April 2018) - U.S. regulators fined Altaba Inc, the company formerly known as Yahoo! Inc, $35 million on Tuesday to settle charges that it kept its massive 2014 cyber security breach a secret from investors for more than two years. The Securities and Exchange Commission’s case marks the first time it has gone after a company for failing to disclose a cyber security breach. Steven Peikin, co-director of the SEC’s enforcement division, said cyber breaches were a priority for the agency and that he hoped companies facing similar issues would take note. top

How hackers could cause chaos on America’s roads and railways (Pew Trusts, 24 April 2018) - When hackers struck the Colorado Department of Transportation in a ransomware attack in February and again eight days later, they disrupted the agency’s operations for weeks. State officials had to shut down 2,000 computers, and transportation employees were forced to use pen and paper or their personal devices instead of their work computers. Staffers whose computers were infected didn’t have access to their files or data, unless it was stored on the internet, and the attack affected the payroll system and vendor contracts. It could have been a lot worse: The Colorado hacks didn’t affect traffic signals, cameras or electronic message boards, and state information technology officials, who refused to pay the ransom, said the system had been 95 percent restored as of last week. Transportation systems are ripe targets for cybercriminals, according to cybersecurity experts, and many state and local government officials are only now waking up to the threat and realizing they need to beef up their defenses. In February, Maryland Department of Transportation Secretary Pete Rahn told a meeting of the American Association of State Highway and Transportation Officials that security breaches are a big concern for his agency, which oversees public transit, highways, tolls, a port, an airport and the motor vehicle administration. If hackers get into the network, he said, “they can play with our trains, traffic signals, variable message boards. We’ve never had to think about these things before.” * * * top

Top federal IT contractors leave emails vulnerable to phishing, spoofing (Global Cyber Alliance press release, 25 April 2018) - Only one of the largest federal contractors has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the top 50 information technology (IT) contractors to the United States government, GCA found that only one contractor is using email-validation security - the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol - at its highest level. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years. Late last year, the Department of Homeland Security mandated that all federal agencies implement DMARC. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors’ failure to follow suit could make them more enticing to threat actors looking for new ways to access government information. top
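The GCA finding above turns on what DMARC “at its highest level” means in a domain’s published record. As an added example (not code from GCA, DHS or the report), this Python classifies constructed _dmarc TXT records by enforcement level; it assumes that full enforcement means p=reject with pct=100 and no weaker sp= for subdomains, and the sample records and domain names are made up for illustration.

```python
"""Classify DMARC TXT records by enforcement level.

Added example, not code from the GCA study or any of its tools.  The
record strings below are constructed samples, not real contractors'
records.  The "full enforcement" criterion is an assumption.
"""

# Strength order assumed here: reject > quarantine > none.
LEVELS = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing ';' and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record):
    """Return (level, findings) for one TXT record (None = no record published).

    level is one of: missing, invalid, none, quarantine, reject-partial,
    reject-full.  findings explains why a record falls short of full
    enforcement, which is what a defender needs to fix.
    """
    if record is None:
        return "missing", ["no _dmarc TXT record published"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", ["record must start with v=DMARC1 and carry a p= tag"]
    policy = tags["p"].lower()
    if policy not in LEVELS:
        return "invalid", [f"unknown policy value p={tags['p']}"]

    findings = []
    # pct defaults to 100; a lower value applies the policy to only that
    # fraction of failing mail, so spoofed messages still get through.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    # sp defaults to p; an explicitly weaker sp leaves subdomains spoofable.
    sub = tags.get("sp", policy).lower()
    sub_weaker = LEVELS.get(sub, -1) < LEVELS[policy]
    if sub_weaker:
        findings.append(f"sp={sub} weakens the policy for subdomains")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    if policy != "reject":
        return policy, findings
    if pct < 100 or sub_weaker:
        return "reject-partial", findings
    return "reject-full", findings


# Constructed sample records (hypothetical domains) for illustration.
SAMPLE_RECORDS = {
    "contractor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@contractor-a.example",
    "contractor-b.example": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@contractor-b.example",
    "contractor-c.example": "v=DMARC1; p=quarantine; sp=none",
    "contractor-d.example": "v=DMARC1; p=none; rua=mailto:reports@contractor-d.example",
    "contractor-e.example": None,
}


def summarize(records):
    """Tally how many domains sit at each level, the way the GCA report counts."""
    counts = {}
    for rec in records.values():
        level, _ = classify(rec)
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        level, findings = classify(rec)
        print(f"{domain:22} {level:15} {'; '.join(findings)}")
    print(summarize(SAMPLE_RECORDS))
```

To check a real domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string to `classify`.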

Building on sand isn’t stable: Correcting a misunderstanding of the National Academies report on encryption (Lawfare’s Susan Landau, 25 April 2018) - The encryption debate is messy. In any debate that involves technology-encryption, security systems and policy, law enforcement, and national security access-the incomparable complexities and tradeoffs make choices complicated. That’s why getting the facts absolutely right matters. To that end, I’m offering a small, but significant, correction to a post Alan Rozenshtein wrote on Lawfare on March 29. Rozenshtein argued that in opposing an exceptional-access mandate-the ability for law enforcement to access an encrypted communication or locked device with a warrant-the computer-security community had deluded itself into thinking that such systems couldn’t be built securely. As evidence of this, Rozenshtein pointed to the recent National Academies study on the tradeoffs involved in government access to encrypted content. (Note: I served on the study committee.) He wrote that the report made an important point that many missed: “High-level experts in the information-security community itself are trying to build secure third-party-access systems.” But this is not what the report said. The Academies report does discuss approaches to “building ... secure systems” that provide exceptional access-but these are initial approaches only. The report states as much in writing that computer scientists have “begun to explore” this area of research. The presentations to the Academies committee were brief descriptions of ideas by three smart computer scientists, not detailed architectures of how such systems would work. There’s a huge difference between a sketch of an idea and an actual implementation-Leonardo da Vinci’s drawings for a flying machine as opposed to the Wright brothers’ plane at Kitty Hawk. The presentations that the Academies saw are more akin to sketches than a system architecture. 
None of the three presentations involved anything more than the thoughts of a single individual. The study did not hear presentations about engineering teams “trying to build secure third-party-access systems”-there is no such effort at present. (This does not include key-recovery solutions such as those provided in Apple’s FileVault or Microsoft’s BitLocker; these solve a different problem from the “going dark” issue.) An exceptional-access system is not merely a complex mathematical design for a cryptosystem; it is a systems design for a complex engineering task. * * * [ Polley : pretty interesting post, and Landau is quite expert in this field.] top

- and -

Encryption policy and its international impacts: A framework for understanding extraterritorial ripple effects (Lawfare, 2 May 2018) - Encryption technologies play a complicated role in today’s connected, mobile, data-driven world. My colleagues, Herbert Burkert and Urs Gasser, and I have written a paper offering a conceptual framework that can help policy-makers better understand and anticipate the international ramifications of domestic encryption policies. There is no doubt that encryption has enabled our digital economy, securing everything from online commerce, financial transactions, connected devices, and more. At the same time, examples abound of concerns from law enforcement and intelligence agencies that encryption technologies are making it harder to address crime and terrorism. The 2016 battle between Apple and the FBI over the availability of essentially unbreakable encryption on consumer devices like the iPhone is perhaps the most public, but far from the only example of the complex challenges that encryption poses for legislators, law enforcement agencies, national security agencies, and other policymakers. In response to these technological and legal challenges, decisionmakers and leaders of all kinds-legislators, regulators, intelligence and law enforcement agencies, and companies-are increasingly faced with difficult decisions that ultimately have both direct and indirect impacts on the effectiveness and availability of encryption tools. For example, legislators might mandate the inclusion of so-called “backdoors” in consumer devices, regulators might only allow the government to purchase technologies that meet minimum levels of security, intelligence agencies might attempt to influence encryption technical standards in ways that are beneficial to intelligence gathering, and companies might make encryption a default in their products. 
Collectively, choices like these effectively define a country’s encryption “policy.” It is not one law or a regulation, but instead the cumulative impact of each (sometimes conflicting) decision that affects the availability and effectiveness of encryption technologies. The challenge for such decisionmakers is that although the domestic impacts of such individual decisions are often intended and predictable, the international implications are often both unintentional and poorly understood. The purpose of this paper is to help policymakers better anticipate the numerous global ramifications, including those that can undermine the intent of the original policy. top

Equifax data breach cost hits $242 million (SC Magazine, 26 April 2018) - The massive data breach that compromised the data of 147.9 million Equifax customers last year has cost the company more than $242 million in related expenses, but luckily for the company, much of this cost has been covered by its cybersecurity insurance. Equifax noted the expenditures in its first-quarter financial report. The total tally for the breach since it became public in September has been $242.7 million, with $78.7 million in pre-tax expenses being spent during the first quarter, ended March 30. This included $45.7 million in IT and security costs to transform the company’s IT infrastructure and improve application, network, and data security, and the costs of development and launch of Lock and Alert. Another $28.9 million was spent during the quarter on legal and investigative fees and $4.1 million on product liability costs, which include the expected costs of fulfillment of TrustedID Premier and support of consumers using TrustedID Premier. In the financial filing, Equifax said it carries $125 million in cybersecurity insurance, with a $7.5 million deductible, and has so far received $60 million in payments from its carrier; $10 million of that was received during the first quarter. top

25 years ago today, the web opened up and the world changed (Fast Company, 30 April 2018) - On April 30, 1993, CERN-the European Organization for Nuclear Research-announced that it was putting a piece of software developed by one of its researchers, Tim Berners-Lee, into the public domain. That software was a “global computer networked information system” called the World Wide Web, and CERN’s decision meant that anyone, anywhere, could run a website and do anything with it. In an era when online services were still dominated by proprietary, for-profit walled gardens such as AOL and CompuServe, that was a radical idea. top

Facebook says it will let users remove data from outside sites (Axios, 1 May 2018) - Facebook said Tuesday that in the coming months it would let users see and wipe the data fed into its ad targeting system by outside websites and applications. Why it matters: Facebook is grappling with a data privacy reckoning after the Cambridge Analytica scandal focused a spotlight on its relations with external developers. What they’re saying: “This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward,” said Erin Egan, who the company recently said would focus full-time on her role as Chief Privacy Officer. If a user deletes this information, it will no longer be associated with their account - although Facebook says it will continue to give outside parties broad analytics reports. Facebook founder and chief executive Mark Zuckerberg called the new control a “Clear History” option, similar to what web browsers offer, and said in a post that when users take advantage of it, “Facebook won’t be as good while it relearns your preferences.” [ see also Facebook’s Zuckerberg unveils privacy tool ‘clear history’ (CNET, 1 May 2018)] top

Under the Foreign Sovereign Immunities Act, where do hacking torts happen? (Lawfare, 1 May 2018) - The Democratic National Committee’s lawsuit against the Russian Federation will run aground, as Ingrid Wuerth notes, unless the DNC can find a way around Russia’s immunity in American courts. In that respect, the suit raises a question on which precedent remains thin: whether allegations of state-sponsored hacking can fit through the Foreign Sovereign Immunities Act exception for cases that involve “personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state.” That provision, the noncommercial tort exception, was written primarily to address traffic accidents, as the Supreme Court noted in Argentine Republic v. Amerada Hess. Very few plaintiffs have attempted to invoke it in challenges to nation-state spying, and the case most squarely on point-the D.C. Circuit’s 2017 decision in Doe v. Federal Democratic Republic of Ethiopia-suggests that the DNC will face an uphill battle. But as I recently argued in a case comment for the Harvard Law Review, and as this post summarizes, there are reasons for the Southern District of New York to think carefully before following Doe. top

- and -

The digital vigilantes who hack back (The New Yorker, 7 May 2018) - American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law? [ Polley : worth a close read; very interesting.] top

Data breach that revealed client file sparks legal malpractice action (New Jersey Law Journal, 1 May 2018) - A matrimonial attorney and her firm are facing a malpractice suit in state Superior Court in Morris County, New Jersey, after litigation over a divorce was disrupted by a data breach. top

Pirate radio stations explode on YouTube (NYT, 3 May 2018) - Luke Pritchard and Jonny Laxton were 13 when they met at a boarding school in Crowthorne, England, in 2011. They bonded over a shared love of underground music and in 2014 started a YouTube channel, College Music, to promote the artists they liked. At first, the channel grew slowly. Then, in the spring of 2016, Mr. Pritchard discovered 24/7 live-streaming, a feature that allows YouTube’s users to broadcast a single video continuously. College Music had 794 subscribers in April 2015, a year before Mr. Pritchard and Mr. Laxton started streaming. A month after they began, they had more than 18,440. In April 2016, they had 98,110 subscribers and as of last month, with three active live streams, they have more than triple that amount, with 334,000. They make about $5,000 a month from the streams. The boys stumbled upon a new strategy, one that, in the past two years, has helped a certain kind of YouTube channel achieve widespread popularity. Hundreds of independently run channels have begun to stream music nonstop, with videos that combine playlists with hundreds of songs and short, looped animations, often taken from anime films without copyright permission. * * * The channels occupy a precarious space between YouTube’s algorithm and its copyright policing, drawing comparisons to the unlicensed pirate radio stations of the 20th century, recreated in the digital sphere. Many of the channels blink in and out of existence within a week, but their presence has become a compelling part of the site’s musical ecosystem. And while competitors like Spotify are gaining, YouTube still dominates the streaming world, according to a report from the International Federation of the Phonographic Industry. top

RESOURCES

A fantastic chart on the admissibility of electronic evidence (RideTheLightning, 24 April 2018) - Thanks to my friend Craig Ball for a “Christmas in April” gift of a splendid post on the admissibility of electronic evidence and a related chart shared with him by U.S. District Judge Paul Grimm and Kevin Brady, who is Of Counsel to Redgrave LLP. The chart is beautifully designed and easy to use. It covers authentication, relevance, hearsay exceptions and the Best Evidence rule. top

Distributed Stock Ledgers and Delaware Law (ABA’s The Business Lawyer, April 2018) - Effective August 1, 2017, the Delaware General Corporation Law (the “DGCL”) now authorizes Delaware corporations to use blockchain technology to maintain stock ledgers and communicate with stockholders. Consistent with the DGCL’s status as an enabling act that facilitates private ordering, the blockchain amendments are permissive. In the near term, they create a foundation for a technology ecosystem by removing any uncertainty about the validity of shares that have been issued or are maintained using blockchain technology. Over a longer time horizon, the amendments foreshadow a more flexible, dynamic, and digital future in which distributed ledger technology and smart contracts play major roles. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The internet’s 100 oldest dot-com domains (PC World, 21 Dec 2008) - The Internet’s been around in some form for decades. It wasn’t until the mid-80s, though, that the Web as we know it started coming together—and those precious dot-com domains started getting snatched up. As we finish out the tech-centric year of 2008, we thought we’d take a look back at the Internet’s oldest commercial Web sites—the ones registered back when chatting about “the Net” was as socially acceptable as wearing Jedi garb into a crowded nightclub. So grab your light sabers, dear friends—we’re boarding the Millennium Falcon and heading back to a virtual galaxy far, far away. [ Polley in 2008: Schlumberger was number 75 on May 20, 1987.] top

AT&T mulls watching you surf (New York Times, 14 August 2008) - AT&T is “carefully considering” monitoring the Web-surfing activities of customers who use its Internet service, the company said in a letter in response to an inquiry from the House Committee on Energy and Commerce. While the company said it hadn’t tested such a system for monitoring display advertising viewing habits or committed to a particular technology, it expressed much more interest in the approach than the other big Internet providers who also responded to the committee’s letter. AT&T did however promise that if it does decide to start tracking its customers online, it will “do so the right way.” In particular, the advertising system will require customers to affirmatively agree to have their surfing monitored. This sort of “opt-in” approach is preferred by privacy experts to the “opt-out” method, practiced by most ad targeting companies today, which records the behavior of anyone who doesn’t explicitly ask not to be tracked. top

MIRLN—- 25 March - 14 April 2018 (v21.05)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it’s already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about “reasonable” security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Appeals court says it’s okay to copyright an entire style of music (TechDirt, 21 March 2018) - We had hoped that the 9th Circuit might bring some sanity back to the music copyright world by overturning the awful “Blurred Lines” ruling that has already created a massive chilling effect among musicians… but no such luck. In a ruling released earlier this morning, the 9th Circuit largely affirmed the lower court ruling that said that Pharrell and Robin Thicke infringed on Marvin Gaye’s copyright by writing a song, “Blurred Lines,” that was clearly inspired by Gaye’s “Got To Give It Up.” No one has denied that the songs had similar “feels” but “feeling” is not copyrightable subject matter. The compositions of the two songs were clearly different, and the similarity in feel was, quite obviously, paying homage to the earlier work, rather than “copying” it. For what it’s worth, there appears to be at least some hesitation on the part of the majority ruling, recognizing that this ruling could create a huge mess in the music world, so it tries (and mostly fails) to insist that this ruling is on narrow grounds, specific to this case (and much of it on procedural reasons, which is a kind way of suggesting that the lawyers for Pharrell and Thicke fucked up royally). As the court summarizes: * * * top

NIST targets APTs with resilience strategies (GCN, 21 March 2018) - From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology’s most recent draft publication aims to help organizations address vulnerabilities and create more “defensible and survivable systems.” “Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems” provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization’s mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems. NIST defines cyber resilience as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source.” The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles. top

Lawyers have an obligation to stay on Facebook (Kevin O’Keefe, 27 March 2018) - Computer scientist and author, Jaron Lanier, in a ballyhooed op-ed in the Guardian, challenges us all to delete Facebook. Lanier was no fan of Facebook before (having already urged people to delete their social media accounts), but after Cambridge Analytica he saw it as the perfect time to challenge everyone to beat the addiction, make a political statement and redefine your social life. The problem for lawyers is that Facebook represents the opportunity to engage the public where they are and on their terms. Like it or not, lawyers have an ethical obligation to make legal services accessible to people - not just to the impoverished, but to middle income individuals and small business people. To do this as a lawyer you not only need to go where the people are, but you need to establish trust by listening, sharing and nurturing relationships. More people spend more time on the Internet on Facebook than any other place. Social media, Facebook included, represents the town square, the coffee shop, the church group and the civic board of today. It’s where lawyers establish enough trust and value in people’s minds that legal services, at least through a lawyer, remain a viable answer for consumers and small business people. Lawyers jumping off Facebook can do so out of fear (perhaps legitimate) or to make a political statement, but by doing so they are turning on the public they serve. Access to legal services will only decline. [ Polley : interesting perspective, which I do not share.] top

A cyberattack hobbles Atlanta, and security experts shudder (NYT, 27 March 2018) - The City of Atlanta’s 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on. But as the city government’s desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world’s busiest airport still could not use the free Wi-Fi. Atlanta’s municipal government has been brought to its knees since Thursday morning by a ransomware attack - one of the most sustained and consequential cyberattacks ever mounted against a major American city. The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. The assault on Atlanta, the core of a metropolitan area of about six million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night. Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands - typically the Bitcoin equivalent of about $50,000 - and for finding and locking up the victims’ most valuable data. In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city’s network tied in knots. 
Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days. top

- and -

New York City is launching public cybersecurity tools to keep residents from getting hacked (TechCrunch, 29 March 2018) - In a week of harrowing city-level cyber attacks, New York is taking some precautions. While the timing is coincidental, New York City Mayor just announced that the city will introduce the first tools in its suite of cybersecurity offerings to protect residents against malicious online activity, particularly on mobile devices. When it launches this summer, New York residents will be able to download a free app called NYC Secure. The app will alert smartphone users to potential threats on their devices and offer tips for how to stay secure, “such as disconnecting from a malicious Wi-Fi network, navigating away from a compromised website, or uninstalling a malicious app.” Because the app will take no active steps on its own, it’ll be up to users to heed the advice presented to them. NYC Secure will not collect or transmit any personal identifying information or private data. The city will also beef up security over its public Wi-Fi networks, a notorious target for malicious actors looking to snoop on private information as it passes by unencrypted. The city will implement DNS protection through a service called Quad9, a free public cybersecurity product out of the partnership between Global Cyber Alliance (GCA), IBM and Packet Clearing House. top

- and -

How to speed up your internet and protect your privacy with Cloudflare’s new DNS service (Gizmodo, 2 April 2018) - Cloudflare has launched its own consumer Domain Name System (DNS) service that not only promises to keep your browsing history safe, but appears significantly faster than any other DNS service available. Cloudflare, known primarily for DDoS mitigation, launched DNS resolver 1.1.1.1 and 1.0.0.1 on Sunday and, at time of writing, analytics show it processing queries at 14.01ms, officially making it the internet’s fastest DNS resolver. The other true benefit here is Cloudflare’s perspective on handling user data. Prince said the company views user data as a “toxic asset,” something it strives to either never collect or delete as quickly as possible. “Just at a policy level, Cloudflare’s business has never been advertising or selling consumer data,” Prince said. “As we started to talk to various browser manufacturers and others about what we were doing, they would come back and say, ‘Well, we don’t want you to retain logs for any longer than a week, we don’t want you selling any of the data.’ And I think they were kind of surprised when we returned back and said, ‘Actually, we prefer never to write any personally identifiable information to disk and guarantee that we’ll wipe all of the transactional logs and bug tracking logs within 24 hours.’” Prince said Cloudflare will also bring in an external monitor to certify that it is actually taking all of these steps to ensure user privacy. Those using the DNS services set by their ISPs can have their browsing history recorded, sold, and analyzed for advertising purposes. There are several ways to prevent this, but most involve using a VPN or the Tor browser, both of which can impact speed. There’s also no guarantee that a VPN service isn’t amassing your data itself. (If you’re looking for a reliable VPN, however, I’d suggest Private Internet Access or ProtonVPN.) 
For non-technical users who’ve never changed their DNS settings, it may seem like one of those unfamiliar options you’d rather not mess around with. But it’s actually quite simple and takes only a few seconds-and, as you’ve read, the benefits can be significant. Below are instructions on how to change your DNS settings for Windows and Mac, as well as iPhone and Android devices. * * * [ Polley : You probably should do this; also install an ad-blocker; use a VPN (vet it first); etc.] top

Law firms’ guide to selecting a cloud-based vendor (Nat’l Law Review, 28 March 2018) - Selecting vendors can be a frustrating and complicated process-but it doesn’t have to be. You’ve already got enough to think about while considering the differences in functionality across different products and vendors, and factoring in security is like going through the entire decision-making process all over again! With a few key considerations, though, you can vet vendors’ security protocols like a pro, leaving you to make a choice that fits your budget and performance needs with the peace of mind that comes with knowing that security is covered. * * * [ Polley : workman-like checklist.] top

- and -

NJ physician practice fined over $400,000 for data breach caused by vendor (Jackson Lewis, 8 April 2018) - Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs (“Division”) announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor. In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients. top

Protecting election registration sites from cyber intrusions (GCN, 28 March 2018) - The Center for Internet Security’s newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of the Department of Homeland Security’s Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating a similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead. top

Combatting deep fakes through the right of publicity (Lawfare, 30 March 2018) - Fake news is bad enough already, but something much nastier is just around the corner: As Evelyn Douek explained, the “next frontier” of fake news will feature machine-learning software that can cheaply produce convincing audio or video of almost anyone saying or doing just about anything. These may be “digital avatars” built from generative adversarial networks (GANs), or they may rely on simpler face-swapping technology to create “deep fakes.” The effect is the same: fake videos that look frighteningly real. Bobby Chesney and Danielle Citron recently sounded the alarm on Lawfare about the threat to democracy from “deep fakes,” lamenting “the limits of technological and legal solutions.” They argue that existing law has a limited ability to force online platforms to police such content because “Section 230 of the Communications Decency Act immunizes from (most) liability the entities best situated to minimize damage efficiently: the platforms.” But in fact, a loophole built into Section 230 immunity-the intellectual property exception-could be helpful in combating deep fakes and other next-generation fake news. Victims of deep fakes may successfully bring “right of publicity” claims against online platforms, thereby forcing the platforms to systematically police such content. At a minimum, such right-of-publicity claims are likely to generate crucial litigation. * * * top

- and -

Realistic docudramas don’t violate California publicity rights-deHavilland v. FX (Eric Goldman, 2 April 2018) - Last week, the California Court of Appeal ordered the dismissal of a right of publicity and false-light privacy lawsuit brought by legendary actress Olivia de Havilland against FX Networks over the depiction of her in the television miniseries Feud: Bette and Joan (2017). The opinion is available here. One of Hollywood’s staples is the docudrama: a motion picture or television series based on real persons and real-life events. Recent examples include the television series The People v. O.J. Simpson (which won nine Emmy awards), and the movies Hidden Figures (about female mathematicians and engineers at NASA in the 1960s) and Darkest Hour (about Winston Churchill’s early days as Prime Minister). Sometimes docudramas are near-journalistic in nature, and sometimes they are heavily fictionalized; but all docudramas are necessarily dramatized to some extent, because it is impossible to depict real life with 100% accuracy. To depict private conversations, for example, a screenwriter must invent dialogue, because no one was there to record what was said, and even the participants to the conversation may remember it differently when interviewed in later years. It is also common for screenwriters to invent fictitious or composite characters to interact with the more well-known historical figures that are the focus of the docudrama. Docudramas have frequently been the source of litigation disputes. When real-life people are upset with how they are depicted in a movie or television series, they often turn to causes of action such as libel, false-light privacy, or the right of publicity to vindicate what they see as the truth. More often than not, these lawsuits fail; but they succeed often enough to avoid Rule 11 sanctions, and the cost of litigating these disputes may have a “chilling effect” on the willingness of Hollywood to take on certain subject material. 
Hollywood studios frequently pay people for the “rights” to tell their life stories, simply in order to avoid having a suit filed against them for a violation of their rights of privacy or publicity, and the attendant cost of litigation. * * * top

Tech thinks it has a fix for the problems it created: Blockchain (NYT, 1 April 2018) - Worried about someone hacking the next election? Bothered by the way Facebook and Equifax coughed up your personal information? The technology industry has an answer called the blockchain - even for the problems the industry helped to create. The first blockchain was created in 2009 as a new kind of database for the virtual currency Bitcoin, where all transactions could be stored without any banks or governments involved. Now, countless entrepreneurs, companies and governments are looking to use similar databases - often independent of Bitcoin - to solve some of the most intractable issues facing society. “People feel the need to move away from something like Facebook and toward something that allows them to have ownership of their own data,” said Ryan Shea, a co-founder of Blockstack, a New York company working with blockchain technology. The creator of the World Wide Web, Tim Berners-Lee, has said the blockchain could help reduce the big internet companies’ influence and return the web to his original vision. But he has also warned that it could come with some of the same problems as the web. Blockchain allows information to be stored and exchanged by a network of computers without any central authority. In theory, this egalitarian arrangement also makes it harder for data to be altered or hacked. In the first three months of 2018, venture capitalists put half a billion dollars into 75 blockchain projects, more than double what they raised in the last quarter of 2017, according to data from Pitchbook. Most of the projects have not gotten beyond pilot testing, and many are aimed at transforming mundane corporate tasks like financial trading and accounting. But some experiments promise to transform fundamental things, like the way we vote and the way we interact online. [ Polley : Quite interesting article (if a bit unstructured), and worth a close read.] top

US suspects cellphone spying devices in DC (AP, 3 April 2018) - For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies - which use such eavesdropping equipment themselves - have been silent on the issue until now. In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation’s capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where. The agency’s response, obtained by The Associated Press from Wyden’s office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation’s airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly. * * * Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations. Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil. Every embassy “worth their salt” has a cell tower simulator installed, Turner said. They use them “to track interesting people that come toward their embassies.” The Russians’ equipment is so powerful it can track targets a mile away, he said. top

Anatomy of a cyber attack (NY Law Journal, 4 April 2018) - Cybersecurity is an increasingly important risk vector that impacts every facet of society. Day by day, businesses and even individuals are finding themselves to be targets of cyberattacks, and lawyers are certainly no exception. The exponential scale of the problem can be seen in the fact that, according to a recent report, there were more records compromised in 2017 than there are people currently living on earth. While this risk is applicable to all organizations and individuals, lawyers, as safeguards of their clients’ information, are particularly useful targets for cyber criminals. Lawyers of every stripe and specialty tend to possess large quantities of their clients’ sensitive data and in many cases present a more desirable target than the clients themselves because the data of all of their clients is centralized in a single location. Recognizing this threat, the bar has taken steps to ensure that the profession rises to the challenge posed by the pervasive threat of cyber-compromise. The bar’s understanding of the lawyer’s duty to his or her clients has developed along two parallel paths - the duty of confidentiality and the duty of technological competence as applied in the digital context. In 2017, the American Bar Association proceeded along the first path and released Formal Opinion 477, which dealt with cybersecurity in client communications. This is a fundamental departure from previously established guidance from the ABA, which held that “A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.” While this specific rule change only affects attorney communications and not the practice of law more generally, it signals that the Bar is now more willing than ever to begin regulating cybersecurity and the practice of law. Nor is the ABA alone in adopting these changes: twenty-eight state bars have adopted language mandating that the duty of competency in representation extends to technological competence as well. [Polley: not much new(s) here, but the New York Law Journal reaches an important audience; more and more visibility (and appreciation) of these kinds of issues.] top

Facebook scans the photos and links you send on Messenger, and it reads flagged chats (LA Times, 4 April 2018) - Facebook Inc. scans the links and images that people send each other on Facebook Messenger, and reads chats when they’re flagged to moderators, making sure it all abides by the company’s rules governing content. If it doesn’t pass muster, it gets blocked or taken down. The company confirmed the practice after an interview with Chief Executive Mark Zuckerberg, published this week, raised questions about Messenger’s practices and privacy. Zuckerberg told Vox’s Ezra Klein a story about receiving a phone call related to ethnic cleansing in Myanmar. Facebook had detected people trying to send sensational messages through the Messenger app, he said. “In that case, our systems detect what’s going on,” Zuckerberg said. “We stop those messages from going through.” Some people reacted with concern on Twitter: Was Facebook reading messages more generally? Facebook has been under scrutiny in recent weeks over how it handles users’ private data, and the revelation struck a nerve. Messenger doesn’t use the data from the scanned messages for advertising, the company said, but the policy may extend beyond what Messenger users expect. top

- and -

What you don’t know about how Facebook uses your data (NYT, 11 April 2018) - * * * Facebook meticulously scrutinizes the minutiae of its users’ online lives, and its tracking stretches far beyond the company’s well-known targeted advertisements. Details that people often readily volunteer - age, employer, relationship status, likes and location - are just the start. Facebook tracks both its users and nonusers on other sites and apps. It collects biometric facial data without users’ explicit “opt-in” consent. And the sifting of users can get quite personal. Among many possible target audiences, Facebook offers advertisers 1.5 million people “whose activity on Facebook suggests that they’re more likely to engage with/distribute liberal political content” and nearly seven million Facebook users who “prefer high-value goods in Mexico.” “Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior,” said Peter Eckersley, the chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. “That knowledge turns out to be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people’s political views, or other sensitive facts about them?” Facebook uses a number of software tools to do this tracking. When internet users venture to other sites, Facebook can still monitor what they are doing with software like its ubiquitous “Like” and “Share” buttons, and something called Facebook Pixel - invisible code that’s dropped onto the other websites that allows that site and Facebook to track users’ activity. Ms. Dingell asked Mr. Zuckerberg how many non-Facebook sites used various kinds of Facebook tracking software: “Is the number over 100 million?” He said he’d have to get back to her with an answer. * * * top

Is cybersecurity improving? (Lawfare, 5 April 2018) - Is cybersecurity improving overall? By at least some measures the answer is a surprising “yes.” This annual report from FireEye gives us at least two reasons to think that trend lines are actually improving: First, as noted by Joe Uchill of Axios Codebook, the identity of who discovers an intrusion is changing drastically. As recently as 2011, 94 percent of intrusions were discovered and reported by outsiders - law enforcement, customers, or other observers. Today, victim companies discover 64 percent of their own breaches - a significant improvement in self-awareness. Second, that improvement has consequences. An intruder’s “dwell time” inside a victim’s system is less than a quarter of what it was in 2011. It’s still too high - median dwell time is 75 days in the U.S., 175 in Europe and more than 490 in Asia - but the fact that it is down is a significant improvement. top

Cyberinsurance tackles the wildly unpredictable world of hacks (Wired, 6 April 2018) - In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax’s losses from the incident. It’s uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity - and the challenges of getting it right. In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to the Organisation for Economic Co-operation and Development. That’s not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually. But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent every year for the past five years, in an industry unaccustomed to such spikes. With the Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years’ worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk. “Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors. top

RSS is undead (TechCrunch, 7 April 2018) - RSS died. Whether you blame Feedburner, or Google Reader, or Digg Reader last month, or any number of other product failures over the years, the humble protocol has managed to keep on trudging along despite all evidence that it is dead, dead, dead. Now, with scandal over Cambridge Analytica, there is a whole new wave of commentators calling for RSS to be resuscitated. Brian Barrett at Wired said a week ago that “… anyone weary of black-box algorithms controlling what you see online at least has a respite, one that’s been there all along but has often gone ignored. Tired of Twitter? Facebook fatigued? It’s time to head back to RSS.” Let’s be clear: RSS isn’t coming back alive so much as it is officially entering its undead phase. Don’t get me wrong, I love RSS. At its core, it is a beautiful manifestation of some of the most visionary principles of the internet, namely transparency and openness. The protocol really is simple and human-readable. It feels like how the internet was originally designed with static, full-text articles in HTML. Perhaps most importantly, it is decentralized, with no power structure trying to stuff other content in front of your face. It’s wonderfully idealistic, but the reality of RSS is that it lacks the features required by nearly every actor in the modern content ecosystem, and I would strongly suspect that its return is not forthcoming. [Polley: interesting; I use RSS to find about 20% of the content that goes into MIRLN.] top

Using Turnitin to teach students not to plagiarize (InsideHigherEd, 10 April 2018) - By now, most educators know about Turnitin, and many of us have used it to scare our students out of submitting work written by someone else, whether that writer was a friend, an internet entrepreneur or even (in the most obvious cases) Wikipedia. The first time I used it to check for plagiarism, I have to admit that it was purely for the fear factor, as I hadn’t learned much about the benefits the resource has to offer. I just looked at the similarity percentages to see how high they were, warning students that they would be penalized if they had plagiarized. It took me a while to understand how Turnitin can also be useful to students if they are taught how to take advantage of it as a tool. * * * Here’s how I tell students to use Turnitin to check their papers. First, I set it up on my end so that they can submit multiple times and see their similarity percentages. Students have told me sometimes their other professors won’t allow this, which might be to further discourage plagiarism attempts by preventing students from knowing whether they need to make changes, but I feel that this restricts a powerful teachable moment. Next, when students have polished their drafts to a point where they think they’re finished, they submit and wait for the percentage. Obviously, a high percentage is less than ideal, but that alone won’t provide everything they need to know. Plagiarism is still possible with a low score, so I then have them click “markup document” and the originality tab. A truer originality percentage will show up if they use the filter, located on the right-hand side, to exclude any quotes they have used, as those will obviously come directly from sources. I also tell them to click “exclude bibliography,” as titles of sources they have used will also come up highlighted. Any other writing that is too close to a source will be marked in various colors. This is a good check to see where they may need to make some tweaks. * * * [Polley: quite interesting.] top

RESOURCES

Starting A Mobile Hotspot Lending Program (Maine.gov, March 2018) - Implementing a Mobile Hotspot Lending Program at your library offers up a world of possibilities for your patrons. Enabling patrons to take the Internet home offers a number of unique benefits such as: * * * By loaning out the Internet, just like a book, your Library can provide its patrons with 24/7 access to Internet. In an increasingly interconnected world, the Internet is vital in day to day life. Offering mobile hotspot devices to your patrons will help meet their information needs in new and exciting ways. top

Borgesius and Steenbruggen on The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression (MLPB, 11 April 2018) - Frederik Zuiderveen Borgesius, University of Amsterdam, Institute for Information Law (IViR), and Wilfred Steenbruggen, Bird & Bird, have published The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression. Here is the abstract: In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This paper discusses the protection of the right to confidentiality of communications in Europe. We look at the right’s origins as a fundamental right to assess the rationale for protecting the right. We also analyse how the right is currently protected under the European Convention on Human Rights and under EU law. We show that the right to communications confidentiality protects three values: trust in communication services, privacy, and freedom of expression. The right aims to ensure that individuals and businesses can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. Hence, the right does not merely serve individual privacy interests, but also other interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary to protect trust, privacy and freedom of expression. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Comcast to stop blocking Internet traffic (NBC, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Comcast said it will collaborate with BitTorrent Inc., the company founded by the creator of the popular BitTorrent file-sharing protocol, to come up with better ways to transport large files over the Internet instead of delaying file transfers. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and “Net Neutrality” advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company’s core business. Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. top

Abracadabra! Bush makes privacy board vanish (Wired, 4 Feb 2008) - The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate’s Homeland Security Committee. “I urge the president to move swiftly to nominate members to the new board to preserve the public’s faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism,” Lieberman said in a statement. “The White House’s failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission,” Collins said in a statement. top

MIRLN—- 4-24 March 2018 (v21.04)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | PODCASTS | LOOKING BACK | NOTES

Let’s fix peer review (Ray Truant Laboratory, 14 Feb 2018) - If one explains the current system of peer review to a non-scientist, the response is typically, “that’s insane, I thought you guys were supposed to be smart”. To recap: When we apply for a grant or want to publish our science, we secretly get the work reviewed by our peers, some of which are competing with us for precious funding, or a bizarre version of fame. Under the veil of anonymity, a reviewer can write anything, including false statements, or incorrect statements to justify a decision. The decision is most often, “do not fund” or “reject”, even if the review is based off of inaccuracies, lack of expertise, or even blatant slander. There are no rules, there are no repercussions. There are few integrity guidelines, or oversight, nor rules of ethics in the review process for the most part. It can lead to internet trolling at a level of high art. In funding decisions, these mistakes can be missed by inattentive panels, but were definitely missed in the CIHR reform scheme before panels were re-introduced. We still have a problem of reviewers self-identifying expertise they simply do not have. Scientists have to follow strict rules of ethics when submitting data, including conflicts of interest, research ethics, etc. No such rules are often formally stated in the review process and can vary widely between journals. This system is historic, back to an era when biomedical research was a fraction of the size it is today, and journal Editors were typically active scientists. The community was small. But as science rapidly expanded in the 90s, so did scientific publishing, and soon editors became professional editors, with some never running a lab or research program. Then, came the digital revolution, and journals were no longer being read on paper and the pipeline to publish increased exponentially. What drove the massive expansion of journals? Money. Big money. And like many historic industries, it’s thriving, mostly based off free slave labor. * * * [Polley: Quite interesting; flagged for me by a former client. See also Who May Swim in the Ocean of Knowledge? (Carl Malamud, March 2018)] top

Five questions to test your understanding of the ethics of technology (Law Technology Today, 1 March 2018) - More than 28 states now say lawyers have an ethical duty to be competent in technology. Indeed, a State Bar of California ethics opinion recently extended that duty to include competence in e-discovery, CA Formal Opinion No. 2015-193. On top of that, the federal courts have implemented new proportionality rules governing your duty to produce documents. All of this comes as lawyers grapple with thorny ethical issues concerning the use of cloud technology, storing privileged documents with outside vendors, and relying for key tasks on smart but non-human computer algorithms. So what are your ethical duties with using new technology, such as technology assisted review (TAR) in e-discovery? A careful look at five key questions surrounding the ethics of TAR can help you use it in a way that is strategic, reasonable and proportional to the matter. And will save you and your client on review costs. * * * top

- and -

Ethics opinion stresses lawyers’ duty of confidentiality when blogging (ABA Journal, 6 March 2018) - Lawyers should be mindful of the duty of confidentiality when they engage in public commentary, including blogging and other online postings, according to an ethics opinion from the ABA Standing Committee on Ethics and Professional Responsibility. Formal Ethics Opinion 480 explains that lawyers communicating about legal topics in public commentary must comply with the ABA Model Rules of Professional Conduct, including Rule 1.6(a), which provides: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).” This duty of confidentiality is broad and includes all information related to the representation, not just information learned directly from the client. The reach of this rule is much broader than either the attorney-client privilege or the work product doctrine. The opinion explains that this duty of confidentiality applies even if the information about the client’s representation is found in a court record or other public record. “The duty of confidentiality extends generally to information related to a representation whatever its source and without regard to the fact that others may be aware of or have access to such knowledge,” the opinion reads. “The salient point is that when a lawyer participates in public commentary that includes client information, if the lawyer has not secured the client’s informed consent or the disclosure is not otherwise impliedly authorized to carry out the representation, then the lawyer violates Rule 1.6(a),” the opinion continues. [Polley: This is almost entirely “not news”. But, it makes the point that even “public” client information shouldn’t be blogged about.] top

Hogan Lovells, 4th largest US firm, moves into the cloud (LegalTech, 1 March 2018) - Cloud adoption has been a slow-brewing trend in the legal sector over the last few years, but a recent announcement that Hogan Lovells, the fourth-largest firm in the United States based on the National Law Journal’s 2017 rankings, has opted to adopt a cloud-based document management system may indicate that legal is moving more definitively into the cloud. Hogan Lovells recently announced that the firm plans to use cloud-based system NetDocuments as its primary document management system. Prior to the adoption, the firm was using two competing systems, iManage and OpenText, left over from the firm’s merger of Washington D.C.-based Hogan & Hartson and U.K. firm Lovells in 2010. top

International law and cyberspace: Evolving views (Lawfare, 4 March 2018) - On Feb. 13, our colleague Robert Chesney flagged the upcoming Cyber Command legal conference titled “Cyberspace Operations in the Gray Zone.” The conference - which begins Monday morning and involves heavy interagency and private sector and academia participation - is set to address a number of key international and domestic law issues surrounding cyberspace operations, such as the exploiting of social media in the gray zone, the characterizing of information warfare in cyberspace, the protecting of domestic information systems, the countering of gray zone cyber threats, technology and warfare, and privacy implications of military cyberspace operations. Much of the conference will be geared towards sub-use of force issues and activities that may not clearly be governed by the law of armed conflict, which raises questions about when exactly cyber activities do or do not involve the use of force. The U.S. asserts that extant international law, to include International Humanitarian Law (IHL), applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual. Because members of the military are tasked with following the law, defining the nuances of the applicability of international law in cyberspace should be a central priority. We hope that the following discussions can serve to enrich this week’s conference, and further DoD’s development of cyber law. This year, a number of excellent pieces of scholarship emerged that could help enhance conference discussions on key elements of international law, namely the principles governing cyber operations outside the context of armed conflict, such as sovereignty and the IHL principles of distinction and proportionality. In his personal capacity, Colonel Gary P. Corn, Staff Judge Advocate of USCYBERCOM, co-authored “Sovereignty in the Age of Cyber” with Robert Taylor, Former Principal Deputy General Counsel of DoD, and posted on SSRN an advance draft of an upcoming chapter titled, “Cyber National Security: Navigating Gray Zone Challenges In and Through Cyberspace.” Meanwhile, Commander Peter Pascucci, Chief of Operational Law at USCYBERCOM, authored “Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution.” These works add nuance to the applicability of international law principles to cyberspace and vary somewhat from the publicly stated views of prior State Department Legal Advisers, as we’ll argue below. top

Companies sharpen cyber due diligence as M&A activity revenue up (Morningstar, 5 March 2018) - Automatic Data Processing Inc. deployed a team of cybersecurity, risk management and financial-crime specialists to WorkMarket before acquiring it in January. The ADP team combed the software maker’s technology, practices and internal policies. It also interviewed staff about monitoring for intrusions, training employees and performing other security tasks. The payroll processor also hired a cybersecurity firm to do its own evaluation. Security problems, said ADP’s chief security officer Roland Cloutier, could kill any deal. “If we found out data was exfiltrated, we may walk away,” he said. “We’ve looked at a lot of companies and only purchased a few. Security always plays a part.” Companies are intensifying due diligence of acquisition targets to avoid costly cybersecurity surprises, particularly when intellectual property, such as software code or customer data, drives the deal. Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company’s technology operations can threaten transactions. Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger. ADP investigators typically look for trouble spots such as signs of an unauthorized presence on the target’s network and scant or no evidence that employees have received security training. No significant problems surfaced at WorkMarket, but deep study of a target’s cybersecurity helps executives forecast deal costs, Mr. Cloutier said. ADP typically spends two to four months on the process. Problems can arise even years later. FedEx Corp. moved quickly last month to secure a server that exposed data from customer driver’s licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014. [Polley: directly on point is the recently published ABA book “Guide to Cybersecurity Due Diligence in M&A Transactions”, which I highly recommend.] top

Reflecting on the original big idea for MOOCs (InsideHigherEd, 6 March 2018) - Six years ago, inspired by a big idea to democratize higher education, the University of Michigan (U-M) became a founding partner of Coursera. Massive open online courses (MOOCs) were born. While the issuance of MOOC death certificates by skeptics is only rivaled in frequency by those filed by South Park writers for Kenny, MOOCs consistently find ways to survive and indeed thrive in nurturing environments. MOOCs are far from dead. Rather, they appear to hatch derivatives. Sean Gallagher of Northeastern University’s Center for the Future of Higher Education and Talent Strategy refers to this as “the new ecology of credentials”, a landscape transforming rapidly as we move from the early knowledge economy to the digital, AI, Gig economy. Which leads those of us close to the action to reflect often upon the original big idea for MOOCs. Typically stating a goal to “democratize” is followed by “access to” something. In hindsight, it’s clear we hadn’t fully considered the potential of what we might be democratizing. What, in fact, are we scaling? Is it content and courses? Curriculum and credentials? Communities and college towns? With today’s announcement, we are now much closer to saying “all of the above”. MOOCs may have initially provided learners an opportunity to simply peer into the university. Now MOOCs and MOOC derivatives (e.g. Teach-Outs, specializations, MicroMasters, MasterTrack, etc.) are helping universities to expand how they think about engaging with the world. For U-M, this is entirely consistent with top institutional priorities around academic innovation, diversity, equity, and inclusion, and public engagement. We are the global, inclusive, public research university. The real innovation of the MOOC era is not the unbundling of academic degrees that first captured massive attention, but rather the re-bundling that results from serious academic R&D - the creation of new communities and credentials for all levels. In announcing Michigan’s new degrees this morning at the Coursera Partners Conference, Coursera CEO Jeff Maggioncalda contextualized these latest innovations as evidence that, “the future of work and the future of learning are converging.” Today U-M announced the intent to design two new fully online master’s degree programs and a new online cohort-based pathway to advanced degrees and career advancement called the MasterTrack Certificate. Let’s consider this latest re-bundling effort within the broader context. * * * top

- and -

Udacity u-turns on money-back guarantee (InsideHigherEd, 16 March 2018) - It was hailed as a “dream come true” by Udacity’s founder and CEO Sebastian Thrun. “We now GUARANTEE a job for anyone who completes a Nanodegree Plus—or else tuition back. Hope other universities follow,” tweeted Thrun in January 2016. Now, it seems, the dream is over. Udacity has quietly scrapped its pledge, nixing the program, which guaranteed a job within six months of graduation or 100 percent of students’ money back, at the end of last year. top

Geek Squad’s relationship with FBI is cozier than we thought (EFF, 6 March 2018) - After the prosecution of a California doctor revealed the FBI’s ties to a Best Buy Geek Squad computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners’ Fourth Amendment rights. The documents released to EFF show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency’s “Cyber Working Group” at the company’s Kentucky repair facility. The memo and a related email show that Geek Squad employees also gave FBI officials a tour of the facility before their meeting and make clear that the law enforcement agency’s Louisville Division “has maintained close liaison with the Geek Squad’s management in an effort to glean case initiations and to support the division’s Computer Intrusion and Cyber Crime programs.” Another document records a $500 payment from the FBI to a confidential Geek Squad informant. This appears to be one of the same payments at issue in the prosecution of Mark Rettenmaier, the California doctor who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility. Other documents show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs.
The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI’s Louisville field office after finding what they believed was child pornography. top  

Large law firms seeing more data breaches (Ride the Lightning, 6 March 2018) - I know many readers have not read the 2017 ABA Legal Technology Survey because it costs money, but it is well worth reviewing the cybersecurity highlights - more than 4,000 respondents were surveyed. 22% of respondents said their firms had experienced a data breach at some point, up from 14 percent last year - that’s a big escalation. Significantly, respondents at firms with 500 or more attorneys took the bulk of those hits. Over one third of law firms with 10-99 attorneys reported being compromised in 2017 alone. Some of the key consequences from breaches were downtime, loss of billable hours, destruction or loss of files - and of course having to pay consulting fees for remediating damages from the attacks. As one might expect, reporting stats are much lower. 7% of firms with 500+ attorneys and 3% of firms with 10-49 attorneys reported unauthorized access to sensitive client data. 25% of firms reported having no security policies, though all firms with 500+ lawyers did have such policies. 66% of BigLaw firms do have an Incident Response Plan. 51% of firms with 100-499 attorneys and 43% of firms with 50-99 attorneys also have an incident response plan. top

- and -

‘Confusing as hell’: Making sense of cyber insurance (ABA Journal, 9 March 2018) - When it comes to managing a firm’s cybersecurity risks, password regimens and encrypted backups are not enough. You need cyber insurance. A Friday morning panel at ABA Techshow entitled “Cyberinsurance: Necessary, Expensive and Confusing as Hell,” attempted to demystify the nascent cyber insurance field while underscoring how vital it is to have some sort of insurance policy in place in case of cyberattacks. Panelists Judy Selby, a cyber insurance consultant and lawyer, and Sharon Nelson, president of Sensei Enterprises, laid out the case for the insurance and the challenges of understanding it. No matter how good your cybersecurity infrastructure may be, “it can’t stop it all,” said Nelson. She argued that cyber insurance is necessary, “because you are managing an enormous risk.” Providing background on the relatively new area of cyber insurance, Nelson quoted a PricewaterhouseCoopers report that found one-third of businesses have a cyber insurance policy. Additionally, she noted that policies are being offered by upwards of 60 insurers. At the same time, according to the 2017 ABA Legal Technology Survey, 22 percent of solo and small firms reported a data breach, an increase compared to the previous year, when 14 percent of such firms reported a breach. For many, this can be devastating. According to Nelson, it has been reported that half of all small businesses close within six months after a breach. Cyber insurance varies, but these types of policies can often cover first-party contingencies like legal, forensic, notification, credit monitoring and breach coach costs. It may also cover business interruption incurred by the insured or contingent business interruption, which provides coverage when a third-party service provider that the insured relies on, such as a cloud storage vendor, cannot operate because of a cyber incident.
Policies may also cover data restoration, extortion, denial of service attacks and social engineering attacks. Some policies will cover third-party contingencies like privacy and network liability, public relations, regulatory liability, fines and payment card issuer liability. With growing demand and offerings, the cyber insurance market is still new, or a “soft market” in the terms of the presenters. This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry. “No matter what two policies you’re looking at, it’s apples and oranges,” said Nelson. This includes ubiquitous terms like “cyber incident” or “social engineering,” which will be defined by the insurer in its own idiosyncratic way. To this end, both say it is important to read through potential policies with an eye toward detail and definitions. top

For two months, I got my news from print newspapers. Here’s what I learned. (NYT, 7 March 2018) - I first got news of the school shooting in Parkland, Fla., via an alert on my watch. Even though I had turned off news notifications months ago, the biggest news still somehow finds a way to slip through. But for much of the next 24 hours after that alert, I heard almost nothing about the shooting. There was a lot I was glad to miss. For instance, I didn’t see the false claims - possibly amplified by propaganda bots - that the killer was a leftist, an anarchist, a member of ISIS and perhaps just one of multiple shooters. I missed the Fox News report tying him to Syrian resistance groups even before his name had been released. I also didn’t see the claim circulated by many news outlets (including The New York Times) as well as by Senator Bernie Sanders and other liberals on Twitter that the massacre had been the 18th school shooting of the year, which wasn’t true. Instead, the day after the shooting, a friendly person I’ve never met dropped off three newspapers at my front door. That morning, I spent maybe 40 minutes poring over the horror of the shooting and a million other things the newspapers had to tell me. Not only had I spent less time with the story than if I had followed along as it unfolded online, I was better informed, too. Because I had avoided the innocent mistakes - and the more malicious misdirection - that had pervaded the first hours after the shooting, my first experience of the news was an accurate account of the actual events of the day. This has been my life for nearly two months. In January, after the breaking-newsiest year in recent memory, I decided to travel back in time.
I turned off my digital news notifications, unplugged from Twitter and other social networks, and subscribed to home delivery of three print newspapers - The Times, The Wall Street Journal and my local paper, The San Francisco Chronicle - plus a weekly newsmagazine, The Economist. I have spent most days since then getting the news mainly from print, though my self-imposed asceticism allowed for podcasts, email newsletters and long-form nonfiction (books and magazine articles). Basically, I was trying to slow-jam the news - I still wanted to be informed, but was looking to formats that prized depth and accuracy over speed. It has been life changing. Turning off the buzzing breaking-news machine I carry in my pocket was like unshackling myself from a monster who had me on speed dial, always ready to break into my day with half-baked bulletins. Now I am not just less anxious and less addicted to the news, I am more widely informed (though there are some blind spots). And I’m embarrassed about how much free time I have - in two months, I managed to read half a dozen books, took up pottery and (I think) became a more attentive husband and father. * * * [Polley: resonates with me and the idea of saving time is attractive. For me, this story was the tipping point: I’ve just re-subscribed to New York Times home-delivery, hardcopy. I’ve been missing too much.] top

The FCC says a space startup launched four tiny satellites into orbit without permission (The Verge, 10 March 2018) - Earlier this year, a space startup from Silicon Valley launched four of its first prototype communications satellites on top of an Indian rocket. Except the FCC says that the company didn’t have authorization to send up those spacecraft from the US government, IEEE Spectrum reports. It would seemingly mark the first time a US private company launched unlicensed satellites into orbit - and these rogue spacecraft could pose a danger to other objects in space. The four satellites reportedly belong to a fledgling company called Swarm Technologies, which was started by former Google and NASA JPL engineer Sara Spangelo in 2016. The probes, dubbed SpaceBees 1, 2, 3, and 4, are meant to test out Swarm’s idea for a “space-based Internet of Things” network, according to IEEE, and went up as part of a cluster of 31 satellites aboard an Indian Polar Satellite Launch Vehicle (PSLV) rocket on January 12th. At the time of the launch, India’s space agency didn’t name the operator of the four satellites. top

Can’t Washington protect Americans from propaganda on social media? (Poynter, 12 March 2018) - The past two years have taught us that the United States needs a better handle on what social networks are doing to manipulate and prioritize information. If there’s one thing that Washington could do, it would be to provide better safeguards to ensure that these powerful tools are not used to mislead the public again. That’s part of the message from Martha Minow, longtime Harvard Law School dean and expert on the shifting media and technological landscape. Minow also casts a skeptical eye on the concentration of local media ownership by companies such as Sinclair Broadcasting. We need action now, or independent news as we know it won’t be around, she warned in a speech last week at Brown University. Minow cites the Constitution as impetus for Washington “to improve reliable access to material enabling competing views and authentication of messages and sources. The government can protect users against bombardment by computer-generated messages that drown out news and drive citizens away from the exchange needed for democratic self-governance.” “Nothing in the Constitution forecloses government action to regulate concentrated economic power, to require disclosure of who is financing communications, and to support news initiatives where there are market failures. The First Amendment forbids Congress from ‘abridging’ the freedom of speech and freedom of press; it does not forbid strengthening it and amplifying news. “Affirmative government action may be precisely what the First Amendment actually requires now.” top

- and -

How researchers learned to use Facebook ‘likes’ to sway your thinking (NYT, 20 March 2018) - Perhaps at some point in the past few years you’ve told Facebook that you like, say, Kim Kardashian West. When you hit the thumbs-up button on her page, you probably did it because you wanted to see the reality TV star’s posts in your news feed. Maybe you realized that marketers could target advertisements to you based on your interest in her. What you probably missed is that researchers had figured out how to tie your interest in Ms. Kardashian West to certain personality traits, such as how extroverted you are (very), how conscientious (more than most) and how open-minded (only somewhat). And when your fondness for Ms. Kardashian West is combined with other interests you’ve indicated on Facebook, researchers believe their algorithms can predict the nuances of your political views with better accuracy than your loved ones. As The New York Times reported on Saturday, that is what motivated the consulting firm Cambridge Analytica to collect data from more than 50 million Facebook users, without their consent, to build its own behavioral models to target potential voters in various political campaigns. The company has worked for a political action committee started by John R. Bolton, who served in the George W. Bush administration, as well as for President Trump’s presidential campaign in 2016. “We find your voters and move them to action,” the company boasts on its website. top

ACLU sues TSA over searches of electronic devices (Tech Crunch, 12 March 2018) - The American Civil Liberties Union of Northern California has filed a Freedom of Information Act lawsuit against the Transportation Security Administration over its alleged practices of searching the electronic devices of passengers traveling on domestic flights. “The federal government’s policies on searching the phones, laptops, and tablets of domestic air passengers remain shrouded in secrecy,” ACLU Foundation of Northern California attorney Vasudha Talla said in a blog post. The lawsuit, which is directed toward the TSA field offices in San Francisco and its headquarters in Arlington, Virginia, specifically asks the TSA to hand over records related to its policies, procedures and/or protocols pertaining to the search of electronic devices. This lawsuit comes after a number of reports came in pertaining to the searches of electronic devices of passengers traveling domestically. The ACLU also wants to know what equipment the TSA uses to search, examine and extract any data from passengers’ devices, as well as what kind of training TSA officers receive around screening and searching the devices. [See also: US border searches of electronic devices: Recent developments and lawyers’ ethical responsibilities (ABA, 13 March 2018) - by Keith Fisher (and, as always, worth reading)] top

Historical Supreme Court cases now online (Library of Congress, 13 March 2018) - More than 225 years of Supreme Court decisions acquired by the Library of Congress are now publicly available online - free to access in a page image format for the first time. The Library has made available more than 35,000 cases that were published in the printed bound editions of United States Reports (U.S. Reports). United States Reports is a series of bound case reporters that are the official reports of decisions for the United States Supreme Court dating to the court’s first decision in 1791 and to earlier courts that preceded the Supreme Court in the colonial era. The Library’s new online collection offers access to individual cases published in volumes 1-542 of the bound edition. This collection of Supreme Court cases is fully searchable. Filters allow users to narrow their searches by date, name of the justice authoring the opinion, subject and by the main legal concepts at issue in each case. PDF versions of individual cases can be viewed and downloaded. The collection is online at loc.gov/collections/united-states-reports/. The digital versions of the U.S. Reports in the new collection were acquired by the Law Library of Congress through a purchase agreement with William S. Hein & Co. Inc. The acquisition is part of the Law Library’s transition to a digital future and in support of its efforts to make historical U.S. public domain legal materials freely and easily available to Congress and the world. Users can access this collection from a link on loc.gov and law.gov. More recent editions of the U.S. Reports from 1987 to the present are available online from the U.S. Supreme Court. The U.S. Reports digital collection augments other legal collections made available online during the past year, including the U.S. Code from 1925 to 1988. Other newly digitized collections include the papers of U.S. Presidents James Buchanan, Ulysses S. Grant, Millard Fillmore, Franklin Pierce and James K. Polk; and the papers of Alexander Hamilton, Sigmund Freud and Margaret Bayard Smith. [Polley: Spotted by MIRLN reader Carl Malamud - @carlmalamud] top

A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try. (NYT, 15 March 2018) - In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion. The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised. Investigators have been tight-lipped about the August attack. They still won’t identify the company or the country where it is based and have not identified the culprits. But the attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation. The only thing that prevented an explosion was a mistake in the attackers’ computer code, the investigators said. The assault was the most alarming in a string of cyberattacks on petrochemical plants in Saudi Arabia. In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, which is one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical. 
Within minutes of the attack at Tasnee, the hard drives inside the company’s computers were destroyed and their data wiped clean, replaced with an image of Alan Kurdi, the small Syrian child who drowned off the coast of Turkey during his family’s attempt to flee that country’s civil war. The intent of the January attacks, Tasnee officials and researchers at the security company Symantec believe, was to inflict lasting damage on the petrochemical companies and send a political message. Recovery took months. Energy experts said the August attack could have been an attempt to complicate Crown Prince Mohammed bin Salman’s plans to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country’s growing youth population. A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon’s Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations. All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico - though not triggered by hackers - have killed several employees, injured hundreds and forced evacuations of surrounding communities. What worries investigators and intelligence analysts the most is that the attackers compromised Schneider’s Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants.
The Triconex system was believed to be a “lock and key operation.” In other words, the safety controllers could be tweaked or dismantled only with physical contact. top

Initial estimates show digital economy accounted for 6.5 percent of GDP in 2016 (NTIA, 15 March 2018) - The Bureau of Economic Analysis released, for the first time, preliminary statistics and an accompanying report exploring the size and growth of the digital economy. Goods and services that are primarily digital accounted for 6.5 percent of the U.S. economy, or $1.2 trillion, in 2016, after a decade of growing faster than the U.S. economy overall, BEA’s research shows. These new estimates are supported in part by funding from NTIA. From 2006 to 2016, the digital economy grew at an average annual rate of 5.6 percent, outpacing overall U.S. economic growth of 1.5 percent per year. In 2016, the digital economy supported 5.9 million jobs, or 3.9 percent of total U.S. employment. Digital economy employees earned $114,275 in average annual compensation compared with $66,498 per worker for the total U.S. economy. top  

Election infrastructure ISAC created to share threats specific to voting systems (CyberScoop, 16 March 2018) - States and localities are getting a new, Department of Homeland Security-backed center to coordinate and share information on election security. The Elections Infrastructure Information Sharing and Analysis Center (ISAC) was announced Thursday, giving the nation’s 8,800 state and local jurisdictions a dedicated venue to share information about cyberthreats and vulnerabilities specific to election systems and remote security monitoring capabilities. DHS has tasked the nonprofit Center for Internet Security with establishing and running the ISAC. CIS already runs the Multi-State ISAC, which states have been using to coordinate on election security in lieu of an official election-specific center. Other ISACs exist for DHS’s critical infrastructure sectors, such as the financial services, electricity and aviation industries. DHS designated election systems as a subsector of the country’s critical infrastructure in early 2017 when the intelligence community concluded that Russia tried to interfere in the 2016 presidential election. While that designation was initially met with skepticism on the state and local level, officials now say that it has improved election security coordination across levels of government. top

Democrats want to subpoena Apple to find out when key administration officials downloaded encrypted messaging apps (The Intercept, 17 March 2018) - On Wednesday, House Democrats on the Intelligence Committee released a memo laying out the steps they would have taken had they been in charge of the Trump-Russia investigation - and steps they may take if and when they gain subpoena power by taking over the House of Representatives in November. Down on Page 20 of the memo is a pair of ideas that could put Congress on a collision course with privacy advocates in Silicon Valley. “Apple: The Committee should seek records reflecting downloaded encrypted messaging apps for certain key individuals,” the memo suggests. “The Committee should likewise issue a subpoena to WhatsApp for messages exchanged between key witnesses of interest.” The committee said that it would also seek to find out “all messaging applications that Mr. [Jared] Kushner used during the campaign as well as the presidential transition, including but not limited to SMS, iMessage, Whatsapp, Facebook Messenger, Signal, Slack, Instagram, and Snapchat.” The committee may also consider adding ProtonMail, the encrypted email service, to that list. One White House staffer, Ryan P. McAvoy, jotted his ProtonMail passwords and his address on a piece of White House stationery and left it at a bus stop near the White House. A source found it there and provided it to The Intercept, which confirmed its authenticity. (McAvoy did not respond to requests for comment.) top  

Big four giant PWC announces blockchain auditing service (CCN, 17 March 2018) - PricewaterhouseCoopers LLP, a Big Four accounting firm that has supported various blockchain projects, has announced a blockchain audit service that it claims will encourage people to use the still new technology, according to The Wall Street Journal. The service will allow companies to offer an outside review of their use of blockchain technology, thereby ensuring they are using it properly and enabling employees to monitor the company’s blockchain transactions. PwC recognizes the obstacles to the technology’s adoption. These include concerns about compliance within companies and organizations, as well as concerns about risk management and corporate controls. While blockchain is often considered tamper-proof, its adoption presents issues similar to those of deploying any information technology. In recognizing such concerns among its own clients who were starting to use blockchain technology, PwC was motivated to develop its new solution. PwC logs transactions on the blockchain and has developed testing criteria and controls. The service allows users within a company to view, test and monitor transactions on the blockchain in near real time. One customer is a major stock exchange that needs to verify its blockchain-based payment process. Another customer, a digital wallet provider, is using the product to verify its transaction processing. PwC declined to identify these two customers. top

‘Netflix for oil’ setting stage for $1 trillion battle over data (Bloomberg, 19 March 2018) - A battle for big data is brewing in the oil patch. The service companies that map underground pockets of oil, drill the wells and lift crude from miles below are generating vast new amounts of data they never before realized could be valuable. But their exploration customers are essentially saying hands off to anything coming out of their wells, including the streams of zeros and 1s. “There’s no doubt to me, we are producing two resources: the oil and gas, and the data,” said Philippe Herve, a Schlumberger Ltd. veteran who now helps oil companies use artificial intelligence at SparkCognition. “The oil and gas is very clear: it belongs to the operator. But who owns the data?” Answering that question will mean real money for a global industry climbing out of the worst crude crash in a generation. An industry that only uses about 1 percent of the data it generates, according to Baker Hughes, is trying to harness it to see where to pump more oil faster for less money. Transforming to a digital oil field could add almost $1 trillion to the world’s economy by 2025, according to a 2015 study by Oxford Economics and Cisco Consulting Services. To the service companies specifically, owning the data—enough to fill 20 million file cabinets since 2010 alone—would mean a whole new revenue stream, perhaps as they sell subscriptions to huge data libraries. “It’s like Netflix for oil and gas,” said John Gibson, an advisor at Tudor Pickering Holt & Co. who previously ran the oil-services business for Halliburton Co. “Imagine that all data is like a movie that many different people want to watch, but they want to watch it at different times.” To the producers, though, owning that data means one less check they’d have to write. And it would ensure competing producers couldn’t see their data while stealthily moving into a new field. EOG Resources Inc., dubbed by one of its analysts as the Apple Inc. of the oilfield, is widely considered a leader among explorers for bypassing oilfield service companies to generate its own in-house innovations. “Data is king and one of our most valuable resources,” Sandeep Bhakhri, chief information and technology officer at EOG told investors on a conference call last year. “You have to own the data. You cannot outsource its collection, analysis or delivery.” [Polley: Fascinating; I was in the business 14 years ago, and am surprised this issue isn’t well-settled.] top

Results may vary in legal research databases (ABA Journal, March 2018) - When a lawyer searches in a legal database, that single search box is like a lure: Put in your search terms and rely on the excellence of the search algorithms to catch the right fish. At first glance, the various legal research databases seem similar. For instance, they all promote their natural language searching, so when the keywords go into the search box, researchers expect relevant results. The lawyer would also expect the results to be somewhat similar no matter which legal database a lawyer uses. After all, the algorithms are all trying to solve the same problem: translating a specific query into relevant results. The reality is much different. In a comparison of six legal databases (Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel and Westlaw), when researchers entered the identical search in the same jurisdictional database of reported cases, there was hardly any overlap in the top 10 cases returned in the results. Only 7 percent of the cases were in all six databases, and 40 percent of the cases each database returned in the results set were unique to that database. It turns out that when you give six groups of humans the same problem to solve, the results are a testament to the variability of human problem-solving. If your starting point for research is a keyword search, the divergent results in each of these six databases will frame the rest of your research in a very different way. top

Former Google legal heads launch Privacy Compliance Hub (Legal Technology, 20 March 2018) - Two former heads of legal at Google have launched a Privacy Compliance Hub, which is designed to take organisations through their data obligations in a step-by-step fashion in order to keep compliance in the hands of the business, not outside consultants or lawyers. Nigel Jones and Karima Noren - who once upon a time were director of legal EMEA and head of emerging markets respectively, but in the past few years have had a fairly entrepreneurial career path (latterly co-founding legal consultancy The Legal Pod) - created the Privacy Compliance Hub in January to aid the process of data compliance and create a culture of privacy compliance within a business, inevitably using GDPR as a hook. Using a team of ‘privacy champions’ appointed from within the organisation, a compliance programme is followed using a methodology and privacy plan which are supplied within the hub. This takes the privacy champions through what they need to do in a structured, step-by-step fashion, recording each step of the organisation’s compliance journey as they go along. The hub provides straightforward guidance and over 30 template documents, which are linked to key steps of the plan. [Polley: super expensive; I’m curious if anybody has seen the product.] top

Think cryptocurrency is confusing? Try paying taxes on it (NYT, 21 March 2018) - The room was full of stressed-out cryptocurrency traders. And for once, they weren’t nervous about the price of Bitcoin, or the roller coaster swings of the virtual currency markets. No, the subject of this gloomy affair was taxes. Specifically, how - and whether - to pay them. With this year’s April 17 tax filing deadline fast approaching, many virtual currency traders are sweating over their tax returns. They’re confused by the complicated rules, many of them stemming from guidelines issued by the I.R.S. in 2014, governing the taxation of virtual currencies. They’re afraid that the windfall profits created by last year’s cryptocurrency boom, which sent currencies like Bitcoin and Ether skyrocketing and created a new class of crypto-millionaires, have left them with huge tax bills. And, of course, they’re worried about drawing the eye of the Internal Revenue Service. Taxes have become an increasingly divisive topic among cryptocurrency fans. On Reddit forums devoted to cryptocurrency trading, some users exchange tips for dodging their tax obligations, including a method of hiding their assets by converting them into “privacy coins,” such as Monero, which are designed to be opaque and untraceable. They argue about whether the I.R.S. could use the blockchain, the digital ledger that records all Bitcoin transactions, to identify tax evaders in the future. And they ask for tax advice on complex situations, such as fly-by-night cryptocurrency exchanges that vanish suddenly, erasing the records of users’ transactions. top  

What is ProtonMail, the service used by Cambridge Analytica to cover its tracks? (Mashable, 21 March 2018) - Cambridge Analytica - the data analytics firm that came under fire this weekend for maliciously collecting information on 50 million Facebook users - reportedly used a self-destructing, encrypted email service called ProtonMail to cover its tracks, covering up correspondence between the company and third parties, according to an investigation published Wednesday. The firm set emails to self-delete after two hours and urged clients to use the service as well, per footage captured of former CEO Alexander Nix talking to a journalist posing as a would-be client. “I’d like you to set up a ProtonMail account, please,” Nix said, “because these are, now it’s getting quite sensitive.” “We set our ProtonMail emails with a self-destruct timer,” he continued. “So you send them, and after they’ve been read, two hours later they disappear.” So how does ProtonMail work? Just like any normal email service. Go to the website, sign up for an account, and you’re in. The free service has some restrictions, though. You only get 500 MB of storage and can only send 150 messages per day. If you upgrade to the Plus plan (4.00 €, or about $4.91, per month), you get 5 GB of storage, 1,000 sent messages per day, and a slew of other perks. * * * All of this sounds a tad bit shady, no? Which brings us to the next question: How does ProtonMail get away with it? The answer is its email servers, which are based in Switzerland. Yes, it’s something the company touts loudly on its website. On its homepage, it says, “ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws.” ProtonMail purports to be so secure that no one but you can access your email. They even make it explicit that ProtonMail couldn’t read your messages if it wanted to. The company says that since all of the data is stored outside the realm of “intrusive” U.S. laws, only encrypted messages could be handed over. * * * [ Polley : see also, Russian court says Telegram must hand over encryption keys to state intelligence service (TechDirt, 21 March 2018); and Kaspersky Lab plans Swiss data center to combat spying allegations - documents (Reuters, 21 March 2018)] top

NOTED PODCASTS/MOOCS

Slow Burn: A Podcast About Watergate (Slate) - You think you know the story, or maybe you don’t. But Watergate was stranger, wilder, and more exciting than you can imagine. What did it feel like to live through the scandal that brought down a president? Join Leon Neyfakh for an eight-episode podcast miniseries that tells the story of Watergate as it happened-and asks, if we were living through Watergate, would we know it? [ Polley : 8 episodes (about 3 hours); fantastic. If you lived thru Watergate, this’ll take you back to what it was like as the scandal slowly became clear; instructive for our current times.] top


The Accuracy, Fairness, and Limits of Predicting Recidivism (Harvard Berkman video, 6 March 2018; 56 mins) - Algorithms for predicting recidivism are commonly used to assess a criminal defendant’s likelihood of committing a crime. Proponents of these systems argue that big data and advanced machine learning make these analyses more accurate and less biased than humans. However, our study shows that the widely used commercial risk assessment software COMPAS is no more accurate or fair than predictions made by people with little or no criminal justice expertise. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Egypt ‘to copyright antiquities’ (BBC, 25 Dec 2007) - Egypt’s MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt’s Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. “Commercial use” of ancient monuments like the pyramids or the sphinx would also be controlled, he said. “Even if it is for private use, they must have permission from the Egyptian government,” he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. top

Science journal won’t publish papers because authors want to put them on Wikipedia (TechDirt, 19 March 2008) - Over the last few months, we’ve been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we’ve definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn’t allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. top

MIRLN—- 11 Feb - 3 March 2018 (v21.03)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

How the government controls sensitive satellite data (Wired, 8 Feb 2018) - During the Cold War, on the vast, barren flatland around Area 51’s dried-up Groom Lake, the military developed a stealth spy plane code-named Project Oxcart. Project personnel were sworn to secrecy, but still, US officials worried that the Soviets would find out what they were up to. With good reason: Up above, USSR satellites were ready to spy with their on-board cameras. While Area 51 employees couldn’t stop these satellites from swinging by, they did come up with a low-tech solution: moving the classified planes into sheds when they knew the satellites would pass over. Today, that’s not a feasible stealth solution. Earth orbit doesn’t just host a few Soviet spysats: More than a thousand working orbiters are out there, hundreds of those equipped with Earth-observing cameras. They are American, European, African, South American, Japanese, Indian, Chinese, Russian. And nothing stops many of them from taking pictures of supersecret areas. But the government has other ways of restricting information. The feds can limit how good commercially available images can be when taken by US companies. And it can issue a directive barring imaging over a given location. The law regulating that imaging, though, was first passed before satellite imaging really existed as an industry. And according to insiders, it’s been keeping satellites down, even as thousands more of them are set to launch in the next decade. When the Land Remote Sensing Policy Act passed, the world was a younger, more naïve place. Aladdin was about to come out. George Sr. was president. Oh, and also the satellite-imaging industry was way different. “The biggest way that it was different was that there wasn’t really one,” says Walter Scott, the founder of DigitalGlobe and CTO of Maxar Technologies, which bought DigitalGlobe last year. The law allowed fully private companies to get a license to take data on Earth from space, and so, when it passed in 1992, Scott did. The law, since added to, amended, and restated, still forms the legal basis for commercial remote sensing. But regulations have also accomplished the opposite, allowing the government to exercise so-called “shutter control”: If the government says to close your satellite’s eye, you have to do it. The government has never put shutter control into effect, at least not exactly. It’s gotten around it, though. After 9/11, the feds didn’t legislate the high-resolution Ikonos satellite out of taking or releasing images of Afghanistan. They simply bought exclusive rights to all of its images of the area, the only high-res ones available on the US market, making it functionally impossible for anyone else to use commercial US imagery to surveil the area. Insiders call this “checkbook shutter control.” That kind of limitation also happens on a smaller scale. “US government customers have the ability, as, actually, do some of our other customers, to say, ‘We would like you to take this image and not make this image available publicly,’” explains Scott. “It’s an exclusivity arrangement.” Then, there are the things that aren’t shutter control but do place cuffs around satellite operators. Take the Kyl-Bingaman Amendment, which bans US companies from releasing their high-resolution images of Israel and the Occupied Territories. In addition, “certain licensees have some area imaging restrictions,” says Tahara Dawkins, the director of the NOAA Commercial Remote Sensing Regulatory Affairs Office. “The details are proprietary.” [ Polley : fascinating] top

CISOs wary of threat intelligence accuracy, quality: Study (CXO Today, 8 Feb 2018) - In a world where cyber criminals are becoming increasingly stealthy and sophisticated, with new threats on the rise ranging from ransomware to DNS hijacking, it is ineffective and costly for companies to defend themselves against cybersecurity threats alone. According to a new report conducted by Ponemon Institute, the consumption and exchange of threat intelligence has increased significantly since 2015. Yet despite the increase in the exchange and use of threat intelligence, CISOs are not satisfied with the current quality of the data. [Read the full study here] The report, titled “Exchanging Cyber Threat Intelligence: There Has to Be a Better Way,” found that while security professionals are increasingly recognizing the importance of threat intelligence, the majority remain dissatisfied with its accuracy and quality. Meanwhile, because many security teams still execute threat investigations solo rather than pooling intelligence, their ability to quickly act on threats is limited. The report found 67 percent of IT and security professionals spend more than 50 hours per week on threat investigations, instead of efficiently using security resources and sharing threat intelligence. Lack of accuracy and timeliness is among the top complaints about threat intelligence, which in turn hinders its effectiveness and security teams’ ability to quickly mitigate threats, the report noted. In fact, only 31 percent of respondents cited threat intelligence as actionable. But exchanging threat intelligence amongst peers, industry groups, IT vendors and government bodies can result in more holistic, accurate and timely threat intelligence and a stronger security posture. Two-thirds of respondents (66 percent) reported that threat intelligence could have prevented or minimized the consequence of a data breach or cyber attack, indicating that more infosecurity professionals are realizing the importance of threat intelligence. The vast majority of respondents are focused on threat sharing, with 84 percent of organizations fully participating or partially participating in an initiative or program for exchanging threat intelligence with peers and/or industry groups. But, most of these organizations are only participating in peer-to-peer exchange of threat intelligence (65 percent) instead of a more formal approach such as threat intelligence exchange services or a consortium, which contributes to the dissatisfaction with the quality of the threat intelligence obtained. Other key findings from the survey include: Most respondents believe threat intelligence improves situational awareness, with an increase from 54 percent of respondents in 2014 to 61 percent of respondents in this year’s study. Sixty-six percent of respondents say shared information is not timely, and 41 percent say it is too complicated. Potential liability and lack of trust in intelligence providers prevent some organizations from fully participating in threat intelligence exchange programs, with 58 percent and 60 percent respectively citing these concerns. Twenty-four percent of organizations would rather exchange threat intelligence via a threat intelligence exchange service and 21 percent via a trusted intermediary, with only four percent preferring to share intelligence directly with other organizations, indicating a need for an exchange platform that enables such sharing because it is trusted and neutral. While the value of threat intelligence declines within minutes, only 24 percent of respondents say they receive threat intelligence in real time (nine percent) or hourly (15 percent). Seventy-three percent of respondents say they use threat indicators and the most valuable types of information are indicators of malicious IP addresses and malicious URLs. top
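The report’s two complaints, that shared indicators are not timely and that few of them are actionable, come down to how a team actually applies an IP/URL feed to its own telemetry. The following is an added example, not code from the Ponemon report, CXO Today or any sharing platform, showing one way to do that: indicators carry a confidence value and a last-seen time, the confidence is discounted as the indicator ages, and only matches that still clear a threshold raise an alert. The feed entries, the log-line format, the three-day half-life and the 0.5 threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the Ponemon report or the CXO Today article):
apply shared IP/URL indicators to proxy log lines, discounting each
indicator by age so stale intelligence does not fire at full confidence.

Everything below is constructed: the feed, the log lines, the half-life
and the alert threshold are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re


@dataclass(frozen=True)
class Indicator:
    kind: str                 # "ip" (destination address) or "url"
    value: str
    last_seen: datetime       # when the sharing partner last saw it active
    base_confidence: float    # 0..1, as supplied by the partner


# Constructed feed, as if received from a peer or an exchange service.
NOW = datetime(2018, 2, 8, 12, 0, tzinfo=timezone.utc)
FEED = [
    Indicator("ip", "203.0.113.7", NOW - timedelta(hours=1), 0.9),    # fresh
    Indicator("ip", "198.51.100.23", NOW - timedelta(days=30), 0.9),  # stale
    Indicator("url", "http://example.invalid/update.bin", NOW - timedelta(hours=6), 0.8),
]

HALF_LIFE = timedelta(days=3)   # assumed: confidence halves every three days
THRESHOLD = 0.5                 # assumed: alert only at or above this score

# Constructed log lines: "<iso-time> <src-ip> <method> <url> <dst-ip>".
LOG_LINES = [
    "2018-02-08T11:58:02Z 10.0.0.5 GET http://example.invalid/update.bin 203.0.113.7",
    "2018-02-08T11:59:40Z 10.0.0.9 GET http://intranet.example/ 10.0.0.2",
    "2018-02-08T12:00:01Z 10.0.0.7 GET http://198.51.100.23/login 198.51.100.23",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def decayed_score(ind: Indicator, now: datetime) -> float:
    """Exponential decay of the partner's confidence with indicator age."""
    age = max(now - ind.last_seen, timedelta(0))
    return ind.base_confidence * 0.5 ** (age / HALF_LIFE)


def match_line(line: str, feed, now: datetime):
    """Return [(indicator value, decayed score, alert?)] for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []                        # unparseable line: skip, do not guess
    _ts, _src, _method, url, dst = m.groups()
    hits = []
    for ind in feed:
        observed = dst if ind.kind == "ip" else url
        if ind.value != observed:
            continue
        score = decayed_score(ind, now)
        hits.append((ind.value, round(score, 3), score >= THRESHOLD))
    return hits


def triage(lines, feed, now: datetime):
    """Map each internal source IP to the indicator hits on its traffic."""
    results = {}
    for line in lines:
        hits = match_line(line, feed, now)
        if hits:
            src = line.split()[1]
            results.setdefault(src, []).extend(hits)
    return results


if __name__ == "__main__":
    for src, hits in triage(LOG_LINES, FEED, NOW).items():
        for value, score, alert in hits:
            print(f"{src} -> {value} score={score} {'ALERT' if alert else 'low-confidence'}")
```

With these inputs the fresh IP and the URL indicator both alert on 10.0.0.5, while the 30-day-old IP indicator still matches 10.0.0.7 but is reported as low confidence rather than paged out. The half-life is the knob that encodes the report’s observation that intelligence loses value quickly; a team receiving feeds only hourly or daily would tune it against its own false-positive history rather than reuse the value assumed here.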

New Orleans eyes bars and restaurants as new focus of surveillance (Citylab, 9 Feb 2018) - New Orleans Police Superintendent Michael Harrison has a message for New Orleans bar-goers: Be good-you’re being watched. The city council is considering an unprecedented proposal to require any business with a liquor license to install video cameras that feed into a real-time surveillance “command center” monitored 24/7 by law enforcement. “We want to be able to send a message that if you’re in public spaces, we’re going to be able to catch you if you commit a crime,” Harrison told CityLab. “We have to have the ability to demonstrate to would-be criminals, to would-be terrorists, if you will, that in public spaces we’re going to find them and know who you are.” To that end, New Orleans is pioneering what appears to be the most expansive surveillance of bars and restaurants in the country. As currently written, the ordinance requires proprietors to purchase and install street-facing cameras that connect to the city’s command center and store the footage for at least two weeks. Businesses found violating any conditions of the liquor license could be required to install the cameras inside as well. In a survey of other municipal laws , MaCCNO found that no other cities in the U.S. require all businesses with a liquor license to participate in a real-time surveillance network. Still, this unique proposal follows a broader trend of cities increasingly expanding the geographic scope of local video surveillance in the name of public safety. Cities from New York to Fresno have developed software that merges city camera networks with predictive policing software to try to ascertain the likelihood individuals will commit a crime. New Orleans plans to eventually expand the monitoring center to “include an intelligent threat analytics platform that looks for specific kinds of threats and integrates remote-sensing technology,” according to the mayor’s public safety plan . top

ABA House of Delegates approves novel virtual currency draft legislation (ABA Journal, 9 Feb 2018) - The American Bar Association’s House of Delegates approved a draft uniform law regarding virtual currency businesses for states to adopt. Drafted by the National Conference of Commissioners on Uniform State Laws, the Uniform Regulation of Virtual-Currency Business Act is draft legislation intended to create a statutory structure for regulating “virtual currency business activity,” according to the act’s prefatory note. The vote took place during the ABA Midyear Meeting in Vancouver, British Columbia. Many involved with cryptocurrency “are not enamored much in the way of regulation,” according to Fred Miller, the chair of the committee that drafted the legislation. He says, however, that there was near unanimity from advocates, business people and lawyers regarding the need for this type of legislation. Miller notes that the bill does not regulate the underlying technology of virtual currency, called blockchain, often described as a distributed ledger. Instead, the draft law focuses on licensing businesses associated with virtual currencies, like money transmitters and money services. In that regard, the draft law is similar to the Uniform Money Services Act, which deals with traditional currency businesses. To date, state governments have had mixed responses to cryptocurrencies and related businesses. While some have taken a hands-off approach, others have created elaborate licensing schemes. In one example, New York created the BitLicense regulatory scheme in 2015. It has received broad criticism for being over the top, according to Miller. As of last month, only three companies had received BitLicenses. Miller says that the criticism of the New York law was one reason the draft legislation did something novel: it created tiered regulation. The system will trigger certain levels of regulation depending on a company’s earnings. Entities with under $5,000 of business activity will be exempt from regulatory oversight. Those operating between $5,000 and $35,000 will require a “light license”, explains Miller. The full regulatory scheme is triggered once a business breaches the $35,000 threshold. “We wanted to allow some regulation and allow some experimentation and innovation as well,” says Miller. To date, the draft legislation has been introduced in Hawaii and Nebraska, according to the Uniform Law Commission’s website. top

German court says Facebook’s real name policy is illegal (The Verge, 12 Feb 2018) - A German court ruled that Facebook’s real name policy is illegal and that users must be allowed to sign up for the service under pseudonyms to comply with a decade-old privacy law. The ruling, made last month but only now being announced, comes from the Berlin Regional Court and was detailed today by the Federation of German Consumer Organizations (abbreviated from German as VZBV), which filed the lawsuit against Facebook. Facebook says it will appeal the ruling, but also that it will make changes to comply with European Union privacy laws coming into effect in June, according to Reuters. “We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law,” a Facebook spokesperson said. According to the VZBV, the court found that Facebook’s real name policy was “a covert way” of obtaining users’ consent to share their names, which are one of many pieces of information the court said Facebook did not properly obtain users’ permission for. The court also said that Facebook did not provide a clear choice to users for other default settings, such as to share their location in chats, and it ruled against clauses that allowed Facebook to use information such as profile pictures for “commercial, sponsored, or related content.” VZBV notes that it didn’t win on all counts, though. Facebook prevailed on a complaint that it was misleading to say the service was free, because as VZBV put it, consumers pay “with their data.” Given that the ruling comes from a regional court and that both parties intend to appeal, it’s unlikely that some of these decisions are going to be final. But it’s still bad news for Facebook - and good news for users - that a consumer advocacy group is finding success as it pushes back against the social network’s generous data sharing policies, which are often more a benefit to the company than to people using the service. top

97% of cybersecurity leaders are evaluating vendor security, including law firms, says new survey (ABA Journal, 12 Feb 2018) - Released Feb. 8, the report, titled “The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data,” explores the role of chief information security officers, the adoption of cloud technology and how businesses are auditing their vendors. While the report did not focus on the legal industry, formal evaluation of legal vendors was touched on. Seventeen percent of respondents said these evaluations were driven by regulatory requirements. Even with this level of scrutiny, only 53 percent said they were confident in the security of their data being managed by third parties, like law firms. Fifty-seven percent of respondents said they were periodically involved in litigation or investigations. And the level of concern regarding sharing data with these companies “depends on the case and litigation, as well as what disclosure of information is required,” said an unnamed technology CISO in the report. Looking at cloud storage, the report found that 87 percent of respondents were using third-party cloud providers to “host non-critical information” to save money and streamline business processes. Nearly one-fifth said that moving to the cloud was spurred by using Microsoft Office 365. The 30-person survey, conducted last August by Ari Kaplan Advisors and Ankura, a consultancy, included chief information security officers, chief technology officers and director-level positions related to information security from primarily the U.S. Sixty-seven percent of respondents were from highly regulated financial- and healthcare-related industries, which skewed results towards stronger levels of awareness of these issues, according to the report. top

- and -

Memo to law firms: Raise cybersecurity bar or risk client losses (Bloomberg, 23 Feb 2018) - Law firms may not be the safe repository of client confidences, such as trade secrets and merger plans, that they once were, as hackers recognize firms as prized vaults of proprietary corporate data. “Law firms are ideal targets for hackers because of the sensitive nature and variety of information they collect and store,” Dore said. Clients, for their part, view law firm data breaches or lax security as serious business considerations, Lucian T. Pera, legal ethics partner at Adams and Reese LLP in Memphis, Tenn. and former treasurer of the American Bar Association, told Bloomberg Law. “Cybersecurity protections are becoming a serious factor in client decision-making,” at law firms, and large firms stand to lose business if they don’t take care of cybersecurity, he said. [ Polley : Again, see ABA Cybersecurity Handbook (which Lucian Pera helped write). More than a thousand copies have sold in its 3 months. See also, the ABA Journal’s ongoing 2018 “Digital Dangers” series/resources.] top

Tech’s ethical ‘dark side’: Harvard, Stanford and others want to address it (NYT, 12 Feb 2018) - The medical profession has an ethic: First, do no harm. Silicon Valley has an ethos: Build it first and ask for forgiveness later. Now, in the wake of fake news and other troubles at tech companies, universities that helped produce some of Silicon Valley’s top technologists are hustling to bring a more medicine-like morality to computer science. This semester, Harvard University and the Massachusetts Institute of Technology are jointly offering a new course on the ethics and regulation of artificial intelligence. The University of Texas at Austin just introduced a course titled “Ethical Foundations of Computer Science”, with the idea of eventually requiring it for all computer science majors. And at Stanford University, the academic heart of the industry, three professors and a research fellow are developing a computer science ethics course for next year. They hope several hundred students will enroll. The idea is to train the next generation of technologists and policymakers to consider the ramifications of innovations, like autonomous weapons or self-driving cars, before those products go on sale. “It’s about finding or identifying issues that we know in the next two, three, five, 10 years, the students who graduate from here are going to have to grapple with,” said Mehran Sahami, a popular computer science professor at Stanford who is helping to develop the course. He is renowned on campus for bringing Mark Zuckerberg to class. “Technology is not neutral,” said Professor Sahami, who formerly worked at Google as a senior research scientist. “The choices that get made in building technology then have social ramifications.” top

Porsche is 3d printing hard-to-find parts for the 959 and other classics (Jalopnik.com, 13 Feb 2018) - Porsche Classic, Porsche’s classic cars division, has turned to 3D printing obscure parts that people might need on occasion. They already have about 52,000 parts available, but for the truly arcane ones, it’s cheaper to 3D print them than make the specialized tools to create them over again. top

We don’t need new laws for faked videos, we already have them (EFF, 13 Feb 2018) - Video editing technology hit a milestone this month. The new tech is being used to make porn. With easy-to-use software, pretty much anyone can seamlessly take the face of one real person (like a celebrity) and splice it onto the body of another (like a porn star), creating videos that lack the consent of multiple parties. People have already picked up the technology, creating and uploading dozens of videos on the Internet that purport to involve famous Hollywood actresses in pornography films that they had no part in whatsoever. While many specific uses of the technology (like specific uses of any technology) may be illegal or create liability, there is nothing inherently illegal about the technology itself. And existing legal restrictions should be enough to set right any injuries caused by malicious uses. * * * [ Polley : Useful article, as usual.] top

- and -

Deep Fakes: A looming crisis for national security, democracy and privacy? (Bobby Chesney on Lawfare, 21 Feb 2018) - “We are truly fucked.” That was Motherboard’s spot-on reaction to deep fake sex videos (realistic-looking videos that swap a person’s face into sex scenes actually involving other people). And that sleazy application is just the tip of the iceberg. As Julian Sanchez tweeted, “The prospect of any Internet rando being able to swap anyone’s face into porn is incredibly creepy. But my first thought is that we have not even scratched the surface of how bad ‘fake news’ is going to get.” Indeed. Recent events amply demonstrate that false claims, even preposterous ones, can be peddled with unprecedented success today thanks to a combination of social media ubiquity and virality, cognitive biases, filter bubbles, and group polarization. The resulting harms are significant for individuals, businesses, and democracy. Belated recognition of the problem has spurred a variety of efforts to address this most recent illustration of truth decay, and at first blush there seems to be reason for optimism. Alas, the problem may soon take a significant turn for the worse thanks to deep fakes. Get used to hearing that phrase. It refers to digital manipulation of sound, images, or video to impersonate someone or make it appear that a person did something, and to do so in a manner that is increasingly realistic, to the point that the unaided observer cannot detect the fake. Think of it as a destructive variation of the Turing test: imitation designed to mislead and deceive rather than to emulate and iterate. * * * [ see also, The danger of deep fakes: responding to Bobby Chesney and Danielle Citron (Stanford’s Herb Lin on Lawfare, 27 Feb 2018)] top

Iterating on Code.mil (Defense Digital Service, 13 Feb 2018) - In February 2017, the Defense Digital Service (DDS) decided it was time to take a more involved approach within the Department of Defense in the government-wide movement to open source code. This was spurred by the release of the new Federal Source Code Policy by the Office of Management and Budget in August 2016 and Code.gov in November 2016. We spent a lot of time talking with people in the DoD, across the federal government, and leaders in the Free / Open Source Software (F/OSS) community. Thus we formed a new project called Code.mil and created a repository providing guidance on how to open source code at the DoD. It’s been a long time coming, but that guidance - and its organization and presentation - has received a well-needed refresh with today’s (re)launch of Code.mil, an experiment in open source at the Department of Defense. Our guidance has been reorganized into an easy to digest website and we’re investing in further improvements. The DoD faces many challenges in open sourcing code. Unlike most software projects, code written by U.S. Federal government employees typically does not have copyright protections under U.S. and some international laws. Oftentimes this makes people think that our code can’t use an OSS license, but this is far from true! It does, however, require a little more effort to define our intent. The complexity of national security policy adds another point of difficulty when individual program offices look to open source their work. Even with approval to release code publicly, government employees can be hindered by lack of access to modern source control and developer operations processes. Those barriers are precisely what DDS is good at tackling. The guidance we’re providing at Code.mil will help many projects across the Department by giving developers and product owners a template to start from and the necessary background information to share with people in their organization who may not be familiar with open source software. The site also highlights the policy and laws that affect custom-developed code written by U.S. government employees - or contractors working with us - so that people are informed about the requirements placed on them. * * * top

Project revives old software, preserves ‘born-digital’ data (Yale News, 13 Feb 2018) - Digital preservationists at Yale University Library are building a shareable “emulation as a service” infrastructure to resurrect thousands of obsolete software programs and ensure that the information produced on them will be kept intact and made easily available for future access, study, and use. Funded through a pair of $1 million grants from The Andrew W. Mellon Foundation and the Alfred P. Sloan Foundation, the project will enable access to at least 3,000 applications, including operating systems, scientific software, office and email applications, design and engineering software, and software for creative pursuits like video editing or music composition. “Material across subjects and fields increasingly is created only in digital form, making it vital for research libraries to develop ways to preserve digital information and make it readily accessible to the public,” said Susan Gibbons, university librarian and deputy provost for collections and scholarly communication. “Thanks to the generous support and foresight of the Sloan and Mellon Foundations, Yale University Library is helping both to establish best practices in this emerging and critically important field and to ensure that future generations of students and scholars can examine a word-processing file or electronic spreadsheet as easily as they study a book or manuscript.” The project will establish a shareable infrastructure that provides on-demand access to old software, recreating the original software environment on a current-day device, said Euan Cochrane, the library’s digital preservation manager and the project’s principal investigator. top

CDT launching effort to improve trust in VPNs (CDT, 14 Feb 2018) - As more internet users strive to take more control of their online privacy, Virtual Private Networks or VPNs have surged in popularity. VPNs work by creating an encrypted tunnel between a browser or device and the VPN provider’s network, protecting traffic as it passes through potentially hostile local networks. They assist in obscuring oneself from ISPs and shielding personal information flowing through non-secure public WiFi found in airports, coffee shops, conferences, and hotels. Advocates, including CDT, and regulators routinely advise individuals to consider using a VPN if they are particularly concerned about protecting their online privacy. But the basic security, privacy, and usability of VPNs vary widely, and it can be extremely difficult for users to assess the reliability of any given VPN provider’s privacy and security practices, as evidenced by CDT’s complaint last summer against AnchorFree’s Hotspot Shield VPN. While there have been several well-meaning efforts to develop best practices for VPNs, it remains difficult for privacy advocates and technical experts to recommend a specific commercial VPN service. It is also hard for responsible VPN providers to differentiate themselves on their privacy and security bona fides in the marketplace. To address these challenges, CDT will bring together VPN providers, privacy and consumer advocates, technical experts, and other stakeholders focused on internet infrastructure to create best practices and an enforceable code of conduct for protecting user data with VPNs. CDT believes any successful guidance on privacy and security in VPNs will address the following five issues: * * * [Polley: This is great; all VPNs are not created equal; CDT is a credible entity to shine some light on this. See also In the market for a VPN app? (FTC, 22 Feb 2018)] top

Salon to use readers’ computers to mine cryptocurrency (The Hill, 13 Feb 2018) - Media company Salon.com is asking readers to allow them to use their computers to mine cryptocurrencies as a new source of revenue. The left-leaning company launched the test program on Monday and is targeting readers who use ad blockers, which it blames for declining revenues, the Financial Times reports. Readers who suppress ads with a blocker now see a pop-up that asks them if they will give Salon access to their computers’ unused processing power to mine digital currencies. The pop-up is powered by Coinhive, which allows companies to run a program on users’ web browsers to mine the cryptocurrency Monero, known for its privacy features and popularity on the black market. [ Polley : I use ad-blockers for security purposes, and there’s no chance that I’d let somebody borrow computer cycles from me either. Forbes and Salon have thus lost me as a reader; Talking Points Memo left enough outside the paywall to keep me engaged, and I’ve just signed up for their “prime” service ($50/year).] top

How Russian bots spread fear at university in the US (InsideHigherEd, 15 Feb 2018) - Numerous reports in the last year have documented how Russian bots manipulated social media during the 2016 presidential campaign. A new journal article in Strategic Studies Quarterly reveals that the Russian bots had another target in the fall of 2015: students at the University of Missouri at Columbia. The bots created false impressions about some threats against black students and faculty members at the university, which resulted in some campus leaders calling for people to stay home and many students to say that they were terrified. The false reports also contributed to a negative image of the university—particularly with regard to its support for minority students—that the university continues to fight. Complicating the situation is that racial tensions were quite real at Mizzou that fall, and real threats did exist. But the article documents how the false reports contributed to considerable fear on campus. In fact, the Russian bots avoided detection in part because the hashtag #PrayforMizzou was used by real people who were at the university or were concerned about it, as well as by those forwarding the bot-created tweets. * * * The author of the journal article is Lieutenant Colonel Jarred Prier of the United States Air Force. Prier writes that there was plenty of evidence—for those looking—that the tweets that spread were false. He cites the tweeting and retweeting patterns, consistent with other Russian bot efforts. “The plot was smoothly executed and evaded the algorithms Twitter designed to catch bot tweeting, mainly because the Mizzou hashtag was being used outside of that attack,” he writes. “The narrative was set as the trend was hijacked, and the hoax was underway.” top

New York’s cybersecurity requirements for financial services companies: Certification of compliance due (Ride The Lightning, 21 Feb 2018) - Lexology reported last week that the first certification of compliance was due under a new law in New York. The New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation was due February 15, 2018. The regulation requires “covered entities”—meaning any person or non-governmental entity operating under or required to operate under authorization under the Banking Law, Insurance Law, or Financial Services Law—to maintain a strong cybersecurity program that includes monitoring, testing, and training, as well as written cybersecurity policies that include periodic risk assessments. The regulation also requires covered entities to designate a qualified “Chief Information Security Officer” and requires that the entity establish a written incident response plan to promptly respond to and recover from a cybersecurity incident. The regulation requires a covered entity to provide notice of a breach or cybersecurity event to the superintendent within 72 hours of determination that a cyber event has occurred and empowers the superintendent to enforce the provisions of the regulation. [see also New York cybersecurity deadline highlights importance of a comprehensive insurance coverage for cyber risks (Hunton, 15 Feb 2018)] top

Facebook inks music licensing deal with ICE covering 160 territories, 290K rightsholders on FB, Insta, Oculus and Messenger (TechCrunch, 21 Feb 2018) - Facebook today took its latest step towards making good on paying out royalties to music rightsholders around tracks that are used across its multiple platforms and networks. The company has signed a deal with ICE Services - a licensing group and copyright database of some 31 million works that represents PRS in the UK, STIM in Sweden and GEMA in Germany - to provide music licensing and royalty collection for works and artists represented by the group, when their music is used on Facebook, Instagram, Oculus and Messenger. WhatsApp is not included because “We understand that WhatsApp is currently used as a pure communication tool akin to private email / messaging,” a spokesperson for ICE told TechCrunch. “This will be kept under review.” The deal is significant because, as ICE describes it, it’s the first multi-territorial license Facebook has signed with an online licensing hub: it will cover 160 territories and 290,000 rightsholders. So what will this be used for? Facebook has moved into a lot of different services over the years, but a streaming music operation to compete with the likes of (soon-to-be public) Spotify, Pandora and Apple Music has not been one of them. However, in recent times it has been laying the groundwork to do more in music. And specifically, it has been signing deals with record labels and others to make sure that the music that is used in videos and other items posted to its sites is legit and paid for to avoid lawsuits, takedown requests, and - yes - potentially the creation of new music-based services down the road, as it starts to tap into the opportunities that music affords it. top

Tech-savvy attorneys in heavy demand amid emerging tech (Bloomberg, 22 Feb 2018) - Memo to lawyers: free your inner computer nerd if you want to represent today’s clients. Take Patrick Berarducci, a lawyer whose resume also includes a background in computer science and software engineering. He was quickly snatched up by the blockchain company ConsenSys to make sure the developing technology complies with existing laws and regulations. “There’s a real shortage” of lawyers like him, John Wolpert, ConsenSys’ product executive, told Bloomberg Law. “We need a lot more code-y lawyers, as I say.” Emerging and fast-evolving technologies, such as blockchain, artificial intelligence and cybersecurity, have law firms scrambling for legal talent that understands technology. Law firms are scouring for attorneys with expertise in computer science or cryptography to advise corporate and government clients implementing technology and navigate nascent case law in these areas, executives and attorneys told Bloomberg Law. Law firms trailing in tech know-how risk losing business from all sectors of the economy, attorneys told Bloomberg Law. More states, in their attorney competence standards, are telling firms to boost their lawyers’ tech expertise, or run the risk of possible sanctions or penalties. * * * [ Polley : look for fluent lawyers - conversant in the technology, international issues, business, and the law. As a Venn-diagram, you want to engage with those in the center.] top

Court destroys future public art installations by holding building owner liable for destroying this one (TechDirt, 22 Feb 2018) - Last week was a big week for dramatically bad copyright rulings from the New York federal courts: the one finding people liable for infringement if they embed others’ content in their own webpages , and this one about 5Pointz , where a court has found a building owner liable for substantial monetary damages for having painted his own building . While many have hailed this decision , including those who have mistakenly viewed it as a win for artists , this post explains why it is actually bad for everyone. The facts in this case are basically this: the owner of a run-down, formerly industrial building in a run-down neighborhood aspired to do something to redevelop his property, but it would be a few years before the time would be right. So in the meantime he let some graffiti artists use the building for their aerosol paintings. The building became known as 5Pointz, and the artwork on it soon began to attract attention. The neighborhood also began to change, and with the improvement the prospects for redeveloping the property into residences became more promising. From the outset everyone knew that redevelopment would happen eventually, and that it would put an end to the arrangement since the redevelopment would likely necessitate tearing down the building, and with it the art on the walls. As the date of demolition grew closer, the artists considered buying the building from the owner in order to prevent it from being torn down and thus preserve the art. However the owner had received a variance that suddenly made the value of the property skyrocket from $40 million to $200 million, which made the buyout impossible. So the artists instead sued to halt the destruction of their art and asked for a preliminary injunction, which would ensure that nothing happened to the art while the case was litigated. 
But in late 2013 the court denied the preliminary injunction , and so a few days later the building owner went ahead and painted over the walls. The painting-over didn’t end the litigation, which then became focused on whether this painting-over broke the law. In 2017 the court issued a ruling allowing the case to proceed to trial on this question . Then last week came the results of that trial, with the court finding this painting-over a “willfully” “infringing” act and assessing a $6.7 million damages award against the owner for it. It may be tempting to cheer the news that an apparently wealthy man has been ordered to pay $6.7 million to poorer artists for damaging their art. True—the building owner, with his valuable property, seems to be someone who potentially could afford to share some of that wealth with artists who are presumably of lesser means. But we can’t assume that a defendant building owner, who wants to be able to do with his property what he is normally legally allowed to do, will always be the one with all the money, and the plaintiff artist will always be the one without those resources. The law applies to all cases, no matter which party is richer, and the judicial reasoning at play in this case could just as easily apply if Banksy happened to paint the side of your house and you no longer wanted what he had painted to remain there. Per this decision, removing it could turn into an expensive proposition. The decision presents several interrelated reasons for concern. * * * top

SEC expands guidance on cybersecurity disclosure obligations (Wiley Rein, 22 Feb 2018) - On February 21, 2018, the Securities and Exchange Commission (SEC) announced much-anticipated guidance which updates previous guidance on disclosing cybersecurity risk. The Commission stated it was “reinforcing and expanding upon the staff’s 2011 guidance,” while continuing to consider other means of promoting appropriate disclosure of cyber incidents. One takeaway from this guidance is that some uncertainty will remain as to what is material. That said, the SEC is sending clear signals. Companies must pay more attention to the quality and nature of their disclosures and Board management is top of mind at the Commission. Companies should double down on efforts to ensure they have solid policies and procedures, and consider SEC risk when handling a cyber incident. This update comes against the backdrop of other executive branch activity on market transparency and disclosure in response to President Trump’s 2017 Executive Order, as well as statements by senior government officials signaling increasing expectations about private sector efforts on cybersecurity. The government is also looking at measurement and metrics for cyber risk management, in other venues. top

A new, democratic tool for mapping city streets (The Atlantic, 23 Feb 2018) - Let’s say you’re throwing a block party. You and your neighbor both draw your own maps of where the street will be closed, and how to get there. How would you do it? Just label some points on a line, or draw all the intersections? Do you indicate nearby parking spots? Does your map look exactly like your neighbor’s? Would partygoers looking at both get confused? Now take that concept to the city level, where mismatched maps can have truly high stakes. Using giant GIS databases, cities from Boston to San Diego maintain master street maps to guide their transportation and safety decisions. But there’s no standard format for that data. Where are the intersections? How long are the curbs? Where’s the median? It varies from city to city, and map to map. That’s a problem as more private transportation services flood the roads. If a city needs to communicate street closures or parking regulations to Uber drivers, or Google Maps users, or new dockless bike-sharing services-which all use proprietary digital maps of their own-any confusion could mean the difference between smooth traffic and carpocalypse. And, perhaps more importantly, it goes the other way too: Cities struggle to obtain and translate the trip data they get from private companies ( if they can get their hands on it, which isn’t always the case) when their map formats don’t match up. A team of street-design and transportation-data experts believes it has a solution. On Thursday, the National Association of City Transportation Officials and the nonprofit Open Transport Partnership launched a new open data standard and digital platform for mapping and sharing city streets. It might sound wonky, but the implications are big: SharedStreets brings public agencies, private companies, and civic hackers onto the same page, with the collective goal of creating safer, more efficient, and democratic transportation networks. top

How a fight over Star Wars download codes could reshape copyright law (ArsTechnica, 23 Feb 2018) - A federal judge in California has rejected Disney’s effort to stop Redbox from reselling download codes of popular Disney titles like Frozen, Beauty and the Beast, and the latest Star Wars movies. Judge Dean Pregerson’s Tuesday ruling invoked the little-used doctrine of copyright misuse, which holds that a copyright holder loses the right to enforce a copyright if the copyright is being abused. Pregerson faulted Disney for tying digital download codes to physical ownership of discs, a practice that he argued ran afoul of copyright’s first sale doctrine, which guarantees customers the right to resell used DVDs. If the ruling were upheld on appeal, it would have sweeping implications. It could potentially force Hollywood studios to stop bundling digital download codes with physical DVDs and force video game companies to rethink their own practices. But James Grimmelmann, a copyright scholar at Cornell Law School, is skeptical that the ruling will survive an inevitable appeal from Disney. When you buy a Disney DVD or Blu-ray disc, it will often come bundled with a special code that can be used at one of two Disney-sponsored websites, RedeemDigitalMovies and Disney Movies Anywhere (recently superseded by the multi-studio Movies Anywhere), to obtain a digital copy that can be viewed on PCs and mobile devices. Disney didn’t view the DVD and the download code as two separate products. Instead, Disney views them as a customer convenience: a way to allow a single customer to watch the one movie they’ve purchased on a wide range of devices. But Redbox had a different interpretation. Redbox is in the business of buying DVDs and renting them out to customers. And it saw an opportunity to make some extra money from Disney’s download codes. The company started buying DVD-plus-download-code bundles at ordinary retail locations and breaking the bundles apart. 
Redbox rented out the DVDs and Blu-Ray discs as it always has. But it also began selling the download codes to customers, allowing them to gain a digital copy of a movie for a fraction of the cost of purchasing a digital download directly from Disney. Disney sued, arguing that Redbox was violating the licensing terms that came with the bundle. The Disney DVDs came bundled with a notice that says “codes are not for sale or transfer.” Disney argued that Redbox had to accept this condition in order to open the package and gain access to the download code. [ Polley : I’ve got a lot of respect for Grimmelmann, and this is a weird case.] top

2nd Circuit contributes to fair use week with an odd and problematic ruling on TVEyes (TechDirt, 2 March 2018) - For years, we’ve quoted a copyright lawyer/law professor who once noted that the standards for fair use are an almost total crapshoot: nearly any case can have almost any result, depending on the judge (and sometimes jury) in the case. Even though there are “four factors” that must be evaluated, judges will often bend over backwards to twist those four factors to get to their desired result. Some might argue that this is a good thing in giving judges discretion in coming up with the “right” solution. But, it also means that there’s little real “guidance” on fair use for people who wish to make use of it. And that’s a huge problem, as it discourages and suppresses many innovations that might otherwise be quite useful. Case in point: earlier this week the 2nd Circuit rejected a lower court decision in the Fox News v. TVEyes case. If you don’t recall, TVEyes provides a useful media monitoring service that records basically all TV and radio, and makes the collections searchable and accessible. It’s a useful tool for other media companies (which want to use clips), for large PR firms tracking mentions, and for a variety of other uses as well. The initial ruling was a big win for fair use (even when done for profit) and against Fox News’ assertion of the obsolete doctrine of “Hot News” misappropriation. That was good. However, that initial ruling only covered some aspects of TVEyes’ operations—mainly the searching and indexing. A second ruling was more of a mixed bag , saying that archiving the content was fair use, but allowing downloading the content and “date and time search” (as opposed to content search) was not fair use. Some of this was appealed up to the 2nd circuit—specifically that second ruling saying parts of the service were not fair use. Thankfully, Fox didn’t even bother appealing the “hot news” ruling or the “fair use on index search” ruling. 
As you’d expect, the court runs through a four factors test, and as noted above, the analysis is… weird. Once again, it seems clear that the court decided Fox should win and then bent its four factors analysis to make that happen. The court separates out TVEyes operations into two things: “Search” and “Watch.” Whereas the lower court separated out “Watch” into various components, here the court decides that the entire “Watch” part is not fair use, and thus there’s no need to examine the components (the “Search” part remains covered by fair use—which, again, Fox did not challenge). * * * top

RESOURCES

Self-Destruct Apps: Spoliation by Design? (Agnieszka McPeak, U Toledo, 19 Feb 2018) - Abstract: The Federal Rules of Civil Procedure are at risk of being out of sync with current technology trends. Privacy policy in the US and Europe encourages “privacy by design,” the idea that privacy-enhancing features should be built into the very design of new technology. Self-destruct apps, like Snapchat, Confide, and Vaporstream, embody privacy by design by offering ephemeral communication tools that mimic live conversation and avoid permanent records. At the same time, the Federal Rules of Civil Procedure contemplate broad access to relevant information, including electronically stored information, and impose potentially serious consequences in litigation when relevant information is not preserved. This essay analyzes the impact self-destruct apps, like Snapchat, will have on civil discovery and explores the tension between privacy policy and preservation duties. It cautions against characterizing self-destruct apps as spoliation by design: onerous or overly expansive preservation duties for self-destructing content are not warranted or desirable. In some contexts, ephemeral messaging may be more akin to live conversation than email, and the Federal Rules need not assume spoliation by their mere use by individuals and businesses. top

A Call To Cyberarms: The International Arbitrator’s Duty To Avoid Digital Intrusion (Fordham Int’l Law Journal, 2017) - International commercial arbitration rests on certain fundamental attributes that cut across the different rule sets and cultural and legal systems in which it operates. There is common ground that any international commercial arbitration regime must encompass integrity and fairness, uphold the legitimate expectations of commercial parties, and respect essential elements of due process such as equal treatment of the parties, a fair opportunity for each party to present its case and neutral adjudicatory proceedings, untainted by illegal conduct. The system and its integrity depend substantially on the role of the arbitrator. As Professor Rogers has stated: [T]he authoritative nature of adjudicatory outcomes, as well as their existence within a larger system, imposes on adjudicators an obligation to preserve the integrity and legitimacy of the adjudicatory system in which they operate. Cyberbreaches of the arbitral process, including intrusion into arbitration-related data and transmissions, pose a direct and serious threat to the integrity and legitimacy of the process. This article posits that the arbitrator, as the presiding actor, has an important, front-line duty to avoid intrusion into the process. The focus here on cyberintrusion into the arbitral process does not imply that international arbitration is uniquely vulnerable to data breaches, but only that international arbitration proceedings are not immune to increasingly pervasive cyberattacks against corporations, law firms, government agencies and officials and other custodians of large electronic data sets of sensitive information. Similarly, our focus on the role and responsibilities of the arbitrator should not obscure that cybersecurity is a shared responsibility and that other actors have independent obligations. 
Arbitrators are not uniquely vulnerable to data breaches and are not guarantors of cybersecurity. In the highly interdependent landscape of international commercial arbitration, data associated with any arbitration matter will only be as secure as the weakest link. Since data security ultimately depends on the responsible conduct and vigilance of individuals, any individual actor can be that weak link, whatever their practice setting, whatever the infrastructure they rely upon, and whatever role they play in an arbitration. * * * [ Polley : Spotted by MIRLN reader Phil Ray @philray66.] top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Egypt ‘to copyright antiquities’ (BBC, 25 Dec 2007) - Egypt’s MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt’s Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. “Commercial use” of ancient monuments like the pyramids or the sphinx would also be controlled, he said. “Even if it is for private use, they must have permission from the Egyptian government,” he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. top

Laura Berg’s letter (New York Times Editorial, 27 April 2008) - The PEN American Center, the literary organization committed to free expression, is honoring an American most people in this country have never read or even heard of: Laura Berg. She is a psychiatric nurse at a Veterans Affairs hospital who was threatened with a sedition investigation after she wrote a letter to the editor denouncing the Bush administration’s bungling of Hurricane Katrina and the Iraq war. That’s right, sedition: inciting rebellion against the government. We suppose nothing should surprise us in these days of government zealotry. But the horror and the shame of that witch hunt should shock everyone. Ms. Berg identified herself as a V.A. nurse when, soon after Katrina’s horrors, she sent her impassioned letter to The Alibi, a paper in Albuquerque. “I am furious with the tragically misplaced priorities and criminal negligence of this government,” she wrote. “We need to wake up and get real here, and act forcefully to remove a government administration playing games of smoke and mirrors and vicious deceit.” Her superiors at the hospital soon alerted the Federal Bureau of Investigation and impounded her office computer, where she keeps the case files of war-scarred veterans she treats. Then she received an official warning in which a Veterans Affairs investigator intoned that her letter “potentially represents sedition.” It took civil rights litigators and Senator Jeff Bingaman of New Mexico to “act forcefully” in reminding the government of the Constitution and her right to free speech. The Department of Veterans Affairs retreated then finally apologized to the shaken Ms. Berg. Even then, she noted, one superior told her it was preferred that she not identify herself as a V.A. nurse in any future letter writing. “And so I am saying I am a V.A. nurse,” Ms. Berg soon boomed out in a radio broadcast. “And some of my fire in writing this about Katrina and Iraq is from my experience as a V.A. nurse.” Thus declared Ms. Berg, well chosen to receive the new PEN/Katherine Anne Porter First Amendment Award. top

MIRLN—- 21 Jan - 10 Feb 2018 (v21.02)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

The NSA knows who you are just by the sound of your voice-and their tech predates Apple and Amazon (CNBC, 20 Jan 2018) - For technology users who have marveled at the ability of Siri or Alexa to recognize their voice, consider this: The National Security Agency has apparently been way ahead of Apple or Amazon. The agency has at its disposal voice recognition technology that it employs to identify terrorists, government spies, or anyone they choose - with just a phone call, according to a report by The Intercept. The disclosure was revealed in a recently published article, part of a trove of documents leaked by former NSA contractor Edward Snowden. The publication wrote that by using recorded audio, the NSA is able to create a “voiceprint,” or a map of qualities that mark a voice as singular, and identify the person speaking. The documents also suggest the agency is continuously improving its speech recognition capabilities, the publication noted. According to a classified memo obtained by The Intercept, the agency has employed this technology since at least 2006, with the document referencing technology “that identifies people by the sound of their voices.” In fact, the NSA used such technology during Operation Iraqi Freedom, when analysts were able to verify audio thought to be of Saddam Hussein speaking. It suggests that national security operatives had access to high-level voice technology long before Amazon, Apple and Google’s solutions became cultural touchstones. A “voiceprint” is “a dynamic computer model of the individual’s vocal characteristics,” the publication explained, created by an algorithm analyzing features like pitch and mouth shape. Then, using the NSA’s formidable bank of recorded audio files, the agency is able to match the speaker to an identity. top

From public Wi-Fi to encrypted emails, NY panel probes security of lawyer communications (NY Law Journal, 23 Jan 2018) - What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer? Those scenarios could put lawyers—and their clients—at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association’s annual conference in Manhattan. One takeaway from the discussion, which was centered around data security in an attorney’s day-to-day practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information. Encryption is often “client dictated,” not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said. * * * Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney’s ethical obligations vary depending on the firm. “Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentiality of client data is a much higher obligation,” said Peters, noting that such a firm’s clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate’s Court work. top

Your sloppy Bitcoin drug deals will haunt you for years (Wired, 26 Jan 2018) - Perhaps you bought some illegal narcotics on the Silk Road half a decade ago, back when that digital black market for every contraband imaginable was still online and bustling. You might already regret that decision, for any number of reasons. After all, the four bitcoins you spent on that bag of hallucinogenic mushrooms would now be worth about as much as an Alfa Romeo. But one group of researchers wants to remind you of yet another reason to rue that transaction: If you weren’t particularly careful in how you spent your cryptocurrency, the evidence of that drug deal may still be hanging around in plain view of law enforcement, even years after the Silk Road was torn off the dark web. Researchers at Qatar University and the country’s Hamad Bin Khalifa University earlier this week published findings that show just how easy it may be to dredge up evidence of years-old bitcoin transactions when spenders didn’t carefully launder their payments. In well over 100 cases, they could connect someone’s bitcoin payment on a dark web site to that person’s public account. In more than 20 instances, they say, they could easily link those public accounts to transactions specifically on the Silk Road, finding even some purchasers’ specific names and locations. top
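The article attributes the linking to two things the researchers had in hand: addresses people had themselves posted in public (forum signatures, social-media bios) and the public ledger, which lets an analyst merge addresses spent together in one transaction into a single wallet cluster and then ask whether that cluster ever paid an address scraped from a market page. The Python below is an added example and not the researchers' code; the ledger, the address names, the public-profile mapping and the market address are all constructed for illustration, and the "careful" case at the end shows where the simplest heuristic stops.

```python
"""Common-input-ownership clustering over a constructed Bitcoin ledger,
linking publicly posted addresses to darknet-market payments.
Added example; every transaction and address here is made up."""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

Tx = Tuple[str, List[str], List[str]]   # (txid, input addresses, output addresses)


class UnionFind:
    """Disjoint sets used to merge addresses into wallet clusters."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed ledger (not real chain data).
TXS: List[Tx] = [
    # Alice posts 1alice in a forum signature and funds it from an exchange.
    ("tx1", ["1exchangeHot"], ["1alice", "1exchangeChange"]),
    # Sloppy: she pays a vendor by spending 1alice and 1aliceB in one tx,
    # so the common-input heuristic ties both addresses to one owner.
    ("tx2", ["1alice", "1aliceB"], ["1marketVendor", "1aliceChange"]),
    # Her change is later spent with a third address; without a change
    # heuristic this spend is NOT joined to the cluster above.
    ("tx3", ["1aliceChange", "1aliceC"], ["1shop"]),
    # Bob pays the vendor straight from the address in his Twitter bio.
    ("tx4", ["1bob"], ["1marketVendor"]),
    # Careful: Carol moves coins to a fresh single-input address first.
    ("tx5", ["1carolPublic"], ["1carolFresh"]),
    ("tx6", ["1carolFresh"], ["1marketVendor"]),
]

# Addresses scraped from public profiles, mapped to the handle that posted them.
PUBLIC_ADDRS: Dict[str, str] = {
    "1alice": "forum_user_alice",
    "1bob": "twitter_bob",
    "1carolPublic": "reddit_carol",
}
# Payment addresses captured from a market's hidden-service pages.
MARKET_ADDRS: Set[str] = {"1marketVendor"}


def cluster_inputs(txs: List[Tx]) -> UnionFind:
    """Common-input-ownership heuristic: every input of one transaction is
    assumed to belong to the same entity, so merge them into one cluster."""
    uf = UnionFind()
    for _, inputs, _ in txs:
        first = inputs[0]
        uf.find(first)                      # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(first, addr)
    return uf


def payers_to(txs: List[Tx], targets: Set[str]) -> Set[str]:
    """Every input address of a transaction that pays one of the targets."""
    return {a for _, ins, outs in txs if set(outs) & targets for a in ins}


def link_public_to_market(txs: List[Tx], public: Dict[str, str],
                          market: Set[str]) -> Dict[str, Set[str]]:
    """For each public handle, the addresses in its wallet cluster that paid
    a market address (an empty set means the heuristic found no link)."""
    uf = cluster_inputs(txs)
    by_root: Dict[str, Set[str]] = defaultdict(set)
    for addr in payers_to(txs, market):
        by_root[uf.find(addr)].add(addr)
    return {handle: by_root.get(uf.find(addr), set())
            for addr, handle in public.items()}
```

Running `link_public_to_market(TXS, PUBLIC_ADDRS, MARKET_ADDRS)` ties Alice's forum handle to both of the addresses she spent at the vendor and Bob's Twitter handle to his direct payment, while Carol's single-input hop leaves her unlinked. That gap is only a limit of this one heuristic: change-address and taint-flow heuristics, not applied here, can follow the hop, which is why the article's point stands that the public address itself is the lasting liability.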

ICE is about to start tracking license plates across the US (The Verge, 26 Jan 2018) - The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. “Like most other law enforcement agencies, ICE uses information obtained from license plate readers as one tool in support of its investigations,” spokesperson Dani Bennett said in a statement. “ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database through this contract.” While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. Vigilant also partners with local law enforcement agencies, often collecting even more data from camera-equipped police cars. The result is a massive vehicle-tracking network generating as many as 100 million sightings per month, each tagged with a date, time, and GPS coordinates of the sighting. top

First ‘Jackpotting’ attacks hit US ATMs (Krebs on Security, 27 Jan 2018) - ATM “jackpotting” - a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand - has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States. To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics - often a combination of both - to control the operations of the ATM. The Secret Service alert explains that the attackers typically use an endoscope - a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body - to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM’s computer. “Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers,” reads the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash. “In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds,” the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. top
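A detection angle a bank's fraud team can take from the alert above: the behaviours it names (dispensing while the machine shows Out of Service, dispensing that no host authorization preceded, and a cash-out rate of tens of bills every few seconds) are all visible in the ATM's own event journal. The Python below is an added example, not vendor or Secret Service code; the journal format, event names, thresholds and sample lines are assumed for illustration, and the constructed burst mirrors the 40-bills-every-23-seconds rate quoted in the alert.

```python
"""Detect jackpotting-style cash-outs in a constructed ATM event journal.
Added example with an assumed, simplified log format; not vendor code."""

from collections import deque
from datetime import datetime, timedelta
from typing import Deque, List, Optional, Tuple

# Assumed journal format: "<ISO timestamp> <EVENT> [<argument>]".
# Constructed sample: one normal withdrawal in the morning, then a burst the
# next night while the machine reports Out of Service and no host authorized
# anything.
SAMPLE_JOURNAL = """\
2018-01-25T09:00:01 CARD_READ
2018-01-25T09:00:09 HOST_AUTH 200
2018-01-25T09:00:12 DISPENSE 10
2018-01-25T09:00:20 CARD_EJECT
2018-01-26T03:10:00 STATUS out_of_service
2018-01-26T03:10:05 DISPENSE 40
2018-01-26T03:10:28 DISPENSE 40
2018-01-26T03:10:51 DISPENSE 40
2018-01-26T03:11:14 DISPENSE 40
"""

AUTH_WINDOW = timedelta(seconds=120)   # a dispense must follow a host auth
RATE_WINDOW = timedelta(seconds=60)    # sliding window for the bill-rate check
RATE_LIMIT = 100                       # bills per RATE_WINDOW treated as abnormal


def parse_journal(text: str) -> List[Tuple[datetime, str, str]]:
    """Split journal lines into (timestamp, event, argument) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(maxsplit=2)
        ts = datetime.fromisoformat(parts[0])
        rows.append((ts, parts[1], parts[2] if len(parts) > 2 else ""))
    return rows


def detect_jackpotting(rows: List[Tuple[datetime, str, str]]) -> List[Tuple[datetime, str]]:
    """Return (timestamp, reason) alerts for suspicious DISPENSE events.

    Three independent signals are checked per dispense: machine status,
    presence of a recent host authorization, and the bill rate over a
    sliding window. Each signal that fires produces its own alert so the
    analyst sees which ones coincided."""
    alerts: List[Tuple[datetime, str]] = []
    status = "in_service"
    last_auth: Optional[datetime] = None
    window: Deque[Tuple[datetime, int]] = deque()    # recent (ts, bills)
    for ts, event, arg in rows:
        if event == "STATUS":
            status = arg
        elif event == "HOST_AUTH":
            last_auth = ts
        elif event == "DISPENSE":
            bills = int(arg)
            window.append((ts, bills))
            while window and ts - window[0][0] > RATE_WINDOW:
                window.popleft()
            if status != "in_service":
                alerts.append((ts, f"dispense while status={status}"))
            if last_auth is None or ts - last_auth > AUTH_WINDOW:
                alerts.append((ts, "dispense without recent host authorization"))
            total = sum(b for _, b in window)
            if total > RATE_LIMIT:
                alerts.append((ts, f"{total} bills in {RATE_WINDOW.seconds}s"))
    return alerts
```

On the sample, the morning withdrawal raises nothing and every night-time dispense raises at least two alerts; the rate check joins in from the third dispense once more than 100 bills fall inside one minute. The missing-authorization signal is the strongest of the three, because a jackpotting cash-out is driven from the ATM's own PC rather than approved by the bank's host, so the host side has no transaction to reconcile against the cash that left the safe.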

Arizona bar accuses libel lawyers of suing fake defendants (Volokh Conspiracy, 29 Jan 2018) - Friday, the Arizona State Bar filed a disciplinary complaint accusing two lawyers of filing libel lawsuits against fake defendants. Why would anyone do such a thing, you might ask? How can you get real money (or real compliance with an injunction) from a fake defendant? Well, say you think some people are libeling you online. You try to get them to take down the libelous material, but you can’t find them, or they refuse. You try to get the hosting site to delete the material, but it refuses. (Under the federal 47 U.S.C. § 230 statute, such intermediaries can refuse without fear of liability.) So you e-mail Google, and ask it to remove the page from Google’s indexes, so that Google users won’t see it. “We don’t know whether it’s actually libelous,” Google responds, “and we aren’t equipped to figure that out. But tell you what: You get a court order against the author that concludes the material is libelous, and then maybe we’ll consider deindexing it.” Now you, or the reputation management company you hired, can get a lawyer and bring that lawsuit. Many people do—but it’s time-consuming and very expensive. And maybe you’ll lose: Maybe the defendant will defend, and will point out that the statement is just nonactionable opinion, or is factually accurate, or (what often happens) was written long enough ago that the statute of limitations has run. So you might be out the money, and without a remedy. That’s where the fake-defendant lawsuits come in. Someone—the plaintiff, the reputation management company, or the lawyer—decides to file suit against a nonexistent defendant. The complaint is filed in court together with a stipulation from the “defendant” (actually filed by whoever is engineering this on the plaintiff’s behalf) agreeing that the statement was false and defamatory, and agreeing to the entry of an injunction ordering the “defendant” to remove the statement. 
The court sees what appears to be agreement between the parties, and issues the injunction. In one such case, I saw the injunction issued a blazingly fast four days after the filing. Lovely! The only problem, of course, is that it’s a fraud on the court. top

Pentagon reviews GPS policies after soldiers’ Strava tracks are seemingly exposed (NPR, 29 Jan 2018) - Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers - experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it’s looking at adding new training and policies to address security concerns. “Recent data releases emphasize the need for situational awareness when members of the military share personal information,” Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava - which includes an option for keeping users’ workout data private - published the updated Heat Map late last year. The California-based company calls itself “the social network for athletes,” saying that its mobile apps and website connect millions of people every day. * * * Describing what he calls “a security nightmare for governments around the world,” foreign policy columnist Jeffrey Lewis describes for The Daily Beast how he used the Strava data to explore a missile command center in Taiwan whose location is meant to be secret. top
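The heat map leaked locations because aggregation alone does not anonymize: a grid cell lit up by three soldiers running the same perimeter every day is as bright as a city park, and it reveals their routine. One mitigation a publisher can apply before release is to drop every cell backed by fewer than k distinct contributors, and to honour each user's private flag before anything is counted. The Python below is an added example, not Strava's code; the grid size, the threshold and the GPS points are constructed for illustration.

```python
"""Publish heat-map cells only when enough distinct users stand behind them.
Added example with constructed GPS points; not Strava's implementation."""

from collections import defaultdict
from typing import Dict, List, Set, Tuple

CELL_DEG = 0.01      # grid cell edge in degrees (roughly 1 km at mid-latitudes)
MIN_USERS = 5        # assumed minimum distinct users per published cell

Cell = Tuple[int, int]
Point = Tuple[str, float, float, bool]   # (user_id, lat, lon, private)

# Constructed sample points.
POINTS: List[Point] = (
    # Busy city park: eight distinct users, all public.
    [(f"city{i}", 40.7829 + i * 0.0003, -73.9654, False) for i in range(8)]
    # Remote compound: three users running the same loop, forty activities.
    + [(f"base{i % 3}", 34.1010 + (i % 4) * 0.0004, 65.5010, False) for i in range(40)]
    # A user who set the private option; must never contribute.
    + [("opted_out", 34.1015, 65.5015, True)]
)


def cell_of(lat: float, lon: float) -> Cell:
    """Map a coordinate to its grid cell index."""
    return (int(lat // CELL_DEG), int(lon // CELL_DEG))


def aggregate(points: List[Point]) -> Tuple[Dict[Cell, int], Dict[Cell, Set[str]]]:
    """Per-cell activity counts and the set of contributing users,
    skipping private points before they are counted."""
    counts: Dict[Cell, int] = defaultdict(int)
    users: Dict[Cell, Set[str]] = defaultdict(set)
    for user, lat, lon, private in points:
        if private:
            continue
        c = cell_of(lat, lon)
        counts[c] += 1
        users[c].add(user)
    return counts, users


def publishable_heatmap(points: List[Point], min_users: int = MIN_USERS) -> Dict[Cell, int]:
    """Keep only cells whose count comes from at least min_users distinct
    users. A cell with many activities but few users is dropped: its
    intensity would be those users' routine, not a crowd's."""
    counts, users = aggregate(points)
    return {c: n for c, n in counts.items() if len(users[c]) >= min_users}
```

With the default threshold the park cell is published with its eight activities and the compound cell, despite forty activities, is suppressed because only three people produced them. Lowering `min_users` to 3 publishes it again, which is the trade-off the publisher has to make explicitly; a per-cell threshold also does nothing about adjacent cells or time-of-day slices, so it is a floor, not a complete defence.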

UK gov will fine infrastructure firms up to £17m for lax cybersecurity safeguards (The Inquirer, 29 Jan 2018) - The UK government has announced that it will fine critical infrastructure organisations up to £17m if they fail to implement appropriate cybersecurity safeguards. UK gov issued the warning over the weekend, telling bosses of energy, transport, water and health firms to boost their cyber security defences or risk being slapped with hefty fines under the incoming Network and Information Systems (NIS) directive. It said that, in the future, a regulator will be able to assess the cybersecurity infrastructure of the country’s critical industries to ensure they’re as robust “as possible”. This regulator will have the power to issue legally-binding instructions to improve security, and - if appropriate - impose financial penalties, the government warned. The system will be aimed at ensuring that UK electricity, transport, water, energy, health and digital infrastructure firms are able to deal with cybersecurity threats. It will cover IT threats including power outages, hardware failures and environmental hazards. Under these measures, cybersecurity breaches and system failures such as WannaCry will fall under the NIS directive. top

The shrinking half-life of knowledge, and what that means for KM (KnoCo, 30 Jan 2018) - When John Browne was CEO at BP, he talked about “the shrinking half-life of ideas”. This always struck me as a very interesting concept; one which was fundamental to Browne’s approach to corporate KM. I have since found that he was quoting an older idea from 1962 concerning the shrinking half-life of Knowledge, which has now been popularised and explored by Sam Arbesman (see video) among others. The idea of a half-life comes from nuclear physics, and originally applied to the decay of radioactive nuclei. In knowledge terms it refers to the observation that, as this article tells us: “What we think we know changes over time. Things once accepted as true are shown to be plain wrong. .... But what’s really interesting is that studies of the frequency of citations of scientific papers show they become obsolete at a predictable rate. Just as with radioactive decay, you can’t tell when any one ‘fact’ will reach its expiry date, but you can predict how long it will take for half the facts in any discipline to do so. In medicine, for example, ‘truth’ seems to have a 45-year half-life. Some medical schools teach students that, within a few years, half of what they’ve been taught will be wrong - they just don’t know which half. In mathematics, the rate of decay is much slower: very few accepted mathematical proofs get disproved.” Not all knowledge has a short half-life - sometimes the knowledge is linked to the technology, and if you are running a nuclear power station using 1960s control software, then the half-life of the knowledge of the software has to exceed the life of the power station. However in most other areas, where knowledge is evolving and changing, and your competitive advantage lies (at least partly) in having the best and most valid knowledge, then hanging on to old knowledge which is past its half-life can be competitively dangerous. 
And the faster the speed of change, the shorter the half-life of knowledge and the greater the danger of using obsolete knowledge. Where knowledge has a short half-life, Knowledge Management is not so much about documenting and protecting “what you know”, it is about how fast you can know something new, and how easily you can let go of the old. top

Inserting people into porn movies: The First Amendment textbook problem (2005) (Eugene Volokh, 31 Jan 2018) - I added this problem to the second edition of my First Amendment textbook back in 2005, and accounts suggest that it’s now quite timely: Within ten or twenty years [of 2005], there will probably be consumer-usable software that can easily overlay people’s photographs and voices onto movies that depict someone else. The program would automatically and seamlessly alter multiple scenes in which the character is shown from different angles, with different facial expressions, doing different things. (Of course, one can already do this in some measure with photos, but this hypothetical program would be much more sophisticated.) Naturally, many people, famous or not, will be unhappy knowing that they are depicted without their permission in others’ home sex movies. Imagine that Congress therefore decides to prohibit the distribution and use of the computer program that allows such movies to be made. How would such a law be different for First Amendment purposes from normal obscenity legislation? Do you think the law should be upheld (even if that means changing First Amendment law), and on what grounds? If you think the law should be struck down, what about laws that: (1) prohibit the use of the software to make such pornographic movies without the photographed person’s consent; (2) prohibit the noncommercial distribution of the movies, whether to a small group of friends or on the Internet, or; (3) prohibit the commercial distribution of the movies? Don’t limit yourself to considering whether such laws are constitutional under existing obscenity doctrine. Consider also whether you think there should be an obscenity exception at all, and whether you think it should be broader or narrower than it now is. top

- and -

Personalized fake porn videos are now for sale on Reddit (Motherboard, 6 Feb 2018) - Until last week, people in Reddit’s deepfakes community, which creates fake porn videos of celebrities using a machine learning algorithm, have been content to post their work for free, framing it as their hobby. But increasingly, they’re taking the opportunity to make a buck off of nonconsenting women’s likenesses, by selling face-swapped fake porn creations for cryptocurrency. In the weeks since we first reported on it, the r/deepfakes subreddit-home base for AI-generated fake porn videos, mostly of unconsenting celebrities-has exploded to more than 85,000 subscribers. One of those subreddits, r/deepfakeservice, is dedicated to commissioning deepfake videos from other users. The pinned rules post includes guidelines for formatting requests and service offers: For requests, the seller would ask for a description of the video, price, what they need to work with (images of the celebrity needed to create the fake video), and how much time it will take. Where there’s demand, there are people waiting to turn a profit. The subreddit has been up for about a week and has over 200 subscribers and a handful of requests. It raises the question: If trading fake porn videos for free exists in a legal gray area as we’ve reported, does putting a price tag on these videos change the game? [See also, Reddit bans ‘involuntary porn’ communities that trade AI-generated celebrity videos (Tech Crunch, 7 Feb 2018)] top

Get to know the city of Detroit’s propaganda arm (Metro Times, 31 Jan 2018) - Early this month, in the days after Detroit Mayor Mike Duggan said he’d be moving forward with a plan to require thousands of Detroit businesses to buy into a costly surveillance program intended to reduce crime, a sponsored post that looked favorably upon the program appeared at the top of our Facebook timeline. The linked content - “Inside the Real Time Crime Center, DPD’s 24-hour monitoring station” - had all of the trappings of a news story. There was a headline, a byline, a mix of quotes and information. It was published at a site called “theneighborhoods.org,” suggesting it may have been the work of a community news nonprofit. But the story was not journalism. It was written by the Detroit city government - more specifically, its “Storytelling” department. The department created by Duggan last year is believed to be the first of its kind in the nation. Staffed by six people, some of them former journalists, its primary objective is to populate a website and cable channel called “The Neighborhoods,” which launched as Duggan was in the midst of a re-election effort that hinged on his ability to thwart perceptions he’d let the city’s neighborhoods languish during his first term. The company line at the time was that the site would “give Detroiters and their neighborhoods a stronger voice,” filling a void department head and “chief storyteller” Aaron Foley claimed traditional media hadn’t. Five months in, the website appears to be fulfilling that mission - in part. The Neighborhoods’ story grid is primarily made up of features on local businesses, notices on city services, and “things-to-do” listicles that include some neighborhood happenings. But the story posted Jan. 10 did not give Detroiters a “stronger voice” - it omitted their voices almost entirely. 
In covering the controversial and costly Project Green Light surveillance program following word of a possible mandate, the piece did not include the voices of Detroit business owners who might oppose being forced to buy the technology, nor did it provide quotes from any residents concerned about being filmed - it featured only voices from the law enforcement and counterterrorism intelligence communities. To the undiscerning reader, the report may have seemed innocuous. Project Green Light, a program in which businesses pay for cameras that stream video footage directly into Detroit police headquarters, is generally known for helping drive down crime where it’s present. The Neighborhoods’ story gave readers a glimpse into the Real Time Crime Center where the footage is streamed, and it supplied an anecdote in which police were able to quickly find and arrest a shooting suspect who was caught on tape. The story also did offer a few words about privacy concerns - though only to quickly shoot them down via an officer who said that if people were made to choose between protection and privacy, they’d choose protection. But the program has drawn criticism from the American Civil Liberties Union of Michigan, and business owners have questioned its benefits. Earlier this month we reported that the expensive technology doesn’t appear to be helping stop crimes in progress, and that some business owners feel they benefit only from the perks of the system, which include “priority 1” police response times of 14 minutes. “It’s more of a ‘pay and we’ll come or don’t pay and we’re not coming,’” Billy Jawad, who runs a gas station on 7 Mile and Meyers, told us. The Neighborhoods story overlooked these dynamics, but it also neglected to mention a glaring news peg. Just days earlier, Duggan had said “the votes in council are there” to pass a law that would require any business open past 10 p.m. to buy the technology - at a cost of at least $4,000, plus monthly fees of $140 and up. 
The proposal, which the city later said would not come for about a year, could impact up to 4,000 businesses, according to Crain’s Detroit Business. top

Google Search results to give ‘diverse’ answers (BBC, 31 Jan 2018) - Google says it will soon alter its Search tool to provide “diverse perspectives” where appropriate. The change will affect the boxed text that often appears at the top of results pages - known as a Snippet - which contains a response sourced from a third-party site. At present, Google provides only a single box but it will sometimes show multiple Snippets in the future. The change could help Google tackle claims it sometimes spreads lies. But one expert warned the move introduced fresh risks of its own. Google introduced Snippets into its search results in 2014, placing the boxed text below paid listings but above other links. The idea is to provide information that users want without them having to click through to another page. Google acknowledged at the time that “fact quality” would vary depending on the request. But it has been accused of providing “shockingly bad” information in some cases. Google offered a less controversial example of a problem, in a blog detailing its new approach. It said that when users asked if reptiles made “good pets” they were given several reasons why the answer was yes, but if they asked if the animals made “bad pets” they were given contradictory advice. It said this happened because its system was designed to favour content that aligned with the posed question, and suggested that offering different viewpoints would therefore be a better option. “There are often legitimate diverse perspectives offered by publishers, and we want to provide users visibility and access into those perspectives from multiple sources,” wrote Matthew Gray, Google’s Snippets chief. top

Opinion warns against judges doing online research on facts related to cases (ABA Journal, Feb 2018) - In Formal Opinion 478, the ABA Standing Committee on Ethics and Professional Responsibility addresses the restrictions imposed by the 2007 ABA Model Code of Judicial Conduct on a judge searching the internet for information helpful in deciding a case. The ABA opinion concludes that Rule 2.9(C) of the Model Code prohibits a judge from researching adjudicative facts on the internet unless a fact is subject to judicial notice. Rule 2.9(C) clearly and definitively declares that “a judge shall not investigate facts in a matter independently, and shall consider only the evidence presented and any facts that may properly be judicially noticed.” Acknowledging the integral part that search engines play in everyday life, Comment 6 to Rule 2.9 bluntly tells judges that the prohibition “extends to information available in all mediums, including electronic.” While recognizing that the internet, including social networking sites, provides immediate access to a limitless amount of information potentially useful to a judge laboring over difficult case-specific factual issues, the recent ABA opinion highlights two important justifications for the prohibition against electronic factual research. First, information found on the web may be fleeting, biased, misleading and sometimes downright false. Second, unless the narrow judicial-notice exception applies, gathering even trustworthy information from the internet compromises the division of responsibility between the judge and the parties so essential to the proper functioning of the adversarial system. The committee emphasizes this point by describing the “defining feature” of the judicial role as a judge’s duty to base decisions only on evidence presented in court and available to the parties. The limitations on independent factual research by judges are not solely a matter of judicial ethics. 
Rule 2.9(C) is one of the few provisions of the Model Code that integrates an evidentiary rule into an ethical standard. Rule 2.9(C) permits a judge to consider a fact from sources other than the evidence submitted by the parties as long as the judge abides by his or her jurisdiction’s requirements for taking judicial notice of the fact. Incorporating a rule of evidence into an ethical rule complicates the analysis because, as noted by the committee, judicial notice standards and procedures vary significantly from jurisdiction to jurisdiction. To illustrate how Rule 2.9(C) and the doctrine of judicial notice interface, the committee examines Federal Rule of Evidence 201, which governs judicial notice. * * * top

Freedom of the Press Foundation will preserve Gawker’s archives (Tech Crunch, 1 Feb 2018) - Gawker’s posts will be captured and saved by the non-profit Freedom of the Press Foundation, following a report that venture capitalist Peter Thiel wants to buy its remaining assets, including archived content and domain names. Thiel bankrolled the lawsuit that led to Gawker’s bankruptcy and eventual shutdown in 2016. In a blog post, Parker Higgins, the Freedom of the Press Foundation’s director of special projects, said it is launching an online archive collection with Archive-It, a service developed by the Internet Archive (the non-profit that runs the Wayback Machine). The archive will focus on preserving the entire sites of “news outlets we deem to be especially vulnerable to the ‘billionaire problem,’” Higgins wrote. Higgins wrote that by archiving news sites, the Freedom of the Press Foundation “seek[s] to reduce the ‘upside’ for wealthy individuals and organizations who would eliminate embarrassing or unflattering coverage by purchasing outlets outright. In other words, we hope that sites that can’t simply be made to disappear will show some immunity to the billionaire problem.” Archive-It crawls and stores copies of webpages at specific times and is used by universities, libraries, museums and other organizations to preserve sites they consider important historic documents. For example, UCLA used it to archive sites related to the Occupy Wall Street protests, while the Internet Archive made a collection of sites, news coverage, blog entries and documents about the Wikileaks releases. The Freedom of the Press Foundation has already used Archive-It to capture the LA Weekly after it was acquired by Semenal Media, which originally tried to keep the identity of its owners secret, and then fired most of the newspaper’s editorial staff. Preserved content from Gawker will appear in the Freedom of the Press Foundation’s collection, as well as on the Wayback Machine. 
[See also, Archiving the alternative press threatened by wealthy buyers (Freedom of the Press Foundation, 31 Jan 2018)] top

A cybersecurity tip sheet for U.S. campaign officials is gaining traction, usage in field (CyberScoop, 1 Feb 2018) - A prominent nonprofit research organization has begun distributing tip sheets to campaign officials in an effort to safeguard the 2018 midterm elections from hackers. Alison Lundergan Grimes, Kentucky’s secretary of state, and Mac Warner, West Virginia’s secretary of state, are now sharing the “Cybersecurity Campaign Playbook” with candidates seeking office in their states. Kentucky and West Virginia represent the first two states in the country to distribute and leverage these guidelines. The playbook was created by Defending Digital Democracy (DDD) - a bipartisan initiative focused on providing tools and strategies to protect the democratic process from cyberattacks. The initiative was launched last summer at the Belfer Center for Science and International Affairs at Harvard Kennedy School. It is led by two former campaign managers who were involved in leading failed presidential campaigns for 2016 Democratic candidate Hillary Clinton and 2012 Republican candidate Mitt Romney, respectively. The DDD playbook is intended for campaigns that don’t have the means to hire professional cybersecurity staff. The recommendations are supposed to be easily digestible for people without technical training. The document was created with the goal of providing political campaigns, candidates and their staff with the basic information to prevent digital attacks. It will be used to “provide campaign operatives with bipartisan and commonsense steps on cybersecurity,” Colin Reed, senior vice president of public affairs at DDD, told CyberScoop. top

3 million Americans live in higher education deserts (InsideHigherEd, 2 Feb 2018) - Roughly three million Americans live more than 25 miles from a broad-access public college and do not have the sort of high-speed internet connection necessary for online college programs, according to a report from the Urban Institute’s education policy program. The institute used data from the U.S. Department of Education and the Federal Communications Commission to identify these education “deserts,” cross-referencing that information with data from the Census Bureau to determine who lives in them. The report found that 17.6 million adults live in a physical higher education desert, with 3.1 million (1.3 percent of adults in the U.S.) lacking access to online and physical college programs. The report also tracked the demographics of people who live in education deserts. “This study demonstrates what many Native Americans, rural Americans and other Americans living in education deserts already know: the internet has not untethered all of us from our geographic locations,” said the report. “As long as broadband access depends on geography, place still plays an important role in access to higher education.” top

NIST issues “Blockchain Technology Overview” (Ride The Lightning, 5 Feb 2018) - The National Institute of Standards and Technology (NIST) has issued a report titled “Blockchain Technology Overview.” The report is intended to provide a high-level technical overview and discusses the application of blockchain technology to electronic currency in depth as well as broader applications. “We want to help people understand how blockchains work so that they can appropriately and usefully apply them to technology problems,” said NIST computer scientist Dylan Yaga, who is one of the authors of the report. “It’s an introduction to the things you should understand and think about if you want to use blockchain.” According to Yaga, blockchain technology is a powerful new paradigm for business. “Because the market is growing so rapidly, several stakeholders, customers and agencies asked NIST to create a straightforward description of blockchain so that newcomers to the marketplace could enter with the same knowledge about the technology,” according to the NIST press release. The NIST draft report is open to public comments from January 24 to February 23, 2018. top

Businesses with Apple and Cisco products may now pay less for cybersecurity insurance (Tech Crunch, 5 Feb 2018) - Apple and Cisco announced this morning a new deal with insurer Allianz that will allow businesses with their technology products to receive better terms on their cyber insurance coverage, including lower deductibles - or even no deductibles, in some cases. Allianz said it made the decision to offer these better terms after evaluating the technical foundation of Apple and Cisco’s products, like Cisco’s Ransomware Defense and Apple’s iPhone, iPad and Mac. Allianz found Apple and Cisco’s products offered businesses a “superior level of security,” Apple said in its own announcement about the new deal. The new cyber security insurance solution will involve Aon’s cyber security professionals assessing potential customers’ current cyber security situation and recommendations on how to improve their defenses. And participating organizations will have access to Cisco and Aon’s Incident Response teams in the event of a malware attack. top

An ‘iceberg’ of unseen crimes: Many cyber offenses go unreported (NYT, 5 Feb 2018) - Utah’s chief law enforcement officer was deep in the fight against opioids when he realized that a lack of data on internet sales of fentanyl was hindering investigations. So the officer, Keith D. Squires, the state’s public safety commissioner, created a team of analysts to track and chronicle online distribution patterns of the drug. In Philadelphia, hidebound ways of confronting iPhone thefts let illicit networks for distributing stolen cellphones thrive. Detectives treated each robbery as an unrelated street crime - known as “apple picking” - rather than a vast scheme with connected channels used by thieves to sell the stolen phones. And in Nashville, investigators had no meaningful statistics on a nasty new swindle of the digital age: the “cheating husband” email scheme. In it, anonymous extortionists mass-email large numbers of men, threatening to unmask their infidelities. The extortionists have no idea if the men have done anything wrong, but enough of them are guilty, it turns out, that some pay up, sometimes with Bitcoin. Each case demonstrates how the tools used to fight crime and measure crime trends in the United States are outdated. Even as certain kinds of crimes are declining, others are increasing - yet because so many occur online and have no geographic borders, local police departments face new challenges not only fighting them, but also keeping track of them. Politicians often promote crime declines without acknowledging the rise of new cybercrimes. Many of the offenses are not even counted when major crimes around the nation are tallied. Among them: identity theft; sexual exploitation; ransomware attacks; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas. 
In a sense, technology has created an extraordinary moment for industrious criminals, increasing profits without the risk of street violence. Digital villainy can be launched from faraway states, or countries, eliminating physical threats the police traditionally confront. Cyberperpetrators remain unknown. Law enforcement officials, meanwhile, ask themselves: Who owns their crimes? Who must investigate them? What are the specific violations? Who are the victims? How can we prevent it? top

The NYT debuts its first augmented reality-enhanced story on iOS (Tech Crunch, 6 Feb 2018) - Apple’s investment in AR technologies has been ushering in a new wave of apps, from those that let you perform more practical tasks - like visualizing furniture placement in rooms - to those with mass consumer appeal - like AR gaming, including Niantic’s upcoming Harry Potter: Wizards Unite. But AR can also be used to create unique experiences within more traditional apps, too, as The New York Times is showcasing with today’s launch of its first-ever AR experiment for storytelling. In The NYT’s iOS app for iPhone and iPad, the company is debuting its first AR-enabled article, offering a preview of the Winter Olympics. The article focuses on top Olympic athletes, including figure skater Nathan Chen, snowboarder Anna Gasser, short track speed skater J.R. Celski, and hockey goalie Alex Rigsby. In the app, NYT readers can view the athletes appear in the room beside them, zoom in and out, and walk around in 360 degrees to see them from every side. This lets you get up close and personal with the Olympians, where you’re able to see things like how high Chen’s skates are off the ice when performing a jump, the offset of Celski’s skates, or how far open Alex Rigsby’s glove is when making a save. * * * [Polley: quite impressive - the athletes appear in high-def, right in the middle of my living room; they’re frozen in time, and I can walk entirely around them, and approach/back-away to see more detail, close-up. Impressive.] top

An AI that reads privacy policies so that you don’t have to (Wired, 9 Feb 2018) - You don’t read privacy policies. And of course, that’s because they’re not actually written for you, or any of the other billions of people who click to agree to their inscrutable legalese. Instead, like bad poetry and teenagers’ diaries, those millions upon millions of words are produced for the benefit of their authors, not readers-the lawyers who wrote those get-out clauses to protect their Silicon Valley employers. But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an artificial intelligence that’s fluent in fine print. Today, researchers at Switzerland’s Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of Polisis-short for “privacy policy analysis”-a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any online service’s privacy policy, so you don’t have to. In about 30 seconds, Polisis can read a privacy policy it’s never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis’ creators have also built a chat interface they call Pribot that’s designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight. “What if we visualize what’s in the policy for the user?” asks Hamza Harkous, an EPFL researcher who led the work, describing the thoughts that led the group to their work on Polisis and Pribot. 
“Not to give every piece of the policy, but just the interesting stuff… What if we turned privacy policies into a conversation?” Plug in the website for Pokemon Go, for instance, and Polisis will immediately find its privacy policy and show you the vast panoply of information that the game collects, from IP addresses and device IDs to location and demographics, as well as how those data sources are split between advertising, marketing, and use by the game itself. It also shows that only a small sliver of that data is subject to a clear opt-in consent. (See how Polisis lays out those data flows in the chart below.) Feed it the website for DNA analysis app Helix, and Polisis shows that health and demographic information is collected for analytics and basic services, but, reassuringly, none of it is used for advertising and marketing, and most of the sensitive data collection is opt-in. top

RESOURCES

SEC Cybersecurity Guidelines: Insights Into the Utility of Risk Factor Disclosures for Investors (ABA Business Law Section, Jan 2018) - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign. top

The Cyberlaw Guide to Protest Art: Roadmap (Harvard Berkman/Klein, 22 Jan 2018) - Art plays a significant role in American democracy. Across the political spectrum, protest art - posters, songs, poems, memes, and more - inspires us, gives us a sense of community, and provides insight into how others think and feel about important and often controversial issues. While protest art has been part of our culture for a very long time, the Internet and social media have changed the available media and the visibility of protest artists. Digital technologies make it easy to find existing works and incorporate them into your own, and art that goes viral online spreads faster than was ever possible in the analog world. Many artists find the law that governs all of this unclear in the physical world, and even murkier online. The authors of this guide are a collection of lawyers and creative folks. We have seen how the law can undermine artists, writers, and musicians when they’re caught unaware, and distract them from the work they want to do. But we’ve also observed how savvy creators use the law to enhance their work and broaden their audiences. This guide is intended to ensure that you, the reader, can be one of the savvy ones. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Sharper aerial pictures spark privacy fears (The Guardian, 24 Jan 2008) - If you were up to no good in the London open air last winter, start working up excuses: you might be on the web. This week, a company launches an online map of central London which includes aerial photography at four times the resolution of existing online maps: the equivalent of looking down from the 10th floor. The map, from 192.com, publishes aerial photography at a resolution of 4cm for London and 12.5cm for the rest of the UK. In the right conditions, images at this resolution are enough to identify individuals - a step that existing online mapping ventures such as Google Earth and Microsoft’s Virtual Earth have so far been careful to avoid. Alastair Crawford, 192’s chief executive, makes no apologies for the possibilities: “We’re considering holding a competition. We want to challenge people to find out how much naughty stuff is happening. If you’re having an affair in London, you’d better be careful!” The mapping venture is likely to heat up the debate about the extent to which information about individuals is available on the web - especially as 192.com, which specialises in providing data about individuals gleaned from official sources has announced plans to attach estimated ages to every person in its database of 27 million Britons. top

GOP halts effort to retrieve White House e-mails (Washington Post, 27 Feb 2008) - After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel’s chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration - including many sent or received by former presidential adviser Karl Rove - will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it “has no intention of trying to restore the missing White House e-mails.” “The result is a potentially enormous gap in the historical record,” Waxman said, including the buildup to the Iraq war. Spokesman Danny Diaz said in a statement that the RNC “is fully compliant with the spirit and letter of the law.” He declined further comment. top

MIRLN—- 1-20 Jan 2018 (v21.01)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

  FERC proposes rule to expand cyber incident reporting (Fifth Domain, 28 Dec 2017) - The Federal Energy Regulatory Commission wants to expand cyber incident reporting requirements to include any time an adversary attempts to break into an energy company’s networks, rather than only those that compromise the company’s critical operations. “The proposed development of modified mandatory reporting requirements is intended to improve awareness of existing and future cyber security threats and potential vulnerabilities.” At the crux of the proposed rule is the question of what defines a “reportable cyber incident” in the energy industry. According to the current CIP reliability standards, a cyber incident must disrupt core processes in order to be considered critical. “Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity’s core activities are not subject to the current reporting requirements,” the proposed rule said. This definition may also leave out cyberattacks designed to steal information or create openings for a future, large scale hack, meaning that incident reports would not give early warning by recording that activity. The new rule was proposed after the Foundation for Resilient Societies filed a petition on January 13, 2017, that FERC institute a rule requiring an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System. top

- and -

SEC plans cybersecurity guidance refresh: What to expect (Data Breach Today, 29 Dec 2017) - The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors. The agency has indicated that it expects to refine guidance around how businesses disclose cybersecurity risks to investors as well as require insider trading programs to include blackout rules in the event that a suspected data breach gets discovered (see Report: SEC Plans Breach Reporting Guidance Refresh). “Unfortunately, in the reality that we live in now, cyber breaches are going to be increasingly common, and this is in part why the SEC is so fully focused on cybersecurity,” says Matt Rossi, a former assistant chief litigation counsel to the SEC who’s now an attorney specializing in securities litigation and enforcement as well as data privacy at global law firm Mayer Brown. “Chairman [Jay] Clayton said it’s one of the greatest risks to the financial system right now.” Indeed, in September, Clayton signaled to a Senate banking committee that companies would be required to disclose more cybersecurity information to investors in a timely manner (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms). His remarks, ironically, followed the SEC having failed to publicly disclose its own major breach for 16 months (see Hackers May Have Traded on Stolen SEC Data). In November, meanwhile, William Hinman, the SEC’s director of corporation finance, signaled that the regulator’s cybersecurity guidance, first issued on Oct. 13, 2011, wouldn’t be overhauled but rather amended with some new requirements, such as how breach information gets disclosed internally and escalated to senior management (see Report: SEC Plans Breach Reporting Guidance Refresh). 
With the refresh, Rossi says businesses should expect to have to disclose more cyber risks, refine their insider trading policies and prove that they’re taking information security seriously. top

Zero-width [fingerprinting] characters (Zach Aysan, 30 Dec 2017) - Journalists watch out-you may be unintentionally revealing sources. In early 2016 I realized that it was possible to use zero-width characters, like zero-width non-joiner or other zero-width characters like the zero-width space to fingerprint text. Even with just a single type of zero-width character the presence or non-presence of the non-visible character is enough bits to fingerprint even the shortest text. We’re​ not the​ same text, even though we look the same. We’re not the same​ text, even though we look the same. Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text. They’re often not even visible in contexts where software experts would expect them to be, like on a programming terminal. I also realized that it is possible to use homoglyph substitution (e.g., replacing the letter “a” with its Cyrillic counterpart, “а”), but I dismissed this as too easy to detect due to the differences in character rendering across fonts and systems. However, differences in dashes (en, em, and hyphens), quotes (straight vs curly), word spelling (color vs colour), and the number of spaces after sentence endings could probably go undetected due to their frequent use in real text. With increased effort, synonyms (huge vs large vs massive) can also be used, though it would require some manual setup because words lack single definitions (due to homonyms) and in some contexts would be easier to detect since differing word lengths may cause sentences to wrap differently across documents. * * * After discovering these techniques I shared them with some friends to try to help track down a cyber criminal which they thought might be an insider threat (it wasn’t, it was just a normal blackhat hacker). Then the White House started leaking like an old hose, so I continued to keep quiet. 
The reason I’m writing about this now is that it appears both homoglyph substitution and zero-width fingerprinting have been discovered by others, so journalists should be informed of the existence of these techniques. If your news organization has a pre-existing trove of documents it should be fairly straightforward to scan them for zero-width characters or mixed character encodings. Detecting synonym substitution would require multiple documents and some custom code, but should be fairly straightforward for an intermediately skilled data scientist or software developer with some time. top
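The scan the post recommends for an existing document trove, written here as an added example (this is not Zach Aysan’s code): it reports every zero-width character by offset and name, flags words whose letters mix scripts (the trace left by homoglyph substitution), and can strip the zero-width characters before a copy is passed on. The list of zero-width code points and the sample text are constructed for this example.

```python
import re
import unicodedata

# Invisible format characters that can carry a per-copy fingerprint.
# Constructed list for this example; extend it to suit your corpus.
ZERO_WIDTH = {
    "\u200b": "ZERO WIDTH SPACE",
    "\u200c": "ZERO WIDTH NON-JOINER",
    "\u200d": "ZERO WIDTH JOINER",
    "\u2060": "WORD JOINER",
    "\ufeff": "ZERO WIDTH NO-BREAK SPACE",
    "\u180e": "MONGOLIAN VOWEL SEPARATOR",
}


def find_zero_width(text):
    """Return (offset, character name) for every zero-width character in text."""
    return [(i, ZERO_WIDTH[ch]) for i, ch in enumerate(text) if ch in ZERO_WIDTH]


def script_of(ch):
    """Rough script label taken from the first word of the Unicode name
    ("LATIN SMALL LETTER A" -> "LATIN"); None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def find_mixed_script_words(text):
    """Return (offset, word, scripts) for words whose letters come from more
    than one script, the signature of homoglyph substitution such as a
    Cyrillic 'а' (U+0430) standing in for a Latin 'a'."""
    hits = []
    for m in re.finditer(r"\w+", text):
        word = m.group()
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append((m.start(), word, sorted(scripts)))
    return hits


def strip_zero_width(text):
    """Remove zero-width characters before a document is shared onward."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def scan_report(text):
    """Summarise both checks for one document."""
    zw = find_zero_width(text)
    mixed = find_mixed_script_words(text)
    return {
        "zero_width": len(zw),
        "mixed_script_words": len(mixed),
        "clean": not zw and not mixed,
    }


# Constructed sample: one zero-width space after "memo." and one Cyrillic
# letter hidden inside "example".
SAMPLE = (
    "Attached is the memo.\u200b Please keep it confidential.\n"
    "Login at https://ex\u0430mple.test before Friday."
)

if __name__ == "__main__":
    for offset, name in find_zero_width(SAMPLE):
        print(f"zero-width char at offset {offset}: {name}")
    for offset, word, scripts in find_mixed_script_words(SAMPLE):
        print(f"mixed-script word at offset {offset}: {word!r} uses {scripts}")
    print(scan_report(SAMPLE))
    print(scan_report(strip_zero_width(SAMPLE)))
```

To run it over a trove, read each file with `open(path, encoding="utf-8").read()` and call `scan_report` on the result; a non-zero `zero_width` count means that copy carries something invisible and may be distinguishable from other copies, and `strip_zero_width` removes that carrier. The spelling, punctuation and synonym variants the post also mentions survive this pass; as the post notes, spotting those needs several copies of the same document compared against each other.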

This candidate for Congress will let his constituents decide how he votes (Fast Company, 2 Jan 2018) - Michael Allman is running for Congress as a Republican. But if his constituents lean left of him on a particular issue before Congress, that’s how Allman will vote. That’s because Allman is running on a direct democracy platform: For every issue, voters in his district will be able to use a blockchain-enabled website to securely log their opinions, and Allman will follow the will of the people. “Everyone thinks what’s happening in Washington, D.C., today is broken,” says Allman, former CEO of Southern California Gas, who is running for the 52nd district in San Diego County. “Nobody thinks it’s working. We can go into a hundred reasons why, but I’d summarize it with just one word: Partisanship. Everybody votes with the party on pretty much everything, and it’s a red versus blue, us versus them kind of attitude.” Allman has no background in politics, but has worked in the tech industry, and realized that the technology exists to make direct representation possible. Working with a tech company that had an existing platform, he created a custom website that will outline both sides of a general issue-for example, whether or not there should be more gun control laws-or a specific bill. Voters can read through the arguments on both sides, and read selected op-eds. The site can verify that someone is in a particular district and that they’re registered to vote, and then register their opinion confidentially. Of course, the success of the system will depend on participation-and even elections typically have low turnout (for midterm elections, turnout is only around 40%). But logging on to the online platform is easier than making it to a polling place, and for ongoing issues, people won’t have to vote by a particular deadline. 
Conceivably, if voters know that their participation could make a difference on an actual vote in Congress-and that impact is guaranteed, rather than making calls or sending emails to representatives-they may be more motivated to act. [Polley: “Well, it seemed like a good idea at the time.”] top

DHS expands license plate dragnet, streams collections to US law enforcement agencies (TechDirt, 4 Jan 2018) - The DHS has provided the public with a Privacy Impact Assessment (PIA) on its use of license plate readers (LPRs). What the document shows is the DHS’s hasty abandonment of plans for a national license plate database had little impact on its ability to create a replacement national license plate database. The document deals with border areas primarily, but that shouldn’t lead inland drivers to believe they won’t be swept up in the collection. The DHS has multiple partners in its license plate gathering efforts, with the foremost beneficiary being the DEA, as Papers, Please! reports: The latest so-called “Privacy Impact Assessment” (PIA) made public by the US Department of Homeland Security, “CBP License Plate Reader Technology”, provides unsurprising but disturbing details about how the US government’s phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA. The CBP defines the border as anything within 100 miles of the country’s physical borders, which also include international airports. Consequently, more than two-thirds of the nation’s population reside in the CBP’s so-called “Constitution-free zone.” The plate readers discussed in the PIA aren’t just the ones drivers and visitors might expect. While the CBP operates many of these at static locations at entry points, other LPRs are mounted on CBP vehicles or hidden in areas the CBP patrols. The addition of the DEA adds law enforcement to the mix. This means the DHS is intermingling its collection with existing law enforcement databases, allowing it to build an ad hoc national database without having to inform the public or hire a contractor to build one from the ground up. top

  - and -

New CBP border device search policy still permits unconstitutional searches (EFF, 8 Jan 2018) - U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that’s full of loopholes and vague language and that continues to allow agents to violate travelers’ constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago, overall it doesn’t go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are. Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers’ rights in our border search lawsuit. Below is a legal analysis of some of the key features of the new policy. * * * top

  - and -

Federal agencies may be regularly hiding surveillance methods in criminal cases (Reason, 9 Jan 2018) - The U.S. government uses secret evidence to build criminal cases, according to a report released today by Human Rights Watch. The report offers one of the most comprehensive looks yet at “parallel construction,” a tactic where federal law enforcement hides classified or sensitive methods from courts by building a parallel chain of evidence after the fact. The report shows that numerous federal law enforcement agencies send requests to local police to find reasons to perform traffic stops and searches on criminal suspects. Unless something goes wrong, defendants will never know the origins of the government’s case against them. The group notes that parallel construction raises several civil rights concerns, chiefly the right to a fair trial. “When you have parallel construction, you have defendants and even judges who don’t know how evidence was gathered and can’t challenge the constitutionality of that,” report author Sarah St. Vincent says. “What you have is very one-sided, where the government, on its own, is deciding what practices it thinks are legal.” The method was first revealed in a 2013 Reuters investigation, which detailed how the Special Operations Division, a secretive unit within the Drug Enforcement Administration (DEA), had been funneling surveillance tips to field agents and other agencies to build cases. Meanwhile, it trained agents to “recreate” evidence chains to keep classified methods hidden from defendants, judges, and even federal prosecutors. According to the Human Rights Watch report, the Special Operations Division’s activities were nicknamed “the dark side” and exiting agents were given Darth Vader keychains as tokens. DEA training slides that I obtained via a 2014 Freedom of Information Act request shed further light on how widespread the tactic is. 
The FOIA request also resulted in perhaps my favorite redaction that I have ever received: * * * [Polley: See also How the government hides secret surveillance programs (Wired, 9 Jan 2018)] top

Raising its bet on analytics, Littler adds first Chief Data Analytics Officer (American Lawyer, 9 Jan 2018) - By hiring Zev Eigen, a data scientist with a Ph.D. from the Massachusetts Institute of Technology, Littler Mendelson publicly placed its bet more than two years ago on the potential that data analytics would change the way law is practiced. Now the rapidly expanding global labor and employment giant is doubling down. Littler is poised to announce its hire of a chief data analytics officer, Aaron Crews, who will be tasked with managing the firm’s data capabilities and to help it roll out more technology-based products based on the ideas of the firm’s existing data scientists. Littler has already been tapping into the data it has collected for the past five-plus years through its Littler CaseSmart platform. One product spearheaded by Eigen is a prediction model for Equal Employment Opportunity Commission charges that Littler has used internally to gauge outcomes and prices for client matters. Last year the firm also began offering Equal Pay audits, which more than 100 clients have used to determine their risk of discrimination claims. Thomas Bender, co-president and co-managing partner at Littler, said there is an “endless horizon” for the possibilities on how data analytics can change the practice of law. Crews, a former Littler partner and electronic discovery counsel, re-joins the firm after having spent the past six months as general counsel and vice president of strategy at legal artificial intelligence company Text IQ, a position he discussed late last year with LegalTech News. Before that, Crews spent three years as a senior associate general counsel and global head of e-discovery at Wal-Mart Stores Inc., having joined the retail giant from Littler in 2014. top

Ninth Circuit doubles down: Violating a website’s terms of service is not a crime (EFF, 10 Jan 2018) - Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes-in this case, California and Nevada-to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear-if it wasn’t clear already-that violating a corporate computer use policy is not a crime. Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually-which would have seriously slowed down Rimini’s ability to service customers. Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. 
The jury found Rimini guilty under both the California and Nevada computer crime statutes, and the judge upheld that verdict-concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission. top

Sedona Conference publishes the Sedona Conference Data Privacy Primer (Ride the Lightning, 11 Jan 2018) - On January 9th, the Sedona Conference and its Working Group 11 on Data Security and Privacy (WG11) announced the publication of The Sedona Conference Data Privacy Primer. This final version contains several updates following thorough consideration of the public comments submitted between January and April 2017. WG11 developed the Data Privacy Primer to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance. You can download the publication without charge here. top

Inside Uber’s $100,000 payment to a hacker, and the fallout (NYT, 12 Jan 2018) - “Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.” The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees. Yet the note and Uber’s eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for the company. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, the company’s chief executive since August, Dara Khosrowshahi, called it a “failure” that it had not notified people earlier. Mr. Sullivan and a security lawyer, Craig Clark, were fired. In the weeks since, Uber’s handling of the hacking has come under major scrutiny. Not only did Uber pay an outsize amount to the hacker, but it also did not disclose that it had briefly lost control of so much consumer and driver data until a year later. The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the United States attorney for Northern California has begun a criminal investigation into the matter. 
Most of all, the hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law. [S]ince the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches. This account of Uber’s hacking and the company’s response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber’s security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident. * * * [Polley: quite interesting] top

Science Fiction Writers of America accuse Internet Archive of piracy (Slashdot, 13 Jan 2018) - An anonymous reader writes: The “Open Library” project of the nonprofit Internet Archive has been scanning books and offering “loans” of DRM-protected versions for e-readers (which expire after the loan period expires). This week the Legal Affairs Committee of the Science Fiction Writers of America issued a new “Infringement Alert” on the practice, complaining that “an unreadable copy of the book is saved on users’ devices…and can be made readable by stripping DRM protection.” The objection, argues SFWA President Cat Rambo, is that “writers’ work is being scanned in and put up for access without notifying them… it is up to the individual writer whether or not their work should be made available in this way.” But the infringement alert takes the criticism even further. “We suspect that this is the world’s largest ongoing project of unremunerated digital distribution of entire in-copyright books.” The Digital Reader blog points out one great irony. “The program initially launched in 2007. It has been running for ten years, and the SFWA only just now noticed.” They add that SFWA’s tardiness “leaves critical legal issues unresolved.” “Remember, Google won the Google Books case, and had its scanning activities legalized as fair use ex post facto… In fact the Internet Archive has a stronger case than Google did; the latter had a commercial interest in its scans, while the Internet Archive is a non-profit out to serve the public good.” top

  China’s total information awareness: Second-order challenges (Lawfare, 16 Jan 2018) - Every day seems to bring a new article about China’s pervasive use of facial recognition technology. Both the New York Times and the Washington Post have reported how widely China is using this technology, collecting and storing video evidence from cameras on every street corner and road, at apartment building entrances, and in businesses, malls, transportation hubs, and public toilets. The Chinese government seeks to consolidate this information with people’s criminal and medical records, travel plans, online purchases, and comments on social media. China would link all of this information to every citizen’s identification card and face, forming one omnipotent database. Similarly, the Wall Street Journal produced a chilling long-form article tracking a journalist’s trip to Xinjiang province. The piece details not just the use of facial recognition software but also more intrusive steps such as the use of DNA collection, iris scanning, voice-pattern analysis, phone scanners, ID card swipes, and security checkpoints, all to further suppress unrest among the predominantly Muslim Uighur population. The piece frames life in Xinjiang as a forecast of what’s to come in China more broadly. These developments feel relatively distant, both geographically and as a matter of current U.S. domestic practice. Our government does not collect video feeds from cameras in public toilets and private apartment buildings. Nor does it possess a database containing every citizen’s photograph. Nevertheless, federal and local government agencies in the United States are increasing their use of facial recognition software at the border and in law enforcement contexts. There are a range of second-order questions that we should begin to think about as facial recognition software continues to improve and as its use expands, both within and beyond China’s borders. 
* * * [ Polley : Fascinating, and scary piece. TV’s The Prisoner, Person of Interest, Black Mirror, Electric Dreams - all looking more realistic.] top

Electronic device advisory for ABA mid-year meeting attendees (ABA, 16 Jan 2018) - Thousands of lawyers, judges and other legal professionals will cross international borders when attending the 2018 ABA Mid-Year Meeting in Vancouver, British Columbia, Canada. Each person leaving and reentering the United States is subject to inspection and search from both United States and Canadian officials. This paper has been prepared by the ABA Center for Professional Responsibility to update legal professionals about searches that U.S. Customs and Border Protection (“CBP”) agents might conduct when legal professionals cross an international border with electronic devices containing confidential client or judicial information. While the actual number of travelers whose electronic devices are subject to border inspection is relatively low, a possibility exists that electronic devices may be searched. Part I describes a new Directive, issued January 4, 2018, by the CBP. Part II summarizes the principal Model Rules of Professional Conduct legal professionals should consider. Part III offers a list of protective measures legal professionals may wish to take while planning their travel to the Mid-Year Meeting. [ Polley : See also, NY City Bar “FORMAL OPINION 2017-5: An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information” (25 July 2017)] top

Google’s art selfies aren’t available in Illinois. Here’s why. (Chicago Tribune, 17 Jan 2018) - The Google Arts & Culture app’s new feature seems to be everywhere as social media streams are flooded with photos of friends and the great works of art that resemble them - that is, nearly everywhere but Illinois. The state is one of two in the country where the Google app’s art selfie feature - which matches users’ uploaded selfies with portraits or faces depicted in works of art - is not available. Google won’t say why. But it’s likely because Illinois has one of the nation’s most strict laws on the use of biometrics, which include facial, fingerprint and iris scans. “They’re being overly cautious” by keeping the feature out of Illinois, said Christopher Dore, a partner at Chicago law firm Edelson, which has brought biometrics suits against tech companies including Facebook. Some Illinois residents are finding workarounds to discover their artwork look-alikes, sending selfies to out-of-state friends who will run their photo through the feature. * * * Texas is the only other state without access to the art selfies, and it, too, has a biometrics law. Illinois’ Biometric Information Privacy Act mandates that companies collecting such information obtain prior consent from consumers, detailing how they’ll use it and how long it will be kept. It also allows private citizens to sue, while other states have laws that let only the attorney general bring a lawsuit. top

RESOURCES

Security Planner (recommended by Bruce Schneier, 21 Dec 2017) - Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It’s not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don’t see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date. top

U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040 (BeSpacific, 15 Jan 2018) - CRS report via FAS. “TRADOC Pamphlet 525-8-6, The U.S. Army Concept for Cyberspace and Electronic Warfare Operations expands on the ideas presented in TRADOC Pamphlet 525-3-1, The U.S. Army Operating Concept: Win in a Complex World (AOC). This document describes how the Army will operate in and through cyberspace and the electromagnetic spectrum and will fully integrate cyberspace, electronic warfare (EW), and electromagnetic spectrum operations as part of joint combined arms operations to meet future operational environment challenges. Cyberspace and EW operations provide commanders the ability to conduct simultaneous, linked maneuver in and through multiple domains, and to engage adversaries and populations where they live and operate. Cyberspace and EW operations provide commanders a full range of physical and virtual, as well as kinetic and non-kinetic, capabilities tailored into combinations that enhance the combat power of maneuver elements conducting joint combined operations. This concept serves as a foundation for developing future cyberspace and electronic warfare capabilities and helps Army leaders think clearly about future armed conflict, learn about the future through the Army’s campaign of learning, analyze future capability gaps and identify opportunities, and implement interim solutions to improve current and future force combat effectiveness.” top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NLRB rules on employee use of company email for union purposes (Faegre & Benson’s John Polley [yes, he’s my brother], 8 Jan 2008) - Ever since the advent of email in the workplace, employers have sought guidance about whether they may lawfully prohibit employees from using company email systems to solicit other employees to support a union. However, since most employers permit employees to use company email for at least some personal communications, the concern has been that prohibiting employee use of email for union solicitations would run afoul of nondiscrimination rules under the National Labor Relations Act. In Guard Publishing Company, 351 NLRB No. 70 (December 16, 2007), the National Labor Relations Board finally addressed these issues. In Guard Publishing Company, the NLRB held that an employer may prohibit employees from using a company-owned email system to solicit for “non-job-related reasons,” even if the employer had allowed employees to use the email system for various personal reasons such as giving away tickets or announcing the birth of a child. However, Guard Publishing, a 3-2 decision, was sharply divided along party lines, and the terms of office of two of the Board members in the majority (and one in the dissent) expired within days of the decision. Therefore, there is some real doubt about whether this decision will remain law when a new, full Board is constituted. There is also some doubt about whether portions of this decision will survive on appeal. top

IP addresses are personal data, EU regulator says (Washington Post, 22 Jan 2008) - IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said Monday. Germany’s data-protection commissioner, Peter Scharr, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law. Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, “then it has to be regarded as personal data.” His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address. Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people. These exceptions have not stopped the emergence of a host of “whois” Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it. Treating IP addresses as personal information would have implications for how search engines record data. Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years. 
A privacy advocate at the nonprofit Electronic Privacy Information Center said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations. “It’s one of the things that make computer people giggle,” the center’s executive director, Marc Rotenberg, said. “The more the companies know about you, the more commercial value is obtained.” Google’s global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used - and that was not enough to identify an individual user. top

MIRLN—- 10-31 Dec 2017 (v20.18)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

20,000 artworks available for free download on LACMA’s robust digital archive (My Modern Met, 4 Dec 2017) - You don’t have to travel the world to see great art. As museums continue to digitize their collections, you can view paintings, sculptures, and other artwork that spans thousands of years and geographical locations. The Los Angeles County Museum of Art (LACMA) has worked for the past two years to make their acquisitions viewable online. There are 20,000 images available and in the public domain, making them also free downloadable art for anyone. Altogether, the museum has uploaded 80,000 works on their website with both restricted and unrestricted use-a quarter of the art that’s in their physical collection. It’s easy to find an image that will inspire you. The robust online search is sorted via highlights, chronology, curatorial area, and more; it’s a great place to start. If you’re looking for something more specific, however, they’ve tagged individual works with their defining attributes. Typing in the word “cactus”, for instance, will bring up photographs, paintings, and objects having to do with the plant. You can even choose the option to filter only images that are in the public domain. top

Vicarious liability for data breach by rogue [UK] employee (Clyde & Co, 5 Dec 2017) - In the first group litigation of its kind, Morrisons Supermarkets was found to be vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online. This was despite the fact that Morrisons was found to be entirely innocent of any misuse, that the employee had acted deliberately to harm his employer, had been convicted and imprisoned for his actions and that disclosure of the data had been done at home, on a Sunday outside office hours. In principle, the decision could mean that Morrisons will be liable to compensate all 5,500 employees involved in the claim. Permission has already been given for Morrisons to appeal the decision to the Court of Appeal. top

  Almost one-third of US businesses had a data breach (Sys-Con Media, 7 Dec 2017) - Almost one-third of U.S. businesses (29 percent) experienced a data breach in the previous year, a survey for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re, reported today, and eight in ten spent at least $5,000 to respond. The HSB survey conducted by Zogby Analytics also found that almost half of the breaches (47 percent) were caused by a vendor or contractor working for a business, followed by employee negligence (21 percent) and lost or stolen mobile devices or storage media (20 percent). In two-thirds of the data breaches, the businesses reported their reputation was negatively affected. When asked what the biggest hurdle would be for their organization to respond to a data breach, 51 percent said lack of knowledge and 41 percent a lack of resources. The financial impact of a data breach was considerable: 27 percent of the businesses spent between $5,000 and $50,000 to respond and 30 percent spent between $50,000 and $100,000. top

Governors and federal agencies are blocking nearly 1,300 accounts on Facebook and Twitter (ProPublica, 8 Dec 2017) - Amanda Farber still doesn’t know why Maryland Gov. Larry Hogan blocked her from his Facebook group. A resident of Bethesda and full-time parent and volunteer, Farber identifies as a Democrat but voted for the Republican Hogan in 2014. Farber says she doesn’t post on her representatives’ pages often. But earlier this year, she said she wrote on the governor’s Facebook page, asking him to oppose the Trump administration’s travel ban and health care proposal. She never received a response. When she later returned to the page, she noticed her comment had been deleted. She also noticed she had been blocked from commenting. (She is still allowed to share the governor’s posts and messages.) According to documents ProPublica obtained through an open-records request this summer, hers is one of 494 accounts that Hogan blocks. Blocked accounts include a schoolteacher who criticized the governor’s education policies and a pastor who took a stance against accepting Syrian refugees. They even have their own Facebook group: Marylanders Blocked by Larry Hogan on Facebook. In August, ProPublica filed public-records requests with every governor and 22 federal agencies, asking for lists of everyone blocked on their official Facebook and Twitter accounts. The responses we’ve received so far show that governors and agencies across the country are blocking at least 1,298 accounts. More than half of those - 652 accounts - are blocked by Kentucky Gov. Matt Bevin, a Republican. Four other Republican governors and four Democrats, as well as five federal agencies, block hundreds of others, according to their responses to our requests. Five Republican governors and three Democrats responded that they are not blocking any accounts at all. Many agencies and more than half of governors’ offices have not yet responded to our requests.
When the administrator of a public Facebook page or Twitter handle blocks an account, the blocked user can no longer comment on posts. That can create an inaccurate public image of support for government policies. ( Here’s how you can dig into whether your elected officials are blocking constituents. ) top

How Google Fiber turned 2017 into its comeback year (TechRepublic, 11 Dec 2017) - Google Fiber showed new life in 2017, after a near death experience in late 2016. The fiber internet pioneer launched in three new cities-Huntsville, AL, Louisville, KY, and San Antonio, TX-this year. It also began to heavily rely on shallow trenching, a new method of laying cables, to expedite the construction process. “We’re very pleased with the response from residents in these markets-along with our other existing Google Fiber cities, where we worked hard throughout the year to bring Fiber service to even more people in many more neighborhoods,” a Google Fiber spokesperson told TechRepublic. The comeback happened after a construction halt and the CEO stepping down in October 2016, which left some wondering if Fiber was on its last breath. But 2017 wasn’t entirely a year of redemption. In February, hundreds of Fiber employees were moved to new jobs at Google. And Gregory McCray left the role of CEO in July after only holding the position for five months. And internet experts still have their doubts. Chris Antlitz, a senior analyst at Technology Business Research, labelled Fiber’s year as “not very good.” Jim Hayes, president of the Fiber Optic Association, called Google Fiber a “very distant player” in the fiber market. Fiber set a new bar for broadband by showing incumbent internet service providers (ISPs) that it is economically feasible to bring 1 gigabit internet to consumers, Antlitz said. Since Google Fiber led a connectivity renaissance in 2011 when it launched in its first city, Kansas City, KS, top telecom providers have been in an arms race to upgrade their broadband pipes to accommodate 1 gigabit, Antlitz said. Google Fiber’s presence in the market has caused competition that has forced other fiber providers like Verizon and AT&T Fiber to offer cheaper, faster service.
Adding a second provider to a market can reduce prices by around one-third, according to a study by the Fiber to the Home Council. top

How email open tracking quietly took over the web (Wired, 11 Dec 2017) - “I just came across this email,” began the message, a long overdue reply. But I knew the sender was lying. He’d opened my email nearly six months ago. On a Mac. In Palo Alto. At night. I knew this because I was running the email tracking service Streak, which notified me as soon as my message had been opened. It told me where, when, and on what kind of device it was read. With Streak enabled, I felt like an inside trader whenever I glanced at my inbox, privy to details that gave me maybe a little too much information. And I certainly wasn’t alone. There are some 269 billion emails sent and received daily. That’s roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an “email intelligence” company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email-usually in a 1x1 pixel image, so tiny it’s invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising-and growing-number of tracked emails are being sent not from corporations, but acquaintances. “We have been in touch with users that were tracked by their spouses, business partners, competitors,” says Florian Seroussi, the founder of OMC. “It’s the wild, wild west out there.” According to OMC’s data, a full 19 percent of all “conversational” email is now tracked. That’s one in five of the emails you get from your friends. And you probably never noticed.
“Surprisingly, while there is a vast literature on web tracking, email tracking has seen little research,” noted an October 2017 paper published by three Princeton computer scientists. All of this means that billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless. And Seroussi believes that some, at least, are in serious danger as a result. * * * top
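The Wired piece describes the mechanism (an invisible remote image whose fetch reports the open) but not how a recipient would spot one. The following is an added example, not code from the article, Streak or OMC: a small detector that scans an HTML message body for images that are effectively invisible and load from a remote host, and notes whether the URL carries a per-recipient token. The sample email and the host names in it are constructed; only images are checked, not the hyperlink or font variants the article also mentions.

```python
"""Flag likely open-tracking pixels in an HTML email body (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def _dimension(value):
    """Parse '1', '1px' or ' 0 ' into an int; None when not a plain length."""
    if value is None:
        return None
    text = value.strip().lower()
    if text.endswith("px"):
        text = text[:-2].strip()
    try:
        return int(text)
    except ValueError:
        return None


def _style_dimensions(style):
    """Extract width/height and hidden-ness from an inline style attribute."""
    width = height = None
    hidden = False
    for decl in (style or "").split(";"):
        prop, _, val = decl.partition(":")
        prop, val = prop.strip().lower(), val.strip().lower()
        if prop == "width":
            width = _dimension(val)
        elif prop == "height":
            height = _dimension(val)
        elif (prop, val) in (("display", "none"), ("visibility", "hidden")):
            hidden = True
    return width, height, hidden


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def classify_image(attrs):
    """Return a finding dict if the <img> looks like a tracking pixel, else None."""
    src = attrs.get("src") or ""
    parsed = urlparse(src)
    # Only an image fetched over the network can report the open; cid:/data: cannot.
    if parsed.scheme not in ("http", "https"):
        return None
    width = _dimension(attrs.get("width"))
    height = _dimension(attrs.get("height"))
    style_w, style_h, hidden = _style_dimensions(attrs.get("style"))
    width = style_w if style_w is not None else width
    height = style_h if style_h is not None else height
    reasons = []
    if width is not None and height is not None and width <= 1 and height <= 1:
        reasons.append("1x1 or smaller")
    if hidden:
        reasons.append("hidden by style")
    if not reasons:
        return None
    # A unique identifier in the URL is what ties this fetch to one recipient.
    has_query = bool(parse_qs(parsed.query))
    long_segment = any(len(seg) >= 16 for seg in parsed.path.split("/"))
    if has_query or long_segment:
        reasons.append("per-recipient token in URL")
    return {"host": parsed.netloc, "src": src, "reasons": reasons}


def find_tracking_pixels(html):
    """Scan an HTML body and return one finding per suspicious remote image."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        finding = classify_image(attrs)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample message: a visible logo, a classic 1x1 beacon with a token,
# a CSS-hidden beacon, and an inline (cid:) image that cannot phone home.
SAMPLE_EMAIL = """\
<html><body>
<img src="https://cdn.example/newsletter/logo.png" width="200" height="50" alt="logo">
<p>Hi, could you take a look at the attached proposal? It's urgent.</p>
<img src="https://tracker.example/open/ab12cd34ef56gh78ij?uid=4711" width="1" height="1" alt="">
<img src="https://tracker.example/px.gif" style="display:none;width:1px;height:1px">
<img src="cid:signature@example" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL):
        print(hit["host"], "->", ", ".join(hit["reasons"]))
```

A mail client that blocks remote image loads by default defeats all three patterns at once; this scanner is for auditing messages after the fact.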

  Most companies fail to disclose cybersecurity as a risk factor in SEC filings (Corporate Counsel, 12 Dec 2017) - In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies “have blinders on” when it comes to disclosing cybersecurity risks, according to a new report. From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there’s still only a relatively small proportion of all public companies-38 percent-citing cybersecurity as a risk factor in quarterly and annual filings. What’s more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies. The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies “either they have blinders on-or they are deliberately not acknowledging the risks because they don’t want to tip off potential hackers,” he said. But Hicks added that he expects to see more reporting from companies in the coming years. “For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure,” Hicks said. top

- and -

4 in 5 physicians had a cyberattack in their practices, says survey (AMA, 12 Dec 2017) - More than four in five U.S. physicians (83 percent) have experienced some form of a cybersecurity attack, according to new research released today by Accenture and the American Medical Association (AMA). This, along with additional findings, signals a call to action for the health care sector to increase cybersecurity support for medical practices in their communities. The findings, which examined the experiences of roughly 1,300 U.S. physicians, underscore the recognition that it is not “if” but “when” a cyberattack will occur. More than half (55 percent) of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (cited by 74 percent), compromise the security of patient records (74 percent) or impact patient safety (53 percent). “The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety,” said AMA President David O. Barbe, M.D., M.H.A. “New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentiality and integrity of health care data.” The findings show the most common type of cyberattack was phishing-cited by more than half (55 percent) of physicians who experienced an attack-followed by computer viruses (48 percent). Physicians from medium and large practices were twice as likely as those in small practices to experience these types of attacks.
Nearly two-thirds (64 percent) of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third (29 percent) of physicians in medium-sized practices that experienced a cyberattack said they experienced nearly a full day of downtime. top

  Model publishing contract features author-friendly terms for open access scholarship (Authors Alliance, 14 Dec 2017) - The University of Michigan and Emory University have teamed up to create a Model Publishing Contract for Digital Scholarship designed to aid in the publication of long-form digital scholarship according to open access principles. Developed by a team of library and university press professionals, the model contract takes into account the needs of a variety of stakeholders. The contract is shorter and easier to understand than typical publishing contracts, and it offers authors more rights in their own work, while still allowing publishers sufficient rights for commercial uses and sales. Associated documents include: * * * top

  Tips for capturing social media evidence (Attorney at Work, 15 Dec 2017) - It turns out that sometimes you can believe what you see on the internet. Criminal defendants and civil litigants overshare on social media just like the rest of us. But heading into court, that tendency is less an annoying habit and more a potential self-incrimination. In their search for credible evidence against opponents, lawyers are increasingly turning to social media for digital smoking guns. When Facebook first urged its users to “Go Live!” on its new video posting system, it probably imagined videos of blown-out birthday candles or baby’s first steps. Disturbingly, the feature began to be used for posting videos bragging to the world about crimes. But self-incriminating evidence includes more than posting videos of possible crimes. For example, spouses often use internet posts against each other in divorce court. Even as early as 2010, 81 percent of divorce attorneys agreed there was an increase in social media evidence. They cited Facebook as the top source for online evidence, with 66 percent of those lawyers finding something useful for their clients on the social site. No area of practice is immune: Bankruptcy lawyers need to worry about posts that indicate hidden assets, and personal injury attorneys should worry that their client’s Instagram posts will make the jury skeptical of claims of pain and suffering. You can use social media evidence to great effect, but first, you’ve got to find it and capture it in an efficient way. Consider these three tips: * * * top

DLA Piper had planned a cyberbreach response before major malware attack in June (ABA Journal, 19 Dec 2017) - DLA Piper had planned its response to a cyberbreach before its systems shut down in response to a major malware attack last June. Don Jaycox, DLA Piper’s chief information officer for the Americas, tells the Wall Street Journal (sub. req.) that the attack began when a malware agent known as NotPetya was downloaded on a finance server in Ukraine. “Our first instinct-because we had planned it out-was to shut everything down once we realized the attack had a fairly broad reach,” Jaycox said. “Everything was off the air, along with roughly two-thirds of our end points, laptops, desktops, etc.” DLA Piper had already contracted with companies that would assist it in monitoring its network and responding to an attack. Two were tapped the first day of the breach, and a third was called in on the second day. The law firm had registered all of its cellphones to a mass communication texting system, allowing for a blast communication. The firm also had a game plan for quickly recovering a targeted system, such as email, but it couldn’t quickly restore every system at once. “People who do backups to the cloud, one of the things that you need to think about is what is the scenario for total recovery if you lose everything,” Jaycox said. “Because getting all the data back if you need to get all of it can be a little bit challenging.” The top question from clients was whether their data was compromised, Jaycox said. At first, the law firm was able to say it found no indications of compromised information. After additional assessment, that statement can now be made “with a very high degree of certainty,” he said. top

  - and -

Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers (ABA Journal article, by ODNI’s Bob Litt & colleagues, Jan 2018) - Corporate litigator Jane Doe sat down at her desk Monday morning and logged on to her computer. She opened an email appearing to be from a client that read: “Hi. Could you please take a look at this document? It’s urgent.” Doe clicked on the attachment. Two weeks later, a hacker website published confidential documents that one of her most important clients had given the firm in connection with a lawsuit alleging environmental violations. Doe’s client called, furious, to inform her that she was discharged, and that the client was considering a lawsuit against her firm. Every week brings news of major new cyberattacks-the stealing of personal information from Equifax and the federal Office of Personnel Management, the Petya and WannaCry ransomware worms, the Russian hacking of the Democratic National Committee’s emails, to name a few. Indeed, the cyberthreat from criminals, hacktivists and state actors is growing. The costs associated with these malicious activities are staggering: Last year, the Commission on the Theft of American Intellectual Property estimated that the annual cost of IP theft in three major categories may be as high as $600 billion and that the low-end total exceeds $225 billion, or 1.25 percent of the U.S. economy. Law firms have not been immune. In fact, they have been a ripe target: * * * [ Polley : This is the first in a year-long 2018 series “Digital Dangers”, addressing cybersecurity and the threat faced by lawyers. This is related to the ABA’s just-published Cybersecurity Handbook (2nd Ed.). The Journal’s series, the Handbook, and other resources showcase work by the ABA’s Cybersecurity Legal Task Force, which I have the privilege of co-chairing with Ruth Bro.] top

  Rep. Blackburn introduces fake net neutrality legislation (Free Press, 19 Dec 2017) - On Tuesday, Rep. Marsha Blackburn (R-Tennessee) introduced anti-Net Neutrality legislation that she dubbed the “Open Internet Preservation Act.” The bill lacks many of the fundamental guarantees that prevent internet access providers from interfering with online traffic. Rep. Blackburn, who is among the top recipients of campaign contributions from the phone and cable lobby, said on Twitter that she hopes to rush the legislation to President Donald Trump’s desk for signing. The bill reportedly includes prohibitions on blocking or throttling of internet traffic, but would not prevent pay-to-play prioritization schemes. It would also constrain FCC authority to contend with future abuses and prevent states from enacting their own Net Neutrality protections. Free Press Action Fund President and CEO Craig Aaron made the following statement: “Having lost their fight against Net Neutrality in the court of public opinion, companies like AT&T, Comcast and Verizon are trying to use fake Net Neutrality bills like this to end all effective oversight of their anti-competitive, anti-consumer practices. Blackburn’s legislation fails at the very thing it claims to accomplish. It prohibits a few open-internet violations, but opens the door to rampant abuse through paid-prioritization schemes that split the internet into fast lanes for the richest companies and slow lanes for everyone else. This bill’s true goal is to let a few unregulated monopolies and duopolies stifle competition and control the future of communications. This cynical attempt to offer something the tiniest bit better than what the FCC did and pretend it’s a compromise is an insult to the millions who are calling on Congress to restore real Net Neutrality.” top

- and -

Bucking President Trump’s FCC, New York introduces its own net neutrality bill (Fast Company, 19 Dec 2017) - Since the FCC voted last week to abolish net neutrality regulations, California, Washington, and New York State have vowed to take up the cause. New York is one of the first out the gate. State Assembly member Patricia Fahy, a Democrat whose district includes the capital, Albany, has drafted a short piece of legislation to introduce this week. It requires the state government, state agencies, and local governments (including New York City) to do business only with ISPs that adhere to net neutrality principles of no blocking or slowing down access to any legal content. Nor can they allow paid prioritization, or offer content providers premium-priced “fast lanes” for better service. “If you are going to be a contractor and want to work with New York, then you must meet the principles,” Fahy tells Fast Company. She hopes that this approach will get around a roadblock known as preemption. The Constitution generally gives the federal government final authority over commercial activities that cross state lines. But while New York can’t require ISPs to uphold net neutrality, it can use its “power of the purse” to punish ISPs that don’t. “There’s a decent amount of precedent for saying, if you want a state contract, you have to meet such and such requirements,” she says, noting construction contracts contingent on certain labor practices or the use of U.S.-made steel. top

Facial scans at US airports violate Americans’ privacy, report says (NYT, 21 Dec 2017) - A new report concludes that a Department of Homeland Security pilot program improperly gathers data on Americans when it requires passengers embarking on foreign flights to undergo facial recognition scans to ensure they haven’t overstayed visas. The report, released on Thursday by researchers at the Center on Privacy and Technology at Georgetown University’s law school, called the system an invasive surveillance tool that the department has installed at nearly a dozen airports without going through a required federal rule-making process. The report’s authors examined dozens of Department of Homeland Security documents and raised questions about the accuracy of facial recognition scans. They said the technology had high error rates and was subject to bias, because the scans often fail to properly identify women and African-Americans. “It’s telling that D.H.S. cannot identify a single benefit actually resulting from airport face scans at the departure gate,” said Harrison Rudolph, an associate at the center and one of the report’s co-authors. * * * top

  Russian submarines are prowling around vital undersea cables. It’s making NATO nervous. (WaPo, 22 Dec 2017) - Russian submarines have dramatically stepped up activity around undersea data cables in the North Atlantic, part of a more aggressive naval posture that has driven NATO to revive a Cold War-era command, according to senior military officials. The apparent Russian focus on the cables, which provide Internet and other communications connections to North America and Europe, could give the Kremlin the power to sever or tap into vital data lines, the officials said. Russian submarine activity has increased to levels unseen since the Cold War, they said, sparking hunts in recent months for the elusive watercraft. “We are now seeing Russian underwater activity in the vicinity of undersea cables that I don’t believe we have ever seen,” said U.S. Navy Rear Adm. Andrew Lennon, the commander of NATO’s submarine forces. “Russia is clearly taking an interest in NATO and NATO nations’ undersea infrastructure.” NATO has responded with plans to reestablish a command post , shuttered after the Cold War, to help secure the North Atlantic. NATO allies are also rushing to boost anti-submarine warfare capabilities and to develop advanced submarine-detecting planes. top

  Codified US laws from 1925 now available, searchable on loc.gov (Sierra Sun Times, 26 Dec 2017) - More than 60 years of U.S. laws are now published online and accessible for free for the first time after being acquired by the Library of Congress. The Library has made available the main editions and supplements of the United States Code from 1925 through the 1988 edition. The U.S. Code is a compilation of federal laws arranged by subject by the Office of the Law Revision Counsel of the House of Representatives. The Library’s U.S. Code Collection is fully searchable. Filters allow users to narrow their searches by date, title and/or subject. PDF versions of each chapter can be viewed and downloaded. The collection is online at loc.gov/collections/united-states-code/ . This provides access to editions of the U.S. Code that previously were not available to the public online for free. “For the first time these historical materials will be available online for free in a searchable format,” Law Librarian of Congress Jane Sanchez said. “The U.S. Code provides a convenient tool for locating the law in force at a particular point in time. These historical editions will help students, historians and other researchers delving into the primary sources of our government and democracy.” top

  Library of Congress gives up collecting all tweets because Twitter is garbage (Gizmodo, 26 Dec 2017) - In 2010, the Library of Congress started archiving every single public tweet that was published on Twitter. It even retroactively acquired all tweets dating back to 2006. But the Library of Congress will stop archiving every tweet on December 31, 2017. Why is it stopping? Because tweets are trash now. The Library of Congress issued a white paper this month saying that it was proud of its comprehensive collection of tweets from the first 12 years of Twitter, but that it’s completely unnecessary for it to continue. Instead, the organization will only collect tweets that it deems historically significant. For instance, President Trump’s tweets are almost certainly still going to be saved for future generations. One reason that the Library is stopping the comprehensive archive? The social media company’s controversial change to allow 280 character tweets. The Library’s halt on collection of all tweets puts Twitter more in line with the way that other digital collections are archived, including websites. The Library of Congress only archives websites on a selective basis, unlike the nonprofit, non-governmental organization the Internet Archive, which has a much broader goal of archiving everything online with its Wayback Machine . The Library of Congress also noted that many tweets include photos and video and that it has only been collecting text, making some of its collection worthless. top

That game on your phone may be tracking what you’re watching on TV (NYT, 28 Dec 2017) - At first glance, the gaming apps - with names like “Pool 3D,” “Beer Pong: Trickshot” and “Real Bowling Strike 10 Pin” - seem innocuous. One called “Honey Quest” features Jumbo, an animated bear. Yet these apps, once downloaded onto a smartphone, have the ability to keep tabs on the viewing habits of their users - some of whom may be children - even when the games aren’t being played. The apps use software from Alphonso, a start-up that collects TV-viewing data for advertisers. Using a smartphone’s microphone, Alphonso’s software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership. More than 250 games that use Alphonso software are available in the Google Play store; some are also available in Apple’s app store. Some of the tracking is taking place through gaming apps that do not otherwise involve a smartphone’s microphone, including some apps that are geared toward children. The software can also detect sounds even when a phone is in a pocket if the apps are running in the background. Alphonso said that its software, which does not record human speech, is clearly explained in app descriptions and privacy policies and that the company cannot gain access to users’ microphones and locations unless they agree. Alphonso declined to say how many people it is collecting data from, and Mr. Chordia said that he could not disclose the names of the roughly 1,000 games and the messaging and social apps with Alphonso software because a rival was trying to hurt its relationships with developers. 
(The New York Times identified many of the apps in question by searching “Alphonso automated” and “Alphonso software” in the Google Play store.)

RESOURCES

Lee on Digital Copyright in the TPP (MLPB, 11 Dec 2017) - Jyh-An Lee, The Chinese University of Hong Kong Faculty of Law, has published Digital Copyright in the TPP, in Paradigm Shift in International Economic Law Rule-Making: TPP As a New Model for Trade Agreements? 371 (Julien Chaisse, Henry Gao & Chang-fa Lo eds., Springer, 2017). Here is the abstract: This chapter focuses on key copyright issues in TPP’s IP Chapter, especially those related to the Internet and digital technologies. Those issues include copyright term extension, safe harbor for Internet service providers (ISPs), technological protection measures, criminal liability, and limitations and exceptions. This chapter analyzes whether private and public interests represented by various stakeholders in the copyright ecology are taken into full account and kept balanced under TPP. This chapter also evaluates member states’ diverse considerations for implementing those copyright provisions. Furthermore, this chapter uses the IP Chapter as a lens to illustrate the international expansion of copyright facilitated by trade negotiations. top


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The IT law Wiki (launched December 2007)—This wiki is an encyclopedia of the legal issues, cases, statutes, events, people, organizations and publications that make up the global field of information technology law (often referred to as “computer law”). To learn more about this wiki, click on the “About this Wiki” link. To find an article, simply type the name in the “Search The IT Law Wiki” box in the upper right hand corner of [the referenced] page, click the “Content (A-Z)” button to the right or click the “Random page” button above or to the right. To write a new The IT Law Wiki article, enter the page title in the box. [see also the EFF’s similar wiki: http://ilt.eff.org/index.php/Table_of_Contents ] top

Get your own XO laptop: OLPC Give 1 Get 1 project underway (ArsTechnica, 12 Nov 2007) - The One Laptop Per Child (OLPC) initiative announced today the official launch of the Give 1 Get 1 (G1G1) program, which allows individual donors in the United States and Canada to acquire their very own shiny OLPC XO laptop by donating $399 to the project. Designed specifically to be used by schoolchildren in developing countries, the XO laptop was originally only going to be sold in bulk quantity to governments. OLPC had to change those plans earlier this year in order to compensate for slow sales. The G1G1 program, which opens today and ends on November 26, allows individual donors to purchase XO laptops for personal use when also buying one for a child in a developing nation. Ponying up $399 will get donors an XO laptop, and $200 of that donation is tax-deductible. OLPC has also partnered with T-Mobile, which is offering free T-Mobile HotSpot access to all US donors who participate in the G1G1 program. top

MIRLN—- 19 Nov - 9 Dec 2017 (v20.17)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

New roadside scanner contract brings uninsured drivers closer to automatic tickets (Oklahoma Watch, 16 Nov 2017) - Oklahoma has finalized a deal with a Massachusetts company to use license-plate scanners to catch uninsured drivers, and the firm expects to issue 20,000 citations a month starting as early as next year. The program, believed to be the first of its kind in the nation, involves setting up automated high-speed cameras on highways around the state to detect uninsured vehicles and mailing their owners a citation with a fine of $184, according to the District Attorneys Council. Gatso USA, a Beverly, Massachusetts-based company that specializes in red-light-running and speeding detection systems, will initially get $80, or 43 percent, of each fine. Its cut will decrease to $74 after two years and $68 after five years, according to a contract approved by the state after months of legal review and negotiation. The company could expect to bring in $1.6 million a month, or $19 million a year, if the 20,000 citations are issued monthly. Gatso is a subsidiary of a Dutch company. Drivers who pay the fees will avoid having a charge of driving without insurance on their permanent record. The purpose of the Uninsured Vehicle Enforcement Diversion Program, approved by the state Legislature in 2016, is to reduce the high number of uninsured motorists in Oklahoma. A 2015 Pew Charitable Trusts survey found that 26 percent of all drivers in the state are uninsured - the highest rate in the nation - which can push up insurance premiums and hit-and-run accidents. But another incentive underlies the program. It will be overseen by the District Attorneys Council rather than law enforcement, and the state’s 27 district attorneys’ offices are expected to receive millions of dollars in citation revenue a year, although no estimates were provided. 
District attorneys have complained that their revenue sources are diminishing because of state budget cuts and the drop in bounced-check fines. top

The dangerous data hack that you won’t even notice (Quartz, 17 Nov 2017) - A recent wave of cyberattacks-from WannaCry and Equifax to the alleged Russian influence on the US election-has demonstrated how hackers can wreak havoc on our largest institutions. But by focusing only on hackers’ efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility: data manipulation. Imagine that a major Big Food company gets hacked. But this time, instead of leaking the company’s proprietary information to the public or freezing its systems with ransomware, the hackers subtly manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make drinkers sick, despite appearing within their use-by date. Figures are tweaked slightly on pending invoices to vendors, altering the company’s balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product that was failing suddenly looks like it is passing regulation tests. Would the company even notice such changes happening? Could it still have the confidence that its backups were uncompromised? How could its investors accurately assess the company’s value when all of its financials might suddenly be based on faulty information? And how might its customers and suppliers respond? Now apply this thought experiment to banks, medical institutions, and government organizations. It’s pretty scary. Unlike “information-gathering” hacks (where data is stolen because it is valuable) or “hold hostage” attacks (when data is imprisoned until someone pays to release it), “manipulation hacks” are hard to detect: They result when individuals (or bots) illegally change vital information below the threshold of attention. * * * top

- and -

$1 billion lawsuit focuses on EHR data integrity concerns (Data Breach Today, 20 Nov 2017) - The suit alleges that eClinicalWorks’ cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means “patients and doctors cannot rely on the veracity of those records.” The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services’ Office of Inspector General (see eClinicalWorks Case Shines Spotlight on Data Integrity ). The Justice Department alleged the company falsely claimed it met the HITECH Act EHR incentive program’s certification requirements. Among the requirements it didn’t meet, according to DoJ: accurately recording user actions - such as orders for diagnostic tests - that are conducted in the course of a patient’s treatment and ensuring data portability. The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company’s software: (1) Periodically displayed incorrect medical information in the right chart panel of the patient screen; (2) Periodically displayed multiple patients’ information concurrently; (3) In specific workflows, failed to accurately display medical history on progress notes; and (4) Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient’s treatment. “As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records,” the lawsuit complaint claims. 
“Because the audit history does not accurately record user actions, there is no way for any patient to know if their records were deleted/altered/modified. In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions,” the complaint says. The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, “on behalf of herself and all others similarly situated.” top

Cybersecurity: What to know about the ‘Vulnerabilities Equities Process’ (The Recorder, 22 Nov 2017) - They may not realize it, but any company hit by the WannaCry ransomware attack over the past several months was impacted firsthand by a secretive U.S. government policy mechanism known as the VEP. Short for the “Vulnerabilities Equities Process,” the VEP is the procedure through which the government decides whether to hang on to knowledge of computer security flaws for offensive uses (i.e., hacking), or disclose them to ensure they get patched. In the case of WannaCry, news reports and comments by Microsoft’s chief legal officer indicated that the NSA knew about the vulnerability at the root of the worm, but only told Microsoft after losing control of it. In the wake of the ensuing controversy, White House Cybersecurity Coordinator Rob Joyce last week for the first time unveiled a public version of the VEP Charter in an effort to shed some light on the government’s decision-making process. The 14-page document describes in broad strokes the balancing act government hackers must go through after they discover new vulnerabilities. Here are a few things you ought to know about it: * * * top

The Fifth Amendment, decryption and biometric passcodes (Lawfare, 27 Nov 2017) - The spread of commercially available encryption products has made it harder for law enforcement officials to access information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray said that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It’s a “huge, huge problem,” Wray said. One might think that a way around this problem is for the government to order the user to produce the password to the device. But such an order might face a big hurdle: the Fifth Amendment. A handful of cases have emerged in recent years on the applicability of the Fifth Amendment to demands for passwords to encrypted devices. The protections afforded by the amendment depend on, among other things, whether the password involves biometric verification via a unique physical feature, or the more typical string of characters (passcode). As we will see, the government has a bit more leeway under the Fifth Amendment to insist on the decryption of personal computing devices using biometric passwords that-as in the new iPhone X-are increasingly prevalent. * * * [ Polley : this area is in flux, but the article is a decent summary.] top

Art galleries versus the Pentagon (InsideHigherEd, 28 Nov 2017) - Is it art? Or government property? Or both? The John Jay College of Criminal Justice is currently hosting an exhibit of art from eight current and former detainees at the detention camp at Guantánamo Bay Naval Base in Cuba. Earlier this month, however, the Department of Defense halted the export of artwork made by prisoners there, declaring that works made by the prisoners are property of the United States government. The exhibit, “Ode to the Sea: Art From Guantánamo,” went on display at the City University of New York campus Oct. 2, when Department of Defense policy still allowed detainees to export art from the island prison where the U.S. government currently detains 41 people. A total of 779 people, all men, have been detained at Guantánamo Bay since the prison’s controversial opening in 2002. “On the opening pages of Moby-Dick , [Herman] Melville writes about the ‘water-gazers’ of New York, office-dwellers who spent their free time looking at the rivers and sea that surround the city,” Erin Thompson, the exhibit’s co-curator and an assistant professor in John Jay’s Department of Art and Music, wrote in an essay for The Paris Review when the exhibit debuted. “The detainee artists told me that they thought of the sea as a symbol of both hope and fear. They represented it in order to dream about escape and to escape as best they could. By immersing themselves so fully in making art, they could imagine that they were in a ship at sea—until the work was finished.” The New York Post characterized the exhibit as “controversial,” noting that some of the first responders who died in the Sept. 11 attacks had attended John Jay. (On the other hand, Thompson noted, only one of the current detainees whose work is on display has actually been charged with a crime.) After going through an examination by prison authorities, art created through prison programming was allowed to be released and sent abroad. 
That policy was changed earlier this month. “Items produced by detainees remain the property of the U.S. government,” Ben Sakrisson, a Pentagon spokesman, said Monday, adding that the policy was firmly in place and not under review, which previous reports had suggested was a possibility. Even if a detainee is eventually released, Sakrisson acknowledged that the policy implicitly states that any art made by the detainee would still be government property. top

BakerHostetler and Perkins Coie named ‘founding stewards’ in new blockchain ID network (ABA Journal, 28 Nov 2017) - BakerHostetler and Perkins Coie are “founding stewards” in the new blockchain-based identity network Sovrin. On account of high-profile data breaches of personal information and the increased interest and feasibility of blockchain technology, there is a growing movement to create IDs that do not rely on centralized storage, which is a honeypot for hackers. Sovrin, run by the nonprofit Sovrin Foundation, “is a global, decentralized identity network that allows people and organizations to create portable, self-sovereign digital identities, which they control, and cannot be taken away by any government or organization” according to the BakerHostetler website. As founding stewards, BakerHostetler and Perkins Coie “donate network power to maintain the ledger” that host nodes to house the self-sovereign IDs, according to an email from Judd Bagley, director of communications at Evernym, the company that invented Sovrin and spun it off as a separate nonprofit foundation. Bagley adds: “Stewards are charged with writing encrypted identity data to the Sovrin ledger and verifying the validity” of each ledger entry. Once in the network, the ID’s existence is public across the distributed network. But it can only be accessed with the user’s verification key, which is a public identifier, and a signing key, which is private and known only to the user. Collectively, those two cryptographic keys will signal to a bank, government or another individual or entity that a person is who they say. 
For Joe Cutler, a partner at Perkins Coie, self-sovereign identity is “the future of identity.” In a press release he said: “SSI aims to shift control over your most personal information back into your own hands, and to end this notion that you must sacrifice privacy and security in order to participate in today’s digital economy.” Laura Jehl, a partner at BakerHostetler’s D.C., office, told the ABA Journal in an email that being a steward is about helping their “clients understand and embrace a future where digital identities can be trusted, mitigating risks from data breaches and other cybersecurity incidents.” The Sovrin Foundation is one of numerous entities focused on self-sovereign ID built on blockchain, which includes IBM’s Blockchain Platform and Microsoft’s partnership with Blockstack and ConsenSys, two blockchain companies. top

- and -

Coinbase ordered to give the IRS data on users trading more than $20,000 (TechCrunch, 29 Nov 2017) - Most digital currencies exist in a sort of twilight state just beyond the grasp of federal regulators, but the U.S. tax authority is starting to get savvy to this whole bitcoin thing. On Wednesday, a federal judge in San Francisco ruled that Coinbase must supply the IRS with identifying information on users who had more than $20,000 in annual transactions on its platform between 2013 and 2015. After noticing that the number of tax returns claiming gains from virtual currency didn’t line up with the emerging popularity of digital currencies like bitcoin as an investment vehicle, the IRS asked Coinbase to hand over a broad swath of information on its users. Coinbase pushed back, and now the court has landed on a compromise that the company is calling a “partial victory.” “Coinbase itself admits that the Narrowed Summons requests information regarding 8.9 million Coinbase transactions and 14,355 Coinbase account holders. That only 800 to 900 taxpayers reported gains related to bitcoin in each of the relevant years and that more than 14,000 Coinbase users have either bought, sold, sent or received at least $20,000 worth of bitcoin in a given year suggests that many Coinbase users may not be reporting their bitcoin gains,” the court documents read. While cryptocurrency users who value the relative decentralization and privacy afforded by digital currencies won’t be happy, Coinbase succeeded in limiting the government’s initial request for information on all Coinbase users who made transactions from 2013 to 2015 to the smaller subset of high-value users. 
The IRS initially requested nine kinds of user data, including “complete user profiles, know-your-customer due diligence, documents regarding third-party access, transaction logs, records of payments processed, correspondence between Coinbase and Coinbase users, account or invoice statements and records of payments.” Rejecting some of those requests, today the court narrowed the scope of documents that the IRS can request from Coinbase to taxpayer ID number, name, date of birth, address, transaction logs and account statements, deeming the rest of the documents “not necessary.” Again, these personal data requests will only apply to accounts that have bought, sold, sent or received more than $20,000 in any of those types of transactions between 2013 and 2015. top

As clients demand law firm cyber audits, who sets the terms? (Law.com, 29 Nov 2017) - With hackers and other cyber pitfalls affecting more and more law firms, there is still no universally accepted standard that firms must meet to show that they are adequately protected. In the legal industry, concerns about how to assess firms’ cyber defenses will likely grow, as a growing number of corporate clients insist outside counsel undergo, and most often pay for, cybersecurity audits. “We have seen an exponential increase in inquiries from law firms in 2017 versus years past,” said John DiMaria, a marketing executive in the London office of BSI Group, which provides certifications related to cybersecurity, including certification for ISO/IEC 27001, an international standard for information security management. According to Patti Moran, a spokeswoman for the International Legal Technology Association, and its subsidiary ILTA LegalSEC, a community of law firms seeking to improve the security in the global legal community, more than 44 law firms had achieved that certification by the end of last year, and another 56 were working toward it. That’s a big increase from two years ago, when The American Lawyer reported that at least 10 Am Law 200 firms had attained the ISO certification to assure clients they were taking steps toward protecting their documents and communication systems. To make audits worth their expense, cybersecurity auditors must use accepted and published benchmarks, said Jeffrey Ritter, a visiting fellow at the University of Oxford and founding chairman of the American Bar Association’s committee on cyberspace law. “You have to show what criteria you are using,” he said. At the same time, Ritter argues that such standards “have a level of ambiguity” that makes them insufficient safeguards. 
Meeting an ISO standard is simply not enough, according to John Sweeney, president of Nashville, Tennessee-based LogicForce, which conducts cybersecurity audits largely for law firms. (Other providers of cybersecurity audits include all the Big Four accounting firms, BSI Group and Resiliam.) “ISO is only a single standard that doesn’t necessarily cover practical implementation of best practices. Our experience with corporate audits from financial, health, insurance, and other industries has shown ISO 27001 compliance isn’t enough to get law firms to pass their audits,” Sweeney wrote in an email responding to questions for this article. Moreover, many firms fall far behind even the minimum requirements to meet the ISO standards, a set of legal, physical and technical policies for information risk management procedures, including rules about documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. “There is currently a large gap in where plenty of law firms are today, and any formal certification process,” Sweeney wrote. top

SWIFT warns banks on cyber heists as hack sophistication grows (Reuters, 28 Nov 2017) - SWIFT, the global messaging system used to move trillions of dollars each day, warned banks on Wednesday that the threat of digital heists is on the rise as hackers use increasingly sophisticated tools and techniques to launch new attacks. “Adversaries have advanced their knowledge,” SWIFT said in a 16-page report co-written with BAE Systems Plc’s cyber security division. “No system can be assumed to be totally infallible, or immune to attack.” SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public. The new report described an attack on an unidentified bank. Hackers spent several months inside the network of one customer, preparing for the eventual attack by stealing user credentials and monitoring the bank’s operations using software that recorded computer keystrokes and screenshots, the report said. When they launched the attack in the middle of the night, the hackers installed additional malware that let them modify messaging software so they could bypass protocols for confirming the identity of the computer’s operator, according to the report. The hackers then ordered payments sent to banks in other countries by copying pre-formatted payment requests into the messaging software, according to the report. After the hackers ended the three-hour operation, they sought to hide their tracks by deleting records of their activity. They also tried to distract the bank’s security team by infecting dozens of other computers with ransomware that locked documents with an encryption key, the report said. While SWIFT did not say how much money was taken, it said the bank quickly identified the fraudulent payments and arranged for the stolen funds to be frozen. [ Polley : I’ve seen such attacks executed with painstaking attention-to-detail, nearly-perfectly scripted. Impressive, and scary.] top

- and -

NATO mulls ‘offensive defense’ with cyber warfare rules (Reuters, 30 Nov 2017) - The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019. The doctrine could shift NATO’s approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology. The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails. In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data. Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns. * * * NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks. “The fictional scenarios are based on real threats,” said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise. NATO’s commanders will not develop cyber weapons but allied defense ministers agreed last month that NATO commanders can request nations to allow them use of their weapons if requested. top

Facebook’s new captcha test: ‘Upload a clear photo of your face’ (Wired, 28 Nov 2017) - Facebook may soon ask you to “upload a photo of yourself that clearly shows your face,” to prove you’re not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: “Please upload a photo of yourself that clearly shows your face. We’ll check it and then permanently delete it from our servers.” In a statement to WIRED, a Facebook spokesperson said the photo test is intended to “help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads.” The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique. The Facebook spokesperson said the photo test is one of several methods, both automated and manual, used to detect suspicious activity. The company declined to share details to prevent the system from being manipulated. Suspicious activity might include someone who consistently posts from New York and then starts posting from Russia. Facial technology is increasingly common, such as the use of Apple Face ID to authenticate users on iPhone X. A since-deleted screenshot from Twitter seemed to indicate that users are locked out of their accounts while the photo is being verified. A message said, “You Can’t Log In Right Now. We’ll get in touch with you after we’ve reviewed your photo. You’ll now be logged out of Facebook as a security precaution.” Facebook users who suspect their account has been compromised can go to Facebook.com/hacked. The company would not say when it started using the technique, but in a post on Reddit users reported getting the same prompt in April. The new authentication scheme is the second in recent weeks that relies on photos. Earlier this month, Facebook asked users to upload nude photos to Facebook Messenger, as part of an effort to prevent revenge porn. Facebook said it would use the nude photos to create a digital fingerprint against which to compare future posts. Facebook said the photos are hashed and then deleted from its servers. [Polley: Orwell.] top

Heightened security risks dictate a proactive corporate board (Security Info Watch, 1 Dec 2017) - * * * Despite the impact that data breaches and other types of cyber-attacks continue to have on all kinds of organizations, Jim Pflaging, principal, technology sector and strategy practice lead at security and risk management advisory firm The Chertoff Group, says the level of involvement many boards have today when it comes to addressing cybersecurity issues is really a mixed bag. Pflaging, who serves on the board of several technology companies himself and as a board advisor to several others, says that The Chertoff Group set out last year to get a better understanding about the state of maturity in cybersecurity conversations at the board level and subsequently interviewed over 100 leading executives across three different continents in companies ranging in size from Fortune 500 organizations to small, private firms. What they found, according to Pflaging, was a “tale of two cities.” “The first (group) was the good news and that was Fortune 500 (companies) in what people would call critical infrastructure - transportation, utilities, finance, healthcare and some tech (firms) - they said, ‘yeah, we’ve been talking about cybersecurity for years. It is a mature conversation, we talk about it from a risk point of view and, in some cases, it is beyond risk and in the overall business continuity discussion,’” Pflaging says. “The second group was largely everybody else and this was not a pretty picture. This resonated with me because it reflected the boards that I am on and that is that cyber is rarely or never on the agenda and if it is on the agenda, it’s in response to a breach. The state of the conversation was there really wasn’t one.” Pflaging says that many of these executives from the first group had learned about cybersecurity mostly from other boards but from personal stories as well. Those board members in the second group reported being confused about exactly what their roles should be as directors when it comes to cybersecurity and what questions they should be asking. top

It’s gonna get a lot easier to break science journal paywalls (Wired, 3 Dec 2017) - * * * Today, even though you can’t access Scholar directly from the Google-prime page, it has become the internet’s default scientific search engine - even more than once-monopolistic Web of Science, the National Institutes of Health’s PubMed, and Scopus, owned by the giant scientific publisher Elsevier. But most science is still paywalled. More than three quarters of published journal articles - 114 million on the World Wide Web alone, by one (lowball) estimate - are only available if you are affiliated with an institution that can afford pricey subscriptions or you can swing $40-per-article fees. In the last several years, though, scientists have made strides to loosen the grip of giant science publishers. They skip over the lengthy peer review process mediated by the big journals and just … post. Review comes after. The paywall isn’t crumbling, but it might be eroding. The open science movement, with its free distribution of articles before their official publication, is a big reason. Another reason, though, is stealthy improvement in scientific search engines like Google Scholar, Microsoft Academic, and Semantic Scholar - web tools increasingly able to see around paywalls or find articles that have jumped over. Scientific publishing ain’t like book publishing or journalism. In fact, it’s a little more like music, pre-iTunes, pre-Spotify. You know, right about when everyone started using Napster. * * * top

Stanford lied about business school scholarships (InsideHigherEd, 4 Dec 2017) - A breach of confidential data has indicated that the Stanford University Graduate School of Business has been publicly misrepresenting how it awards scholarships. The business school’s website, for years, said that “all fellowships are need based,” referring to scholarships. A student, Adam Allcock, recently found out that anyone in the business school had access to confidential data. He alerted the school to inform officials of the security flaw, but also downloaded the data and ran an analysis that showed that scholarship awards are not, in fact, need based. “The [Graduate School of Business] secretly ranks students as to how valuable (or replaceable) they were seen, and awarded financial aid on that basis,” Allcock wrote in an 88-page report describing his analysis. “Not only has the GSB also been systematically discriminating by gender, international status and more while lying to their faces for the last 10 to ~25 years.” Poets & Quants, an outlet that specializes in business school rankings and news, broke the story. The San Francisco Chronicle noted that the school has not disputed the report’s findings, and that this isn’t the only data breach Stanford has had in recent months. The school has since admitted that even though it claimed not to award scholarships based on merit, it “has offered additional fellowship awards to candidates whose biographies make them particularly compelling and competitive in trying to attract a diverse class.” Women and those with backgrounds in finance were often favored for scholarship money, even if they had more ability to pay for tuition than others. In some cases, according to the report, scholarships could be three times larger between two different students with identical financial need. The secretive scholarship promise might explain why Stanford graduates perform so well, according to Poets & Quants: the school, for example, sends more students into venture capital and private-equity jobs than Wharton, Chicago Booth, Columbia or Harvard. “Allcock’s discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any M.B.A. program in the world,” Poets & Quants wrote. “That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds.” top

Independent factual research by judges via the internet (ABA Formal Opinion 478, 8 Dec 2017) - Easy access to a vast amount of information available on the Internet exposes judges to potential ethical problems. Judges risk violating the Model Code of Judicial Conduct by searching the Internet for information related to participants or facts in a proceeding. Independent investigation of adjudicative facts generally is prohibited unless the information is properly subject to judicial notice. The restriction on independent investigation includes individuals subject to the judge’s direction and control. top

RESOURCES

A Legal Anatomy of AI-generated Art: Part I (Harvard Journal of Law & Technology, 21 Nov 2017) - Abstract: This Comment is the first in a two-part series on how lawyers should think about art generated by artificial intelligences, particularly with regard to copyright law. This first part charts the anatomy of the AI-assisted artistic process. The second Comment in the series examines how copyright interests in these elements interact and provides practice tips for lawyers drafting license agreements or involved in disputes around AI-generated artwork: “Advanced algorithms that display cognition-like processes, popularly called artificial intelligences or “AIs,” are capable of generating sophisticated and provocative works of art.[1] These technologies differ from widely-used digital creation and editing tools in that they are capable of developing complex decision-making processes, leading to unexpected outcomes. Generative AI systems and the artwork they produce raise mind-bending questions of ownership, from broad policy concerns[2] to the individual interests of the artists, engineers, and researchers undertaking this work. Attorneys, too, are beginning to get involved, called on by their clients to draft licenses or manage disputes. The Harvard Law School Cyberlaw Clinic at the Berkman Klein Center for Internet & Society has recently developed a practice in advising clients in the emerging field at the intersection of art and AI. We have seen for ourselves how attempts to negotiate licenses or settle disputes without a common understanding of the systems involved may result in vague and poorly understood agreements, and worse, unnecessary conflict between parties. More often than not, this friction arises between reasonable parties who are open to compromise, but suffer from a lack of clarity over what, exactly, is being negotiated. In the course of solving such problems, we have dissected generative AIs and studied their elements from a legal perspective. The result is an anatomy that forms the foundation of our thinking - and our practice - on the subject of AI-generated art. When the parties to an agreement or dispute share a common vocabulary and understanding of the nature of the work, many areas of potential conflict evaporate. This Comment makes that anatomy available to others, in the hopes that it will facilitate productive negotiations and clear, enforceable agreements for others involved in AI-related art projects. We begin by clarifying what we mean by AI-generated art, distinguishing it from art that is created by humans using digital creation and editing software. Next, we describe four key elements that make up the anatomy of a generative AI. We go into detail on each element, providing plain-language explanations that are comprehensible even to those without a technical background. We conclude with a brief preview of the second Comment in this series, which will delve into how we think about the application of copyright law in this context, including the questions of ownership that arise as to each element, and provide some practical insights for negotiating agreements in the context of AI-generated art. * * *” top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Army squeezes soldier blogs, maybe to death (Wired, 2 May 2007) - The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops’ online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq: the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. “This is the final nail in the coffin for combat blogging,” said retired paratrooper Matthew Burden, editor of The Blog of War anthology. “No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has - it’s the most honest voice out of the war zone. And it’s being silenced.” Army Regulation 530-1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to “consult with their immediate supervisor” before posting a document “that might contain sensitive and/or critical information in a public forum.” The new version, in contrast, requires “an OPSEC review prior to publishing” anything, from “web log (blog) postings” to comments on internet message boards, from resumes to letters home. Active-duty troops aren’t the only ones affected by the new guidelines. Civilians working for the military, Army contractors, even soldiers’ families are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military’s restricted Army Knowledge Online intranet. Many Army contractors, and many family members, don’t have access to the site. Even those able to get in are finding their access is blocked to that particular file. top

In trade ruling, Antigua wins a right to piracy (New York Times, 22 Dec 2007) - In an unusual ruling on Friday at the World Trade Organization, the Caribbean nation of Antigua won the right to violate copyright protections on goods like films and music from the United States - an award worth up to $21 million - as part of a dispute between the countries over online gambling. The award follows a W.T.O. ruling that Washington had wrongly blocked online gambling operators on the island from the American market at the same time it allowed online wagering on horse racing. Antigua and Barbuda had claimed damages of $3.44 billion a year. That makes the relatively small amount awarded Friday, $21 million, something of a setback for Antigua, which had been struggling to preserve its gambling industry. The United States argued that its behavior had caused $500,000 damage. Yet the ruling is significant in that it grants a rare form of compensation: the right of one country, in this case Antigua, to violate intellectual property laws of another - the United States - by allowing it to distribute copies of American music, movie and software products. top

MIRLN—- 29 Oct - 18 Nov 2017 (v20.16)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES

ANNOUNCEMENT

The new Second Edition of the ABA’s best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ (get a 10% discount with code 2ECYBERTF10). Below, an ABA story on the Handbook:

Updated ABA cybersecurity handbook helps lawyers protect sensitive client information from hackers (ABA, 1 Nov 2017) - Cybersecurity breaches in law firms have made headlines and clients are asking questions about lawyers’ and firms’ security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca Law Firm in April 2016 to the WannaCry and Petya ransomware attacks, which led to a work outage at DLA Piper in June 2017, it is imperative that attorneys understand their obligations and the potential risk of inadequate information security practices to their practices and their clients. “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business, Second Edition” is an updated edition of the handbook that expands on many of the issues raised in the 2013 first edition, while highlighting the extensive changes in the current cybersecurity environment. It is co-edited by cybersecurity legal experts Jill D. Rhodes, chief information security officer at Option Care and former senior executive with the intelligence community; and Robert S. Litt, counsel, Morrison & Foerster and former general counsel of the Office of the Director of National Intelligence. This new edition will enable lawyers and law firms to identify potential cybersecurity risks and prepare a response in the event of an attack. It addresses the current overarching threat as well as ethical issues and special considerations for law firms of all sizes. It also includes the most recent ABA Ethics Opinions and illustrates how to approach the subject of cybersecurity threats and issues with clients, as well as when and how to purchase and use cyber insurance. Rhodes and Litt will deliver a book talk at noon on Dec. 8 at the Army Navy Club - click here for information on how to register. top


NEWS

How Facebook, Google and Twitter ‘embeds’ helped Trump in 2016 (Politico, 26 Oct 2017) - Facebook, Twitter and Google played a far deeper role in Donald Trump’s presidential campaign than has previously been disclosed, with company employees taking on the kind of political strategizing that campaigns typically entrust to their own staff or paid consultants, according to a new study released Thursday. The peer-reviewed paper, based on more than a dozen interviews with both tech company staffers who worked inside several 2016 presidential campaigns and campaign officials, sheds new light on Silicon Valley’s assistance to Trump before his surprise win last November. While the companies call it standard practice to work hand-in-hand with high-spending advertisers like political campaigns, the new research details how the staffers assigned to the 2016 candidates frequently acted more like political operatives, doing things like suggesting methods to target difficult-to-reach voters online, helping to tee up responses to likely lines of attack during debates, and scanning candidate calendars to recommend ad pushes around upcoming speeches. Such support was critical for the Trump campaign, which didn’t invest heavily in its own digital operations during the primary season and made extensive use of Facebook, Twitter and Google “embeds” for the general election, says the study, conducted by communications professors from the University of North Carolina at Chapel Hill and the University of Utah. The companies offered such services, without charge, to all the 2016 candidates, according to the study, which details extensive tech company involvement at every stage of the race. But Hillary Clinton’s campaign declined to embed the companies’ employees in her operations, instead opting to develop its own digital apparatus and call in the tech firms to help execute elements of its strategy. “Facebook, Twitter, and Google [went] beyond promoting their services and facilitating digital advertising buys,” the paper concludes, adding that their efforts extended to “actively shaping campaign communications through their close collaboration with political staffers.” top

- and -

How Russian trolls got into your Facebook feed (WaPo, 1 Nov 2017) - Americans are getting our first glimpse of how we got played. On Wednesday, Congress released some of the 3,000 Facebook ads and Twitter accounts created by Russian operatives to sway American voters. You can explore them in an analysis the Post published here. These disturbing messages, seen by up to 126 million Americans, raise thorny questions about Silicon Valley’s responsibility for vetting the information it publishes. Beyond Washington, it leaves all of us who use social media to keep up with friends, share photos and follow news wondering: How’d the Russians get to me? The short answer is Silicon Valley made it very easy. Facebook’s top lawyer told Congress on Wednesday the Russian effort was “fairly rudimentary.” Here’s what he meant: Ever notice a Facebook ad that’s eerily relevant to something you’ve been talking about? Had an ad for a pair of sneakers follow you around the Internet for a week? Or seen an ad that says your friend “liked” it? * * * You were in Russia’s crosshairs if you liked the Facebook page of Donald Trump or Hillary Clinton. Same goes for people who said they were fans of Martin Luther King, Jr. Russians even targeted people who shared enough stuff about the South that Facebook tagged them as being interested in “Dixie.” top

- and -

Manipulating social media to undermine democracy (Freedom House, Nov 2017) - Key Findings: (1) Online manipulation and disinformation tactics played an important role in elections in at least 18 countries over the past year, including the United States; (2) Disinformation tactics contributed to a seventh consecutive year of overall decline in internet freedom, as did a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media; (3) A record number of governments have restricted mobile internet service for political or security reasons, often in areas populated by ethnic or religious minorities. * * * Russia’s online efforts to influence the American election have been well documented, but the United States was hardly alone in this respect. Manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens’ ability to choose their leaders based on factual news and authentic debate. Although some governments sought to support their interests and expand their influence abroad - as with Russia’s disinformation campaigns in the United States and Europe - in most cases they used these methods inside their own borders to maintain their hold on power. top

Days after activists sued, Georgia’s election server was wiped clean (ArsTechnica, 26 Oct 2017) - A server and its backups, believed to be key to a pending federal lawsuit filed against Georgia election officials, was thoroughly deleted, according to e-mails recently released under a public records request. Georgia previously came under heavy scrutiny after a researcher discovered significant problems with his home state’s voting system. A lawsuit soon followed in state court, asking the court to annul the results of the June 20 special election for Congress and to prevent Georgia’s existing computer-based voting system from being used again. The case, Curling v. Kemp, was filed in Fulton County Superior Court on July 3. As the Associated Press reported Thursday, the data was initially destroyed on July 7 by the Center for Elections Systems at Kennesaw State University, the entity tasked with running the Peach State’s elections. The new e-mails, which were sent by the Coalition for Good Governance to Ars, show that Chris Dehner, one of the Information Security staffers, e-mailed his boss, Stephen Gay, to say that the two backup servers had been “degaussed three times.” * * * According to the AP, the FBI made a forensic image of the relevant server in March 2017 as part of its investigation. Atlanta FBI spokesman Stephen Emmett “would not say whether that image still exists.” Neither Emmett nor the FBI field office in Atlanta immediately responded to Ars’ request for comment. top

Law firms fail on cybersecurity, and corporate clients are cracking down (LegalTechNews, 26 Oct 2017) - Law firm technology services group LogicForce recently released its quarterly report card on law firm cybersecurity, giving the legal industry a score of only 42 percent on its cybersecurity health. The most recent scorecard aggregated data from client surveys at more than 300 law firms of various sizes. Scores were generated based on the number of firms who reported implementing 12 different factors set forth by LogicForce: information security executives, cybersecurity policies, multifactor authentication, cyber training, cyber insurance, penetration, vulnerability testing, third-party risk assessments, records management policies, cyber investment, full disk encryption, data loss prevention services, and third-party penetration testing. Each factor was weighted differently. The scorecard’s most heavily weighted factor was the presence of an information security executive, a position filled at only 38 percent of surveyed law firms. * * * The report also noted that corporate law firm clients are beginning to crack down harder on their outside counsel for their failure to meet cybersecurity standards. The report found that 48 percent of law firms surveyed had their data security practices subjected to an audit by a corporate client in the last year. top

- and -

Corporate legal’s new cybersecurity role: First risk responders (Corporate Counsel, 7 Nov 2017) - As corporations devote more attention to cybersecurity, many are expanding the legal department’s role to cover tasks like third-party risk management. But according to Grant Thornton’s “2017 Corporate General Counsel Survey” of over 190 general counsel, that’s far from where their cybersecurity responsibility ends. Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations’ data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events was their “primary responsibility,” up from 11 percent in 2015. Of course, it wasn’t always this way. “When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives,” said Johnny Lee, principal and forensic technology practice leader for Grant Thornton’s Forensic Advisory Services. But as “breaches become more prevalent and as they represent more downstream risk - regulatory and litigation exposure, for example - we’ve seen a shift to legal departments taking the helm on the response,” he said. In light of legal repercussions of cybersecurity incidents, he added, the legal department’s participation in risk response can be an asset given the umbrella of attorney-client privilege. Depending on the nature and extent of a breach, such privilege may need “to be attached early if it’s going to be invoked, and may need to be managed carefully if it’s going to be protected and preserved.” Lee cautioned, however, that the legal department’s cybersecurity role “doesn’t necessarily mean they’re inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there.” top

- and -

Ok, we get technology competence, but how do we get technologically competent? (Above The Law, Bob Ambrogi, 6 Nov 2017) - By now, you’ve probably heard of the duty of technology competence. As more and more states adopt it, more and more articles get written about it, and more and more CLEs get presented about it. But the focus of all this is largely on the nature and scope of the duty. One aspect we hear little about is how lawyers can get and remain technologically competent. There are no easy answers to that question. Florida has taken the most dramatic step, not only mandating tech competence but also mandating technology training. The first and only state to do this, Florida requires that lawyers complete three hours of CLE every three years in approved technology programs. Another option for law firms and legal departments seeking to promote technology competence is the Legal Technology Assessment developed by Casey Flaherty and his company Procertas. The LTA assesses legal professionals’ proficiency with the basic technology tools they use every day - Word, Excel, and PDF - and provides training on tasks in which they are deficient. Now, there is further progress. The past week brought news of two more initiatives that should further promote technology competence among legal professionals. One is online training for lawyers in legal innovation and technology, the other an index tracking how well law schools are preparing students to deliver legal services in the 21st Century. * * * top

Can algorithms send you to prison? Apparently, yes. (Ride The Lightning, 1 Nov 2017) - The New York Times reported in an opinion piece last week on a fascinating and disturbing story. In 2013, police officers in Wisconsin arrested Eric Loomis, who was driving a car that had been used in a recent shooting. He pleaded guilty to attempting to flee an officer, and no contest to operating a vehicle without the owner’s consent. Neither of his crimes mandated prison time. But at Mr. Loomis’s sentencing, the judge cited, among other factors, Mr. Loomis’s high risk of recidivism as predicted by a computer program called COMPAS, a risk assessment algorithm used by the state of Wisconsin. The judge denied probation and prescribed an 11-year sentence - six years in prison, plus five years of extended supervision. No one knows exactly how COMPAS works; its manufacturer won’t disclose the proprietary algorithm. We only know the final risk assessment score, which judges may consider at sentencing. Loomis challenged the use of an algorithm as a violation of his due process rights to be sentenced individually, and without consideration of impermissible factors like gender or race. The Wisconsin Supreme Court rejected his challenge. In June, the United States Supreme Court declined to hear his case, meaning a majority of justices effectively condoned the algorithm’s use. This may have far-reaching effects. Why are we allowing a computer program, into which no one in the criminal justice system has any insight, to play a role in sending a man to prison? The author of the op-ed piece asked that question - and so do I. Wisconsin is one of several states using algorithms in the sentencing process. * * * top

Oil States amicus briefs seek to stabilize IPR constitutional footing (Patently-O, 1 Nov 2017) - As per usual, the briefs are largely divisible into two categories: (1) direct merits arguments focusing on congressional power to enact the IPR regime; and (2) policy briefs arguing that IPRs do important work. I’ll note here that the focus of the policy briefs is on efficient and timely adjudication. I have not seen any of the briefs so far that recognize the third reality - that the PTAB is invalidating patents that would have been upheld by a court. For some reason amici consider it appropriate to identify court failures in efficiency but not to identify failures in the substantive decisionmaking. The closest on-point is likely Apple’s Brief, which promotes the “well-informed and correct” outcomes of the PTAB (16-712bsacAppleInc). Overall, the collection of briefs here is quite strong. The most compelling brief in my view is that filed by the well-known team of Duffy and Dabney on behalf of several groups, including the Internet Association. They write: * * * [Polley: Fairly arcane, but absolutely fascinating set of historical analyses, getting to the very fundamentals of US IPR jurisprudence.]

What does a Director of Knowledge Management for a legal firm do? (KnoCo, 2 Nov 2017) - This month there were two “Director of KM” jobs advertised on LinkedIn. Let’s see what this job entails. “Knowledge Management” is a poorly defined term, and Knowledge Management jobs can range from low-level data-entry clerks to high-level strategic posts, and anything in between. However, when you see “Director of Knowledge Management” vacancies, that tells you that this is a high-level post. One of these advertised vacancies gives few details of the post, but the second, from CMS (the legal firm), gives a full list of responsibilities and characteristics. These are listed below. * * *

New federal cybersecurity regulations force colleges to strengthen data management (EdScoop, 2 Nov 2017) - A new set of federal regulations is forcing colleges and universities to tighten their cybersecurity practices, which will require changes in the way colleges manage their data, according to a new report. Higher education institutions will have to fulfill new contractual obligations to maintain federal grants, research contracts and other transactions in which the institutions receive data from the federal government, according to the report, issued by Deloitte’s Center for Higher Education Excellence and nonprofit EDUCAUSE. In 2016, the U.S. Department of Education signaled it would make colleges comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of “controlled unclassified information.” The first compliance deadline schools have to meet is Dec. 31. “Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards,” said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. “Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required.” According to the report, while higher education CIOs and CISOs are aware of the new standard, “this awareness hasn’t necessarily translated into progress.” “Many institutions are still working out how to get started and get everyone on board,” the report says. “Other institutions, notably those that receive significant defense research funding, are much further down the path.” Colleges will have to overcome many existing challenges in order to fulfill the requirements, according to experts at Deloitte and EDUCAUSE. And those challenges go beyond just technological problems. They also encompass organizational change management, training, end-user adoption and process controls. Specific challenges outlined in the report include a lack of executive and board-level attention on NIST’s regulations.

35 states and DC back bid to collect online sales taxes (USA Today, 3 Nov 2017) - Thirty-five state attorneys general and the District of Columbia this week signed on to support South Dakota’s legal bid to collect sales taxes from out-of-state Internet retailers. South Dakota is asking the U.S. Supreme Court to review whether retailers can be required to collect sales taxes in states where they lack a physical presence. The case could have national implications for e-commerce. South Dakota Attorney General Marty Jackley said in a statement Thursday that Colorado filed a friend-of-the-court brief supporting South Dakota’s petition to the high court. The state is seeking to overturn legal rulings issued mostly before the online shopping boom that hamstring officials who want to collect sales taxes from out-of-state retailers. States have pushed Congress to address the issue without success, and one estimate put the loss to states at roughly $26 billion in 2015. South Dakota estimates it loses about $50 million annually to e-commerce. “The problem with the physical-presence rule is that it was first conceived of in 1967, two years before the moon landing and decades before the first retail transaction occurred over the Internet,” according to the brief. Some companies such as Amazon have decided to collect state sales taxes despite the precedent. South Dakota legislators passed a law last year requiring collection of the tax. The law was struck down in September by the state Supreme Court due to precedent. The state had welcomed the defeat so it could try to get the U.S. Supreme Court to take up the case.

US Court sides with Google against Canadian de-indexing order (ZDNet, 3 Nov 2017) - A US federal court on Friday issued a preliminary injunction against a Canadian Supreme Court ruling, which asked Google to de-index certain search results not just in Canada but on a global basis. The Canadian ruling “undermines the policy goals of Section 230 [of the US Communications Decency Act] and threatens free speech on the global internet,” wrote Judge Edward Davila of the US District Court for Northern California. The ruling pertains to the case Google v. Equustek, which started with a 2011 complaint from the company Equustek Solutions. The British Columbia firm charged that a group of Equustek distributors (known as the Datalink defendants) were selling counterfeit Equustek products online. Datalink continued to sell these goods globally, even after the court ordered it to stop, prompting Equustek to ask Google to intervene. Google initially de-indexed 345 specific webpages associated with Datalink on google.ca. Equustek then sought an injunction to stop Google from displaying any part of the Datalink websites on any of its search results worldwide. A lower court granted the injunction, and the Canadian Supreme Court upheld it. The ruling’s global implications elicited concern from freedom of speech advocates. Google asked the US District Court for Northern California to intervene, arguing that Canada’s ruling was “repugnant” to the rights established by the First Amendment and the Communications Decency Act. Furthermore, the company said it “violates principles of international comity, particularly since the Canadian plaintiffs never established any violation of their rights under U.S. law.” Now that the US District Court has intervened, Google can seek a permanent injunction and ask the Canadian court to modify its original order, according to the Electronic Frontier Foundation.

TSA plans to use face recognition to track Americans through airports (EFF, 9 Nov 2017) - The “PreCheck” program is billed as a convenient service to allow U.S. travelers to “speed through security” at airports. However, the latest proposal released by the Transportation Security Administration (TSA) reveals the Department of Homeland Security’s greater underlying plan to collect face images and iris scans on a nationwide scale. DHS’s programs will become a massive violation of privacy that could serve as a gateway to the collection of biometric data to identify and track every traveler at every airport and border crossing in the country. Currently TSA collects fingerprints as part of its application process for people who want to apply for PreCheck. So far, TSA hasn’t used those prints for anything besides the mandatory background check that’s part of the process. But this summer, TSA ran a pilot program at Atlanta’s Hartsfield-Jackson Airport and at Denver International Airport that used those prints and a contactless fingerprint reader to verify the identity of PreCheck-approved travelers at security checkpoints at both airports. Now TSA wants to roll out this program to airports across the country and expand it to encompass face recognition, iris scans, and other biometrics as well. [Polley: “contactless fingerprint reader”?!?] While this latest plan is limited to the more than 5 million Americans who have chosen to apply for PreCheck, it appears to be part of a broader push within the Department of Homeland Security (DHS) to expand its collection and use of biometrics throughout its sub-agencies. For example, in pilot programs in Georgia and Arizona last year, Customs and Border Protection (CBP) used face recognition to capture pictures of travelers boarding a flight out of the country and compared those pictures to previously recorded photos from passports, visas, and “other DHS encounters.” In the Privacy Impact Assessments (PIAs) for those pilot programs, CBP said that, although it would collect face recognition images of all travelers, it would delete any data associated with U.S. citizens. But what began as DHS’s biometric travel screening of foreign citizens morphed, without congressional authorization, into screening of U.S. citizens, too. Now the agency plans to roll out the program to other border crossings, and it says it will retain photos of U.S. citizens and lawful permanent residents for two weeks and information about their travel for 15 years. It retains data on “non-immigrant aliens” for 75 years.

Equifax profit falls as hacking costs take toll (Reuters, 9 Nov 2017) - Equifax Inc (EFX.N) on Thursday reported lower quarterly profit, and quarterly revenue missed estimates, as the credit bureau warned that its massive data breach had prompted some customers to hold back business. The breach, which compromised sensitive data of 145.5 million people, has harmed the company’s reputation and prompted investigations in every U.S. state, a federal criminal probe and hundreds of lawsuits. Equifax said it was not possible to estimate how much it would cost the company to respond to the probes and litigation. The Atlanta-based company said it recorded $87.5 million in expenses related to the hack during the quarter, including legal fees, investigation of the breach, and free credit monitoring for U.S. consumers whose data was exposed in the breach. Equifax estimated a range of additional costs between $56 million and $110 million to continue providing the free services. The company warned there could be further attacks. “We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again,” it said in a quarterly filing with the Securities and Exchange Commission.

- and -

Equifax looks to in-house lawyer to ‘build a new future’ after massive breach (Law.com, 14 Nov 2017) - As Equifax Inc. continues to face fallout from the massive data breach announced earlier this year, the consumer credit reporting company has selected one of its in-house attorneys to oversee its response to the disaster. Taking on this role is Julia Houston, whose official title is chief transformation officer. Along with leading the company through the aftermath of the breach, Houston will coordinate Equifax’s efforts to “build a new future,” according to the company’s corporate leadership page. In response to a request for comment on Houston’s role and on the timing of her appointment, an Equifax spokesperson said: “Equifax’s top priorities are to improve service for consumers and to continue to strengthen our company’s security capabilities. We have revised our corporate structure to address both of these areas and have created a Chief Transformation Officer who reports directly to the CEO.” The spokesperson added that Houston was appointed to this role in October. Houston joined Equifax in October 2013 and was most recently senior vice president of U.S. legal, where she led Equifax’s legal team supporting three businesses in the United States. She previously held the general counsel title at customer management company Convergys Corp. and energy company Mirant Corp. Prior to that, Houston was an in-house attorney at Delta Air Lines Inc.

Alphabet’s Project Loon delivers internet service to 100,000 people in Puerto Rico (The Verge, 9 Nov 2017) - Alphabet’s Project Loon, which last month partnered with AT&T and T-Mobile to bring LTE connectivity to disaster-stricken Puerto Rico, says its helium air balloons have delivered internet to 100,000 residents on the island. A significant portion of Puerto Rico, still struggling to recover from the effects of Hurricane Maria, is still without cell tower reception, with the Federal Communications Commission reporting earlier today that nearly 44 percent of Puerto Rico cell sites are still out of service. Loon deployed balloons in late October in what was its fastest-ever deployment in an effort to help residents get back online as soon as possible. While 100,000 is an impressive metric on its own, Puerto Rico is an island of nearly 3.5 million people. A map released today by the FCC shows that a vast majority of the island’s counties still have between 20 and 60 percent of cell towers out of service. Only four counties are reporting only 1 to 20 percent of cell sites out of service, while another four counties have more than 80 percent of their cell sites down. So while Loon is certainly helping Puerto Rico’s government get more residents online, there’s a lot of infrastructure work to be done to get the entire island back online and in contact with the rest of the world.

Copyright exceptions for libraries widespread, study at WIPO shows, but disharmony persists (IP Watch, 15 Nov 2017) - Nobody among members of the World Intellectual Property Organization disputes the importance of the public services provided by libraries and archives. However, positions are different when it comes to providing exceptions to copyright to those entities so they can continue to dispense their services, in particular in the digital age. An updated study presented today in a WIPO committee shows that most countries have exceptions relating to libraries, but termed in very different ways, and are hesitant on how to deal with digital technologies. Prof. Kenneth Crews, former director of the copyright advisory office at Columbia University (US) and now an attorney at Gipson, Hoffman & Pancione in Los Angeles, today presented the latest version [pdf] of his original 2008 study, already updated in 2014 and in 2015, during the 35th session of the WIPO Standing Committee on Copyright and Related Rights, taking place from 13-17 November. According to Crews, since 2015, a number of countries have revised their copyright laws and the exceptions they provide to libraries and archives, which, he said, serves as a reminder that this is a dynamic issue. The study covers all 191 WIPO member states and found that 161 of those have at least one provision in their copyright statutes that explicitly applies to libraries or archives. Crews describes four types of exception: type 1 with no library exception (28); type 2 with a general library exception (21); type 3 with specific library exceptions; and type 4 providing for anti-circumvention exemptions. Compared to the last version of the study, fewer countries have no exception, and fewer countries are relying on a general exception, Crews said. Specialised exceptions, which constitute the largest share of countries, include preservation and replacement, private study and research, making available on the premises, document delivery, and copy machines in the library. As an example, Crews said 102 member states have an exception for preservation, 98 for replacement, and 105 for private study and research. Crews described the influence of several models in current copyright laws, such as the British Copyright Act, which provides multiple provisions such as for preservation and research. He also cited the Bangui Agreement, which also provides clear rules for preservation and research, and the 2001 Information Society Directive and the 2012 Orphan Works Directive of the European Union, which he said have influenced some 14 countries outside of the EU.

Guide to cybersecurity due diligence worth reading (NY Law Journal, 15 Nov 2017) - On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target’s cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals. With billions of M&A dollars at stake, there is a need to clear the windshield. Ronald [sic] Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients’ high-value digital assets. Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs. Throughout the book’s thirteen chapters, it explains how an acquirer can properly assess a target’s cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks. Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author. * * * More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target’s cybersecurity risk, this book helps control the fire.
[Polley: It’s Tom Smedinghoff, not Ronald. Excellent resource, and quite positive review.]


RESOURCES

Liability for Providing Hyperlinks to Copyright-Infringing Content: International and Comparative Law Perspectives (Columbia, 12 Nov 2017) - Abstract: “Hyperlinking, at once an essential means of navigating the Internet, but also a frequent means to enable infringement of copyright, challenges courts to articulate the legal norms that underpin domestic and international copyright law, in order to ensure effective enforcement of exclusive rights on the one hand, while preserving open communication on the Internet on the other. Several recent cases, primarily in the European Union, demonstrate the difficulties of enforcing the right of communication to the public (or, in US copyright parlance, the right of public performance by transmission) against those who provide hyperlinks that effectively deliver infringing content to Internet users. This article will first address the international norms that domestic laws of states member to the multilateral copyright agreements must implement. It next will explore how two of the most significant regional or national copyright regimes, the EU and the US, have coped with the question of linking, and then will consider the relationship of the emerging approaches to copyright infringement with national and regional laws instituting limited immunity for copyright infringements committed by internet service providers. We will conclude with an assessment of the extent to which the outcomes under US and EU regimes, despite their apparently different approaches, in fact diverge.”

Preventing Data Breaches at Law Firms: Adapting Proactive, Management-Based Regulation to Law-Firm Technology (Arizona Law Review, Nov 2017) - Today, law firms of every size are relying on technology more than ever before. However, a firm’s investment in securing its information systems pales in comparison to that of its corporate counterparts, leaving law-firm clients’ data unnecessarily at risk. Although there has been a modest increase in regulation for firm management overall, law firms have largely ignored the threat of data breaches, failing to adhere to widely accepted information security standards. This lack of compliance has caused cyber criminals to shift their sights from the client to the vulnerable information security systems of law firms. This Note proposes a proactive, regulatory approach to establish a technology infrastructure in law firms, thus ensuring the protection of client information. [Polley: Others also have proposed a prescriptive, regulatory approach; I’m unconvinced.]


DIFFERENT

The digital ruins of a forgotten future (The Atlantic, Dec 2017) - Gidge Uriza lives in an elegant wooden house with large glass windows overlooking a glittering creek, fringed by weeping willows and meadows twinkling with fireflies. She keeps buying new swimming pools because she keeps falling in love with different ones. The current specimen is a teal lozenge with a waterfall cascading from its archway of stones. Gidge spends her days lounging in a swimsuit on her poolside patio, or else tucked under a lacy comforter, wearing nothing but a bra and bathrobe, with a chocolate-glazed donut perched on the pile of books beside her. “Good morning girls,” she writes on her blog one day. “I’m slow moving, trying to get out of bed this morning, but when I’m surrounded by my pretty pink bed it’s difficult to get out and away like I should.” In another life, the one most people would call “real,” Gidge Uriza is Bridgette McNeal, an Atlanta mother who works eight-hour days at a call center and is raising a 14-year-old son, a 7-year-old daughter, and severely autistic twins, now 13. Her days are full of the selflessness and endless mundanity of raising children with special needs: giving her twins baths after they have soiled themselves (they still wear diapers, and most likely always will), baking applesauce bread with one to calm him down after a tantrum, asking the other to stop playing “the Barney theme song slowed down to sound like some demonic dirge.” One day, she takes all four kids to a nature center for an idyllic afternoon that gets interrupted by the reality of changing an adolescent’s diaper in a musty bathroom.
But each morning, before all that - before getting the kids ready for school and putting in eight hours at the call center, before getting dinner on the table or keeping peace during the meal, before giving baths and collapsing into bed - Bridgette spends an hour and a half on the online platform Second Life, where she lives in a sleek paradise of her own devising. She wakes up at 5:30 to inhabit a life in which she has the luxury of never getting out of bed at all. What is Second Life? The short answer is that it’s a virtual world that launched in 2003 and was hailed by some as the future of the internet. The longer answer is that it’s a landscape full of goth cities and preciously tattered beach shanties, vampire castles and tropical islands and rainforest temples and dinosaur stomping grounds, disco-ball-glittering nightclubs and trippy giant chess games. In 2013, in honor of Second Life’s tenth birthday, Linden Lab, the company that created it, released an infographic charting its progress: 36 million accounts had been created, and their users had spent 217,266 cumulative years online, inhabiting an ever-expanding territory that comprised almost 700 square miles. Many are tempted to call Second Life a game, but two years after its launch, Linden Lab circulated a memo to employees insisting that no one refer to it as that. It was a platform. This was meant to suggest something more holistic, more immersive, and more encompassing. * * * [Polley: detailed story, worth reading. I haven’t logged into SL for years; I may need to go back for another look.]

Math student wins “Dance Your Ph.D.” contest (InsideHigherEd, 6 Nov 2017) - Science sponsors an annual “Dance Your Ph.D.” contest to highlight research and the importance of communicating findings in ways that help nonspecialists understand them. Below is the video of this year’s winner, Nancy Scherich of the University of California, Santa Barbara. She studies topology, the study of geometry in which shape and size don’t matter. Her focus is on braid theory, or “the rules that determine the unique representations of twists and knots in high-dimensional spaces.” [Polley: I’m guessing the math is real; the 9m dance video (with some subtitles) certainly is intriguing. Remember the string game “Cat’s Cradle”?]


LOOKING BACK

FTC issues online ad privacy guidelines (NBC News, 20 Dec 2007) - On the same day they cleared Google Inc.’s purchase of online advertiser DoubleClick, federal regulators said industry needs to be more transparent about how consumers’ Web-surfing habits are tracked. The Federal Trade Commission on Thursday proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. “You shouldn’t have to be a computer geek to protect your privacy,” said Peter Swire, an Ohio State University law professor and senior fellow at the Center for American Progress, a liberal think tank.

MIRLN—- 8-28 Oct 2017 (v20.15)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENT | NEWS | DIFFERENT | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENT

The new Second Edition of the ABA’s best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A pre-release review of the Handbook is here: ABA urges lawyers to adopt encryption, other cybersecurity practices in latest ‘handbook’ (Inside Cybersecurity, 24 Oct 2017).

NEWS

Framing the Museum GitHub Repository (Berkman Klein, 5 Oct 2017) - When we use information, we need to understand what we’re looking at. We do this by framing that information - sharing new details about what it is and how we can use it. For museum collections that connect data points across centuries of artworks and objects, institutions are turning to new tools to share and communicate that data. Here, we can look at four institutions using GitHub as a platform to share collections data - the Metropolitan Museum of Art, the Museum of Modern Art (MoMA), Cooper Hewitt, Smithsonian Design Museum, and the Tate collection - as an opportunity to parse current practice in this area. GitHub is a platform for sharing and collaborating on code repositories. In a GitHub repository, the README functions as an overview of the repository and its contents. In the museum context, the README may act as a guide for how institutions have chosen to share their collections data. In identifying what information is commonly included in the README, we can map commonalities in which elements institutions have selected to frame and contextualize their collections data. * * *

- and -

Jeff Koons’ augmented reality Snapchat artwork gets ‘vandalized’ (TechCrunch, 8 Oct 2017) - Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it’s called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app. There has already been a backlash by some in the artistic community who are skeptical of corporations “putting up” digital art that they could potentially monetize wherever they would like. As a way to spark the conversation, earlier this week a group of New York-based artists mocked up a “vandalized” version of Jeff Koons’ AR Balloon Dog. To be fair, this is a patently 2017 issue to have, but also one that will certainly have conversation built around it as we question the ownership of physical digital locations. The group didn’t hack Snap’s servers to vandalize the sculpture; the work is more simply a 3D digital recreation of the work placed on top of a photo of the same geo-tagged location as Koons’ work. Graffiti artist Sebastien Errazuriz sought to raise some interesting questions with the work done with Cross Lab Studio, positing whether augmented reality experiences should be governed by similar rules to those renting out physical spaces. On an image of the vandalized artwork, he added more questions: Should corporations be allowed to place whatever content they choose over our digital public space? Central Park belongs to the city of NY. Why should corporations get to geo-tag its GPS coordinates for free? We know they will make money renting GPS spots to brands and bombard us with advertisement. They should pay rent; we should choose to approve what can be geo-tagged to our digital public and private space.
These debates might be a few years ahead of their time, but as augmented reality grows less gimmicky and more monetizable, advertising in public space could grow to be a major industry. It’s interesting to see artists looking to the government to regulate public companies creating art platforms, but it also shows the hesitation many are feeling about the manner in which tech companies are looking to mesh the digital world onto public physical locations with AR tech.

Court dismisses FTC’s unfairness claims against D-Link (Crowell & Moring, 6 Oct 2017) - Earlier this month, the Northern District of California dismissed FTC’s unfairness claims against D-Link, a manufacturer of routers and IP cameras, while allowing most of FTC’s claims rooted in deception to survive, suggesting that traditional false advertising actions may be FTC’s most effective means of addressing suspect data security practices. Further, the Northern District of California’s decision to dismiss the unfairness claims shows this court’s unwillingness to entertain data security actions rooted in the FTC’s unfairness prong, without concrete harm. FTC filed suit against D-Link in January of this year, alleging that the company engaged in both deceptive and unfair practices based on D-Link’s claimed flimsy data security practices. Specifically, the FTC alleged that D-Link engaged in deceptive practices by marketing sophisticated and state-of-the-art security provided with its products, while simultaneously failing to protect users from “widely known and reasonably foreseeable risks of unauthorized access.” For example, D-Link touted that its products featured “the latest wireless security features to help prevent unauthorized access” and offered the “best possible encryption.” But in practice, according to FTC’s pleadings, D-Link failed to take “easily preventable measures” against “hard-coded user credentials and other backdoors.” And, the Northern District held, these accusations were sufficient to plead a deception claim under the FTC Act. However, where the company did not specifically market its data security practices, its advertising was not deceptive - such as in a brochure where D-Link described the camera as a “surveillance camera” for the “home or small office.” Indeed, where D-Link did not refer to its digital security, the court would not imply messages about the state of that security. 
Notably though, the Northern District dismissed FTC’s claims that, because D-Link failed to provide adequate data security, it engaged in unfair practices. Specifically, the court found that, because the FTC could not plead actual harm, it had not sufficiently pled a violation of the FTC Act. FTC was unable, the court noted, to show any “monetary loss or an actual incident where sensitive personal data was accessed or exposed.” It was not enough to plead that D-Link put customers at risk. The Northern District did not, however, completely close the door on potential unfairness claims against D-Link. Choosing to dismiss the claims without prejudice, the Northern District noted that “[i]f the FTC had tied the unfairness claim to representations underlying the deception claims, it might have had a more colorable injury element.” Accordingly, where a company does not make affirmative representations about its data security practices, a court will likely be reluctant to find a violation of the FTC Act without concrete injury. top

DoD issues guidance for compliance with cybersecurity regulations (Holland & Knight, 6 Oct 2017) - The U.S. Department of Defense (DoD) published in 2016 a new Defense Federal Acquisition Regulation Supplement (DFARS) provision and two clauses covering the safeguarding of contractor networks. The final DoD clauses are DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” and DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” To comply with the rule, contractors must meet the standards set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. On Sept. 21, 2017, the Office of the Under Secretary of Defense provided guidance to DoD acquisition personnel concerning implementation of the NIST SP 800-171 standards. * * * top

Publishers take ResearchGate to court, alleging massive copyright infringement (Science Magazine, 6 Oct 2017) - Scholarly publishing giants Elsevier and the American Chemical Society (ACS) have filed a lawsuit in Germany against ResearchGate, a popular academic networking site, alleging copyright infringement on a mass scale. The move comes after a larger group of publishers became dissatisfied with ResearchGate’s response to a request to alter its article-sharing practices. ResearchGate, a for-profit firm based in Berlin, Germany, which was founded in 2008, is one of the largest social networking sites aimed at the academic community. It claims more than 13 million users, who can use their personal pages to upload and share a wide range of material, including published papers, book chapters and meeting presentations. Science funders and investors have put substantial funds into the firm; it has raised more than $87 million from the Wellcome Trust charity, Goldman Sachs, and Bill Gates. In recent years, journal publishers have become increasingly concerned about the millions of copyrighted papers - usually accessible only behind subscription paywalls - that are being shared by ResearchGate users. And on 15 September, the International Association of Scientific, Technical, and Medical Publishers wrote to ResearchGate on behalf of more than 140 publishers, expressing concerns about its article-sharing policies. Specifically, the organization proposed that ResearchGate implement a “seamless and easy” automated system that would help the site’s users determine if an article was protected by copyright and could be legally shared publicly or privately. The association asked for a response by 22 September , noting that its members could follow-up individually or collectively if ResearchGate failed to agree to its proposal. (AAAS, which publishes Science Insider, is a member of the association.) 
Yesterday, a group of five publishers - ACS, Elsevier, Brill, Wiley and Wolters Kluwer - announced that ResearchGate had rejected the association’s proposal. Instead, the group, which calls itself the “Coalition for Responsible Sharing,” said in a 5 October statement that ResearchGate suggested publishers should send the company formal notices, called “takedown notices,” asking it to remove content that breaches copyright. The five publishers will be sending takedown notices, according to the group. But the coalition also alleges that ResearchGate is illicitly making as many as 7 million copyrighted articles freely available, and that the company’s “business model depends on the distribution of these in-copyright articles to generate traffic to its site, which is then commercialised through the sale of targeted advertising.” The coalition also states that sending millions of takedown notices “is not a viable long-term solution, given the current and future scale of infringement. … Sending large numbers of takedown notices on an ongoing basis will prove highly disruptive to the research community.” As a result, two coalition members, ACS and Elsevier, have opted to go to court to try to force ResearchGate’s hand. The lawsuit, filed in a German regional court, asks for “clarity and judgement” on the legality of posting such content, says James Milne, spokesperson for the Coalition for Responsible Sharing and senior vice president of ACS’s journals publishing group in Oxford, U.K. top

Petition to look at former CBS lawyer underscores ethical risks of social media (Inside Counsel, 6 Oct 2017) - After being fired for a controversial Facebook post in the aftermath of the mass shooting in Las Vegas, former CBS lawyer Hayley Geftman-Gold is the subject of a petition calling for the New York State Bar Association to consider whether she is capable of remaining professional in response to a tragedy. This push, which calls for the NYSBA to consider whether Geftman-Gold’s social media post is in keeping with her professional obligations, highlights the ethical risks lawyers face when it comes to using social media, attorneys say. Not long after a gunman in Las Vegas killed more than 50 people and injured nearly 500, Geftman-Gold, who was a vice president and senior counsel of strategic transactions at CBS, posted in a Facebook discussion that she was “not even sympathetic” because “country music fans often are Republican gun toters.” CBS fired her Monday, saying in a statement Friday to Corporate Counsel that the views expressed by Geftman-Gold on social media were “deeply unacceptable to all of us at CBS.” Geftman-Gold, who could not be reached for comment, said in a statement provided to Fox News that she sincerely regrets making the “indefensible post.” The petition, addressed to NYSBA executive director Pamela McDevitt, condemns Geftman-Gold’s “reprehensible and despicable remarks” and calls on the association to “conduct an ethics review of this individual to measure her abilities to remain professional during the response phase of a national tragedy and to censor herself appropriately.” In response to a request for comment from McDevitt, Richard Rifkin, special counsel to the NYSBA, told Corporate Counsel that the association has “gotten a number of complaints” about Geftman-Gold. 
Rifkin added, however, that the NYSBA does not have the ability to discipline attorneys, and so complainants are informed on how “to file a complaint with the appropriate part of the court system.” Currently, Geftman-Gold’s attorney registration record shows no record of discipline. Posted Monday by the Citizens for Judicial Reform, the petition had more than 12,000 signatures as of publication of this article. “The bigger lesson here is people need to think before they post or tweet,” said Ignatius Grande, senior discovery attorney at Hughes Hubbard & Reed, who is also co-chair of the Social Media Committee of the NYSBA’s Commercial and Federal Litigation Section. “Especially as a lawyer, because there are a lot of ethical issues that can come back to haunt you.” The NYSBA’s social media ethics guidelines outline where issues can arise, such as violating rules around advertising or posting confidential information. The guidelines also point to an ethics opinion from the D.C. Bar Legal Ethics Committee in order to make clear that caution should be exercised when stating positions on issues and legal developments on social media platforms that may be inconsistent with those positions of clients. “I think part of what the ethics boards have been dealing with over the last ten years is how to deal with social media, because it really has changed how you apply some of the rules that are out there,” Grande said. “And attorneys are looked at with a magnifying glass or looked at with a higher standard, so it’s important to look before you post.” top

Computer virus hits US Predator and Reaper drone fleet (ArsTechnica, 7 Oct 2017) - A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other war zones. The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military’s most important weapons system. “We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.” top

How Russia harvested American rage to reshape US politics (NYT, 9 Oct 2017) - YouTube videos of police beatings on American streets. A widely circulated internet hoax about Muslim men in Michigan collecting welfare for multiple wives. A local news story about two veterans brutally mugged on a freezing winter night. All of these were recorded, posted or written by Americans. Yet all ended up becoming grist for a network of Facebook pages linked to a shadowy Russian company that has carried out propaganda campaigns for the Kremlin, and which is now believed to be at the center of a far-reaching Russian program to influence the 2016 presidential election. A New York Times examination of hundreds of those posts shows that one of the most powerful weapons that Russian agents used to reshape American politics was the anger, passion and misinformation that real Americans were broadcasting across social media platforms. * * * top

Cyberstalking case highlights how VPN provider claims about not keeping logs are often false (TechDirt, 10 Oct 2017) - When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn’t need privacy protections, since they could simply use a VPN to fully protect their online activity. But we’ve noted repeatedly that VPNs are not some kind of panacea, and in many instances you’re simply shifting the potential for abuse from your ISP to a VPN provider that may not actually offer the privacy it claims. Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior: “PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That’s why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities.” But when the Department of Justice man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. * * * top

Host of hacks not raising cyber premiums (iTreasurer, 10 Oct 2017) - Despite the continuing steady flow of news about major companies getting hacked, cyber policy premiums have continued to fall and their coverage broaden as insurers crowd into the space. In fact, the magnitude of cybercrimes only seems to be growing, with recent revelations that all of Yahoo’s three billion customer accounts were hacked, as were Equifax’s 140 million customers, along with Deloitte’s client emails and certain SEC filings. As a result, some cyber insurers have increased underwriting scrutiny for certain risks while others still offer premiums that continue to fall, according to Kevin Kalinich, the global practice leader for cyber risk at brokerage Aon. “We have over 70 cyber carriers out of the US, Bermuda and London. Therefore, despite the recent cyber incidents, unless you are in a ‘high risk’ industry class, because there’s so much competition we’re seeing rates come down,” Mr. Kalinich said. “If you’re buying cyber insurance, now is definitely a good time to buy it.” David Bradford, chief strategy officer and director of strategic partnership development at Advisen, a provider of data, media, and technology solutions for the commercial property and casualty insurance market, said that many companies are currently experiencing reductions between 5% and 15%, a trend that should continue for the immediate future. He said the Equifax breach is unlikely to have a significant impact on premiums, because the company has $150 million or less of coverage, and so is unlikely to drive capacity out of the marketplace. “It will probably cause some alarm among certain classes of buyers, but it’s within the range of what insurers expected to pay,” he said. Premiums remain elevated for companies in industries such as retail and healthcare, which have seen significant breaches in recent years. However, they likely will fall gradually as cybercriminals turn their sights to other industries. 
The broad downward pressure on premiums fundamentally stems from supply outweighing demand: the 65 insurers Advisen estimates plying the cyber-policy space are chasing after a relatively small pot of premiums, approximately $3.5 billion. Companies can take on upwards of $600 million in coverage, Mr. Bradford said, although brokers must cobble together that capacity using policies from numerous carriers. top

What could Equifax CLO John Kelley have done differently? (InsideCounsel, 11 Oct 2017) - John Kelley, CLO of Equifax, has found himself at the center of the controversy surrounding the recent massive data breach at the company. Former Equifax Inc. CEO Richard Smith spent much of last week testifying before Congress about the massive data breach that has affected some 145 million U.S. consumers. Many grilling Smith questioned the timeline following the discovery of the incursion and wondered how three Equifax executives were able to sell shares totaling close to $2 million just days later. The answers inevitably came back to the company’s chief legal officer, John Kelley III, who along with being in charge of security within the company, is responsible for approving share sales by Equifax executives. Parsing the decisions Kelley made in the aftermath of the breach raises some intriguing issues for the many in-house counsel who must grapple with cybersecurity threats and shows that the story of how Equifax responded to its recent breach is anything but simple. * * * [ Polley : interesting.] top

- and -

What cybersecurity standard will a judge use in Equifax breach suits? (Lawfare, 20 Oct 2017) - Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California’s federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016. Victims of the Equifax hack, which impacted millions more than initially reported, are filing dozens of lawsuits. And in another ruling last month, Koh upheld the right of a class of health insurance company Anthem’s data breach victims to sue for a recently revealed second breach, shortly after Anthem was ordered to pay $115 million to victims and credit-monitors after the first incident. We’ve previously described the role of theories of harm to victims, and the duty of care for companies, as courts iron out standards in data breach litigation. But what happens in court? What standards are judges applying for cybersecurity when deciding these lawsuits? What amount of cybersecurity would have been sufficient, in court if not in practice? In other words, we should assume that because a cybersecurity regime is a series of processes, and because no large-scale entity is impenetrable, breaches can and will happen, even when a company exercises care. So, what standard of care is acceptable? Especially in large-scale operations that hold potential for large scale breaches? The Equifax case may set the high-water mark of weak precautions and bungled incident-response plans, coupled with the intimacy of data and vastness of people affected. But what is the lower limit of acceptable standards for situations that are less clear? (Incidents like the Deloitte hack in September that compromised confidential emails of some of its blue-chip clients.) * * * [ Polley : interesting, and lengthy; ultimately (unsurprisingly) indeterminate; still, a useful exposition.] top

Australian court rules an unsent text message on phone of a deceased man as a valid will (Mashable, 11 Oct 2017) - An unsent message of a deceased man in Australia has been ruled as a valid will. It means he will leave his estate to his brother and nephew as opposed to his son and wife, with whom he apparently had a difficult relationship. The decision was handed down by a judge at the Supreme Court of Queensland, following no evidence of any other will created by the deceased man. The man, who tragically took his own life, was found with the phone by his widow in October 2016. The following day, a friend of the widow was asked to look through the deceased man’s contact list to see who should be notified of his death. It was there the unsent text message was found, and a screenshot was taken. “Dave Nic you and Jack keep all that I have house and superannuation, put my ashes in the back garden with Trish Julie will take her stuff only she’s ok gone back to her ex AGAIN I’m beaten. A bit of cash behind TV and a bit in the bank Cash card pin 3636 MRN190162Q 10/10/2016 My will,” read the text message. The widow, who contested the will, sought to rely on the fact that because the deceased man did not send the text message, he didn’t mean it. But the judge in this case, Justice Susan Brown, was satisfied the unsent text constituted a valid document and that the deceased man had made up his mind on where his property would go after his death, due to the words “my will” at the end of the message. Also noted by the judge was the contact between the deceased man, his brother and nephew, prior to his death, and that the text was written close to the date of his death. It was also deemed likely the deceased man intended for the message to be found with him. “In all of the circumstances I consider that the text message was intended by the deceased to operate as his will upon his death,” Brown said. top

Microsoft cloud can now host classified Pentagon data (NextGov, 17 Oct 2017) - Microsoft announced on Tuesday that the Defense Department can host secret classified data in its cloud. The announcement means the Defense Department, the military services, intelligence agencies and their industry partners working within secret enclaves can host classified data in Microsoft’s Azure Government Secret cloud, where they’ll have access to new technologies like machine learning. * * * Secret data is traditionally distributed through a system of computer networks managed by the Defense and State departments called the Secret Internet Protocol Router Network, or SIPRNet. Microsoft’s Azure Government Secret cloud can now host SIPRNet data. top

Federal judge unseals New York crime lab’s software for analyzing DNA evidence (ProPublica, 20 Oct 2017) - A federal judge this week unsealed the source code for a software program developed by New York City’s crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence. Judge Valerie Caproni of the Southern District of New York lifted a protective order in response to a motion by ProPublica, which argued that there was a public interest in disclosing the code. ProPublica has obtained the source code, known as the Forensic Statistical Tool, or FST, and published it on GitHub; two newly unredacted defense expert affidavits are also available. “Everybody who has been the subject of an FST report now gets to find out to what extent that was inaccurate,” said Christopher Flood, a defense lawyer who has sought access to the code for several years. “And I mean everybody - whether they pleaded guilty before trial, or whether it was presented to a jury, or whether their case was dismissed. Everybody has a right to know, and the public has a right to know.” Caproni’s ruling comes amid increased complaints by scientists and lawyers that flaws in the now-discontinued software program may have sent innocent people to prison. Similar legal fights for access to proprietary DNA analysis software are ongoing elsewhere in the U.S. At the same time, New York City policymakers are pushing for transparency for all of the city’s decision-making algorithms, from pre-trial risk assessments, to predictive policing systems, to methods of assigning students to high schools. top

Casetext now automatically ‘pushes’ legal research to attorneys (Bob Ambrogi, 23 Oct 2017) - The legal research company Casetext has introduced a feature that monitors an attorney’s litigation dockets for briefs and memoranda from opposing counsel and then automatically delivers a report of case law that is relevant but not included in the document. The feature uses Casetext’s legal research assistant CARA, an analytical tool that automatically finds cases that are relevant to a legal document but not cited in the document. The standard way to use CARA is for an attorney who has received a brief, memoranda or other legal document to upload it to CARA, and CARA then performs its analysis and generates a list of relevant cases that are not mentioned in the document. With this new feature, which Casetext is calling CARA Notifications, Casetext monitors all the PACER dockets in which an attorney has active matters. Whenever opposing counsel files a substantive document such as a brief or memorandum, Casetext retrieves the document, runs it through CARA, and delivers the report to the attorney. “Traditionally in legal research, an attorney gets a brief and then seeks out case law to oppose the brief,” Pablo Arredondo, chief legal research officer at Casetext, explained. “The closest thing there has been to push notification is that some research services let you track a case or track a search. What we’re doing now - and I believe we’re the first - is pushing the caselaw to oppose the brief automatically based on monitoring the dockets.” Seven firms have been using this feature on a pilot basis since Oct. 1, including Quinn Emanuel Urquhart & Sullivan, Ogletree Deakins, and Fenwick & West. The feature is being provided to them as part of their standard subscription, at no extra cost. Casetext is analyzing the text of docket entries and documents to determine which are substantive and which are not, so that it does not run routine filings through the analysis. 
It only analyzes documents filed by opposing sides in the case, so the attorney’s own filings are not automatically analyzed. (Of course, subscribers can always run their documents through CARA before they file them.) One early user called the service “anticipatory knowledge retrieval,” Arredondo said. top

MIT issues diplomas using the Bitcoin blockchain (Cryptocoins News, 23 Oct 2017) - The Massachusetts Institute of Technology (MIT) has begun a pilot program to test the benefits and challenges of using the bitcoin blockchain to issue diplomas. As MIT News reports, the pilot program began this summer and provided 111 MIT graduates with the option to receive their diplomas through a blockchain-reliant smartphone app called Blockcerts Wallet, in addition to the traditional hard-copy format. The Blockcerts app, which was developed by the MIT Media Lab in collaboration with Cambridge software company Learning Machine, generates a public-private key pair after a student downloads it and registers for the program. The app then sends the public key to MIT, which writes it into the digital record and adds a one-way hash of that record to the bitcoin blockchain. The app stores the user’s private key, enabling him or her to prove ownership of the diploma. The school says this “empower[s] students to be the curators of their own credentials.” top
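The flow described above has two separable checks: integrity (the diploma record hashes to a value the issuer anchored on a public ledger, so any edit to the record is detectable) and ownership (the presenter can sign a fresh challenge with the private key matching the public key embedded in the record). The following is an added example, not Blockcerts or MIT code, that models both checks end to end. It assumes Ed25519 keys (Blockcerts itself uses Bitcoin-style keys) and replaces the bitcoin blockchain with an in-memory append-only set of anchored hashes; the record layout and the field values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is a simplified diploma record (assumed shape; the real
// Blockcerts format is a JSON-LD document with many more fields).
type Credential struct {
	Issuer    string
	Recipient string
	Degree    string
	IssuedOn  string
	HolderPub ed25519.PublicKey // public key the holder's app sent to the issuer
}

// Bytes serialises the record deterministically so that its hash is stable.
func (c Credential) Bytes() []byte {
	return []byte(c.Issuer + "|" + c.Recipient + "|" + c.Degree + "|" +
		c.IssuedOn + "|" + hex.EncodeToString(c.HolderPub))
}

// Digest is the one-way hash the issuer anchors on the ledger. Only the hash
// is published, so the public ledger reveals nothing about the diploma itself.
func Digest(c Credential) string {
	sum := sha256.Sum256(c.Bytes())
	return hex.EncodeToString(sum[:])
}

// Ledger stands in for the blockchain: an append-only set of anchored hashes.
type Ledger struct{ anchored map[string]bool }

func NewLedger() *Ledger               { return &Ledger{anchored: map[string]bool{}} }
func (l *Ledger) Anchor(digest string) { l.anchored[digest] = true }
func (l *Ledger) Has(digest string) bool { return l.anchored[digest] }

// VerifyCredential is the integrity check: the record the holder presents
// must hash to a value that was actually anchored. Any edit changes the hash.
func VerifyCredential(l *Ledger, c Credential) bool {
	return l.Has(Digest(c))
}

// Nonce returns a fresh verifier-chosen challenge. A fixed challenge would
// let a recorded signature be replayed by someone who does not hold the key.
func Nonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// ProveOwnership is run on the holder's device: sign the challenge with the
// private key that never left the phone.
func ProveOwnership(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// VerifyOwnership checks the signature against the public key inside the
// anchored record, tying the person presenting the diploma to that record.
func VerifyOwnership(c Credential, nonce, sig []byte) bool {
	return ed25519.Verify(c.HolderPub, nonce, sig)
}

func main() {
	// Holder's app generates its key pair and sends only the public key.
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Credential{"Example Institute", "A. Student", "S.B.", "2017-06-09", holderPub}

	// Issuer writes the record and anchors its hash.
	ledger := NewLedger()
	ledger.Anchor(Digest(cred))

	// A verifier later checks integrity, then ownership via a fresh challenge.
	nonce, _ := Nonce()
	fmt.Println("credential anchored:", VerifyCredential(ledger, cred))
	fmt.Println("holder owns it:     ", VerifyOwnership(cred, nonce, ProveOwnership(holderPriv, nonce)))

	// Tampering with any field breaks the anchor ...
	forged := cred
	forged.Degree = "Ph.D."
	fmt.Println("forged anchored:    ", VerifyCredential(ledger, forged))

	// ... and a different key cannot prove ownership of the genuine record.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("impostor owns it:   ", VerifyOwnership(cred, nonce, ProveOwnership(otherPriv, nonce)))
}
```

Note what the ledger does and does not give you: it proves the record existed unchanged at anchoring time, but revocation (a rescinded degree) and the binding between the issuer's anchoring key and the real institution still have to come from outside the hash, which is why production credential systems publish issuer keys and revocation lists separately.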

Decision reversed: Mistake using file sharing site didn’t waive privilege (Ride the Lightning, 24 Oct 2017) - A case I wrote a post about in March of 2017 has now been reversed - to the relief of many lawyers, I’m sure. As Bloomberg BNA reported (sub. req.), the decision by a state magistrate judge in Harleysville Ins. Co. v. Holding Funeral Home, Inc. was reversed by a federal judge in Virginia on October 2nd. Thanks to Dave Ries for letting me know. The decision basically says that inadvertent disclosure of confidential materials through an error in using a file-sharing site didn’t waive a plaintiff’s attorney-client privilege and work product protection for those materials. The judge also found that defense counsel acted unethically by using the protected materials without notifying plaintiff’s counsel and seeking a court ruling on the waiver issue. The case represents a reminder that lawyers generally aren’t free to secretly exploit inadvertently disclosed materials even if they believe the disclosure waived any privilege claim. * * * top

DIFFERENT

Tenure-track Faculty Positions (MIT, 17 Oct 2017) - Tenure track faculty position; Program in Media Arts and Sciences/Media Lab: The MIT Media Lab seeks a new kind of early career faculty member, not defined by discipline, rather by his or her unique and iconoclastic experience, style and points of view. You can be a designer, inventor, scientist, scholar or other - any combination - as long as you make things that matter. Impact is key. This means somebody with at least these three sets of characteristics: (1) being deeply versed in a minimum of two fields, preferably not ones normally juxtaposed; (2) being an orthogonal and counter-intuitive thinker, even a misfit within normal structures; (3) having an adventurous personality, boundless optimism, and desire to change the world. Any disciplines apply as long as their confluence shows promise of solving big, hard and long-term problems. And, most importantly, candidates must explain why their work really can only be done at the Media Lab. We prefer candidates not be similar to our existing faculty. We welcome applicants who have never considered academic careers. Successful candidates will: establish and lead their own research group within the Media Lab; engage in collaborative projects with industrial sponsors and other Media Lab research groups; actively contribute to shaping the open and creative culture that defines our community; supervise masters and doctoral students; and participate in the Media Arts and Sciences academic program. Appointments will be within the Media Arts and Sciences academic program, principally at the Assistant Professor level. A doctorate is not necessary, but evidence of extreme creativity is. * * * [ Polley : I’d guess that every MIRLN reader wants this job. Pass it along.] top

RESOURCES

A tool to get your copyrights back (Lawrence Lessig, October 2017) - I was incredibly happy to read that Creative Commons and the Authors Alliance have released a tool (cool URL: rightsback.org) to enable authors to recover the rights they had transferred to someone else. This was a project started a decade ago. It was hard then. I am very proud they have delivered it now. Copyright is an incredibly interesting law of property, chock through with weird exceptions and protections. One of those protections is that a creator can get a second chance with his or her copyright. If you created something, and then transferred your copyright to someone else, even though the transfer might say “this is forever …” you have the right to get it back. But (surprise! surprise!) it turns out it is INCREDIBLY difficult to exercise that right properly. And many creators find it just way too difficult (read: expensive) to exercise the right. The tool that CC/AA have created tries to make it as simple as possible. The tool walks you through the steps necessary to determine whether you have a right, and when you need to file. The tool doesn’t do the transfer, but it does help you see whether you are entitled, and if you are, it simplifies the process of making that happen. The purpose of copyright law is to help creators. You wouldn’t know that by looking at the way the law actually works. But where the law clearly benefits creators, we should do whatever we can to support it. top

ABA Committee on Law and National Security launches national security podcast (ABA, 23 Oct 2017) - The ABA Committee on Law and National Security has created a new podcast called National Security Law Today. Hosted by committee members and staff, the podcast features legal experts discussing hot topics and current issues in the world of national security, as well as career advice for those looking to break into the field of national security law. Listeners will learn about the specific impact that national security law has on the legal, economic and business world outside the government. The theme for the first year is national security in private practice, focusing on laws and regulations that impact practitioners and their clients. Topics include State Department and Treasury Department sanctions, the Committee on Foreign Investment in the United States, the Foreign Agents Registration Act, export regulations, security clearances and litigation, international tribunals and prosecuting terrorist acts. New episodes air every other Thursday, and each one is approximately a half-hour long. The show is available online on the podcast website and you can find it for streaming or subscribing on iTunes, Stitcher, Soundcloud and TuneIn. Upcoming guests include: * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Judge: Man can’t be forced to divulge encryption passphrase (CNET, 14 Dec 2007) - A federal judge in Vermont has ruled that prosecutors can’t force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury’s subpoena that directed Sebastien Boucher to provide “any passwords” used with his Alienware laptop. “Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him,” the judge wrote in an order dated November 29 that went unnoticed until this week. “Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop.” Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled “Compelled Production of Plaintext and Keys.”) This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who’s now a law professor at George Washington University, shares this view. Kerr acknowledges that it’s a tough call, but says, “I tend to think Judge Niedermeier was wrong given the specific facts of this case.” top

E-mail from the grave? Microsoft seeks patent on ‘immortal computing’ (Seattle PI, 22 Jan 2007) - In this culture of instant information, some Microsoft Corp. researchers are pursuing a radical notion: the concept of saving messages for delivery in decades, centuries or more. The project, dubbed “immortal computing,” would let people store digital information in physical artifacts and other forms to be preserved and revealed to future generations, and maybe even to future civilizations. After all, when looking that far in the future, you never know who the end users might be. One scenario the researchers envision: People could store messages to descendants, information about their lives or interactive holograms of themselves for access by visitors at their tombstones or urns. And here’s where the notion of immortality really kicks in: The researchers say the artifacts could be symbolic representations of people, reflecting elements of their personalities. The systems might be set up to take action (e-mailing birthday greetings to people identified as grandchildren, for example). The previously undisclosed project came to light through a newly surfaced patent application in which the researchers explain some of the concepts they’re exploring. The project seeks to address the fact that large amounts of valuable information are stored on media with limited life spans, in formats that could be rendered obsolete. Consider how quickly floppy disks disappeared. But the researchers aren’t just thinking about the informational legacies of individuals. “Maybe we should start thinking as a civilization about creating our Rosetta stones now, along with lots of information, even going beyond personal memories into civilization memories,” said Eric Horvitz, a Microsoft principal researcher who also is working on the project. top


MIRLN—- 17 Sept - 7 Oct 2017 (v20.14)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | FUN | LOOKING BACK | NOTES

Future Navy accident investigations will look for cyber attacks (NextGov, 15 Sept 2017) - Rampant internet speculation aside, there’s no evidence yet that any hostile electronic breach led to recent U.S. Navy mishaps, according to the admiral who leads the service’s cyber operations. In fact, it was mostly to put such speculation to rest that Vice Adm. Jan Tighe said she dispatched a small team to join the Navy’s investigation into the Aug. 21 collision of the USS McCain with a cargo ship off Singapore. That accident followed a similar June 17 incident involving another destroyer, the USS Fitzgerald. Tighe said there’s no particular schedule for the team to complete its work. “Quite frankly, with respect to McCain, this is a ‘first of.’ We have a really hard time predicting a timeline,” she said. “It rather depends on what and if we find anything that looks suspicious and what and how we will go about determining whether it is, actually, suspicious or not. So, it could be weeks. It could be months. I don’t think it’s years.” But that’s part of the point. As Tighe’s investigators sniff around for evidence of meddling, they are trying to figure out where to look, whom to talk to, what angles to consider, and more. They are, in fact, pioneering a new kind of inquiry for the Navy. “Codifying how we will do these types of mishap investigations to account for a cyber component going forward is where we will learn from the results of the McCain investigation,” she said. Eventually, the Navy will “make it part of the normal process of how we do mishap investigations.” top

The alternate reality of prior art (Patently-O, 17 Sept 2017) - Thought pioneer Dan Abelow fits within an interesting designation. So far in 2017, his U.S. Patent Publication No. 2012/0069131 - mysteriously titled “Reality Alternate” - is the most frequently examiner-cited U.S. prior art reference. The document - now patented as U.S. Patent No. 9,183,560 - covers a method of providing “a portal for a user … to be present simultaneously in two or more different non-fictional alternate realities that are distinct from a non-fictional physical reality of the user.” [Here, I’m looking at Examiner citations rather than those submitted by Applicants] The Abelow document reads something like a science-fiction novel, defining a new Alternate Reality world both in terms of its incredible impact and technical specifications. From the abstract: Just as fiction authors have described alternate worlds in novels, this introduces an Alternate Reality-but provides it as technical innovation. This new Alternate Reality’s “world” is named the “Expandaverse” which is a conceptual alteration of the “Universe” name and a conceptual alteration of our current reality. Where our physical “Universe” is considered given and physically fixed, the Expandaverse provides a plurality of human created digital realities that includes a plurality of human created means that may be used simultaneously by individuals, groups, institutions and societies to expand the number and types of digital realities-and may be used to provide continuous expansions of a plurality of Alternate Realities. To create the Expandaverse current known technologies are reorganized and combined with new innovations to repurpose what they accomplish and deliver, collectively turning the Earth and near-space into the equivalent of one large, connected room (herein one or a plurality of “Shared Planetary Life Spaces” or SPLS) with a plurality of new possible human realities and living patterns that may be combined differently, directed differently and controlled differently than our current physical reality. In addition to being written in a way that draws diverse connections (helpful for obviousness conclusions), the reference is also 750 pages long! (The patentee paid an extra $4,000+ in filing costs for the extra page length). One of the best patent attorneys in the country - David Feigenbaum - filed this case and helped push it through to issuance. [Polley: Hmmmmmm… Snow Crash? Rainbow’s End?] top

Lawyers can accept payment in bitcoin, Nebraska ethics opinion says (ABA Journal, 18 Sept 2017) - Lawyers may accept payment in digital currencies such as bitcoin but must immediately convert the money into U.S. dollars, according to a Nebraska ethics advisory opinion. The opinion, issued Sept. 11, is the first by a state ethics body to address the ethics of bitcoin payments, the Norfolk Daily News and CoinDesk report. Nebraska lawyer Matt McKeever says he requested the opinion. Eastern Nebraska is a rapidly growing hub for payment processing and financial technology, McKeever told the Norfolk Daily News. Bitcoin ATMs are already in use in the area, and the currency is being used on a daily basis, he said. The ethics opinion by the Lawyer’s Advisory Committee says a growing number of law firms in other jurisdictions accept payments in bitcoin, a currency with volatile prices. In 2013, for example, the price fluctuated from about $7 per bitcoin to $1,200 per bitcoin. Immediate conversion to dollars mitigates the risk of volatility and possible unconscionable overpayment for legal services, the ethics opinion says. Lawyers who receive payment in digital currencies should take three steps, the opinion says. First, the lawyer should notify the client that the payment will be immediately converted to U.S. dollars. Second, the lawyer should make the conversion through a payment processor. Third, the lawyer should credit the client’s account at the time of payment. The opinion also says that lawyers who accept virtual currency “must be careful to see that this property they accept as payment is not contraband, does not reveal client secrets, and is not used in a money-laundering or tax avoidance scheme; because convertible virtual currencies can be associated with such mischief.” Lawyers may hold digital currencies in trust for clients after advising that the currency won’t be converted to U.S. dollars, but the currency must be held separate from the lawyer’s property and must be properly safeguarded, the ethics opinion says. There is no bank or FDIC insurance to reimburse a client for hacked bitcoin, so lawyers should take precautions such as encryption or use of more than one private key for access. top

World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns (Cory Doctorow on BoingBoing, 18 Sept 2017) - In July, the Director of the World Wide Web Consortium overruled dozens of members’ objections to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition. EFF appealed the decision, the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn’t think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec has given them everything they demanded. This is a bad day for the W3C: it’s the day it publishes a standard designed to control, rather than empower, web users. That standard was explicitly published without any protections; even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It’s the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium. EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. Below is our resignation letter: * * * top

Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE (SC Magazine, 18 Sept 2017) - Motel 6 employees in the Phoenix area who voluntarily and routinely handed guest registers to ICE officials without the benefit of a warrant may not have run afoul of the company’s privacy policy, but the hotel chain said it would take steps to shut down or prevent similar operations at its other properties nationwide. The Phoenix New Times last week quoted an employee at one of two Phoenix-area Motel 6 locations as saying, “every morning at about 5 o’clock we do the audit and push a button and it sends it to ICE,” prompting the American Civil Liberties Union (ACLU) to call out the motel chain on both Twitter and Facebook. “Is this your official company policy?” the ACLU tweeted. Motel 6 had said the Phoenix operation was orchestrated by locals and was shut down when corporate caught wind of it. “Moving forward, to help ensure that this does not occur again, we will be issuing a directive to every one of our more than 1,400 locations nationwide, making clear that they are prohibited from voluntarily providing daily guest lists to ICE,” according to a Motel 6 statement. “Additionally, to help ensure that our broader engagement with law enforcement is done in a manner that is respectful of our guests’ rights, we will be undertaking a comprehensive review of our current practices and then issue updated, company-wide guidelines.” top

New ABA book explores what makes cyber due diligence different (LegalTech, 18 Sept 2017) - Companies are now paying much closer attention to cybersecurity issues when involved in mergers and acquisitions. To help explain recent changes, the American Bar Association’s Business Law Section has published a new book, the “Guide to Cybersecurity Due Diligence in M&A Transactions.” It is edited by Thomas J. Smedinghoff, an attorney at Locke Lord, and Roland Trope, an attorney at Trope and Schramm. The 272-page book is broken down into 13 chapters that explore the importance of cybersecurity to due diligence and M&A, what acquirers should know, and how due diligence impacts a transaction. It also features an appendix that includes a listing of common U.S. data security laws and regulations. Among those working on the book were attorneys who specialize in corporate governance and cybersecurity. In explaining why the book came about, Trope told Legaltech News that “just a few years ago, cybersecurity due diligence was often ignored in M&A deals.” He cited one 2015 survey of global dealmakers by an international law firm that found that 78 percent of the respondents indicated that cybersecurity was not analyzed in great depth or specifically quantified as part of the M&A due diligence process. “In the past two years, however, there has been a significant shift toward recognizing the importance of cybersecurity due diligence in the context of M&A transactions,” he said. “Moreover, cybersecurity breaches have had a major impact on recent M&A transactions, further highlighting the need to address this important issue.” Smedinghoff explained that, in the M&A process, cybersecurity due diligence is similar to due diligence on any other topic, such as finance. “It seeks to determine the state or status of cybersecurity preparedness of the target company,” he told Legaltech News. He further highlighted some important questions that companies may want to address: * * * [Polley: In a related vein, the Second Edition of the ABA’s bestselling Cybersecurity Handbook will come out in early November; a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A limited number of pre-publication copies are available to the press; contact me for information.] top