MIRLN—- 1-20 Jan 2018 (v21.01)

MIRLN—- 1-20 Jan 2018 (v21.01)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



  FERC proposes rule to expand cyber incident reporting (Fifth Domain, 28 Dec 2017) - The Federal Energy Regulatory Commission wants to expand cyber incident reporting requirements to include any time an adversary attempts to break into an energy company’s networks, rather than only those that compromise the company’s critical operations. “The proposed development of modified mandatory reporting requirements is intended to improve awareness of existing and future cyber security threats and potential vulnerabilities.” At the crux of the proposed rule is the question of what defines a “reportable cyber incident” in the energy industry. According to the current CIP reliability standards, a cyber incident must disrupt core processes in order to be considered critical. “Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity’s core activities are not subject to the current reporting requirements,” the proposed rule said. This definition may also leave out cyberattacks designed to steal information or create openings for a future, large scale hack, meaning that incident reports would not give early warning by recording that activity. The new rule was proposed after the Foundation for Resilient Societies filed a petition on January 13, 2017, that FERC institute a rule requiring an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System. top

- and -

SEC plans cybersecurity guidance refresh: What to expect (Data Breach Today, 29 Dec 2017) - The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors. The agency has indicated that it expects to refine guidance around how businesses disclose cybersecurity risks to investors as well as require insider trading programs to include blackout rules in the event that a suspected data breach gets discovered (see Report: SEC Plans Breach Reporting Guidance Refresh ). “Unfortunately, in the reality that we live in now, cyber breaches are going to be increasingly common, and this is in part why the SEC is so fully focused on cybersecurity,” says Matt Rossi, a former assistant chief litigation counsel to the SEC who’s now an attorney specializing in securities litigation and enforcement as well as data privacy at global law firm Mayer Brown. “Chairman [Jay] Clayton said it’s one of the greatest risks to the financial system right now.” Indeed, in September, Clayton signaled to a Senate banking committee that companies would be required to disclose more cybersecurity information to investors in a timely manner (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms ). His remarks, ironically, followed the SEC having failed to publicly disclose its own major breach for 16 months (see Hackers May Have Traded on Stolen SEC Data ). In November, meanwhile, William Hinman, the SEC’s director of corporation finance, signaled that the regulator’s cybersecurity guidance , first issued on Oct. 13, 2011, wouldn’t be overhauled but rather amended with some new requirements, such as how breach information gets disclosed internally and escalated to senior management (see Report: SEC Plans Breach Reporting Guidance Refresh ). With the refresh, Rossi says businesses should expect to have to disclose more cyber risks, refine their insider trading policies and prove that they’re taking information security seriously. top

Zero-width [fingerprinting] characters (Zach Aysan, 30 Dec 2017) - Journalists watch out-you may be unintentionally revealing sources. In early 2016 I realized that it was possible to use zero-width characters, like zero-width non-joiner or other zero-width characters like the zero-width space to fingerprint text. Even with just a single type of zero-width character the presence or non-presence of the non-visible character is enough bits to fingerprint even the shortest text. We’re​ not the​ same text, even though we look the same. We’re not the same​ text, even though we look the same. Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text. They’re often not even visible in contexts where software experts would expect them to be, like on a programming terminal. I also realized that it is possible to use homoglyph substitution (e.g., replacing the letter “a” with its Cyrillic counterpart, “а”), but I dismissed this as too easy to detect due to the differences in character rendering across fonts and systems. However, differences in dashes (en, em, and hyphens), quotes (straight vs curly), word spelling (color vs colour), and the number of spaces after sentence endings could probably go undetected due to their frequent use in real text. With increased effort, synonyms (huge vs large vs massive) can also be used, though it would require some manual setup because words lack single definitions (due to homonyms) and in some contexts would be easier to detect since differing word lengths may cause sentences to wrap differently across documents. * * * After discovering these techniques I shared them with some friends to try to help track down a cyber criminal which they thought might be an insider threat (it wasn’t, it was just a normal blackhat hacker). Then the White House started leaking like an old hose, so I continued to keep quiet. The reason I’m writing about this now is that it appears both homoglyph substitution and zero-width fingerprinting have been discovered by others, so journalists should be informed of the existence of these techniques. If your news organization has a pre-existing trove of documents it should be fairly straightforward to scan them for zero-width characters or mixed character encodings. Detecting synonym substitution would require multiple documents and some custom code, but should be fairly straightforward for an intermediately skilled data scientist or software developer with some time. top

This candidate for Congress will let his constituents decide how he votes (Fast Company, 2 Jan 2018) - Michael Allman is running for Congress as a Republican. But if his constituents lean left of him on a particular issue before Congress, that’s how Allman will vote. That’s because Allman is running on a direct democracy platform: For every issue, voters in his district will be able to use a blockchain-enabled website to securely log their opinions, and Allman will follow the will of the people. “Everyone thinks what’s happening in Washington, D.C., today is broken,” says Allman, former CEO of Southern California Gas, who is running for the 52nd district in San Diego County. “Nobody thinks it’s working. We can go into a hundred reasons why, but I’d summarize it with just one word: Partisanship. Everybody votes with the party on pretty much everything, and it’s a red versus blue, us versus them kind of attitude.” Allman has no background in politics, but has worked in the tech industry, and realized that the technology exists to make direct representation possible. Working with a tech company that had an existing platform, he created a custom website that will outline both sides of a general issue-for example, whether or not there should be more gun control laws-or a specific bill. Voters can read through the arguments on both sides, and read selected op-eds. The site can verify that someone is in a particular district and that they’re registered to vote, and then register their opinion confidentially. Of course, the success of the system will depend on participation-and even elections typically have low turnout (for midterm elections, turnout is only around 40%). But logging on to the online platform is easier than making it to a polling place, and for ongoing issues, people won’t have to vote by a particular deadline. Conceivably, if voters know that their participation could make a difference on an actual vote in Congress-and that impact is guaranteed, rather than making calls or sending emails to representatives-they may be more motivated to act. [ Polley : “Well, it seemed like a good idea at the time.”] top

DHS expands license plate dragnet, streams collections to us law enforcement agencies (TechDirt, 4 Jan 2018) - The DHS has provided the public with a Privacy Impact Assessment (PIA) on its use of license plate readers (LPRs). What the document shows is the DHS’s hasty abandonment of plans for a national license plate database had little impact on its ability to create a replacement national license plate database. The document deals with border areas primarily, but that shouldn’t lead inland drivers to believe they won’t be swept up in the collection. The DHS has multiple partners in its license plate gathering efforts , with the foremost beneficiary being the DEA, as Papers, Please! Reports: The latest so-called ” Privacy Impact Assessment ” (PIA) made public by the US Department of Homeland Security, ” CBP License Plate Reader Technology “, provides unsurprising but disturbing details about how the US government’s phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA . The CBP defines the border as anything within 100 miles of the country’s physical borders, which also include international airports. Consequently, more than 2/3rds of the nation’s population reside in the CBP’s so-called “Constitution-free zone.” The plate readers discussed in the PIA aren’t just the ones drivers and visitors might expect. While the CBP operates many of these at static locations at entry points, other LPRs are mounted on CBP vehicles or hidden in areas the CBP patrols. The addition of the DEA adds law enforcement to the mix. This means the DHS is intermingling its collection with existing law enforcement databases, allowing it to build an ad hoc national database without having to inform the public or hire a contractor to build one from the ground up. top

  - and -

  New CBP border device search policy still permits unconstitutional searches (EFF, 8 Jan 2018) - U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that’s full of loopholes and vague language and that continues to allow agents to violate travelers’ constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago , overall it doesn’t go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are. Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers’ rights in our border search lawsuit . Below is a legal analysis of some of the key features of the new policy. * * * top

  - and -

  Federal agencies may be regularly hiding surveillance methods in criminal cases (Reason, 9 Jan 2018) - The U.S. government uses secret evidence to build criminal cases, according to a report released today by Human Rights Watch. The report offers one of the most comprehensive looks yet at “parallel construction,” a tactic where federal law enforcement hides classified or sensitive methods from courts by building a parallel chain of evidence after the fact. The report shows that numerous federal law enforcement agencies send requests to local police to find reasons to perform traffic stops and searches on criminal suspects. Unless something goes wrong, defendants will never know the origins of the government’s case against them. The group notes that parallel construction raises several civil rights concerns, chiefly the right to a fair trial. “When you have parallel construction, you have defendants and even judges who don’t know how evidence was gathered and can’t challenge the constitutionality of that,” report author Sarah St. Vincent says. “What you have is very one-sided, where the government, on its own, is deciding what practices it thinks are legal.” The method was first revealed in a 2013 Reuters investigation , which detailed how the Special Operations Division, a secretive unit within the Drug Enforcement Administration (DEA), had been funneling surveillance tips to field agents and other agencies to build cases. Meanwhile, it trained agents to “recreate” evidence chains to keep classified methods hidden from defendants, judges, and even federal prosecutors. According to the Human Rights Watch report, the Special Operations Division’s activities were nicknamed “the dark side” and exiting agents were given Darth Vader keychains as tokens. DEA training slides that I obtained via a 2014 Freedom of Information Act request shed further light on how widespread the tactic is. The FOIA request also resulted in perhaps my favorite redaction that I have ever received: * * * [Polley: See also , How the government hides secret surveillance programs (Wired, 9 Jan 2018)] top

  Raising its bet on analytics, Littler adds first Chief Data Analytics Officer (American Lawyer, 9 Jan 2018) - By hiring Zev Eigen , a data scientist with a Ph.D. from the Massachusetts Institute of Technology, Littler Mendelson publicly placed its bet more than two years ago on the potential that data analytics would change the way law is practiced. Now the rapidly expanding global labor and employment giant is doubling down. Littler is poised to announce its hire of a chief data analytics officer, Aaron Crews , who will be tasked with managing the firm’s data capabilities and to help it roll out more technology-based products based on the ideas of the firm’s existing data scientists. Littler has already been tapping into the data it has collected for the past five-plus years through its Littler CaseSmart platform. One product spearheaded by Eigen is a prediction model for Equal Employment Opportunity Commission charges that Littler has used internally to gauge outcomes and prices for client matters. Last year the firm also began offering Equal Pay audits, which more than 100 clients have used to determine their risk of discrimination claims. Thomas Bender, co-president and co-managing partner at Littler , said there is an “endless horizon” for the possibilities on how data analytics can change the practice of law. Crews, a former Littler partner and electronic discovery counsel, re-joins the firm after having spent the past six months as general counsel and vice president of strategy at legal artificial intelligence company Text IQ , a position he discussed late last year with LegalTech News . Before that, Crews spent three years as a senior associate general counsel and global head of e-discovery at Wal-Mart Stores Inc. , having joined the retail giant from Littler in 2014. top

  Ninth Circuit doubles down: Violating a website’s terms of service is not a crime (EFF, 10 Jan 2018) - Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a website’s terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act . But some companies, like Oracle, turned to state computer crime statutes-in this case, California and Nevada-to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear-if it wasn’t clear already-that violating a corporate computer use policy is not a crime. Oracle v. Rimini involves Oracle’s terms of use prohibition on the use of automated methods to download support materials from the company’s website. Rimini, which provides Oracle clients with software support that competes with Oracle’s own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn’t rescind Rimini’s authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually-which would have seriously slowed down Rimini’s ability to service customers. Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statues, and the judge upheld that verdict-concluding that, under both statutes, violating a website’s terms of service counts as using a computer without authorization or permission. top

  Sedona Conference publishes the Sedona Conference Data Privacy Primer (Ride the Lightning, 11 Jan 2018) - On January 9 th , the Sedona Conference and its Working Group 11 on Data Security and Privacy (WG11) announced the publication of The Sedona Conference Data Privacy Primer . This final version contains several updates following thorough consideration of the public comments submitted between January and April 2017. WG11 developed the Data Privacy Primer to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance. You can download the publication without charge here . top

Inside Uber’s $100,000 payment to a hacker, and the fallout (NYT, 12 Jan 2018) - “Hello Joe,” read the November 2016 email from someone identifying himself as “John Doughs.” “I have found a major vulnerability in Uber.” The email appeared to be no different from other messages that Joe Sullivan, Uber’s chief security officer, and his team routinely received through the company’s “bug bounty” program, which pays hackers for reporting holes in the ride-hailing service’s systems, according to current and former Uber security employees. Yet the note and Uber’s eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for the company. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, the company’s chief executive since August, Dara Khosrowshahi, called it a “failure” that it had not notified people earlier. Mr. Sullivan and a security lawyer, Craig Clark, were fired. In the weeks since, Uber’s handling of the hacking has come under major scrutiny. Not only did Uber pay an outsize amount to the hacker, but it also did not disclose that it had briefly lost control of so much consumer and driver data until a year later. The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the United States attorney for Northern California has begun a criminal investigation into the matter. Most of all, the hacking and Uber’s response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law. [S]ince the fallout from Uber’s disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches. This account of Uber’s hacking and the company’s response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber’s security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident. * * * [ Polley : quite interesting] top

Science Fiction Writers of America accuse Internet Archive of piracy (Slashdot, 13 Jan 2018) - An anonymous reader writes: The “Open Library” project of the nonprofit Internet Archive has been scanning books and offering “loans” of DRM-protected versions for e-readers (which expire after the loan period expires). This week the Legal Affairs Committe of the Science Fiction Writers of America issued a new “Infringement Alert” on the practice , complaining that “an unreadable copy of the book is saved on users’ devices…and can be made readable by stripping DRM protection.” The objection, argues SFWA President Cat Rambo, is that “writers’ work is being scanned in and put up for access without notifying them… it is up to the individual writer whether or not their work should be made available in this way.” But the infringement alert takes the criticism even further. “We suspect that this is the world’s largest ongoing project of unremunerated digital distribution of entire in-copyright books.” The Digital Reader blog points out one great irony. ” The program initially launched in 2007 . It has been running for ten years, and the SFWA only just now noticed.” They add that SFWA’s tardiness “leaves critical legal issues unresolved.” “Remember, Google won the Google Books case, and had its scanning activities legalized as fair use ex post facto… n fact the Internet Archive has a stronger case than Google did; the latter had a commercial interest in its scans, while the Internet Archive is a non-profit out to serve the public good.” top

  China’s total information awareness: Second-order challenges (Lawfare, 16 Jan 2018) - Every day seems to bring a new article about China’s pervasive use of facial recognition technology. Both the New York Times and the Washington Post have reported how widely China is using this technology, collecting and storing video evidence from cameras on every street corner and road, at apartment building entrances, and in businesses, malls, transportation hubs, and public toilets. The Chinese government seeks to consolidate this information with people’s criminal and medical records, travel plans, online purchases, and comments on social media. China would link all of this information to every citizen’s identification card and face, forming one omnipotent database. Similarly, the Wall Street Journal produced a chilling long-form article tracking a journalist’s trip to Xinjiang province. The piece details not just the use of facial recognition software but also more intrusive steps such as the use of DNA collection, iris scanning, voice-pattern analysis, phone scanners, ID card swipes, and security checkpoints, all to further suppress unrest among the predominantly Muslim Uighur population. The piece frames life in Xinjiang as a forecast of what’s to come in China more broadly. These developments feel relatively distant, both geographically and as a matter of current U.S. domestic practice. Our government does not collect video feeds from cameras in public toilets and private apartment buildings. Nor does it possess a database containing every citizen’s photograph. Nevertheless, federal and local government agencies in the United States are increasing their use of facial recognition software at the border and in law enforcement contexts. There are a range of second-order questions that we should begin to think about as facial recognition software continues to improve and as its use expands, both within and beyond China’s borders. * * * [ Polley : Fascinating, and scary piece. TV’s The Prisoner , Person of Interest , Black Mirror, Electric Dreams - all looking more realistic.] top

Electronic device advisory for ABA mid-year meeting attendees (ABA, 16 Jan 2018) - Thousands of lawyers, judges and other legal professionals will cross international borders when attending the 2018 ABA Mid-Year Meeting in Vancouver, British Columbia, Canada. Each person leaving and reentering the United States is subject to inspection and search from both United States and Canadian officials. This paper has been prepared by the ABA Center for Professional Responsibility to update legal professionals about searches that U.S. Customs and Border Protection (“CBP”) agents might conduct when legal professionals cross an international border with electronic devices containing confidential client or judicial information. While the actual number of travelers whose electronic devices are subject to border inspection is relatively low, a possibility exists that electronic devices may be searched. Part I describes a new Directive, issued January 4, 2018, by the CBP. Part II summarizes the principal Model Rules of Professional Conduct legal professionals should consider. Part III offers a list of protective measures legal professionals may wish to take while planning their travel to the Mid-Year Meeting. [ Polley : See also , NY City Bar ” FORMAL OPINION 2017-5: An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information ” (25 July 2017)] top

Google’s art selfies aren’t available in Illinois. Here’s why. (Chicago Tribune, 17 Jan 2018) - The Google Arts & Culture app’s new feature seems to be everywhere as social media streams are flooded with photos of friends and the great works of art that resemble them - that is, nearly everywhere but Illinois. The state is one of two in the country where the Google app’s art selfie feature - which matches users’ uploaded selfies with portraits or faces depicted in works of art - is not available. Google won’t say why. But it’s likely because Illinois has one of the nation’s most strict laws on the use of biometrics, which include facial, fingerprint and iris scans. “They’re being overly cautious” by keeping the feature out of Illinois, said Christopher Dore, a partner at Chicago law firm Edelson, which has brought biometrics suits against tech companies including Facebook. Some Illinois residents are finding workarounds to discover their artwork look-alikes, sending selfies to out-of-state friends who will run their photo through the feature. * * * Texas is the only other state without access to the art selfies, and it, too, has a biometrics law. Illinois’ Biometric Information Privacy Act mandates that companies collecting such information obtain prior consent from consumers, detailing how they’ll use it and how long it will be kept. It also allows private citizens to sue, while other states have laws that let only the attorney general bring a lawsuit. top


Security Planner (recommended by Bruce Schneier, 21 Dec 2017) - Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It’s not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don’t see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date. top

U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040 (BeSpacific, 15 Jan 2018) - CRS report via FAS. “TRADOC Pamphlet 525-8- 6, The U.S. Army Concept for Cyberspace and Electronic Warfare Operations expands on the ideas presented in TRADOC Pamphlet 525-3- 1, The U.S. Army Operating Concept: Win in a Complex World (AOC). This document describes how the Army will operate in and through cyberspace and the electromagnetic spectrum and will fully integrate cyberspace, electronic warfare (EW), and electromagnetic spectrum operations as part of joint combined arms operations to meet future operational environment challenges. Cyberspace and EW operations provide commanders the ability to conduct simultaneous, linked maneuver in and through multiple domains, and to engage adversaries and populations where they live and operate. Cyberspace and EW operations provide commanders a full range of physical and virtual, as well as kinetic and non-kinetic, capabilities tailored into combinations that enhance the combat power of maneuver elements conducting joint combined operations. Th is concept serves as a foundation for developing future cyberspace and electronic warfare capabilities and helps Army leaders think clearly about future armed conflict, learn about the future through the Army’s campaign of learning, analyze future capability gaps and identify opportunities, and implement interim solutions to improve current and future force combat effectiveness..” top


(note: link-rot has affected about 50% of these original URLs)

NLRB rules on employee use of company email for union purposes (Faegre & Benson’s John Polley [yes, he’s my brother], 8 Jan 2008) - Ever since the advent of email in the workplace, employers have sought guidance about whether they may lawfully prohibit employees from using company email systems to solicit other employees to support a union. However, since most employers permit employees to use company email for at least some personal communications, the concern has been that prohibiting employee use of email for union solicitations would run afoul of nondiscrimination rules under the National Labor Relations Act. In Guard Publishing Company, 351 NLRB No. 70 (December 16, 2007), the National Labor Relations Board finally addressed these issues. In Guard Publishing Company, the NLRB held that an employer may prohibit employees from using a company-owned email system to solicit for “non-job-related reasons,” even if the employer had allowed employees to use the email system for various personal reasons such as giving away tickets or announcing the birth of a child. However, Guard Publishing, a 3-2 decision, was sharply divided along party lines, and the terms of office of two of the Board members in the majority (and one in the dissent) expired within days of the decision. Therefore, there is some real doubt about whether this decision will remain law when a new, full Board is constituted. There is also some doubt about whether portions of this decision will survive on appeal. top

IP addresses are personal data, EU regulator says (Washington Post, 22 Jan 2008) - IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said Monday. Germany’s data-protection commissioner, Peter Scharr, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law. Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, “then it has to be regarded as personal data.” His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address. Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people. These exceptions have not stopped the emergence of a host of “whois” Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it. Treating IP addresses as personal information would have implications for how search engines record data. Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years. A privacy advocate at the nonprofit Electronic Privacy Information Center said it was “absurd” for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations. “It’s one of the things that make computer people giggle,” the center’s executive director, Marc Rotenberg, said. “The more the companies know about you, the more commercial value is obtained.” Google’s global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used - and that was not enough to identify an individual user. top