MIRLN --- 27 May - 16 June 2018 (v21.08)

by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)




Register now for the upcoming ABACLE webinar series “Cybersecurity Wake-Up Call: The Business You Save May Be Your Own”. This 5-part series starts June 27 (with ethics CLE credit!), followed by other episodes in July, August, September, and October. Each episode parses related parts of the best-selling “ABA Cybersecurity Legal Handbook”. For more information, visit ambar.org/cyberwakeup to register. The “colleagues” discount is 15% - use code FACMARK at checkout. Get 20% off if you subscribe to the full series, along with a free e-copy of the handbook.


Law firm cybersecurity ‘an imperative’ as clients make demands clear (Law.com, 21 May 2018) - As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort. Legal software company Aderant this month released its second “Business of Law and Legal Technology” survey, which showed general optimism among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern. Pennsylvania law firms are grappling with the issue - and the cost - along with the rest of the industry. Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers’ cybersecurity efforts as an afterthought. Devin Chwastyk, chair of the privacy and data security group at McNees Wallace & Nurick, said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements. “Every RFP now requires us to disclose how we protect confidential information,” said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said. Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work. “Cybersecurity as a line item has certainly become a bigger expense for us,” Chwastyk said. “That was inevitable regardless of client demands.”

- and -

The law firm cybersecurity audit grows up (Law.com, 29 May 2018) - A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients’ sensitive information. But they didn’t come to this realization entirely on their own. Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm. * * * But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm. Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. “Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year,” says Paul Greenwood, chief information officer at Clifford Chance. Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. “It’s more of an engagement than a point-in-time audit,” says Robert Kerr, chief information officer at Cooley. “It used to be a check-the-box type of exercise; now it’s an interactive exercise where they seek clarifications.” And often, these audits will get into the weeds.
Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have “gotten more granular, they’ve gotten more specific in terms of the information they are trying to glean from their business partners, including law firms.” The details that clients usually ask from a law firm will vary, but oftentimes will focus around the technical minutiae of their data security. “The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them,” says Andrea Markstrom, chief information officer at Blank Rome. This means that, at a minimum, modern law firms need to hold “routine and regular scans of vulnerabilities in their systems,” Don adds. But demanding and detailed audits, even yearly, may not be enough in today’s cyberthreat world. “The other thing that I think we’re seeing more of is these one-off, what I call ‘diligence inquiries’ around high risk vulnerabilities,” Don says, pointing to “Spectre” and “Meltdown” microprocessor vulnerabilities that were disclosed in January 2018 as examples. Such inquiries come “outside the questionnaire process,” he explains, and may encompass several questions about the firm’s susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they’ve addressed a particular vulnerability.

Pentagon cracks down on personal mobile devices (FCW, 23 May 2018) - The Defense Department is cracking down on personal mobile devices inside secure areas of the Pentagon. Under a new policy memo released May 22, DOD personnel, contractors and visitors to the building and supporting facilities in Arlington County, Va., are restricted from having mobile devices in areas designated or accredited for “processing, handling, or discussion of classified information.” Personal and unclassified government-issued mobile devices are prohibited in secure spaces but may be used in common areas. Government-issued unclassified devices being used as desktop replacements must have approved “interim mitigations applied until replaced with compliant devices” within 180 days. Mitigations include disabling the camera, microphone and Wi-Fi settings. Government-issued classified mobile devices can continue to operate per previous authorization while exemptions are reviewed.

Chase Bank sues Landry’s for $20M over data breach (Houston Chronicle, 23 May 2018) - Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry’s failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach. Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry’s properties, including Bubba Gump, McCormick & Schmick’s, Rainforest Cafe and Saltgrass restaurants. In response, Landry’s hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption.

This Frida Kahlo digital collection is massive & free (Remezcle, 25 May 2018) - More than six decades after her death, there is still immense interest in Frida Kahlo. And a new retrospective will allow fans to learn more about the Mexican artist right from their homes. Google Arts & Culture has collaborated with 33 museums from seven countries across the world to bring us Faces of Frida, the largest collection of photographs, documents, and artworks associated with Kahlo. The collection promises to give us a multi-faceted look at the queer, feminist, and disabled icon. “It’s a true global effort,” said Jesús García, Google’s Head of Hispanic Communications, according to Forbes. “Frida’s name kept coming up as a top contender when we started to think of what artists would be the best to feature in a retrospective. There’s so much of her that was not known and could still be explored from an artistic perspective and life experience.” Excitingly, the collection gives us a look into items and artworks that have rarely been displayed, including a sketch Kahlo made of New York in 1932 for Mexican actress Dolores del Río. She sketched what she saw from the Barbizon Plaza Hotel. If you’ve also wanted to visit La Casa Azul, where she lived and worked, but haven’t had a chance, Google also has you covered. “This expertly curated online exhibition presents an intimate view of Frida Kahlo’s life and loves through her vibrant letters, candid photographs, and unpublished essays,” added Kate Haw, director of the Smithsonian Archives of American Art. “Through the story threads of these original records - a total of 54 rare documents drawn from our collections - we gain a deeper understanding of Frida’s relationships with historian Florence Arquin, artist Emmy Lou Packard, photographer Nickolas Muray, art collector Chester Dale, and writer John Weatherwax.” Enjoy it in its full glory here.

Four days into GDPR, US publishers are starting to feel the effects (Columbia Journalism Review, 29 May 2018) - For something that has been in the works for more than two years, the EU’s General Data Protection Regulation seemed to take at least some people by surprise when it went into effect May 25th - including more than a few publishers. And some warn the long-term effects of the regulations could be severe: Ad exchanges used by many news sites reportedly saw an immediate drop in demand of between 25 and 40 percent, and many believe this could help increase the dominance of platforms like Google and Facebook, since they are better prepared for the data-handling rules and have deeper pockets. When the new rules on how to handle user information went into effect, a number of news sites responded by simply shutting off access to anyone who appeared to be coming from a European address, and for many that continued to be the case right through the Memorial Day weekend. As of Monday, for example, several of the papers belonging to the tronc chain - including the Los Angeles Times and Chicago Tribune - were still showing EU visitors a message saying: “Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.” Other news sites such as USA Today’s responded to the new rules - under which multi-million-dollar fines can be issued for improper use of data - by removing some or all of the ad-related software that harvests information from users and tracks their behavior. According to one web engineer, the US version of the USA Today site was 5.5 megabytes in size and included more than 800 ad-related requests for information involving 188 different domains.
The EU version was less than half a megabyte in size and contained no third-party content at all, meaning it not only didn’t track as much data but also loaded much faster.

A trip to the ER with your phone may mean injury lawyer ads for weeks (ArsTechnica, 29 May 2018) - With digital traps in hospitals, there’s no need for personal injury lawyers to chase ambulances these days. Law firms are using geofencing in hospital emergency rooms to target advertisements to patients’ mobile devices as they seek medical care, according to Philadelphia public radio station WHYY. Geofencing can essentially create a digital perimeter around certain locations and target location-aware devices within the borders of those locations. Patients who unwittingly jump that digital fence may see targeted ads for more than a month, and on multiple devices, the outlet notes. While the reality may seem like a creepy nuisance to some, privacy experts are raising alarms. “Private medical information should not be exploited in this way,” Massachusetts Attorney General Maura Healey told WHYY. “Especially when it’s gathered secretly without a consumer’s knowledge - without knowledge or consent.” Last year, Healey’s office barred a digital firm from using geofencing in healthcare settings in the state after the firm was hired by a Christian pregnancy counseling and adoption agency to use digital perimeters to target ads to anyone who entered reproductive health facilities, including Planned Parenthood clinics. The goal was to make sure “abortion-minded women” saw certain ads on their mobile devices as they sat in waiting rooms. The ads had text such as “Pregnancy Help” or “You Have Choices,” which, if clicked, would direct them to information about abortion alternatives.

Cybersecurity: Why it matters in M&A transactions (Schonherr, 30 May 2018) - At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated. In light of the global threats that potentially could affect every business (“no one is safe”), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions. A recent regulation of the New York Department of Financial Services (“NYDFS”) now specifically addresses cybersecurity risks in M&A transactions. The NYDFS’s regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!’s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches. In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: “when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition.
Some important considerations include, but are not limited to, what business the acquired company engages in, the target company’s risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions.” Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents.

New data show substantial gains and evolution in internet use (NTIA, 6 June 2018) - The digital divide is showing signs of giving way as more Americans from all walks of life connect to the Internet. Several historically disadvantaged groups showed significant increases in online adoption, according to initial results from NTIA’s most recent survey on Internet use conducted by the U.S. Census Bureau. The survey, which was conducted in November 2017, reveals new contours of Americans’ Internet use. In 2017, more households had a mobile data plan than wired broadband service. Additionally, for the first time since NTIA began tracking use of different types of computing devices, tablets were more popular than desktop computers among Americans, and the number of people who used multiple types of devices also increased substantially. The data show that 78 percent of Americans ages 3 and older used the Internet as of November 2017, compared with 75 percent in July 2015, when our previous survey was conducted. This increase of 13.5 million users was driven by increased adoption among low-income families, seniors, African Americans, Hispanics, and other groups that have been less likely to go online. For example, among Americans living in households with family incomes below $25,000 per year, Internet use increased from 57 percent in 2015 to 62 percent in 2017, while households earning $100,000 or more showed no change during this period. While the trend is encouraging, low-income Americans are still significantly less likely to go online (see Figure 1).

Special counsel Robert Mueller’s team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs (Benton, 7 June 2018) - Apparently, special counsel Robert Mueller’s team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs and potentially view conversations between associates linked to President Donald Trump. Since as early as April, Mueller’s team has been asking witnesses in the Russia probe to turn over phones for agents to examine private conversations on WhatsApp, Confide, Signal and Dust, apparently. Fearing a subpoena, the witnesses have complied with the request and have given over their phones. While it’s unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren’t previously disclosed to them. [see also, Are any encrypted messaging apps fail-safe? Subjects of Mueller’s investigation are about to find out. (WaPo, 8 June 2018)]

FTC rebuked in LabMD case: What’s next for data security? (Wiley Rein, 7 June 2018) - On June 6, the U.S. Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD saga. As Wiley Rein attorneys recently explained in a webinar on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC’s authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency which was found to be so vague as to be unenforceable. The court did not address the key substantive questions: (1) First, in a data breach case, what type of consumer injury gives rise to “unfairness” under Section 5 of the FTC Act, an issue sometimes identified as the “informational injury” question? (2) Second, what type of notice is the FTC required to provide regarding reasonable data security measures? Despite its failure to answer these questions, the decision has implications for those issues and the agency’s overall approach to data security. In particular, the Eleventh Circuit’s decision was a rebuke to the agency’s remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC’s cease and desist order “mandates a complete overhaul of LabMD’s data-security program and says precious little about how this is to be accomplished.” According to three appeals court judges, “[t]his is a scheme that Congress could not have envisioned.” * * * [Polley: good analysis.]

Blockchain’s once-feared 51% attack is now becoming regular (Telegra.ph, 8 June 2018) - Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that’s perhaps the crypto equivalent of a bank heist. More surprising, though, may be that so-called 51% attacks are a well-known and dangerous cryptocurrency attack vector. While there have been some instances of such attacks working successfully in the past, they haven’t exactly been all that common. They’ve been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in crypto time) argument? It’s too costly and they wouldn’t get all that much money out of it. But that doesn’t seem to be the case anymore. NYU computer science researcher Joseph Bonneau released research last year featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment. One conclusion he drew? These attacks were likely to increase. And, it turns out he was right. [see also, Bitcoin’s price was artificially inflated, fueling skyrocketing value, researchers say (NYT, 13 June 2018)]

Not just corporate: Law firms too are struggling with GDPR compliance (Law.com, 11 June 2018) - Despite the yearslong build up to the EU’s General Data Protection Regulation (GDPR), which came into force on May 25, many organizations are still behind in their compliance efforts. And while much attention has been paid to corporations’ compliance shortcomings, a recent Wolters Kluwer survey found that law firms are also lagging in meeting GDPR mandates. Conducted among 74 medium (26-100 staff members) to large (100-plus) law firms, the survey found that only 47 percent of law firms said they were “fully prepared” to meet the GDPR’s requirements. While 16 percent said they were “somewhat prepared,” more than a third, 37 percent, said they have not prepared specifically for the GDPR at all. Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. “Many of the law firms kind of half expected that there would be a delay, and they wouldn’t have had to solve the problem by May 25,” he said. However, Ader noted that the lack of preparation was also a sign that “law firms just don’t have the necessary skills, people, and budget to figure out how to handle GDPR.” Indeed, law firms are in a unique situation when it comes to the GDPR, given that many not only have to ensure their own firm’s compliance while also managing and directing their clients’ GDPR compliance efforts. Such “double duty” is forcing some firms to staff up and overextend their attorneys. Yet even with added staff and hours, firms can find it challenging to meet GDPR demands. London-based Squire Patton Boggs partner Ann LaFrance, for example, told The American Lawyer that hiring cannot keep up with the wide-ranging compliance needs of their clients.
“It still isn’t enough, and there isn’t enough experience out there.” Still, while firms may have a lot of GDPR preparation to do, 60 percent had already assigned a point person, consultant or team to spearhead GDPR compliance efforts, while 72 percent were investing in cybersecurity. What’s more, 43 percent assigned a data protection officer (DPO), though they were not required to under the regulation. Such a mandate only applies to companies classified as “data controllers” who determine the purposes for, and the means of, processing EU personal data. One area where many firms’ GDPR preparations lagged behind is with employee training. The survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Seventeen percent did not and had no plans to train at all. [Polley: Spotted by MIRLN reader Gordon Housworth]

On Facebook, a place for civil discussion (NYT, 12 June 2018) - In the run-up to the 2016 election, Russian trolls wielding ads and memes used Facebook as a tool to darken lines of division. More recently, one corner of Facebook has emerged in pursuit of the opposite: civil conversation, even among those who disagree. It has become part of Bethany Grace Howe’s morning routine, right alongside her yogurt and cup of tea. The New York Times’s Reader Center put out a call early last December inviting readers to apply to join a Facebook group where they could offer feedback on The Times’s coverage and talk about how the news affects them. Ms. Howe, 49 - a longtime media scholar, journalist and reader of The Times since she was 13 - was among the first 100 people chosen to join the group. “It was like, O.K., this is too good to be true,” she said. And it soon became clear that the group was a lot more than just a place to talk about the Gray Lady. “I joined because I thought I was going to learn a lot about The New York Times from the people who work at The Times,” Ms. Howe said. “What’s ended up happening is I’ve learned an amazing amount about this country by talking to the readers of The Times.” It has come to mean enough that she is now working to organize a real life meet-up of group members near her in Oregon, where she is a doctoral student of mass media studies examining questions of transgender identity and depictions in media. The Reader Center group is one of four Facebook groups that The Times has created since last spring. There’s NYT Australia, where the focus is Australia but the discussion regularly stretches wider, run by the journalists in The Times’s Australia bureau. There’s Now Read This, an online book club co-managed by The New York Times Book Review and “PBS Newshour” where members discuss a different book every month, guided in part by questions from the two news organizations.
And there’s The New York Times Podcast Club (which I help run), where podcast lovers can talk about what they’re listening to and Times employees select a show every week for discussion. These are different from The Times’s institutional Facebook page, or pages run by sections like Styles or Science, which you might follow to see their news articles show up in your feed. In these groups, people at The Times - and collaborators - guide discussions and often engage with group members. Administrators must approve people before they can join, and must sign off on individual posts, too. They can also delete comments or remove members if things get nasty or inappropriate.

Apple will update iOS to block police hacking tool (The Verge, 13 June 2018) - For months, police across the country have been using a device called a GrayKey to unlock dormant iPhones, using an undisclosed technique to sidestep Apple’s default disk encryption. The devices are currently in use in at least five states and five federal agencies, seen as a breakthrough in collecting evidence from encrypted devices. But according to a new Reuters report, Apple is planning to release a new feature to iOS that would make those devices useless in the majority of cases, potentially sparking a return to the encryption standoff between law enforcement and device manufacturers. Under the new feature, iPhones will cut off all communication through the USB port if they have not been unlocked in the past hour. Once the hour expires, the USB port can only be used to charge the device. The result will give police an extremely short window of time to deploy GrayKey devices successfully. According to a Malwarebytes report published in March, GrayKey works by installing some kind of low-level software through the iPhone’s Lightning port. After plugging into the GrayKey device briefly, the target iPhone will continue to run the GrayKey software on its own, displaying the device’s passcode on-screen between two hours and three days after the software was installed. While politically sensitive, the change will close off an entire class of attacks through the iPhone’s Lightning port, including attacks that copy GrayKey’s techniques. Apple described the change as a general security update rather than a response to law enforcement specifically.

Google adds federal data to college searches (Inside Higher Ed, 13 June 2018) - Search for a four-year college on Google, and you’ll now be presented with data on admission rates, graduation rates and tuition costs, in addition to the usual link to Wikipedia. Google said the addition of more information to college search results would make it easier for prospective students to choose the right institution for them. Writing in a blog post Tuesday, Jacob Schonberg, product manager for Google, said the process for finding information on colleges is “confusing” and that it is “not always clear what factors to consider and which pieces of information will be most useful for your decision.” Schonberg said Google used data from the U.S. Department of Education’s College Scorecard and Integrated Postsecondary Education Data System (IPEDS). Though IPEDS is one of the most comprehensive sources of data on four-year colleges, its numbers are often criticized for not being representative of student populations, particularly at open-access colleges, as IPEDS data tend to reflect only first-time, full-time students. In addition to data from IPEDS, Google has introduced new college-search features such as lists of notable alumni and suggestions for “similar colleges.”

How Firefox is using Pocket to try to build a better news feed than Facebook (The Verge, 13 June 2018) - On this week’s episode of Converge, Pocket founder and CEO Nate Weiner tells us why he sold his company to Mozilla, and how he’s working to build a better version of Facebook’s News Feed into the Firefox browser. Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, Weiner believes the company can show people the best of the web - in a personalized way - without building an all-knowing, Facebook-style profile of the user. “We’re testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla,” Weiner said. “It all happens on the client, inside the browser itself. There is this notion today… I feel like you saw it in the Zuckerberg hearings. It was like, ‘Oh, users. They will give us their data in return for a better experience.’ That’s the premise, right? And yes, you could do that. But we don’t feel like that is the required premise. There are ways to build these things where you don’t have to trade your life profile in order to actually get a good experience.” Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy. In a world where trust in social feeds has begun to collapse, Pocket offers a low-key but powerful alternative. And as Mozilla has integrated it deeper into Firefox, Pocket has become a significant source of traffic for some publishers, The Verge included. [Polley: I love Pocket.]

Free MOOCs face the music (Inside Higher Ed, 14 June 2018) - Massive open online courses got a little less open with edX’s recent announcement that it is introducing support fees for some of its MOOCs. Midway through an innocuous-looking blog post, Anant Agarwal, CEO of edX, said the nonprofit would be “moving away from our current model of offering virtually everything for free.” On May 3, edX began testing the introduction of a “modest support fee” that will “enable edX and partners to continue to invest in our global learning platform.” Adam Medros, edX COO and president, said in an interview that the support fee was just one option being explored to ensure the long-term sustainability of the MOOC provider. Previously edX users were able to take most of its courses at no cost, an option that edX calls “auditing” a course. Those who want a certificate to show they have completed a course typically pay between $50 and $300. Some options, such as edX’s MicroMasters programs, cost over $1,000. Now some users will be asked to pay a support fee, “from $9 up to some portion of the certification cost,” said Medros. The price of the support fee “will be aligned to the value and experience” that a course gives to a learner, said Medros, suggesting that the best courses will also be the most expensive. By introducing a support fee, Medros said, there is a possibility that completion rates may go up. “There is a lot of evidence showing that having some ‘skin in the game’ is beneficial in online learning,” said Medros. Medros did not say how many courses the support fee would be applied to, but he said it was edX’s intention that “some portion” of its content “will always be free.” He said edX had not decided which content will remain free and what proportion of the total catalog it will represent.

Beware of buying a competitor’s name to market your law practice (MyShingle.com, 14 June 2018) - Can lawyers use a competitor’s name as a keyword to market their own law practice? Although Google allows law firms to purchase competitors’ names as keywords, at least two states - North Carolina and South Carolina - forbid this practice, finding it inherently deceptive. By contrast, Florida and Texas allow lawyers to use keywords to advertise with the caveat that the ads must be designed so as not to trick consumers into thinking they are going to one firm’s website when they are instead led to another. But the bar regulations don’t much matter because increasingly, law firms whose names have been appropriated are suing competitors and winning. As the Daily Report Online reports, a Georgia court recently enjoined a Texas marketing firm called ELM from running ads for a law firm that used a rival firm’s trade name to draw traffic to the advertising firm’s site. Further compounding the confusion, the marketing company used photos of the rival firm’s site as background for the ads and included phone numbers to call centers where operators were instructed to use a generic greeting so that callers would believe that they had reached the rival firm’s answering service.


Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target’s data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.


(note: link-rot has affected about 50% of these original URLs)

CIA monitors YouTube for intelligence (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. “We’re looking at YouTube, which carries some unique and honest-to-goodness intelligence,” said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees’ Association last October. “We’re looking at chat rooms and things that didn’t exist five years ago, and trying to stay ahead. We have groups looking at what they call ‘Citizens Media’: people taking pictures with their cell phones and posting them on the Internet.” In November 2005, the OSC subsumed the CIA’s Foreign Broadcast Information Service, which housed the agency’s foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin’s remarks on his blog. “I found the speech interesting and thoughtful,” he said in an e-mail. “I would not have thought of YouTube as an obvious source of intelligence, but I think it’s a good sign that the Open Source Center is looking at it, and at other new media.”

Google, UN unveil project to map movement of refugees (SiliconValley.com, 8 April 2008) - Internet search giant Google Inc. unveiled a new feature Tuesday for its popular mapping programs that shines a spotlight on the movement of refugees around the world. The maps will aid humanitarian operations as well as help inform the public about the millions who have fled their homes because of violence or hardship, according to the office of the U.N. High Commissioner for Refugees, which is working with Google on the project. “All of the things that we do for refugees in the refugee camps around the world will become more visible,” U.N. Deputy High Commissioner for Refugees L. Craig Johnstone said at the launch in Geneva. Users can download Google Earth software to see satellite images of refugee hot spots such as Darfur, Iraq and Colombia. Information provided by the U.N. refugee agency explains where the refugees have come from and what problems they face. Google says more than 350 million people have already downloaded Google Earth. The software was launched three years ago and originally intended for highly realistic video games, but its use by rescuers during Hurricane Katrina led the company to reach out to governments and nonprofit organizations.