MIRLN—- 28 Nov - 22 Dec 2018 (v21.16)

MIRLN—- 28 Nov - 22 Dec 2018 (v21.16)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Facebook’s New ‘Supreme Court’ Could Revolutionize Online Speech (Lawfare, 19 Nov 2018) - The Supreme Court of Facebook is about to become a reality. When Facebook CEO Mark Zuckerberg first mentioned the idea of an independent oversight body to determine the boundaries of acceptable speech on the platform-“almost like a Supreme Court,” he said-in an April 2018 interview with Vox , it sounded like an offhand musing. But on Nov. 15, responding to a New York Times article documenting how Facebook’s executives have dealt with the company’s scandal-ridden last few years, Zuckerberg published a blog post announcing that Facebook will “create a new way for people to appeal content decisions to an independent body, whose decisions would be transparent and binding.” Supreme Court of Facebook-like bodies will be piloted early next year in regions around the world, and the “court” proper is to be established by the end of 2019, he wrote. It is difficult to overstate the potential this has to transform understandings of online speech governance, international communication and even the very definition of “free speech.” Zuckerberg’s blog post literally asks more questions about the anticipated tribunal than it answers. (He writes, “Starting today, we’re beginning a consultation period to address the hardest questions, such as: how are members of the body selected? How do we ensure their independence from Facebook, but also their commitment to the principles they must uphold? How do people petition this body? How does the body pick which cases to hear from potentially millions of requests?”) But it’s worth unpacking the underlying ideas behind the proposal and the most difficult challenges that will need to be resolved in how it’s set up. top

Today in brighter crypto news: SEC says tokens are securities (TechCrunch, 21 Nov 2018) - Crypto news got a little boost last week after a dark month of crashes , stablecoins and birthdays . The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens. “Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties,” wrote Pamela Sawhney of the SEC. “These are the Commission’s first cases imposing civil penalties solely for ICO securities offering registration violations.” top

- and -

Ohio becomes the first state to accept bitcoin for tax payments (TechCrunch, 28 Nov 2018) - Starting Monday, businesses in Ohio will be able to pay their taxes in bitcoin - making the state that’s high in the middle and round on both ends the first in the nation to accept cryptocurrency officially. Companies that want to take part in the program simply need to go to OhioCrypto.com and register to pay in crypto whatever taxes their corporate hearts desire. It could be anything from cigarette sales taxes to employee withholding taxes, according to a report in The Wall Street Journal , which first noted the initiative. The brainchild of current Ohio state treasurer Josh Mandel, the bitcoin program is intended to be a signal of the state’s broader ambitions to remake itself in a more tech-friendly image. Already, Ohio has something of a technology hub forming in Columbus, home to one of the largest venture capital funds in the Midwest, Drive Capital . And Cleveland (the city once called “the mistake on the lake”) is trying to remake itself in cryptocurrency’s image with a new drive to rebrand the city as “Blockland.” top

Jury dismissed after Crown looks up jurors on LinkedIn (The Globe & Mail, 22 Nov 2018) - A prosecutor’s use of LinkedIn to conduct background checks on jurors is raising new questions about improper vetting after a second jury in a week was dismissed in Atlantic Canada over the issue. Both cases - a murder trial, and one of criminal negligence causing death - are now being tried by judge alone after the prosecution was obliged to drop its earlier objection to defence requests for such a trial. The newest instance came on Thursday in an important case in Nova Scotia - the first in that province under a federal Criminal Code provision drafted after the 1992 Westray methane explosion that killed 26 miners in Plymouth, N.S. Elie Hoyeck, the owner of an auto-repair shop, is charged with criminal negligence causing the death of an employee, Peter Kempton, in a 2013 vehicle fire. The 2004 “Westray law” says that anyone who directs another person in a task must take reasonable steps to ensure the person’s safety. The earlier instance was revealed in a ruling on Monday in a high-profile case in New Brunswick - the retrial of Dennis Oland, charged with second-degree murder of his wealthy father, Richard. He had been found guilty in 2015, but an appeal court set aside the conviction and ordered a new trial in 2016. A police officer conducted checks in a local police database with information on all police contacts (as a witness, complainant, or suspect), and did not share the information with Mr. Oland’s defence team. A judge dismissed the jury and declared a mistrial; a new trial started Tuesday. Vancouver lawyer Eric Gottardi, the past chair of the Canadian Bar Association’s criminal-justice section, said that even one or two such cases are concerning. “You have to think it’s like the tip of an iceberg just because of how unlikely it is that these practices would come to light,” he said in an interview. It is not a new area of law, and the message is clear to police and prosecutors about what they may and may not do. In 2012, the Supreme Court of Canada ruled that prosecutors and police must share with defence lawyers anything they find inadvertently when checking whether potential jurors have criminal records. It made a similar ruling in 1997. The idea is that the prosecution should not have an advantage over the defence, or interfere with jurors’ privacy. top

French tax officials to start digging through social media posts for expensive cars it thinks you can’t afford (TechDirt, 26 Nov 2018) - In a weird announcement threatening the commencement of pointless government monitoring, a French official says tax cheats will now be outed by their own selfies . (via Reason ): France’s tax administrators will start searching through social media accounts in early 2019, a pilot project in the fight against tax avoidance, Budget Minister Gerald Darmanin told weekly business TV show Capital. [...] “(The fiscal administration) will be able to see that if you have numerous pictures of yourself with a luxury car while you don’t have the means to own one, then maybe your cousin or your girlfriend has lent it to you… or maybe not,” Darmanin said. I guess French tax collectors will be scrolling through social media profiles with lists of tax dodgers and a keen appraiser’s eye. There may be several reasons people have expensive items showcased on social media, and not all of them will have anything to do with ill-gotten net gains. A very common internet pastime is presenting your life as more exciting, dynamic, and filled with material goods than it actually is. Photoshop may be involved . Some of what tax officials come across will be evidence of nothing more than self-esteem issues. top

Online dispute resolution bolstering access to justice (Lawyers Weekly/Australia, 27 Nov 2018) - Despite the reluctance many jurisdictions have about utilising tech in dispute resolution matters, the chair of Canada’s Civil Resolution Tribunal has shared how doing so has aided in the country’s access to justice crisis. Speaking to Lawyers Weekly ahead of her appearance at last week’s ODR: The State of the Art International Symposium, the tribunal’s chair Shannon Salter spoke about what has been described as the access to justice crisis and the need for the development of creative solutions to combat the problem. Ms Salter said this is what led Canada’s British Columbia to develop The Civil Resolution Tribunal (CRT) - Canada’s first online tribunal. * * * top

Pennsylvania Supreme Court recognizes Common Law duty to safeguard employees’ personal data (Nat’l Law Review, 27 Nov 2018) - The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees’ personal information stored on an internet-accessible computer. The court further held that Pennsylvania’s economic loss doctrine permits recovery for “purely pecuniary damages” on a negligence claim premised on a breach of such a duty. This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law. The court rejected the notion that it was creating a “new affirmative duty” under common law, and instead held that it was applying the “existing duty to a novel factual scenario.” The plaintiffs alleged that-as a condition of employment at UPMC-they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols. The court held that where an employer’s affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees’ personal information “against an unreasonable risk of harm arising out of [the employer’s data collection practices].” UPMC should have realized, the court concluded, that “a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal [its employees’] information; thus, the data breach was ‘within the scope of the risk created by’ UPMC.” As to the ‘duty’ element of the negligence claim, “the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees’] personal and financial information from that breach.” top

When the Internet Archive forgets (Gizmodo, 28 Nov 2018) - On the internet, there are certain institutions we have come to rely on daily to keep truth from becoming nebulous or elastic. Not necessarily in the way that something stupid like Verrit aspired to, but at least in confirming that you aren’t losing your mind, that an old post or article you remember reading did, in fact, actually exist. It can be as fleeting as using Google Cache to grab a quickly deleted tweet, but it can also be as involved as doing a deep dive of a now-dead site’s archive via the Wayback Machine. But what happens when an archive becomes less reliable, and arguably has legitimate reasons to bow to pressure and remove controversial archived material? A few weeks ago, while recording my podcast, the topic turned to the old blog written by The Ultimate Warrior, the late bodybuilder turned chiropractic student turned pro wrestler turned ranting conservative political speaker under his legal name of, yes, “Warrior.” As described by Deadspin’s Barry Petchesky in the aftermath of Warrior’s 2014 passing, he was “an insane dick,” spouting off in blogs and campus speeches about people with disabilities, gay people, New Orleans residents, and many others. But when I went looking for a specific blog post, I saw that the blogs were not just removed, the site itself was no longer in the Internet Archive, replaced by the error message: “This URL has been excluded from the Wayback Machine.” Apparently , Warrior’s site had been de-archived for months, not long after Rob Rousseau pored over it for a Vice Sports article on the hypocrisy of WWE using Warrior’s image for their Breast Cancer Awareness Month campaign. The campaign was all about getting women to “Unleash Your Warrior,” complete with an Ultimate Warrior motif , but since Warrior’s blogs included wishing death on a cancer-survivor, this wasn’t a good look. Rousseau was struck by how the archive was removed “almost immediately after my piece went up, like within that week,” he told Gizmodo. * * * top

GCHQ: We don’t tell tech companies about every software flaw (ZDnet, 29 Nov 2018) - The UK intelligence services has revealed how it chooses which security vulnerabilities to reveal to technology vendors—and which aren’t disclosed because the UK’s national interest is better served by what GCHQ describes as ‘retaining’ the knowledge. For the first time ever, GCHQ and its cyber arm the National Cyber Security Centre (NCSC) has revealed process that is used to determine if a vulnerability is disclosed or not disclosed when discovered. It ultimately means that sometimes GCHQ won’t tell a company if their software is vulnerable to cyber attacks and hacking if it’s deemed to be the better option for national security. When a previously unknown vulnerability is discovered, the default position is to disclose it—but if it serves the national interest, knowledge of the vulnerability may not be disclosed. GCHQ states that the decision to withhold vulnerabilities is not taken lightly and always involves ‘rigorous assessment’ by a panel of experts from GCHQ, the NCSC and the Ministry of Defence. top

- and -

Principles for a more informed exceptional access debate (Lawfare, 29 Nov 2018) - This is part of a series of essays from the Crypto 2018 Workshop on Encryption and Surveillance. In any discussion of cyber security, details matter. Unfortunately, it’s the details that are missing from the discussion around lawful access to commodity end-to-end encrypted services and devices (often called the “going dark” problem). Without details, the problem is debated as a purely academic abstraction concerning security, liberty, and the role of government. There is a better way that doesn’t involve, on one side, various governments, and on the other side lawyers, philosophers, and vendors’ PR departments continuing to shout at each other. If we can get all parties to look at some actual detail, some practices and proposals-without asking anyone to compromise on things they fundamentally believe in-we might get somewhere. As commodity technology starts to really drive the evolution of our daily lives and more of our personal data, our industry and our economy is on the internet, we will repeatedly run into challenges of how to explain complex and subtle technical concepts to non-experts. That’s likely to cover everything from how the internet economy could affect personal privacy through how the mass of data our smart stuff will be generating affects national security to how agencies charged with public protection can do their job in a way that meets the public’s expectation. To do that, we need to have open and honest conversations between experts that can inform the public debate about what’s right and we’ll need a framework in which to do that. We hope the U.K.‘s principles for access to encrypted services may help start that off. These are not intended as general principles for government access to data covering every case; and they do not address the ‘discovery’ problem around how governments establish which services and identities are being used by criminals and other valid targets. They’re specifically for mass-scale, commodity, end-to-end encrypted services, which today pose one of the toughest challenges for targeted lawful access to data and an apparent dichotomy around security. * * * top

Making a ransomware payment? It may now violate US sanctions (Bleeping Computer, 30 Nov 2018) - Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions. This week the Department of Justice unsealed a grand jury hackers allegedly responsible for the SamSam Ransomware . As part of this indictment, for the first time the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in the converting ransomware cryptocurrency payments to fiat currency. “While OFAC routinely provides identifiers for designated persons, today’s action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals” stated the Department of Treasury’s announcement . In this particular case, the cryptocurrency addresses are being attributed to Iran-based individuals named Ali Khorashadizadeh and Mohammad Ghorbaniyan who the U.S. government states have facilitated the exchange of ransomware payments into Iranian Rial. The addresses attributed to these individuals are 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and contain a combined total of 5,901 bitcoins. At the current prices of bitcoins this is equivalent to over $23 million USD. top

Secret Service announces test of face recognition system around White House (ACLU, 4 Dec 2018) - In yet another step toward the normalization of facial recognition as a blanket security measure, last week the Department of Homeland Security published details of a U.S. Secret Service plan to test the use of facial recognition in and around the White House. According to the document , the Secret Service will test whether its system can identify certain volunteer staff members by scanning video feeds from existing cameras “from two separate locations on the White House Complex, and will include images of individuals passing by on public streets and parks adjacent to the White House Complex.” The ultimate goal seems to be to give the Secret Service the ability to track “subjects of interest” in public spaces. top

The sneaky fight to give cable lines free speech rights (Susan Crawford, Wired, 4 Dec 2018) - It seems counterintuitive that a phone line could be a “speaker.” But the cable industry very much wants to ensure that the act of transmitting speech from Point A to Point B is protected by the First Amendment, so that making a cable connection carry any speech it isn’t interested in amounts to unconstitutional “forced speech.” The addition of Justice Brett Kavanaugh to the Supreme Court roster gives the industry a significant boost. In a 2017 DC Circuit dissenting opinion , Justice Kavanaugh made it clear that he supports giving internet access providers “speaker” privileges, saying that “the First Amendment bars the Government from restricting the editorial discretion of Internet service providers.” top

Cybersecurity: Who’s fessed up to a “Material Weakness?” (The CorporateCounsel.net, 6 Dec 2018) - The SEC’s recent Cyber 21(a) Report highlighted cybersecurity internal control shortcomings at 9 different companies. This Audit Analytics blog looks at which companies have disclosed a “material weakness” following a data breach. This excerpt says that not many have: The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies. Although we are unable to identify the companies, we were curious whether we can find similar cases. Using Audit Analytics’ cyber breaches dataset, we looked at recent examples & disclosures of companies that fell victims to the attacks described in the report. In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies’ internal controls. The blog also reviews the disclosures made by companies that determined a material weakness existed following a data breach. top

Four tips for law firms in responding to overreaching client audits (Law.com, 7 Dec 2018) - As you know, there can be a lot of effort on the law firm’s end in responding to these security inquiries. How do legal IT professionals identify scenarios where clients are overreaching reasonable bounds of information or action? In cases of overreaching, how should a firm respond to the client? These are all areas where law firms may struggle, as reputation among other clients, professional responsibility concerns, or even bar admittance could be on the line if managed poorly. Here are four tips to better enable your firm to handle these inquiries. * * * top

RESOURCES

Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer (UT’s Bobby Chesney, 4 Dec 2018) - Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. With support from the Hewlett Foundation, I’ve spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive “syllabus” document. Now, I’m back with version 2.0. . At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone-practitioner, lawyer, engineer, student, etc.-who wants to think deeply about the various substrands of this emergent field and how they relate to one another. top

- and -

Privacy and Security: A Pedagogic Cybersecurity Framework (Peter Swire, Oct 2018) - This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NBC offers wide online access for Beijing Olympics (Washington Post, 28 June 2008) - NBC is making more than 2,200 hours of live competition from Beijing available online, giving Olympic junkies more action than they could ever devour in a day. After barely tipping its toe in the digital world during past Olympics, the network will dive into the deep end: live blogging, 3,000 hours of highlights on demand, daily recaps and analysis and even fantasy league gaming. That’s in addition to the 1,400 hours of coverage planned on six television networks, more than the combined total of every previous Summer Olympics. NBC’s digital plans, however, have angered media outlets that worry the company is being heavy-handed in enforcing its rights to exclusive Olympic access. There’s been some brewing tension about the rights of other media organizations to cover the event; NBC paid $3.5 billion to the International Olympics Committee to televise the five Olympics through Beijing. Other TV networks have a limited window in which to show Olympics highlights, but no video of Olympic events is permitted to be shown on any Web site besides NBCOlympics.com. NBC has allowed video of Olympic trials events to be shown on other Web sites, but each site is required to link to NBCOlympics.com. All of that video must come down Aug. 7, the day before the Beijing Games start. That’s going to limit the ability of Swimming World magazine, which has a heavy online component, to offer material to its users, said Brent Rutemiller, the magazine’s publisher. He’s also upset that limits have been placed on where other organizations can interview athletes, and that they were extended to coaches and officials. top

Biglaw firm recruits on Facebook (ABA Journal, 26 August 2008) - Screen shot of firm’s Facebook page. Looking for a way to better promote itself to the next generation of lawyers, Curtis, Mallet-Prevost, Colt & Mosle has launched a Facebook page as part of its broader law school recruiting efforts. “We are pleased to be capitalizing on the popularity of the most widely used social networking site,” Nancy Delaney, a Curtis partner who is a member of the firm’s personnel committee, says in a release (PDF) about the page. “As a Firm, we recognized the power of this format of communication and the wide use being made of it by future lawyers.” As of this posting, the page had 32 fans. The page promotes the 178-year-old firm with historical information and the benefits of starting a career in New York. It also includes links to news, awards, policies and questions and answers about other office locations and on-campus schedules. On his LawSites blog, Robert Ambrogi posits that Curtis may be the first Am Law 200 firm to feature Facebook as a central recruiting tool. top