MIRLN—- 29 July - 25 August 2018 (v21.11)

MIRLN—- 29 July - 25 August 2018 (v21.11)—- by Vince Polley and KnowConnect PLLC

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

South Carolina requires insurers to have plans safeguarding customer data (ABA Journal, 6 July 2018) - Less than a year from now, insurers doing business in South Carolina will be required to have a “comprehensive information security program” that protects consumer data. As of Jan. 1, 2019, insurers licensed in the state will be required to create and maintain data security standards based on an ongoing risk assessment, oversee third-party service providers, investigate breaches and notify regulators within 72 hours of a cyber event that affects more than 250 state residents. “It provides some consumer protection to further help safeguard that extremely important and private information,” said South Carolina Department of Insurance director Ray Farmer after the passage of the Insurance Data Security Act in May, according to the South Carolina Radio Network . “It requires insurance companies to beef up their data security.” * * * The law was based on model legislation created by the National Association of Insurance Commissioners, a standards setting body. The committee that drafted the legislation was chaired by Farmer. Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP, told Bloomberg BNA that insurers like the NAIC model because it will “ward off” a patchwork of different state-level laws. She said that Rhode Island is also considering a version of the legislation. In South Carolina, the law, including its notification requirement, goes into effect Jan. 1, 2019, and insurers will be required to provide written security plans to state regulators starting July 1, 2019. top

- and -

Cyber experts: Attacks inevitable, preparation for law firms essential (ABA Journal, 4 Aug 2018) - After the 9/11 attack on the United States, a national commission that analyzed the tragedy found that the country’s national security apparatus failed in two major regards: it showed a lack of imagination for the unthinkable and no unity in communication and cooperation to face the developing terrorist threat. Fast forward 17 years. A panel at the American Bar Association Annual Meeting in Chicago raised concerns Saturday that U.S. businesses—and law firms particularly—might be going down a similar pre-9/11 path by failing to comprehend the full threat, vulnerabilities and consequences of cyberattacks from around the globe. The program, Cybersecurity Wake Up Call: The Business You Save May Be Your Own , included two key players in the cybersecurity space during the Obama administration - Rajesh De, former general counsel of the National Security Agency, and Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate in the Department of Homeland Security. Also participating were lawyers Thomas Smedinghoff and moderator Ruth Hill Bro, both members of the ABA Cybersecurity Legal Task Force , which sponsored the 90-minute program. The consensus of the panel was that cyberattacks are inevitable, and that preparation for law firms was necessary not only to avoid the hardware issues but also post-attack consequences. A post-attack communications plan was essential, the panelists said. So is thorough due diligence and planning with vendors and others in the supply chain to avoid legal consequences after a breach. The panelists also explored legal issues related to payments and other issues dealing with “ransomware,” the concept of criminals shaking down businesses and others for money and bitcoins through cyber breaches. De noted this is a corporate governance issue, and that there should be a plan when an incident occurs on notifying authorities, deciding whether a payment should be made and how to communicate the situation to stakeholders, including governing boards. “It is always the disclosure issues that tend to trip people up,” said De, a partner at Mayer Brown in Washington, D.C. Bro, who co-chairs the task force which recently published a book, ” The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals ,” reminded the audience that cybersecurity “is a process not a product” requiring persistent vigilance and constant review. She touted the motto of the Boy Scouts: “Be prepared.” top

- and -

Ohio enacts law giving affirmative defense to businesses which beef up cybersecurity (Ride The Lightning, 8 Aug 2018) - Columbus Business First reported on August 3 rd that Ohio Governor John Kasich had signed into law a bill that aims to prod businesses to beef up security by giving companies something of a “safe harbor” if they voluntarily invest in better cybersecurity to protect customer information. The Ohio Data Protection Act provides an affirmative legal defense for companies that suffer a data breach who are then sued for not implementing reasonable security protocols. Eligible organizations may rely on conformity to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. To qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security and the resources available to the organization. This is a good recognition that one size does not fit all, but makes conforming to the safe harbor more difficult to establish. * * * top

- and -

NIST Small Business Cybersecurity Act becomes law (Security Week, 16 Aug 2018) - Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act ) into law on Tuesday (August 14, 2018). It requires NIST to “disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks.” The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980. Use of these resources by small businesses is voluntary. * * * Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. “This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain,” adds Dr. Bret Fund, founder and CEO at SecureSet. The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. * * * Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. “In fact,” suggests Anupam Sahai, Vice President of Product Management at Cavirin, “recent reports shows that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures.” top

5 lessons learned on data breach management after 2 months of GDPR: Friday is calling (Mayer Brown, 25 July 2018) - The GDPR mandates controllers and processors to have technical and organizational measures in place to ensure an appropriate level of security for personal data. They should have the ability to detect, address and report data breaches in a timely manner. Many internal procedures were drafted in anticipation of the entry into force of the GDPR. Now, two months after GDPR Day, here are five lessons learned from data breach management, as, yes, numerous personal data breaches have occurred since then, of which authorities were notified, in pretty significant numbers and in a variety of sectors. * * * [ Polley : Interesting; also notable for quickly conveying some useful lessons. More to come, I’m sure.] top

Welcome to the Quiet Skies (Boston Globe, 28 July 2018) - Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency. The previously undisclosed program, called “Quiet Skies,” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” according to a Transportation Security Administration bulletin in March. But some air marshals, in interviews and internal communications shared with the Globe, say the program has them tasked with shadowing travelers who appear to pose no real threat - a businesswoman who happened to have traveled through a Mideast hot spot, in one case; a Southwest Airlines flight attendant, in another; a fellow federal law enforcement officer, in a third. It is a time-consuming and costly assignment, they say, which saps their ability to do more vital law enforcement work. Already under Quiet Skies, thousands of unsuspecting Americans have been subjected to targeted airport and inflight surveillance, carried out by small teams of armed, undercover air marshals, government documents show. The teams document whether passengers fidget, use a computer, have a “jump” in their Adam’s apple or a “cold penetrating stare,” among other behaviors, according to the records. Air marshals note these observations - minute-by-minute - in two separate reports and send this information back to the TSA. All US citizens who enter the country are automatically screened for inclusion in Quiet Skies - their travel patterns and affiliations are checked and their names run against a terrorist watch list and other databases, according to agency documents. top

Fending off cyberattacks in international arbitration (NY Law Journal, 3 Aug 2018) - In the context of ever-escalating data breaches, international arbitration is not immune to cyberattacks. One widely reported cyberattack targeted the Permanent Court of Arbitration in The Hague (PCA) in July 2015, while the court was administering a hearing between the Philippines and China over disputed territorial waters in the South China Sea. During that arbitration, a malicious software originating in China targeted the PCA’s website, the Philippines Department of Justice, the law firm representing the Philippines in the arbitration, and anyone visiting a specific page of the PCA devoted to the dispute, allowing the hackers to access classified information. A similar cyberintrusion occurred in 2008 in the case of Libananco Holdings Co. v. Rep. of Turkey (ICSID Case No ARB/06/9) , where, in the course of a separate court-ordered money laundering investigation, the Turkish government intercepted privileged communications and materials that had been exchanged between Libananco and its counsel in connection with the arbitration. It is therefore of no surprise that international arbitration may become a prime target for cybercriminals. This is for various reasons. First , as a neutral forum for the resolution of complex international disputes, international arbitration often involves parties that are themselves prominent targets of cyberattacks such as multinational corporations, governments, state entities, and public figures. Second , in these types of disputes, digital discovery is the norm and inevitably involves the exchange of highly sensitive information such as trade secrets, business plans, and case strategy, which have the potential of influencing politics and moving financial markets. Third , the risk of exposure to cyberattacks is relatively high because of the way international arbitration is conducted. The information collected is typically organized in easily searchable data sets, such as pleadings, witness statements, expert reports, transcripts of hearings, and arbitral deliberation materials, including draft and final awards. Each fixed or portable device (computers, laptops, smartphones, tablets), cloud-based storage (file-sharing platforms, virtual data rooms), and courtroom technology (real-time translations, live e-transcripts, telepresence technologies) is a digital portal allowing for unauthorized access to arbitration-related materials. The fact that the information is hosted and exchanged by a variety of digitally interdependent players such as in-house and outside counsel, government officers and agencies, arbitral institutions and tribunals, experts and witnesses, and other custodians of large electronic information repositories only increases the likelihood that a data breach of one participant will impact all participants. The data custodians involved in the process also tend to sit in different jurisdictions and communicate through various means, including unencrypted email. Therefore, large amounts of information travel around the world in an unsecured way. Even larger amounts of information may be compromised if U.S.-style discovery takes place. top

Videorecording public servants in public (Volokh Conspiracy, 4 Aug 2018) - I think the federal circuit court decisions recognizing a right to videorecord in public places—decisions that have so far dealt with recording police officers—are correct: A right to speak must include some right to gather the information needed to speak (what is often labeled the “right to gather news”), and recording what government officials do in public places is important to be able to speak credibly about it. * * * But courts haven’t figured out how far this extends, especially when we get beyond recording the police. Here is an interesting 2017 opinion ( People v. Rivas ) from the New York intermediate appellate court; Rivas was convicted of fourth-degree stalking, which punishes anyone who “intentionally, and for no legitimate purpose, engages in a course of conduct directed at a specific person, and knows or reasonably should know that such conduct ... is likely to cause reasonable fear of material harm to the physical health, safety or property of such person,” and of first-degree harassment, which punishes anyone who “intentionally and repeatedly harasses another person by following such person in or about a public place or places or by engaging in a course of conduct or by repeatedly committing acts which places such person in reasonable fear of physical injury.” * * * top

Legal protection for ethical hackers (Ride The Lightning, 6 Aug 2018) - The Washington Post (sub. req.) reported on August 3 rd about a new project called Disclose.io which is dedicated to providing legal protection to ethical hackers. The site itself says disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. The project originated with the cybersecurity firm Bugcrowd and a University of California researcher. It aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization’s networks or software. The project offers companies, academic institutions or even government agencies a standard legal agreement they can post that fundamentally says that it’s okay to hack us if you do it in good faith. It tells ethical hackers that they won’t get sued or face criminal charges if they find a flaw on an organization’s systems and report it responsibly. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don’t contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities - sometimes to prevent an embarrassing flaw from being disclosed publicly. In one example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state’s election website. And boy oh boy, was that something that needed to be disclosed! Understandably, researchers are sometimes reluctant to report potentially serious security flaws because they fear the repercussions. Disclose.io offers a template with boilerplate language that spells out in plain terms what security researchers can and can’t do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced - anyone is free to use it or modify it. top

The Defense Department has produced the first tools for catching deepfakes (Technology Review, 7 Aug 2018) - The first forensics tools for catching revenge porn and fake news created with AI have been developed through a program run by the US Defense Department. Forensics experts have rushed to find ways of detecting videos synthesized and manipulated using machine learning because the technology makes it far easier to create convincing fake videos that could be used to sow disinformation or harass people. Video trickery involves using a machine-learning technique known as generative modeling, which lets a computer learn from real data before producing fake examples that are statistically similar. A recent twist on this involves having two neural networks, known as generative adversarial networks, work together to produce ever more convincing fakes. The tools for catching deepfakes were developed through a program-run by the US Defense Advanced Research Projects Agency (DARPA)-called Media Forensics . The program was created to automate existing forensics tools, but has recently turned its attention to AI-made forgery. “We’ve discovered subtle cues in current GAN-manipulated images and videos that allow us to detect the presence of alterations,” says Matthew Turek, who runs the Media Forensics program. top

SpiderOak’s Warrant Canary died (Bruce Schneier, 8 Aug 2018) - ” I have never quite trusted the idea of a warrant canary. But here it seems to have worked. (Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear is what we would expect if SpiderOak were being forced to comply with a US government request for personal data.)”

* * * which leads to the underlying Boing Boing story:

SpiderOak warrant canary to be replaced by ‘transparency report’ (Boing Boing, 6 August 2018) - SpiderOak is a cloud backup service with a warrant canary : a formal statement that assured users that the company and its operators had never been made to secretly cooperate with the government , law enforcement or other surveilling authority. The canary reportedly disappeared this weekend , then reappeared, along with a statement saying it was being replaced by a ” transparency report .”

* * * which leads to:

a 3 August tweet from @SpiderOak, that itself says ” the final version of the canary is available at spideroak.com/canary .” In turn, the slightly-convoluted canary includes this language: “On top of this, the canary’s effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users.” [ Polley : First, I’m struck by Schneier’s comment: suggests that canaries can work, if done carefully. Digging into the actual postings by SpiderOak on their Twitter feed suggests a fascinating back-story. Would have been fun being on that legal team. (Sorry for the recursive structure.)] top

Security flaws on Comcast’s login page exposed customers’ personal information (BuzzFeed, 8 Aug 2018) - Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider’s online customer portal made it easy for even an unsophisticated hacker to access this sensitive information. After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, “We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers’ security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report.” While Comcast has not found any foul play yet, its review is ongoing. top

The “Arrest and Alleged Charges No Longer Exist—as If It Never Happened” (Volokh Conspiracy, 8 Aug 2018) - Expungement laws let people who have been arrested-and often even ones who have been convicted-get their records removed from government databases, or sometimes sealed so that some government agencies can access them but the public can’t. There’s an interesting and important policy debate about whether this should happen, and when it should happen. But the expungement laws do not require private organizations, such as newspapers, to delete information about the arrest or conviction from their archives. (In a few places, they cover private databases of information, sometimes just ones that charge money to remove material from those database; that itself poses First Amendment problems, but those laws are sharply limited and don’t purport to cover newspapers.) Nor does an expungement make the original report of the arrest or conviction libelous; it may change what facts the government keeps in its files, or what facts the criminal justice system can later use about the arrest, but it doesn’t change reality of the original arrest, and it doesn’t bar people from keeping up articles about the arrest. Yet some lawyers’ demand letters, unsurprisingly, argue the contrary; here, for instance, is a letter sent in November by New York lawyer Gregg M. Sidoti to the Stillwater (Okla.) News Press about an expungement of a 19-year-old’s arrest for public intoxication. * * * top

GCs are flirting with the big four - but they remain wary (Corporate Counsel, 9 Aug 2018) - Within the past couple of months, Adobe Systems Inc . has taken a less traditional path in handling some of its corporate legal work overseas. The company has shifted some matters away from traditional international and regional law firms and hired one of the Big Four accounting firms to take on this work instead. What prompted the switch? According to Lisa Konie, senior director of legal operations for Adobe, it was primarily a predictable alternative fee arrangement . The San Jose, California-based software company pays the firm, which Konie declined to name, an annual fixed fee that depends on the country where the work is being done and the services being provided. “What I don’t think a lot of law firms appreciate is that we are held accountable to our CFO,” Konie said. “When I come in and tell my CFO that we have 75 percent accountability with billing I come off looking like a rock star.” While some companies, like Adobe, are on board with the Big Four, others are hanging back, despite the apparent advantages that these accounting behemoths have over traditional law firms, including more predictable and flexible pricing and Scrooge McDuck-sized bank vaults. Those who remain hesitant say they’re still waiting for the Big Four to prove that they offer a better alternative to the traditional firm model. top

Hack causes pacemakers to deliver life-threatening shocks (ArsTechnica, 9 Aug 2018) - Life-saving pacemakers manufactured by Medtronic don’t rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients’ lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer , a device doctors use to control pacemakers after they’re implanted in patients. Because updates for the programmer aren’t delivered over an encrypted HTTPS connection and firmware isn’t digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients. top

West Virginia to offer mobile blockchain voting app for overseas voters in November election (WaPo, 10 Aug 2018) - West Virginia will provide a mobile blockchain voting option, in addition to absentee ballots, for overseas military service members in elections this November, after receiving audit results this week from a pilot program. It will be the first state to offer this technology to improve voting accessibility for deployed members of the military and their families, according to West Virginia’s secretary of state. Eligible voters will be able to cast their ballots through a mobile application that uses blockchain technology , which stores data on a decentralized database, meaning there’s no owner, allowing for more transparent transactions. Information is stored publicly, but to ensure privacy, West Virginia voters’ personal information will remain anonymous. * * * West Virginia is offering blockchain ballots only to overseas military members, and state officials remain wary of advocating the technology for in-state voters or other state elections. “This is a solution to West Virginia’s problems [with overseas voters] specifically. We didn’t have the money to build a new system or buy a new one that’s already created,” Kersey said. “I don’t know if blockchain is the answer. It was just the answer we found here.” top

- and -

The World Bank is getting in on blockchain (CNN, 10 Aug 2018) - The international lender is planning to issue what it says is the world’s first global blockchain bond, a notable mainstream endorsement of the emerging technology. Blockchain is best known as the technology underpinning bitcoin and other cryptocurrencies. It serves as a digital record of financial transactions. The World Bank has hired Commonwealth Bank of Australia ( CBAUF ) to manage the bond , which is expected to raise as much as 100 million Australian dollars ($73 million). They have named it the “Blockchain Offered New Debt Instrument,” or “bond-i,” a nod to Sydney’s famous Bondi Beach. The World Bank follows German automaker Daimler, which used blockchain technology to issue a type of German bond in a pilot project last year. Blockchain could hugely streamline the process of issuing bonds, which has been heavily reliant on physical paperwork for the past 200 years, according to James Wall, a senior institutional banking executive at Commonwealth Bank. Moving the process to the blockchain could cut costs and speed up trading for both bond issuers and investors. top

Fax machines may be vulnerable to hackers, new report finds (WaPo, 13 Aug 2018) - The fax ma­chine is wide­ly con­sid­ered to be a di­no­saur of in­ter­of­fice com­mu­ni­ca­tions, but it may also pres­ent a vul­nera­ble point where hack­ers can in­fil­trate an or­gan­i­za­tion’s net­work, ac­cord­ing to a new re­port from Israel-based soft­ware com­pany Check Point. The com­pany said that the vul­ner­a­bil­i­ty was iden­ti­fied as a re­sult of re­search in­tend­ed to dis­cover po­ten­tial se­curi­ty risks, and not as the re­sult of any attack. Hack­ers can gain ac­cess to a net­work using the phone line con­nected to a fax ma­chine, which is of­ten con­nected to the rest of an or­gan­i­za­tion’s net­work. By send­ing an image file that con­tains ma­li­cious soft­ware over the phone line, hack­ers can take con­trol of the de­vice and ac­cess the rest of the net­work. The re­search­ers were able to do this using only a fax num­ber, which is of­ten wide­ly dis­tri­but­ed by or­gan­i­za­tions on busi­ness cards and websites. top

US court authorizes service by Twitter on WikiLeaks (Volokh Conspiracy, 13 Aug 2018) - Folkman is a leading expert on (among other things) international service of process, a technical but tremendously important field of civil procedure; read his post for more details on this issue, but here’s the introduction: The Democratic National Committee has obtained leave of court to serve process on Wikileaks via Twitter in its lawsuit against Russia, Wikileaks, Julian Assange and others. I have written previously about the FSIA [Foreign Sovereign Immunities Act] issue in the case and the issues about serving process on Mr. Assange in the Ecuadoran embassy in London. But serving process on Wikileaks poses difficulties, too. The DNC’s motion gives several reasons for seeking leave to serve process by Twitter rather than by a more traditional means. Wikileaks, it says, is an “organization of unknown structure” that has “more of a virtual than a physical presence.” It has post office boxes in California and in Australia, but it is unclear to the DNC whether Wikileaks uses them for business. Lawyers who have represented Wikileaks in prior US litigation have said they no longer represent the organization or are not authorized to accept service. And Wikileaks, or someone purporting to act on its behalf, does have an active Twitter presence…. [ Polley : see also DNC serves WikiLeaks with lawsuit via Twitter (CBS, 10 Aug 2018)] top

Hundreds of researchers from Harvard, Yale and Stanford were published in fake academic journals (Motherboard, 14 Aug 2018) - In the so-called ” post-truth era ,” science seems like one of the last bastions of objective knowledge, but what if science itself were to succumb to fake news? Over the past year, German journalist Svea Eckert and a small team of journalists went undercover to investigate a massive underground network of fake science journals and conferences. In the course of the investigation, which was chronicled in the documentary ” Inside the Fake Science Factory ,” the team analyzed over 175,000 articles published in predatory journals and found hundreds of papers from academics at leading institutions, as well as substantial amounts of research pushed by pharmaceutical corporations, tobacco companies, and others. Last year, one fake science institution run by a Turkish family was estimated to have earned over $4 million in revenue through conferences and journals. * * * top

Public utility’s recording of home energy consumption every 15 minutes is a “search,” Seventh Circuit rules (Orin Kerr on Volokh Conspiracy, 17 Aug 2018) - In a fascinating new decision, Naperville Smart Meter Awareness v. City of Naperville, the Seventh Circuit has held that a public utility commits a “search” of a home when it records every 15 minutes how much electricity the utility is providing the home, at least until the smart readers that enable this data collection come into general public use. At the same time, the court says, the utility’s search of the home is reasonable and therefore permitted without any cause or suspicion. The Seventh Circuit’s analysis relies on Carpenter v. United States for a significant step in its reasoning. Given that, the new decision is an interesting measure of where Fourth Amendment law may be going in the post- Carpenter era. * * * [ Polley : There’s much more here, and Prof. Kerr’s take on it is interesting, as always.] top

RESOURCES

Adler on Why Art Does Not Need Copyright - (MLPB, 1 Aug 2018) - Amy Adler, New York University School of Law, is publishing Why Art Does Not Need Copyright in volume 86 of the George Washington Law Review (2018). Here is the abstract: This Article explores the escalating battles between visual art and copyright law in order to upend the most basic assumptions on which copyright protection for visual art is grounded. It is a foundational premise of intellectual property law that copyright is necessary for the “progress” of the arts. This Article demonstrates that this premise is flatly wrong when it comes to visual art. United States courts and scholars have come to understand copyright law almost universally in utilitarian terms; by this account, the reason we grant copyright to authors is to give them economic incentives to create culturally valuable works. But legal scholars have failed to recognize that their paradigm makes no sense when applied to visual art, one of the highest profile and most hotly contested fields in intellectual property law. This is because scholars have failed to take into account the single most important value for participants in the art market: the norm of authenticity, which renders copyright law superfluous. The fundamental assumption of copyright law - that the copy poses a threat to creativity - is simply not true for visual art. By juxtaposing copyright theory with the reality of the art market, this Article shows why copyright law does not - and cannot - incentivize the creation of visual art. In fact, copyright law, rather than being necessary for art’s flourishing, actually impedes it. top

Twenty years of web scraping and the Computer Fraud and Abuse Act (BU Journal of Science and Technology Law, 14 Aug 2018) - Abstract: “Web scraping” is a ubiquitous technique for extracting data from the World Wide Web, done through a computer script that will send tailored queries to websites to retrieve specific pieces of content. The technique has proliferated under the ever-expanding shadow of the Computer Fraud and Abuse Act (CFAA), which, among other things, prohibits obtaining information from a computer by accessing the computer without authorization or exceeding one’s authorized access. Unsurprisingly, many litigants have now turned to the CFAA in attempt to police against unwanted web scraping. Yet despite the rise in both web scraping and lawsuits about web scraping, practical advice about the legality of web scraping is hard to come by, and rarely extends beyond a rough combination of “try not to get caught” and “talk to a lawyer.” Most often the legal status of scraping is characterized as something just shy of unknowable, or a matter entirely left to the whims of courts, plaintiffs, or prosecutors. Uncertainty does indeed exist in the caselaw, and may stem in part from how courts approach the act of web scraping on a technical level. In the way that courts describe the act of web scraping, they misstate some of the qualities of scraping to suggest that the technique is inherently more invasive or burdensome. The first goal of this piece is to clarify how web scrapers operate, and explain why one should not think of web scraping as being inherently more burdensome or invasive than humans browsing the web. The second goal of this piece is to more fully articulate how courts approach the all-important question of whether a web scraper accesses a website without authorization under the CFAA. I aim to suggest here that there is a fair amount of madness in the caselaw, but not without some method. Specifically, this piece breaks down the twenty years of web scraping litigation (and the sixty-one opinions that this litigation has generated) into four rough phases of thinking around the critical access question. The first runs through the first decade of scraping litigation, and is marked with cases that adopt an expansive interpretation of the CFAA, with the potential to extend to all scrapers so long as a website can point to some mechanism that signaled access was unauthorized. The second, starting in the late 2000s, was marked by a narrowing of the CFAA and a focus more on the code-based controls of scraping, a move that tended to benefit scrapers. In the third phase courts have receded back to a broad view of the CFAA, brought about by the development of a “revocation” theory of unauthorized access. And most recently, spurred in part by the same policy concerns that led courts to initially constrain the CFAA in the first place, courts have begun to rethink this result. The conclusion of this piece identifies the broader questions about the CFAA and web scraping that courts must contend with in order to bring more harmony and comprehension to this area of law. They include how to deal with conflicting instructions on authorization coming different channels on the same website, how the analysis should interact with existing technical protocols that regulate web scraping, including the Robots Exclusion Standard, and what other factors beyond the wishes of the website host should govern application of the CFAA to unwanted web scraping. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Offshore hosting firm Havenco lost at sea (The Register, 25 Nov 2008) - Controversial hosting provider HavenCo - which operated from the ‘nation’ of Sealand, an old naval fort off the coast of Suffolk which was declared a ‘sovereign principality’ by its quirky owner Roy Bates - has finally gone offline. As of last week, the HavenCo website is gone and the domain is now hosted outside the Sealand subnet. Founded in 2000 by Bates’ son and Michael with $1m in seed money, the company initially offered an everything goes-policy along with an offshore fat-pipe data haven. Child pornography, spamming and malicious hacking were strictly prohibited, but with no restrictions on copyright or intellectual property for data hosted on its servers, file-sharing certainly looked like a possibility. Many existing customers had left by 2003. With no investment backing bandwidth never materialised, and the location was vulnerable to DoS attacks. However, what probably scared most potential customers was the fact all internet connectivity went through the UK and that the UK claimed the platform was within its territorial waters. HavenCo was one of many failed business ventures in an attempt to profit from the world’s smallest country. A scheme to build a hotel and gambling complex never materalised. Since last year, the principality has been put up for sale. Last year, Swedish bittorrent search site The Pirate Bay said it was in negotiations with Prince Michael of Sealand about purchasing the principality to use it as a base for its own operations, but Bates declared he would never sell the micronation - currently priced at €750m - to a BitTorrent tracker. top

Ohio official sues e-voting vendor for lost votes (Computerworld, 8 August 2008) - Ohio Secretary of State Jennifer Brunner has filed a lawsuit against an electronic-voting machine vendor, saying the vendor should pay damages for dropped votes in the state’s March primary election. E-voting machines from Premier Election Solutions, formerly known as Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machine’s memory cards were uploaded to vote-counting servers, Brunner’s office said. Officials in Brunner’s office later discovered the dropped votes in other counties after voting officials in Butler County discovered about 150 dropped votes, said Jeff Ortega, Brunner’s assistant director of communications. Brunner’s lawsuit, filed in Franklin County Common Pleas Court in Ohio on Wednesday, is a counter claim to an earlier lawsuit filed by Premier. In May, Premier filed a lawsuit against Brunner’s office and Cuyahoga County, Ohio, seeking a judgment that Premier did not violate any contracts or warranties. Brunner’s lawsuit accuses Premier of not fulfilling its contracts with election officials. The lawsuit also alleges breach of warranty and fraud. Premier e-voting machines are used in half of Ohio’s 88 counties. Butler County officials discovered the dropped votes in post-election checks. That set off a statewide investigation, which found dropped votes in 11 other counties, according to information from Brunner’s office. Butler County officials sent letters to Premier on April 4 and 9, seeking an explanation for the dropped votes, and on May 16, Premier issued a report, suggesting human error or conflicts with antivirus software were to blame. Brunner and Butler County officials have suggested that the May report and a follow-up issued by Premier lacked evidence that antivirus software caused the problems. A Premier report on May 29 suggested counties disable antivirus software on vote-tabulation servers, but the servers had been certified in Ohio with the antivirus software installed, Brunner said. In December, Brunner’s office issued a report questioning the security of touch-screen e-voting machines like those sold by Premier. Machines from Premier and two other vendors had “critical security failures,” the report said. top