MIRLN—- 6-26 May 2018 (v21.07)

MIRLN—- 6-26 May 2018 (v21.07)—- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it’s already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about “reasonable” security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Working group releases draft protocol on cybersecurity in international arbitration (NY City Bar, 16 April 2018) - Stating that “nternational arbitration in the digital landscape warrants consideration of what constitutes reasonable cybersecurity measures to protect the information exchanged during the process,” a Working Group on Cybersecurity has released a Draft Cybersecurity Protocol for International Arbitration. The Working Group, consisting of the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association, presented the Draft Protocol at the ICCA Congress in Sydney, Australia, on April 15, local time. “International arbitration is not uniquely vulnerable to cyber breaches, but the stakes are often quite high,” said Mark Morril, an independent arbitrator who represents the New York City Bar Association along with independent arbitrator Stephanie Cohen and Lea Haber Kuck of Skadden Arps Slate Meagher & Flom LLP. “Like any sector that involves high value data, international transmissions and multiple actors, it will require strong security going forward.” * * * Ms. Cohen noted that the Protocol purposefully avoids specific cybersecurity recommendations. She said, “We considered but unanimously rejected the ‘one size fits all approach.’ The Protocol guides parties and arbitrators through a risk-based approach to determine reasonable cybersecurity measures that fit each individual matter.” [ Polley : see also, TDM Call for Papers: Special Issue on Cybersecurity in International Arbitration (TDM 18 Amy 2018); spotted by MIRLN reader Phil Ray - @philray66] top

Corporate America takes action as awareness of risk to key assets grows (Kilpatrick Townsend, 24 April 2018) - Continuing to respond to the ever-increasing targeted attacks on organizations’ most vital confidential information - their “knowledge assets” - Kilpatrick Townsend & Stockton and the Ponemon Institute released today their findings from The Second Annual Study on the Cybersecurity Risk to Knowledge Assets . The first study, Cybersecurity Risk to Knowledge Assets , was released in July 2016. top

Washington utility boosts security after Bitcoin mining moratorium (GT Magazine, 3 May 2018) - Bitcoin belligerence is on the rise, according to Chelan County PUD staff reports, prompting a boost in employee safety and security measures that include bulletproof panels and security cameras at PUD headquarters. The reported bad behavior stems from two cryptocurrency-related groups - unauthorized miners whose power has been disconnected and high-density load service applicants denied because of the current moratorium. “PUD employees in the field and those in the office who are handling issues related to high-density load service have encountered an increasing number of upset customers and potential customers,” said PUD spokeswoman Kimberlee Craig. “In some cases people can get agitated and argumentative. Our goal always is to provide excellent customer service, as well as to keep customers, the public and employees safe, especially when emotions may be running high.” None of the incidents have escalated to the point of calling law enforcement, she said. “The volume of requests and the sense of urgency by applicants has changed the dynamics of the interaction by staff with the cryptocurrency customers,” she said. As a result, staff is taking some proactive steps, which PUD Security Director Rich Hyatt outlined for commissioners on Monday. The increase in tension follows steps taken to put the brakes on blockchain operations that use specialized computer equipment and require a large amount of electricity, running continuously, which can put a strain on the system. The PUD commissioners in March declared an emergency moratorium on new high-density load hookups to give staff time to develop a plan for dealing with the demand for electricity from digital currency miners. The demand spiked when Bitcoin values topped $19,000 last fall. It’s now down to about $7,000, but still up from $500 in 2013. Staff also reported concerns about unauthorized bitcoin operators overloading the system, creating fire hazards and damaging power grid infrastructure. [ Polley : Remember 15 years ago or so when some employees were punished for unauthorized use of computer power (via screensavers like [email protected]) to solve computer problems for others (like folding proteins)? Some of these bitcoin apps sound like that, on steroids. See also, Cryptojacking campaign exploits Drupal bug, over 400 websites attacked (Threat Post, 7 May 2018)] top

The role of norms in internet security: Reputation and its limits (Lawfare, 8 May 2018) - Who maintains the security and stability of the internet-and how do they do it? It’s a simple question, but a difficult one to answer. Internet security, writ large, comprises a diverse set of social and technical tools and an equally diverse set of industry norms around mitigating and remediating abusive behavior. Those tools are developed and used by what I term operational security communities-groups of individuals, largely unaffiliated with governments, that do the day-to-day work of maintaining the security and stability of the internet. What these communities actually do, and the scope and nature of the challenges that they face, is often poorly understood, even among sophisticated state actors. But one of the key mechanisms on which operational security communities rely is a surprisingly familiar one: reputation. * * * [ Polley : Interesting. I’ve been involved with some international norms-development activities in the cyber-warfare arena, and the process is glacial.] top

Law firm data is catnip for hackers (Security Boulevard, 8 May 2018) - Dig into a law firm, and you’ll find secrets. Sometimes these secrets are mundane, like who’s getting divorced, or who’s getting cut out of the will. Sometimes, however, these secrets can shake nations and economies. Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm - which might be possibly the most unsafe place to hide it. Law firms may be extremely discrete when protecting their clients’ identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who’ve heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was: (1) running a version of WordPress that was 2 years out of date; (2) running a version of Drupal that was three years out of date; (3) running its web server on the same network as its mail server; (4) running its web server without a firewall; (5) running an out-of-date plugin known as “Revolution Slider,” which contained a file upload vulnerability that had been documented since 2014. This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What’s more troubling, however, is that Mossack Fonseca wasn’t a standout among law firms. Many if not most law firms have an equally bad security posture. [ see ANNOUNCEMENTS , above.] top

Important Fourth Circuit ruling on cell phone border searches (Orin Kerr on Volokh Conspiracy, 9 May 2018) - The Fourth Circuit handed down a significant ruling today in United States v. Kolsuz on how the Fourth Amendment applies to cell phone searches of cell phones seized at the border. Although the court ultimately affirmed the conviction based on the good-faith exception, the court also introduced a new and significant limit on border searches. Judge Pamela Harris penned the majority opinion, and Judge Wilkinson added a concurrence. There’s a lot going on in the opinion, and it merits a close read, but I’ll try to offer some highlights and commentary here. * * * [ Polley : Orin Kerr is THE expert on this area of the law in the US; his article is thorough, and interesting. See also, Fourth Circuit rules that suspicionless forensic searches of electronic devices at the border are unconstitutional (EFF, 9 May 2018)] top

- and -

Eleventh Circuit creates circuit split on cell phone border searches (Orin Kerr on Volokh Conspiracy, 23 May 2018) - The Eleventh Circuit has handed down an important new ruling on cell phone searches at the border, United States v. Touset . In an opinion by Judge William Pryor, the court disagrees with the Fourth Circuit and Ninth Circuit caselaw requiring suspicion to conduct a forensic search at the border. The basic issue in these cases is this: When the government seizes a computer or cell phone at the border, and they want to search it using forensic equipment, do they need some sort of suspicion that evidence or contraband is on the device? Or does the traditional border search exception (which ordinarily permits searches of property crossing the border without suspicion) apply? Regular readers of this blog have heard a lot about this question over the years. Just two weeks ago, I post on the Fourth Circuit’s May 9th ruling in United States v. Kolsuz , by Judge Pamela Harris, which required some kind of suspicion to conduct such a search. And I’ve blogged extensively about the Ninth Circuit’s en banc ruling from 2013 in United States v. Cotterman , authored by Judge Margaret McKeown, which required reasonable suspicion for forensic searches at the border. The new Eleventh Circuit decision disagrees with Kolsuz and Cotterman , arguing that no suspicion should be required for a forensic border search. * * * top

SEC not looking to file many cybersecurity cases, official says (BNA, 9 May 2018) - The SEC isn’t planning to make cybersecurity cases part of the “bread and butter” of its enforcement activity, despite its multimillion-dollar penalty against the former Yahoo! Inc. in a first-of-its-kind case in the space, a senior Securities and Exchange Commission official said May 9. The remarks by SEC Cyber Unit Chief Robert Cohen at an enforcement conference in New York came after Yahoo successor Altaba Inc. reached a $35 million settlement with the agency in April to resolve claims that it delayed telling investors about a massive data breach. Cohen didn’t rule out more SEC cases like the one against Yahoo. But, he said, the commission looks to bring cybersecurity cases in which the “facts are particularly bad and when the conduct really violates the statute very clearly.” Insider trading, market manipulation, and accounting fraud are the kinds of matters that will continue to populate a majority of the SEC’s case roster, Cohen said. “We’re not looking to bring dozens and dozens of cybersecurity cases every year,” he said at the conference organized by the Practising Law Institute. The agency in February issued new guidance on how to inform investors about cyber threats and breaches. The document stressed that companies should have procedures to notify company leaders and shareholders about cyberattacks. The SEC, however, doesn’t seek to “second-guess good-faith, reasonable decisions” on cybersecurity disclosure, Cohen said, echoing similar comments from other SEC officials. top

Alexa and Siri can hear this hidden command. You can’t. (NYT, 10 May 2018) - Many people have grown accustomed to talking to their smart devices, asking them to read a text, play a song or set an alarm. But someone else might be secretly talking to them, too. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple’s Siri, Amazon’s Alexa and Google’s Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors , wire money or buy stuff online - simply with music playing over the radio. A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website. This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon’s Echo speaker might hear an instruction to add something to your shopping list. top

IBM bans all removable storage, for all staff, everywhere (The Register, 10 May 2018) - IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g.,: USB, SD card, flash drive).” The advisory stated some pockets of IBM have had this policy for a while, but “over the next few weeks we are implementing this policy worldwide.” Big Blue’s doing this because “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised.” IBMers are advised to use Big Blue’s preferred sync ‘n’ share service to move data around. But the advisory also admitted that the move may be “disruptive for some.” She’s not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches. Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key. top

The Santa Clara Principles on transparency and accountability in content moderation (Benton Foundation, 10 May 2018) - The Santa Clara Principles offer guidance to internet platforms on how to provide users with meaningful due process when their posts are taken down or their accounts are suspended, and to help ensure that the enforcement of company content guidelines is fair, unbiased, and respectful of users’ free expression rights. The three principles urge companies to: (a) Publish the numbers of posts removed and accounts permanently or temporarily suspended due to violations of their content guidelines; (b) Provide clear notice to all users about what types of content are prohibited , and clear notice to each affected user about the reason for the removal of their content or the suspension of their account; and (c) Enable users to engage in a meaningful and timely appeals process for any content removals or account suspensions. top

Industry insight: Collaboration tools might be the next great security risk (PC Magazine, 14 May 2018) - Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it’s a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company’s most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private information outside of your organization. In other words, even if they’re being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network. Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sort of attacks that could happen via collaboration services and how businesses can protect themselves. top

20 years of the Laws of Cyberspace (Harvard, 16 May 2018) - It’s been two decades since Harvard Law School Professor Lawrence Lessig published “The Laws Of Cyberspace,” which, in the words of Professor Jonathan Zittrain, “imposed some structure over the creative chaos of what maybe was a field that we’d call cyberlaw.” Lessig’s groundbreaking paper describes four types of constraints that together regulate behavior - law, social norms, the market, and architecture - and argues that due to its special architecture, cyberspace is different from “real” space and thus subject to new possibilities for control by governments and other centers of power. “The world we are entering is not a world where freedom is assured,” Lessig wrote in 1998, but instead, “has the potential to be the most fully, and extensively, regulated space in our history.” On April 16, the Berkman Klein Center of Internet & Society hosted a special event commemorating the 20th anniversary of the publication of “The Laws of Cyberspace,” with Lessig, Harvard Law School Professors Ruth Okediji and Jonathan Zittrain , and Dr. Laura DeNardis of American University. The panelists reflected on the paper, and where the field of cyberlaw has taken us over the last two decades, and they considered how some of the concerns raised in 1998 might apply today. top

Do attorneys need mandatory technology CLEs? N.C. Bar says yes (Bloomberg, 21 May 2018) - Lawyers need technological expertise, whether to protect a client’s sensitive information, apply a data analytics tool during discovery, or simply to be adept at using a word processing program. But though lawyers are ethically bound to understand the technology they use to practice, only one state requires continuing legal education on technology. A new proposal would make North Carolina the second. The North Carolina State Bar later this year will ask the state’s high court to approve an amendment that would require attorneys to complete a one-hour class devoted to technology training, as part of their 12-hour annual CLE requirements. North Carolina would join Florida in requiring technology CLE credits. The Florida Supreme Court in 2016 amended the rules regulating the state bar to require that lawyers obtain three hours of technology CLE credits every three years, of the 33-hour total. The new CLE requirement is a step towards encouraging attorneys to stay current with technological advancements, academics told Bloomberg Law. “The change sends an important message: that lawyers need to understand how technology is affecting the delivery of legal services,” Andrew M. Perlman, dean of Suffolk University School of Law in Boston, told Bloomberg Law. Perlman is also chair of the American Bar Association’s Center for Innovation. top

Play-Doh smell trademarked (Lowering the Bar, 21 May 2018) - Bad news for those of you who currently emit a sweet, slightly musky, vanilla fragrance, with slight overtones of cherry, combined with the smell of a salted, wheat-based dough. You need to stop doing that immediately, because that particular smell has just been trademarked by the Hasbro Corporation . Hasbro announced on Friday that the trademark it claimed for the “iconic” Play-Doh scent had been officially recognized by the U.S. Patent and Trademark Office. That makes it one of only about a dozen scent trademarks that the PTO has recognized to date, including Verizon’s “flowery musk” store scent, the bubble-gum smell of Grendene jelly sandals, and the scent of strawberries with which Lactona toothbrushes are “impregnated.” Why so few trademarks, when there are so many smells? Well, it isn’t easy to trademark a smell, and the concept itself is a little controversial. The main problem seems to be the requirement that a trademarked feature be “nonfunctional,” designed to keep trademarks from limiting competition too much and probably also to keep them from overlapping with patents. This, ironically, means that the smell of a perfume cannot be trademarked, because the PTO considers that to be its function. It is possible to patent a scent molecule , as we have discussed here before. See ”’ Pretty Sure Stank Is Patented,’ Lawyer Claims-But It’s Complicated ,” Lowering the Bar (Oct. 18, 2017). But that too is rare. top

The Wayback Machine is deleting evidence of malware sold to stalkers (Motherboard, 22 May 2018) - The Internet Archive’s goal, according to its website, is “universal access to all knowledge.” As part of that mission, the non-profit runs the Wayback Machine , an online tool that anyone can use to digitally preserve a snapshot of a website. It provides an important public service, in that if a company tries to quietly change its policy, or perhaps a government tries to scrub a position from its website, the Wayback Machine can provide robust proof of the switch. But the Internet Archive has been purging its banks of content related to a company which marketed powerful malware for abusive partners to spy on their spouses . The news highlights the broader issue of the fragility of online archives, including those preserving information in the public interest. “Journalists and human rights defenders often rely on archiving services such as the Wayback Machine as tools to preserve evidence that might be key to demand accountability,” Claudio Guarnieri, a technologist at human rights charity Amnesty International, told Motherboard in an online chat. The company in question is FlexiSpy, a Thailand-based firm which offers desktop and mobile malware. The spyware can intercept phone calls, remotely turn on a device’s microphone and camera, steal emails and social media messages, as well as track a target’s GPS location. Previously, pages from FlexiSpy’s website saved to the Wayback Machine showed a customer survey, with over 50 percent of respondents saying they were interested in a spy phone product because they believe their partner may be cheating. That particular graphic was mentioned in a recent New York Times piece on the consumer spyware market. In another example, a Wayback Machine archive of FlexiSpy’s homepage showed one of the company’s catchphrases: “Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won’t.” Now, those pages are no longer on the Wayback Machine. Instead, when trying to view seemingly any page from FlexiSpy’s domain on the archiving service, the page reads “This URL has been excluded from the Wayback Machine.” (After Motherboard published a series of articles about the consumer spyware market, FlexiSpy purged its own website of content relating to illegal spying on spouses.) top

Privacy Policy (Writers HQ, 23 May 2018) - ” Wow has anyone ever read one of these? We have to have one of these dealios to explain how we comply with the GDPR (General Data Protection Regulation), the DPA (Data Protection Act) and the PECR (Privacy and Electronic Communications Regulations) because God knows there’s not enough actual interesting things in the world to read, you need to read 1,000 words of legalese nonsense that makes literally not one bit of difference to anyone, ever. Also we don’t really know what these things are. We’re just two under-heighted writers who thought we’d have a laugh and get other people writing with us. The best bit about the GDPR is that all this has to be “concise, transparent, intelligible and easily accessible” so hold on to your hats, motherf*&^ers, this is going to be the shortest, clearest and best freakin’ privacy policy you ever did see. So. Here we go… * * * [ Polley : Hilarious. And possibly compliant.] top

Take a look at your Twitter timeline 10 years ago (TechCrunch, 25 May 2018) - Here’s a fun thing for a Friday: go back and see what your Twitter timeline looked like 10 years ago. Twitter has pretty powerful search settings, but Andy Baio - of Kickstarter fame and more - did the heavy-lifting for us all by sharing a link that lets you look at your timeline exactly a decade ago, assuming you followed the same people. Try it here . (The search will work even if you didn’t have an account 10 years ago.) top

Thanks to Google, you can now view Frida Kahlo’s artwork from the comfort of your home (Mashable, 25 May 2018) - There’s nothing quite like going to a museum to view a retrospective of a renowned artist. But for those who cannot do so, Google’s offered up a neat solution. The Arts & Culture arm of the tech company has worked with museums and collections around the world to create an online exhibit dedicated to the life and art of Frida Kahlo. The exhibition is called ” Faces of Frida ,” and features Kahlo’s paintings, snippets of her diary , reimagined works , and editorial pieces exploring hidden meaning behind her paintings and her relationship to folk art . According to Forbes , there are 800 items in total, and the exhibit is a joint effort between 33 museums spanning 7 countries. top

RESOURCES

Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract : The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target’s data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Google begins blurring faces in street view (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant’s all-seeing digital camera eye. The technology uses a computer algorithm to scour Google’s image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy-both legal requirements and social norms-is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren’t eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver’s perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris. top

FBI’s net surveillance proposal raises privacy, legal concerns (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI’s Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let’s look at step 1 first. Issa suggested that Internet providers could get “consent from every single person who signed up to operate under their auspices” for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said “legislation has to be developed” for “some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt” it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic—akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising—plus additional processing to detect and thwart any “illegal activity.” “That’s very troubling,” said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. “It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law.” Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who “intentionally and without the consent of all parties to a confidential communication” conducts electronic surveillance shall be imprisoned for one year. (I say “probably illegal” because their exchange didn’t offer much in the way of details.) “I think there’s a substantial problem with what Mueller’s proposing,” said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. “He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn’t quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside.” top