Saturday, October 27, 2018

MIRLN --- 7-27 Oct 2018 (v21.14)

NEWS

California bill bans bots during elections (SC Magazine, 3 Oct 2018) - A California bill that will ban the use of undeclared bots during elections is set to take effect on July 1, 2019, after Gov. Jerry Brown signed it into law Friday. "This bill would, with certain exceptions, make it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election," according to Senate Bill No. 1001.

- and -

California bans default passwords on any internet-connected device (Engadget, 5 Oct 2018) - In less than two years, anything that can connect to the internet will come with a unique password - that is, if it's produced or sold in California. The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address."
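As an added illustration (not code from the article or from the bill), here is what the two approaches the bill permits look like in firmware-side logic, in Python: a per-unit password drawn from a CSPRNG at manufacture, a first-boot gate that refuses normal service until the user replaces that password, and, for contrast, the "unique" password derived from the serial number that looks compliant but is predictable by anyone who learns the rule. The vendor prefix, the default-credential list, the minimum length and all names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed list of the hard-coded defaults the bill targets (assumption).
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"),
                  ("root", "root"), ("admin", "1234")}
MIN_LENGTH = 12  # assumed policy value


def weak_factory_password(serial: str) -> str:
    """Anti-pattern: 'unique' per unit but derived from the serial number,
    which is printed on the box and often exposed by discovery protocols.
    Anyone who learns the rule can compute every unit's password."""
    return "acme-" + serial[-6:]          # vendor prefix is an assumption


def factory_password(length: int = 16) -> str:
    """Compliant path 1: a per-unit password drawn from the OS CSPRNG at
    manufacture and printed on the unit's label; no unit's value reveals
    another unit's value."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Slow salted hash so the stored digest is not a recoverable secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class DeviceAuth:
    """Compliant path 2: the unit ships with a must-change flag, so the first
    successful login can do nothing but set a new password."""

    def __init__(self, username: str, factory_pw: str):
        self.username = username
        self.salt, self.digest = hash_password(factory_pw)
        self.must_change = True

    def _verify(self, username: str, password: str) -> bool:
        if username != self.username:
            return False
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)

    def login(self, username: str, password: str) -> str:
        if not self._verify(username, password):
            return "denied"
        return "change-password-required" if self.must_change else "ok"

    def set_password(self, username: str, old: str, new: str) -> bool:
        """Reject known defaults, short values and re-use of the old value."""
        if not self._verify(username, old):
            return False
        if (username, new) in KNOWN_DEFAULTS or len(new) < MIN_LENGTH or new == old:
            return False
        self.salt, self.digest = hash_password(new)
        self.must_change = False
        return True


if __name__ == "__main__":
    label_pw = factory_password()
    dev = DeviceAuth("admin", label_pw)
    print(dev.login("admin", label_pw))            # change-password-required
    print(dev.set_password("admin", label_pw, "admin"))   # False: a known default
    print(dev.set_password("admin", label_pw, "correct horse battery"))  # True
    print(dev.login("admin", "correct horse battery"))    # ok
```

The check a practitioner wants to run against a vendor's implementation is the contrast between the two generators: if two units' passwords can be predicted from labels or MAC addresses, the device has a "unique" password in name only.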

Microsoft to host the government's classified data early next year (NextGov, 9 Oct 2018) - Microsoft is making moves to target a growing multibillion market: hosting, storing and running the U.S. government's most sensitive classified secrets and data. On Tuesday, the software giant announced it will join rival Amazon as the only commercial cloud providers with the security capabilities to host secret classified data by the end of the first quarter of 2019. Microsoft's announcement comes days before the Pentagon will accept bids on its $10 billion Joint Enterprise Defense Infrastructure contract, which it will award to a single cloud service provider. The announcement doubles as a public declaration of Microsoft's intent to bid on the contract one day after Google pulled out of the competition in part because it can't meet the Pentagon's security requirements stipulated for JEDI quickly enough. Most experts consider Amazon Web Services the favorite to win the contract, in part because it operates the CIA's C2S Cloud, but Microsoft isn't pulling any punches. The company also announced its intent to meet additional security controls to host the government's data classified as top secret, which include the military and Defense Department's most sensitive information. The ability to host both secret and top secret data is a prerequisite to compete for JEDI.

Can lawyers ethically accept cryptocurrency? (Attorney at Work, 10 Oct 2018) - Several years back we added credit card billing to our options for client bill payment, including through an online secured platform. Our bill collection rates dramatically increased along with how fast a bill was paid with emailed invoices. It was great! We recently saw some companies accepting bitcoin and other cryptocurrencies as payment for goods and services. While we don't expect a high volume of clients to pay with this new "currency," we are thinking about offering it as an option. If nothing else, it shows we are keeping ahead of the curve on modern trends. Should we be pumping the brakes, or do we have the green light to accept cryptocurrency as payment? At first glance, it may seem like you would be in the clear to accept alternative payments for the legal services rendered. Why not, since you can accept nonmonetary items such as a goat for preparing a family's estate planning documents, so long as the goat was reasonable compensation for the legal services provided. Yes, I'm sure someone at some time bartered hooved animals for the services of an attorney and counselor at law. No? What ethics rules might be considered in how you are paid for your work? What makes cryptocurrency different from currency (or bovine for that matter)? At least one state bar has issued an advisory opinion on the topic of cryptocurrency as payment for legal services or otherwise being held for clients by a law firm. In Nebraska Ethics Advisory Opinion for Lawyers No. 17-03, the ethics committee concluded that attorneys "may receive and accept digital currencies such as bitcoin as payment for legal services" with some caveats. The leading concern with the often volatile cryptocurrency values comes in ensuring the fees being paid by a client are reasonable, as required by ABA Model Rule 1.5.
Bitcoin is one of the less volatile of these currencies, and still it has been known to have swings of 10 percent or greater occurring every few hours. As the opinion gives the example, "An arrangement for payment in bitcoin for attorney services could mean that the client pays $200 an hour in one month and $500 an hour the next month, which the client could very easily allege as unconscionable." The opinion suggests the following actions to mitigate the risk of volatility and possible unethical overpayment for services: * * *

New bots from DoNotPay include one that lets you sue in any small claims court at the press of a button (Robert Ambrogi, 10 Oct 2018) - DoNotPay, the company that created a chat bot to automatically appeal parking tickets, is today launching a series of legal and consumer-protection bots, in the form of an iOS app, that includes one that will enable individuals to file an action in any small claims court in the United States. In addition, DoNotPay is announcing that it has acquired Visabot, a service launched shortly after the election of Donald Trump to help individuals obtain visas and green cards. DoNotPay is relaunching Visabot and eliminating all fees for the service, which previously ranged from $110 to $150. The new small claims bot covers small claims courts in all 3,000 counties in all 50 states. There is no charge to use the product, so users keep 100 percent of anything they recover. Joshua Browder, the self-taught coder who founded DoNotPay as a 17-year-old in 2015, said the initial idea for this product came from an app he created in the wake of the Equifax breach to help people file small claims lawsuits against the credit rating company.

Microsoft makes its 60,000 patents open source to help Linux (The Verge, 10 Oct 2018) - Microsoft announced today that it's joining the Open Invention Network (OIN), an open-source patent group designed to help protect Linux from patent lawsuits. In essence, this makes the company's library of over 60,000 patents open source and available to OIN members, via ZDNet. OIN provides a license platform for Linux for around 2,400 companies - from individual developers to huge companies like Google and IBM - and all members get access to both OIN-owned patents and cross-licenses between other OIN licensees, royalty-free. Microsoft joining is a big step forward for both sides: OIN gets thousands of new patents from Microsoft, and Microsoft is really helping the open-source community that it has shunned in the past. As Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, commented in an interview to ZDNet, "We want to protect open-source projects from IP lawsuits, so we're opening our patent portfolio to the OIN." There are exceptions to what Microsoft is making available - specifically, Windows desktop and desktop application code, which makes sense for many reasons - but otherwise, Microsoft is going open source. And ultimately, that's a good thing for the whole developer community.

Amicus brief on burdens of proof for compelled decryption (Orin Kerr on Volokh Conspiracy, 11 Oct 2018) - I recently posted a draft article on the Fifth Amendment and compelled entering of passwords: Compelled Decryption and the Privilege Against Self-Incrimination. My article flagged but did not answer a closely-related question: What is the burden of proof to show a foregone conclusion when the government compels entering a password? Coincidentally, the Massachusetts Supreme Judicial Court happened to invite amicus briefs on this issue in a pending case shortly after I posted my draft. It's a question of first impression among state supreme courts and federal circuit courts, and it relates closely to the underlying Fifth Amendment standard. In for a penny, in for a pound, I say. So today I submitted an amicus brief on the proper burden of proof in compelled decryption cases. You can read my brief here: Amicus Brief of Professor Orin Kerr on Standards for Compelled Decryption Under the Fifth Amendment. It argues that the government's burden should be to prove by clear and convincing evidence, based on a totality of the circumstances, that the subject of the order knows the password.

Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets (ABA's BLT, 12 Oct 2018) - On June 14, 2018, Director William Hinman of the SEC's Division of Corporation Finance delivered a speech at the Yahoo! Finance All Markets Summit in San Francisco, during which he shared his view that current offer and sale of bitcoin and ether, the two most valuable and prominent digital assets today, does not constitute a securities transaction. Reiterating the facts-and-circumstances approach the SEC takes in applying securities laws to digital assets, Hinman admitted that the evolvement and the decentralized nature of digital assets could at some point render the application of securities laws requirements insensible and unnecessary. Hinman's speech is the first public statement from SEC leadership that offers clear assurance that certain types of digital assets are not within the purview of SEC regulations. The SEC has been following and monitoring the development of ICOs and digital assets closely. This article traces the series of SEC actions leading up to Hinman's speech and analyzes how the SEC's jurisprudence in this field has developed over time. * * *

- and -

SEC launches new strategic hub for innovation and financial technology (SEC, 18 Oct 2018) - The U.S. Securities and Exchange Commission today announced the launch of the agency's Strategic Hub for Innovation and Financial Technology (FinHub). The FinHub will serve as a resource for public engagement on the SEC's FinTech-related issues and initiatives, such as distributed ledger technology (including digital assets), automated investment advice, digital marketplace financing, and artificial intelligence/machine learning. The FinHub also replaces and builds on the work of several internal working groups at the SEC that have focused on similar issues. * * *

- and -

Cybersecurity: Fortune 100 disclosure practices (TheCorporateCounsel.net, 23 Oct 2018) - The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued disclosure guidance earlier this year & recently turned its attention to internal control implications of cybersecurity lapses. But are companies getting the message? This recent EY report provides some clues on the disclosure front. It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some key findings: * * *

Federal court ruling in Georgia shows judges have a role to play in election security (Lawfare, 12 Oct 2018) - In the wake of Russia's interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election. Former Homeland Security Secretary Jeh Johnson and the Senate intelligence committee each say there is no evidence that the Russians did so. But as technologist Matt Blaze told the New York Times, that's "less comforting than it might sound at first glance, because we haven't looked very hard." And experts agree that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade. Last month, the U.S. District Court for the Northern District of Georgia recognized that the risk of election hacking is of constitutional significance - and that courts can do something about it. In Curling v. Kemp, two groups of Georgia voters contend that Georgia's old paperless voting machines are so unreliable that they compromise the plaintiffs' constitutional right to vote. In ruling on the voters' motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits - in other words, Georgia's insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system.

Real estate lawyers have become big "phish" for cyberfraudsters (Attorney at Work, 12 Oct 2018) - Cyberfraud is a major issue in any industry, but especially in real estate where property transactions can net a hacker hundreds of thousands of dollars in a single wire diversion. Attorneys who practice real estate law and their clients have become prime targets for hackers. According to published FBI data, $969 million was diverted or attempted to be diverted to "criminally controlled" accounts in real estate transactions in fiscal year 2017. Compare that with 2016, when comparable real estate wire transfer frauds amounted to just $19 million. * * * It's extremely difficult to recover funds that have been wired to a fraudulent account, though not impossible. Those who realize the mistake immediately have a better chance. As is the case with many things in life, prevention is the best tactic. Here are ways to lower the risk of real estate cyberfraud. * * *
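The diversions described above almost always begin with an e-mail that changes wiring instructions late in a closing. As an added example (not from the article, whose prevention list is elided here), the following Python triage checks the signals a closing office can test mechanically before anyone acts on such a message: whether the sender's domain is on the closing's counterparty list, whether it is a look-alike of one (edit distance of two or less), whether Reply-To points somewhere other than From, and whether the body is changing previously issued instructions. The two messages, the trusted-domain list and the keyword patterns are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed allow-list: the parties permitted to send wiring or payoff
# instructions for this closing (assumption for the example).
TRUSTED_DOMAINS = frozenset({"firsttitleescrow.com", "lenderbank.com"})

WIRE_WORDS = re.compile(
    r"\b(wir(e|ing) instructions?|routing|account number|updated bank)\b", re.I)
CHANGE_WORDS = re.compile(
    r"\b(updated|new|changed)\b.{0,40}\b(wire|wiring|account)", re.I)


def _domain(addr_header: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(addr_header)[1].rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains signal a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, if any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and _edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw: str) -> List[str]:
    """Return findings for a raw RFC 822 message; empty list means no flag."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    if not WIRE_WORDS.search(msg.get("Subject", "") + "\n" + body):
        return []  # not about moving money; out of scope for these rules
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", msg.get("From", "")))
    if from_dom not in TRUSTED_DOMAINS:
        findings.append(f"wire instructions from untrusted domain {from_dom}")
    hit = lookalike_of(from_dom)
    if hit:
        findings.append(f"{from_dom} is a look-alike of trusted {hit}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if CHANGE_WORDS.search(body):
        findings.append("message changes earlier instructions; confirm by phone on a known number")
    return findings


# Constructed sample messages.
LEGIT = """From: Closing Desk <closing@firsttitleescrow.com>
To: buyer@example.net
Subject: Wire instructions for 12 Elm St closing

Please find attached the wire instructions. Call our office to verify.
"""

SPOOF = """From: Closing Desk <closing@firsttit1eescrow.com>
Reply-To: closing.desk@mail-relay.example
To: buyer@example.net
Subject: URGENT: updated wire instructions

We have changed banks. Use the new account number below for your wire.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, triage(raw))
```

None of these rules proves a message is fraudulent, and a compromised counterparty mailbox passes all of them, which is why the last finding recommends the out-of-band callback rather than a technical verdict; the rules are there to make sure the callback happens.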

3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns (Science Daily, 18 Oct 2018) - Like fingerprints, no 3D printer is exactly the same. That's the takeaway from a new study that describes what's believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods.

Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and free to share (TechDirt, 19 Oct 2018) - The 11th Circuit appeals court has just overturned a lower court ruling and said that Georgia's laws, including annotations, are not covered by copyright, and it is not infringing to post them online. This is big, and a huge win for online information activist Carl Malamud whose Public.Resource.org was the unfortunate defendant in a fight to make sure people actually understood the laws that ruled them. The details here matter, so let's dig in: * * * [Polley: This is an important victory, and Carl deserves our thanks. Hats off to Alston & Bird, David Halperin (Public Resource), and the ACLU. See also 11th Circuit: Georgia can't copyright annotated legal code (Law.com, 22 Oct 2018), and Court tells Georgia it can't charge people to read the law (ACLU, 22 Oct 2018)]

ABA ethics opinion offers guidance on data breaches (ABA Journal, 17 Oct 2018) - Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty. In Formal Opinion 483, issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation. "Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences," says Barbara S. Gillers, chair of the standing committee. "Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers' approaches to these risks in order to comply with the duty to protect client information." This opinion builds on the standing committee's Formal Opinion 477R released in May 2017, which set forth a lawyer's ethical obligation to secure protected client information when communicating digitally. "When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach," Formal Opinion 483 says. To that end, this week's new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm. "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach," states the opinion. "The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach."
The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make "reasonable efforts" to prevent disclosure and access to client information, they may still experience a data breach. "When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation,'" the opinion closes. [Polley: The Opinion also contains language suggesting that lawyers must "monitor" internet activity - e.g., using IDS tools.]

New copyright exemptions let you legally repair your phone or jailbreak voice assistants (The Verge, 25 Oct 2018) - In a big victory for hackers, tinkerers, and the right to repair movement, the US Copyright Office has ruled some major changes to the legal exemption to the DMCA, making it far easier for owners to build software tools to hack, modify, and repair their own devices, as explained by iFixit founder Kyle Wiens. Under section 1201 of the Digital Millennium Copyright Act (DMCA), it is "unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works." Because software has become so integral to all the devices we use - everything from phones to speakers to even trackers - device manufacturers have long used section 1201 to prevent owners from taking apart or repairing their own devices, arguing that breaking the software locks as part of replacing parts or modifying your gadgets is a violation of that statute. But as part of that law, citizens are allowed to petition for exemptions to section 1201 every three years, when the Copyright Office rules what kind of repairs and software tools are and aren't allowed by the law. The final ruling for this cycle was just released (it goes into effect as law on October 28th), and it enacts broad new protections for repairing devices. Wiens' post breaks down the biggest changes, which include: * * *

RESOURCES

Clarke and Piper on A Legal Framework to Govern Online Political Expression by Public Servants @Carleton_U (MLPB, 23 Oct 2018) - Amanda Clarke, Carleton University School of Public Policy and Administration, and Benjamin Piper, National Judicial Institute, have published A Legal Framework to Govern Online Political Expression by Public Servants at 21 Canadian Labour and Employment Law Journal 1 (2018). Here is the abstract: This paper considers the extent to which public servants should be allowed to engage in political activities in online fora such as Facebook, Twitter, and YouTube. The question of the appropriate balance between the principle of political neutrality binding public servants and their Charter-protected right to political expression has been extensively addressed in the case law. However, the framework set out in the existing jurisprudence was developed in the context of more traditional forms of political engagement, and fails to provide clear guidance in an age when the political activities of public servants, like those of Canadians as a whole, have to a large degree migrated to social media and other platforms on the web. In an effort to remedy this deficiency, the authors lay the foundation for a revised framework for assessing the permissibility of online political activity by public servants, consisting of four analytical factors: the level and nature of a public servant's position; the visibility of the online activity; the substance of the online activity; and the identifiability of the online actor as a public servant. Adopting this test, the authors contend, would enable adjudicators to strike a reasonable balance between freedom of expression and the principle of political neutrality, by recognizing that in today's world both politics and life as a public servant play out online.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Smartphones, seat belts, searches, and the Fourth Amendment (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a "revolutionary" device, he probably wasn't thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple's übergadget will permit police to routinely gather massive amounts of citizens' sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to "unreasonable searches and seizures." Normally, this means police must show a judge that there is "probable cause" to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for "search incident to arrest." This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can't destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you're in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened "just for fun." 
Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a "bright line" rule permitting an arresting officer to search any object in a suspect's possession, such as a cigarette pack, even if it is unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life.

Google makes health service publicly available (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor in 2008: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they'll offer health care insurance coverage.]

Saturday, October 06, 2018

MIRLN --- 16 Sept - 6 Oct 2018 (v21.13)

ANNOUNCEMENT

MIRLN began in 1997 and I have published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN's last. (With curated Twitter/RSS feeds you may not miss it at all.) It's been fun; thanks for reading!

NEWS

2018 corporate counsel breach statistics - prepare to groan (RideTheLightning, 17 Sept 2018) - Here's the news in a nutshell: Data breaches of in-house legal departments have doubled in the last year. Assuming that elicited a groan, the source is the 2018 survey by the Association for Corporate Counsel, which reported one-third of in-house counsel offices experienced a data breach in 2017, up from 15 percent in 2016. A related recent ABA Journal article quoted Sterling Miller, general counsel of Marketo Inc., an online marketing technology company: "The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers. Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large." It doesn't really matter whether you are in-house or outside counsel - the odds are that you need to up your security game. That ABA article analyzed the ABA TechReport 2017 and found that "only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans."

Roca Labs' anti-review clause violates FTC Act-FTC v. Roca Labs (Eric Goldman, 17 Sept 2018) - Good news: a court ruled that Roca Labs' anti-review clause violates the law. It's shocking that Roca Labs chose to defend this practice in court, so it's not surprising that the judge didn't endorse it. Bad news: the court relied on the "unfairness" prong of the FTC Act, and the FTC's unfairness authority can be the basis of FTC overreaching. Good news: the Consumer Review Fairness Act will apply to future cases (this case was initiated before the CRFA's effectiveness), so this topic won't require the FTC to stretch its unfairness authority in the future. Thus, this case reinforces the prevailing wisdom: anti-review clauses are legally toxic; they don't belong in any business' toolkit; and if your contract still contains them, shame on you. * * *

When art created by artificial intelligence sells, who gets paid? (Artsy.net, 17 Sept 2018) - Christie's will auction off an artificial intelligence (AI) artwork for the first time this October, hard on the heels of a pioneering all-AI art exhibition held at New Delhi gallery Nature Morte. While the market is eager to move the work, the field raises questions about ownership, obsolescence, and the art world jobs that algorithms can't do. Many makers of AI art use generative adversarial networks (GANs), technology that allows a computer to study a library of images or sounds, make its own content according to what it has learned, test its own success against the original media, and then try again, improving incrementally through trial and error. The artworks resulting from this back-and-forth between two artificial neural networks-which include prints on paper, videos, and multimedia installations-are often disquietingly lifelike, the flora and fauna of the uncanny valley. Munich-based Mario Klingemann, for instance, trained an algorithm on portraits of Old Masters paintings before exposing it to webcam footage of himself. The process results in a video of melting, many-eyed grotesques that are often compared to the works of Francis Bacon. * * * In press materials for "Gradient Descent," Nature Morte stated that the works are created "entirely by AI in collaboration with artists." Obvious even signed their work with the mathematical equation for the algorithm they used, rather than the collective's name. As much as artists and gallerists may enjoy attributing authorship to AI, and emphasize that they cannot anticipate just what an AI algorithm will produce, legally, there is no doubt as to whether it's the human artist or the AI who owns the finished work. AI is simply a tool artists use, the way a photographer uses a camera or Adobe Photoshop in the creation of their images, says Jessica Fjeld, assistant director of the Cyberlaw Clinic at Harvard Law School.
"Humans are deeply involved with every aspect of the creation and training of today's AI technologies, and this will continue to be true tomorrow and for the foreseeable future," Fjeld says. "For me, the far more interesting question is who among these people acquire rights in the outputs, not whether the software itself could have any claim of ownership," she adds.

Congressional Research Service reports now officially publicly available (TechDirt, 18 Sept 2018) - For many, many years we've been writing about the ridiculousness of the Congressional Research Service's reports being kept secret. If you don't know, CRS is a sort of in-house think tank for Congress, that does careful, thoughtful, non-partisan research on a variety of topics (sometimes tasked by members of Congress, sometimes of its own volition). The reports are usually quite thorough and free of political nonsense. Since the reports are created by the federal government, they are technically in the public domain, but many in Congress (including many who work at CRS itself) have long resisted requests to make those works public. Instead, we were left with relying on members of Congress themselves to occasionally (and selectively) share reports with the public, rather than giving everyone access to the reports. Every year or so, there were efforts made to make all of that research available to the public, and it kept getting rejected. Two years ago, two members of Congress agreed to share all of the reports they had access to with a private site put together by some activists and think tanks, creating EveryCRSReport.com, which was a useful step forward. At the very least, we've now had two years to show that, when these reports are made public, the world does not collapse (many people within CRS feared that making the reports public would lead to more political pressure). Earlier this year, in the Consolidated Appropriations Act of 2018, there was a nice little line item to officially make CRS reports publicly available. And, this week, it has come to pass. As announced by Librarian of Congress Carla Hayden, there is now an official site to find CRS reports at crsreports.congress.gov.
It appears that the available catalog is still limited, but they're hoping to expand backwards to add older reports to the system (a few quick test searches show only fairly recent reports). But all new reports will be added to the database.

Philippa Ryan: Developing trust through blockchain (ABA Journal, 19 Sept 2018) - Philippa Ryan thinks a lot about trust. A barrister in Australia, she lectures on the subject, and her PhD thesis focused on the breach of trust and the liability of third parties. So when Ryan heard about trustless relationships enabled by blockchain technology, her interest was piqued. However, when she typed "trustless relationships" into her search engine, she says, "the only thing that came up was an ad for Ashley Madison," the notorious dating website for married people looking to keep infidelity discreet. She deleted her search history. Today, Ryan, a lecturer at the University of Technology Sydney, can find more suitable material online. In fact, she's helping fill the gap by writing and speaking around the world on the subject. With knowledge in law and blockchain, she is a leading member of the International Organization for Standardization technical committee on blockchain and distributed ledger technologies. Being a part of Standards Australia and the committee's secretariat, she says the work intends to produce high-level guidelines for governments and technologists to use when legislating or developing the technology around the globe. "What we will be hoping to support is interoperability" between technical and legal systems, says Ryan, 52, who also leads the smart contracts working group at the ISO alongside a German delegation.

- and -

Walmart is betting on the blockchain to improve food safety (TechCrunch, 24 Sept 2018) - Walmart has been working with IBM on a food safety blockchain solution and today it announced it's requiring that all suppliers of leafy green vegetables for Sam's and Walmart upload their data to the blockchain by September 2019 . Most supply chains are bogged down in manual processes. This makes it difficult and time consuming to track down an issue should one like the E. coli romaine lettuce problem from last spring rear its head. By placing a supply chain on the blockchain, it makes the process more traceable, transparent and fully digital. Each node on the blockchain could represent an entity that has handled the food on the way to the store, making it much easier and faster to see if one of the affected farms sold infected supply to a particular location with much greater precision. * * *

- and -

Blockchains for Business Process Management (Cebe's KIT, 1 Oct 2018) - This title is probably a good way to describe most non-cryptocurrency applications of distributed ledgers, and deserves to be adopted. It is the title of a paper (the full title is " Blockchains for Business Process Management -- Challenges and Opportunities "), co-authored by a record 32 researchers and published in the February 2018 issue of ACM Transactions on Management Information Systems (TMIS). The authors summarize their conclusions as follows: "The BPM and Information Systems communities have a unique opportunity to help shape this fundamental shift toward a distributed, trustworthy infrastructure to promote interorganizational processes."

Law firms can learn from other industries' missteps on cybersecurity awareness and prevention (ABA Journal, 19 Sept 2018; part of the Digital Dangers series) - Equifax. Yahoo. Anthem. Sony. In the past few years, these companies experienced some of the most significant data breaches to date. And all of these companies found themselves subject to intense worldwide media coverage over their failure to secure their information. The industries affected-from health care to entertainment-know all too well that the struggle to secure data in the digital age never ends. While individual businesses within these industries will continue to find themselves vulnerable to breaches, they have an advantage over law firms. They have been fighting this battle for a long time. The legal industry is lagging well behind when it comes to data security, says Rich Santalesa, a member of the boutique cybersecurity firm SmartEdgeLaw Group and of counsel to the New York City-based Bortstein Legal Group. "Law firms as a whole can learn a lot about cybersecurity by looking at other industries," says Santalesa. "Unfortunately, other industries have had to learn their lessons the hard way-by having breaches that have received media attention." Santalesa says data security involves three different, simultaneous focuses: "the technology, the people you have, and needs of the industry in which you work." In addition, data security can't be a one-size-fits-all situation. The cybersecurity needs of a small law firm will be different than the needs of an international firm, just like the needs of Target are different from the needs of a small retail website. However, all law firms, just like all businesses, must pay close attention to the applicable privacy laws, Santalesa says.

- and -

Cybersecurity: Your ethical obligations outlined by legal tech experts (ABA Journal, 25 Sept 2018) - Data breaches are an everyday event, and legal professionals have a specific obligation to protect themselves and their clients from exposure to these threats. The webinar "Darkest Hour? Shining a Light on Cyber Ethical Obligations," is one in a five-part series sponsored by the ABA Cybersecurity Task Force and supported by "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition." The first thing lawyers must know is that it's not usually obvious when a firm has been hacked. "The vast majority of the time, (hackers) are using your stolen credentials, as opposed to breaking through technical walls," said panelist Arlan McMillan, chief security officer at Kirkland & Ellis in Chicago. "Then they act like you in the firm's network, accessing all the files you have access to." Another common threat comes through malware in an email, also known as a phishing attack, where an individual is asked to click on a link or open an attachment that has been weaponized in such a way that the attacker gains access to your computer. Nation-state attackers target private businesses in 21 percent of breaches to steal data to advance their espionage activities or interests. And firm employees often don't realize they've been hacked for weeks or months, and they usually find out after being contacted by the FBI. "This is not an IT issue," McMillan said. "This is a risk management issue about how you protect your data." He recommends five steps to improve a firm's security posture: * * *

- and -

Teaming up on cybersecurity (AttorneyAtWork, 26 Sept 2018) - Cybersecurity, the new "IT" word (see what we did there?) has everyone's attention, from small firm lawyers to the BigLaw front office. It's also the focus of the 2018 College of Law Practice Management (COLPM) Futures Conference, "Cybersecurity: This Way There Be Dragons." The Futures Conference, presented with Suffolk University School of Law, will take place Oct. 25-26 in Boston. While the two-day event is chock-full of useful information, one session in particular caught my attention: "Security as a Team Sport: Collaboration - An Essential Tool and a Security Hole." It raises an interesting question: Can all the departments that make up a law firm advance its cybersecurity efforts? Not just IT, but management, finance, human resources, marketing, PR?

Interplanetary spacecraft (Patently-O, 23 Sept 2018) - Patent application publication US 2017/0259946 A1 * * * I'm looking forward to reading the first office action in this case - pretty cool approach for thinking through how to use a hollowed-out asteroid for a manned interplanetary spaceship. In his IDS, inventor Wayne White includes a set of interesting references - including a citation to Greg Bear's 1985 SciFi novel EON that included an alien hollowed-out asteroid.

Do laws requiring people to report crimes violate the First Amendment? (Eugene Volokh, 26 Sept 2018) - Generally speaking, Americans don't have a legal duty to report crimes they witness or learn about. We must generally testify when subpoenaed, but we need not ourselves alert the authorities. But some states have enacted statutes requiring such reporting (at least as to certain serious crimes); still more require certain job categories (such as teachers, whether in public or private schools) to report certain crimes. Do these laws violate the First Amendment protection against compelled speech? The Supreme Court has generally said that requiring people to say certain things is presumptively unconstitutional; and it has also held , in some contexts, that "compelled statements of 'fact'" are generally treated the same as "compelled statements of opinion." But requirements to convey facts to the government -- in tax returns, census questionnaires, draft registrations, and a vast range of other contexts, federal and state -- are so commonplace that it's not clear that the Supreme Court means to cast them all in doubt. (Recall that if something is treated as a presumptively unconstitutional speech compulsion, the government may rebut that presumption only by showing that the compulsion is the least burdensome means of serving a compelling government interest ; even if there is a compelling interest in collecting federal and state taxes, conducting the census, and so on, courts have never required a showing that the laws are the least burdensome means.) And indeed, when mandatory crime reporting laws have been challenged, state courts have upheld them, generally concluding that compelled reporting of facts to the government doesn't really trigger the compelled speech doctrine. See State v. Grover (Minn. 1989) ("The statute [which requires reporting of suspected child abuse] does not compel the dissemination of an 'ideological point of view,' but only mandates the reporting of information-a requirement not altogether dissimilar from that imposed by the Internal Revenue Code."); White v. State (Tex. Ct. App. 2001) (taking the same view). But in May of this year, the Second Circuit handed down a decision, Burns v. Martuscello , that suggests the laws are unconstitutional after all. In Burns , prison guards placed Burns in involuntary protective custody because he refused to agree to report on future misbehavior by other prisoners. And this penalty, the court held, violated the First Amendment right not to be compelled to speak, even taking into account prisoners' sharply reduced First Amendment rights:

SEC charges firm with deficient cybersecurity procedures (SEC, 26 Sept 2018) - The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. According to the SEC's order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA's support line and requesting that the contractors' passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The SEC's order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA's failure to terminate the intruders' access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA's workforce. "This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models," said Robert A. Cohen, Chief of the SEC Enforcement Division's Cyber Unit. "They also must review and update the procedures regularly to respond to changes in the risks they face."
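The intrusion described in the SEC order turned on a help desk resetting contractor passwords for callers who merely claimed to be those contractors, repeatedly, over several days. The detection rule below is an added example written for this newsletter, not anything from the SEC order or from Voya: it runs over constructed help-desk reset records (the directory, field names and phone numbers are all invented) and flags resets where the callback number does not match the number on file for the account, or where the same account is reset more than once inside a short window, which is the pattern that should have triggered escalation.

```python
"""Flag help-desk password resets that need out-of-band verification.

Added example; the directory, the log records and the thresholds are
constructed for illustration and are not from the SEC order or Voya.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed directory: account -> callback number on file (assumption).
DIRECTORY = {
    "contractor01": "+1-515-555-0100",
    "contractor02": "+1-515-555-0101",
}

# Constructed help-desk reset log: (timestamp, account, number the caller gave).
RESET_LOG = [
    ("2016-04-13 09:02", "contractor01", "+1-515-555-0100"),
    ("2016-04-13 14:30", "contractor02", "+1-212-555-0199"),
    ("2016-04-14 10:15", "contractor02", "+1-212-555-0199"),
    ("2016-04-15 08:45", "contractor02", "+1-646-555-0123"),
]


def find_suspicious_resets(log, directory, window=timedelta(days=7), max_resets=1):
    """Return (timestamp, account, reason) triples for resets to escalate.

    Two independent signals are checked for every reset:
      * the caller's number differs from the number on file, so the caller's
        identity was never verified against anything the help desk controls;
      * the account has already been reset max_resets times within `window`,
        i.e. the same pattern the order says had been seen before.
    """
    flagged = []
    history = defaultdict(list)  # account -> timestamps of earlier resets
    for ts_str, account, caller in log:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        reasons = []
        if directory.get(account) != caller:
            reasons.append("callback number does not match number on file")
        recent = [t for t in history[account] if ts - t <= window]
        if len(recent) >= max_resets:
            reasons.append(f"{len(recent) + 1} resets within {window.days} days")
        history[account].append(ts)
        for reason in reasons:
            flagged.append((ts_str, account, reason))
    return flagged


def accounts_to_escalate(log, directory):
    """Distinct accounts that should be locked pending verification."""
    return sorted({account for _, account, _ in find_suspicious_resets(log, directory)})


if __name__ == "__main__":
    for ts, account, reason in find_suspicious_resets(RESET_LOG, DIRECTORY):
        print(f"{ts}  {account}: {reason}")
    print("escalate:", accounts_to_escalate(RESET_LOG, DIRECTORY))
```

Against the constructed log the rule flags only contractor02: its first reset already fails the callback check, and the second and third additionally trip the repeat-reset window. In practice the callback number would come from an HR or identity source the help desk cannot edit, and a match would still only be one factor; the point of the rule is that a reset request that fails it is not honoured until someone verifies the caller out of band.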

Judging judges - how Gavelytics' judicial analytics are reshaping litigation (Robert Ambrogi, 28 Sept 2018) - What if a lawyer could know how a judge is likely to rule in a case or how heavy is a judge's workload? Rick Merrill was a litigator at a large law firm who became frustrated over his inability to get meaningful information about the judges before whom he appeared. So last year, he launched Gavelytics , a California company that uses analytics and artificial intelligence to analyze docket data and provide lawyers with a range of insights about judges' propensities, workloads and leanings. In this episode of LawNext, I visited Gavelytics' office in Santa Monica, where I sat down with Merrill, now the company's CEO, and Justin Brownstone , VP of sales and litigation counsel, to talk about the product one year after its launch, how lawyers use analytics for strategic and competitive purposes, and how analytics and AI are being used more broadly in law. * * *

New Zealand travellers refusing digital search now face $5000 Customs fine (RNZ, 1 Oct 2018) - Travellers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine. The Customs and Excise Act 2018 - which comes into effect today - sets guidelines around how Customs can carry out "digital strip-searches". Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travellers must provide access - whether that be a password, pin-code or fingerprint - but officials would need to have a reasonable suspicion of wrongdoing. "It is a file-by-file [search] on your phone. We're not going into 'the cloud'. We'll examine your phone while it's on flight mode," Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched.

- and -

More on the Five Eyes statement on encryption and backdoors (Bruce Schneier, 1 Oct 2018) - Earlier this month, I wrote about a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. Susan Landau examines the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem.

RESOURCES

ICYMI: The Cyber Threat to UK Legal Sector (Nat'l Cyber Security Centre, 19 July 2018) - In common with many other industries, the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The financial and reputational impact of cyber attacks on law firms is also significant. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust. The SRA reports that over £11 million of client money was stolen due to cyber crime in 2016-17. There are several factors that make law firms an attractive target for cyber attack - they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions. The risk may be greater for law firms that advise particularly sensitive clients or work in locations that are hostile to the UK. For example, firms acting for organisations that engage in work of a controversial nature such as Life Sciences or the energy sector may also be targeted by groups with a political or ideological agenda. The move to offer legal services digitally will not only provide new opportunities but also further avenues for malicious cyber exploitation. The primary threat to the UK legal sector stems from cyber criminals with a financial motive. However, nation states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage. There has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends. The most significant cyber threats that law firms should be aware of are: * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Oregon: Publishing our laws online is a copyright violation (Ars Technica, 16 April 2008) - The State of Oregon takes exception to Web sites that republish the state's Revised Statutes in full, claiming that the statutes contain copyrighted information and that the republication causes the state to lose money it needs to continue putting out the official version of the statutes. Oregon's Legislative Counsel, Dexter Johnson, has therefore requested that legal information site Justia remove the information or (preferably) take out a paid license from the state. All citizens are legally presumed to know the law, so claiming copyright over it might seem like an odd position for a state to take; wouldn't massive copying be a goal rather than a problem? But in his letter to Justia, Johnson makes a more nuanced case. While the text of the law is not copyrighted, the "arrangement and subject-matter compilation of Oregon statutory law, the prefatory and explanatory notes, the leadlines and numbering for each statutory section, the tables, index and annotations and other such incidents" are under copyright. A quick visit to the Legislative Counsel's web site shows that Johnson is serious about two things: order forms and copyright. The only items in red on the entire page are a copyright notice that includes "Oregon Laws, the Oregon Revised Statutes, and all specialty publications" and a set of links to order forms for such scintillating works as Landlord and Tenant Laws of Oregon 2008. The state also makes the complete text of its laws available online, and it welcomes sites like Justia to link these up. Republishing them, though, is strongly frowned upon, and Johnson indicates his hope that "it will not be necessary to litigate this matter" (translation: "we are willing to litigate this matter").

French court eviscerates website immunity for user-generated content (Steptoe & Johnson's E-Commerce Law Week, 24 April 2008) - In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties. But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law. Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of "communications services" cannot be held liable for "information stored at the request of a recipient of those services" if the provider "did not have actual knowledge of [the] illegal nature" of the information, or if the provider "acted expeditiously to remove the data or make access impossible" after learning of its illegality. But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the "organization and presentation" of the link and associated headline. This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content. If this trend continues, websites and Internet providers will be looking at major legal problems in Europe.

Saturday, September 15, 2018

MIRLN --- 26 Aug - 15 Sept 2018 (v21.12) --- by Vince Polley and KnowConnect PLLC

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Intel rips up microcode security fix license that banned benchmarking (The Register, 23 Aug 2018) - Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors - after the previous wording outlawed public benchmarking of the chips. The software, released this month , counters the Foreshadow aka L1TF Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic. Following The Register's report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens. Intel's gagging order came in the form of this license clause: "You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results." That made it impossible for free-software bastion Debian to push Intel's microcode to its users as a security update. The reason for Intel's insistence on a vow of silence is that - even with the new microcode in place - turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow - and that move comes with a potential performance hit. Red Hat, which evidently didn't get the memo to shut up about benchmarks, earlier this month noted : "The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range." Predictably, Intel's contractual omertà had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," said Lucas Holt, MidnightBSD project lead, via Twitter. top
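The operational point in that story is that the microcode alone does not protect guests: a host running untrusted VMs on an affected CPU also needs the L1D flush on VM entry and, to close the cross-thread leak, SMT (hyper-threading) off. Linux reports exactly that state in /sys/devices/system/cpu/vulnerabilities/l1tf. The checker below is an added example, not code from The Register, Intel or the kernel: the status strings it recognises are the formats that sysfs file uses, while the parsing and the decision rule (flag a host that runs guests while SMT is still enabled or the VMX flush is off) are this example's own.

```python
"""Interpret the kernel's L1TF (Foreshadow) status line for a VM host.

Added example. Reads /sys/devices/system/cpu/vulnerabilities/l1tf when run on
a Linux box; the sample strings in SAMPLES reproduce the file's known formats
so the logic can be exercised offline.
"""
import re

L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"

# Constructed samples in the formats the kernel writes to the l1tf file.
SAMPLES = {
    "unpatched":   "Vulnerable",
    "bare_metal":  "Mitigation: PTE Inversion",
    "vmx_smt_on":  "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "vmx_smt_off": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled",
    "vmx_noflush": "Mitigation: PTE Inversion; VMX: vulnerable",
    "immune":      "Not affected",
}


def parse_l1tf(status: str) -> dict:
    """Split one status line into the three things that matter.

    pte_inversion  - host-side mitigation for the non-VM case
    vmx            - text after 'VMX:' (the L1D flush mode), or None if KVM
                     is not loaded or the CPU has no VMX
    smt_vulnerable - True/False from the 'SMT vulnerable/disabled' suffix,
                     None when the kernel did not say
    """
    status = status.strip()
    parsed = {
        "affected": status != "Not affected",
        "pte_inversion": "PTE Inversion" in status,
        "vmx": None,
        "smt_vulnerable": None,
    }
    m = re.search(r"VMX:\s*([^,]+)", status)
    if m:
        parsed["vmx"] = m.group(1).strip()
    if "SMT vulnerable" in status:
        parsed["smt_vulnerable"] = True
    elif "SMT disabled" in status:
        parsed["smt_vulnerable"] = False
    return parsed


def host_needs_action(status: str, runs_vms: bool) -> bool:
    """True when this host's L1TF state is not acceptable for its role.

    Bare-metal hosts are covered once PTE inversion is in place.  Hosts that
    run untrusted guests additionally need the VMX L1D flush enabled and SMT
    off; a line with no SMT verdict at all is treated as needing review.
    """
    p = parse_l1tf(status)
    if not p["affected"]:
        return False
    if not runs_vms:
        return not p["pte_inversion"]
    flush_off = p["vmx"] is None or p["vmx"] == "vulnerable"
    return flush_off or p["smt_vulnerable"] is not False


def read_status(path: str = L1TF_PATH) -> str:
    """Read the live status line; raises on non-Linux or old kernels."""
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    try:
        live = read_status()
    except OSError as exc:
        print(f"cannot read {L1TF_PATH}: {exc}")
    else:
        print(live.strip())
        print("VM host needs action:", host_needs_action(live, runs_vms=True))
```

The rule is deliberately conservative: a host that is supposed to run guests but shows no VMX information at all (KVM not loaded yet, or an older kernel that predates the SMT suffix) is reported as needing review rather than passed, because the absence of a verdict is not a verdict. The performance cost Red Hat quotes is the reason this decision has to be made per host rather than set globally.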

Patent office shows new respect for software (Patently-O, 27 Aug 2018) - Software patents and applications are making a quiet comeback under Director Andrei Iancu's leadership of the U.S. Patent and Trademark Office. This is a welcome shift, since thousands of applications have been held captive in the Office in the wake of Supreme Court decisions culminating in Alice v. CLS Bank , 134 S.Ct. 2347 (2014). In the hands of reductionists, the Alice formula for rejection/invalidation was easy to apply. Every invention can be reduced to an abstract idea. Whatever is left can be explained away as "routine" or "conventional." In the last four years, many software patent applications suffered repeated rejection and the ignoble death of abandonment for lack of will or lack of funds. Even when granted, many software patents were mowed down in inter partes review (IPR) in the Patent Trial and Appeal Board (PTAB). The Federal Circuit's February 2018 decision in Berkheimer , 881 F.3d 1360 (citing Alice and other authority), paved the way for recent progress, holding that when there are genuine issues of material fact concerning alleged routineness or conventionality, evidence of the same must be presented before patent claims properly can be invalidated on such grounds. * * * top

Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers (TechCrunch, 28 Aug 2018) - Microsoft today announced a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company's machine learning smarts to its file storage services. The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it's virtually impossible to find any information in these files without spending a lot of time. And once you've found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you're watching the video. The service can handle over 320 file types, so chances are it'll work with your files, too. top

Open internet saves accused copyright infringer from liability (Patently-O, 29 Aug 2018) - Cobbler Nevada, LLC v. Gonzales ( 9th Cir. 2018 ) This copyright lawsuit involves the cute Adam Sandler movie titled The Cobbler. In the movie, Sandler's character free-rides off of the experiences of others by using a magical shoe-cobbling machine. The movie copyright holders did not reciprocate that freedom when American Pirates began downloading and distributing the movie through BitTorrent. Cobbler-Nevada was able to trace the Internet Protocol (IP) address associated with the infringing activity and then filed suit in a John Doe lawsuit. Comcast responded to a subpoena in the case with information that the IP address was assigned to its customer Thomas Gonzales. The Copyright holder then amended its complaint to name Gonzales - accusing him of copyright infringement as well as contributory copyright infringement (for failing to secure his internet connection). Note here that Gonzales operates an adult care home and that the internet service was open to residents and visitors. The appeal here focuses on the pleadings and whether the complaint states a claim. In Iqbal , the Supreme Court explained that a complaint must be plausible - allegation of plausible facts that create a plausible "entitlement to relief." Reviewing the allegations here, the 9th Circuit found that the facts alleged against Gonzales here are "not enough to raise a right to relief above a speculative level." (quoting Twombly ): * * * top

Bitcoin and other cryptocurrencies are useless (The Economist, 30 Aug 2018) - An old saying holds that markets are ruled by either greed or fear. Greed once governed cryptocurrencies. The price of Bitcoin, the best-known, rose from about $900 in December 2016 to $19,000 a year later. Recently, fear has been in charge. Bitcoin's price has fallen back to around $7,000; the prices of other cryptocurrencies, which followed it on the way up, have collapsed, too. No one knows where prices will go from here. Calling the bottom in a speculative mania is as foolish as calling the top. It is particularly hard with cryptocurrencies because, as our Technology Quarterly this week points out, there is no sensible way to reach any particular valuation. It was not supposed to be this way. Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks. A decade on, it is barely used for its intended purpose. Users must wrestle with complicated software and give up all the consumer protections they are used to. Few vendors accept it. Security is poor. Other cryptocurrencies are used even less. With few uses to anchor their value, and little in the way of regulation, cryptocurrencies have instead become a focus for speculation. Some people have made fortunes as cryptocurrency prices have zoomed and dived; many early punters have cashed out. Others have lost money. It seems unlikely that this latest boom-bust cycle will be the last. Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino. top

- and -

Marshall Islands warned against adopting digital currency (BBC, 11 Sept 2018) - The Republic of the Marshall Islands has been warned against adopting a digital currency as a second form of legal tender. The International Monetary Fund (IMF) said the country, which consists of hundreds of islands in the Pacific Ocean, should "seriously reconsider". Currently, only the US dollar counts as legal tender in the islands. A law to adopt a digital currency named "Sovereign" alongside the dollar was passed in February. The first virtual coins are due to be issued to members of the public via an initial coin offering (ICO) later this year. However, IMF directors said the potential benefits of the move were much smaller than the potential costs of "economic, reputational and governance risks". "[Marshall Island] authorities should seriously reconsider the issuance of the digital currency as legal tender," wrote the directors in their report, which was first spotted by cryptocurrency news site Coindesk . There is just one domestic commercial bank in the country and it is at risk of losing its only correspondent banking relationship with another bank in the US. top

- and -

FINRA takes down an unregistered cryptocurrency security (TechCrunch, 12 Sept 2018) - FINRA, the non-profit organization that tasks itself with policing the securities industry, is charging Timothy Tilton Ayre of Agawam, Mass. with fraud and unlawful distribution of unregistered cryptocurrency securities. Ayre claimed that users could buy equity in his company, Rocky Mountain Ayre, Inc., by purchasing HempCoin, a cryptocurrency. From the release : In the complaint, FINRA alleges that, from January 2013 through October 2016, Ayre attempted to lure public investment in his worthless public company, Rocky Mountain Ayre, Inc. (RMTN) by issuing and selling HempCoin - which he publicized as "the first minable coin backed by marketable securities" - and by making fraudulent, positive statements about RMTN's business and finances. RMTN was quoted on the Pink Market of OTC Markets Group and traded over the counter. According to the complaint, FINRA also alleges that in June 2015, Ayre bought the rights to HempCoin and repackaged it as a security backed by RMTN common stock. Ayre marketed HempCoin as "the world's first currency to represent equity ownership" in a publicly traded company and promised investors that each coin was equivalent to 0.10 shares of RMTN common stock. Investors mined more than 81 million HempCoin securities through late 2017 and bought and sold the security on two cryptocurrency exchanges. FINRA charges Ayre with the unlawful distribution of an unregistered security because he never registered HempCoin and no exemption to registration applied. Because FINRA is not a government body its charges are rarely very onerous but, in the case of brokerage fraud, Ayre could face further scrutiny if he tries to sell securities in the future. The company, Rocky Mountain Ayre, seems to be associated with a restaurant and medical marijuana sales operation, although it is unclear what the company actually does. top

FBI fights viral influence campaigns with informational videos (Nextgov, 31 Aug 2018) - With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers. The Protected Voices initiative covers a wide range of cybersecurity topics-including software patching, secure communications, password protection and browser safety-that can help campaigns fend off the most common attacks. "Foreign influence operations … are not a new problem," officials said on the site, "but the interconnectedness of the modern world, combined with the anonymity of the Internet, have changed the nature of the threat and how the FBI and its partners must address it." In the videos, FBI personnel explain how foreign actors use phishing emails, public Wi-Fi and insecure routers to infiltrate and disrupt campaigns, and how virtual private networks, cloud services and cyber hygiene principles could mitigate those threats. They stress that anyone who goes online regularly could benefit from such cyber best practices, not just political campaigns. [ Polley : these 5-minute videos are very good, and usable by everybody, not just election campaigns.] top

Court shuts down feds' attempt to expand the 'border search' exception to cover inland GPS monitoring (TechDirt, 6 Sept 2018) - Cyrus Farivar of Ars Technica has put together a hell of a read from a suppression order obtained by defendants in a drug case . It involves a truckload of cheese danishes, cocaine trafficking, and the US government's attempt to apply the "border exception" everywhere in the United States. At the heart of it is a GPS tracking device. The government installed it on a truck driven by suspected drug smugglers when it crossed the Canadian border into the US. It then used that device to track the truck as it traveled down to California. The resulting bust only uncovered some bags of sugar, but a previous stop of the same truck had turned up 194 kilos of cocaine. The defendants in the case have had the evidence suppressed. The ruling [PDF] was handed down late last month. It points to the Supreme Court's 2012 Jones decision , which held that placing GPS devices on vehicles was a search under the Fourth Amendment. Warrants are needed to place the devices. Long-term tracking is also out of the question if warrants aren't obtained. The government argued it didn't need a warrant because it placed the device on the truck at the Canadian border. This would be the " border exception " to the Fourth Amendment -- one carved out by the courts which allows all kinds of warrantless searches to be performed in the name of border security. But the judge doesn't buy this attempt to salvage ill-gotten evidence. The government cites a number of cases involving searches of vehicles performed at the border -- some more invasive than others -- where warrants weren't needed. The court finds these citations unavailing because they don't actually address what happened here: the placement of a GPS device at the border which was subsequently used to track a vehicle as it traveled far beyond the Canadian border. top

Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones (TechCrunch, 10 Sept 2018) - New York prosecutors have extradited a Russian hacker accused of breaking into one of the world's largest banking institutions. Moscow resident Andrei Tiurin, 35, was charged Friday, after he was extradited from neighboring Georgia, with the theft of over 80 million records from the bank in 2014. The alleged hacker is said to have been under the direction of Gery Shalon, who was separately indicted a year later following the breach. Tiurin was also charged with wire and securities fraud, and aggravated identity theft, bringing the maximum possible prison time to over 80 years. Although the indictment did not name the New York-based financial news agency, The Wall Street Journal previously reported the victim as its parent company Dow Jones , following the first round of charges in 2015. Tiurin was also accused of trying to artificially inflate the "price of certain stocks publicly traded in the United States," and obtained "hundreds of millions of dollars in illicit proceeds" from various hacking campaigns. top

Vizio, sued for making creepy smart TVs, will notify customers via the TVs (ArsTechnica, 10 Sept 2018) - In what is likely a first in the industry, Vizio is on the verge of agreeing to display a class-action lawsuit message through its previously sold "Smart TV" televisions as part of a legal settlement. This message is meant to alert customers who bought the TV that they will be party to the forthcoming settlement and likely will get a small amount of money. As Ars has reported previously, the manufacturer has been under scrutiny since a revelation that it was snooping on its customers. The tracking started in February 2014 on both new TVs and previously sold devices that didn't originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information (including age, sex, income, marital status, household size, education level, home ownership, and home values) to be associated. In a court filing submitted last Wednesday, lawyers for both sides asked the judge to push back approval of the preliminary settlement to October 3. "The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended," they wrote. "The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards." top

In a few days, credit freezes will be fee-free (Krebs on Security, 11 Sept 2018) - Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you've been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it's just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind. * * * top

UK's mass surveillance regime violated human rights law, finds ECHR (TechCrunch, 13 Sept 2018) - In another blow to the UK government's record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies' bulk collection and data sharing practices were heard by the court in November last year . In today's ruling the ECHR found that only some aspects of the UK's surveillance regime violate human rights law. So it's not all bad news for the government - which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by an NSA whistleblower back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it - reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka 'mass surveillance'); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers. * * * top

Security risks of government hacking (Bruce Schneier, 13 Sept 2018) - Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure; Cultivation of a market for surveillance tools; Attackers co-opt hacking tools over which governments have lost control; Attackers learn of vulnerabilities through government use of malware; Government incentives to push for less-secure software and standards; and Government malware affects innocent users. These risks are real, but I think they're much less than mandating backdoors for everyone. From the report's conclusion: Government hacking is often lauded as a solution to the "going dark" problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to the same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched. The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that's a big ask, but the alternatives are worse. This is the canonical lawful hacking paper [from 2014]. top

How the Times verifies eyewitness videos (Sept 14, 2018) - Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria . The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools. * * * top

RESOURCES

New draft article: "Compelled Decryption and the Privilege Against Self-Incrimination" (Volokh Conspiracy, Orin Kerr, 12 Sept 2018) - I recently posted to SSRN a new draft article, " Compelled Decryption and the Privilege Against Self-Incrimination ," forthcoming in the Texas Law Review . Here's the abstract: This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock. As regular readers may note, I've blogged about these issues before. The new draft builds on the themes of my blog posts, elaborating on the argument and offering my responses to several counterarguments. Comments are very welcome, especially critical ones (and especially from techies). top

Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents (David Hricik in TAMU's Journal of Property Law, 2018) - Skynet is not and may never be self-aware, but machines are already doing legal research, drafting legal documents, negotiating disputes such as traffic tickets and divorce schedules, and even drafting patent applications. Machines learn from us, and each other, to augment the ability of lawyers to represent clients - and even to replace lawyers completely. While it also threatens lawyers' jobs, the exponential increase in the capacity of machines to transmit, store, and process data presents the opportunity for lawyers to use these services to provide better, cheaper, or faster legal representation to clients. By way of familiar example, instead of determining whether a precedential opinion remains "good law" by manually going through multiple books - "Shepardizing a case" as an older lawyer would put it - lawyers can use on-line legal services to instantly learn, not just whether an earlier decision has been limited or overruled, but the depth of analysis given to the issue by a later court opinion. Because technology may be able to do some tasks better, or at a lower cost, or both, lawyers should use technology when it will, considering the risks, benefit clients. That obligation requires lawyers to "keep abreast of changes in. . . practice, including the benefits and risks associated with relevant technology. . . ." Assessing the benefits and risks of a particular technology obviously requires due diligence into the practical and legal risks of the technology, and comparing that to the benefits it brings to a representation. That assessment requires applying existing ethical rules in a process that can best be analyzed as comprising two stages. The first step requires determining whether the technology does what it is supposed to do in a reasonably competent manner. For example, just as a lawyer could not use a paralegal to use a form to create the first draft of a contract for a client if the paralegal's work was known to be unreliable or unreasonably expensive, a lawyer cannot use an automated contract drafting service with the same shortcomings. The first step, in other words, requires reasonable efforts by the lawyer to determine the competency of the service. If the service does not provide competent assistance, the lawyer obviously cannot use it. The second step requires determining whether a competent service can be used while complying with the ethical obligations of the lawyer, beyond competency. Just as a lawyer must ensure that non-lawyer employees and agents maintain the confidentiality of client information consistent with the lawyer's ethical obligations, he must do so with all services provided by third parties, including automated services. Likewise, lawyers must ensure that non-lawyer assistants - even those who are independent contractors hired for a particular matter, and not firm employees - do not have conflicts of interest or violate other ethical rules. This article focuses on the second step in the due diligence process. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Steal this Wi-Fi (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet. To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous. top

FTC adopts final Can-Spam rules (Steptoe & Johnson's E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of "sender" to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the "from" line of the commercial email, then this person will generally be considered the "sole sender" of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt out of future emails. The rules become effective July 7, 2008. top