Saturday, September 15, 2018

MIRLN --- 26 Aug – 15 Sept 2018 (v21.12)

MIRLN --- 26 Aug - 15 Sept 2018 (v21.12) --- by Vince Polley and KnowConnect PLLC


NEWS | RESOURCES | LOOKING BACK | NOTES

Intel rips up microcode security fix license that banned benchmarking (The Register, 23 Aug 2018) - Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors - after the previous wording outlawed public benchmarking of the chips. The software, released this month, counters the Foreshadow aka L1TF Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic. Following The Register's report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens. Intel's gagging order came in the form of this license clause: "You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results." That made it impossible for free-software bastion Debian to push Intel's microcode to its users as a security update. The reason for Intel's insistence on a vow of silence is that - even with the new microcode in place - turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow - and that move comes with a potential performance hit. Red Hat, which evidently didn't get the memo to shut up about benchmarks, earlier this month noted: "The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range." Predictably, Intel's contractual omertà had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," said Lucas Holt, MidnightBSD project lead, via Twitter.
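A practical check on the point above: on Linux the kernel reports whether the L1TF (Foreshadow) host mitigation is active and whether SMT still leaves KVM guests exposed, through /sys/devices/system/cpu/vulnerabilities/l1tf. The shell snippet below is an added example, not part of The Register article or of any Intel, Red Hat or Debian tooling; it classifies that status line into a verdict a hypervisor operator can act on. The sample lines in the test are constructed to follow the format described in the kernel's admin-guide (hw-vuln/l1tf) and the strings in arch/x86/kernel/cpu/bugs.c; the exact wording differs between kernel versions, so the match patterns are an assumption to verify against your own kernel before relying on them.

```shell
#!/bin/sh
# Added example (not from the article): classify the Linux kernel's L1TF
# status line so a KVM host operator can see whether guests are still
# exposed through SMT. Pattern wording follows the kernel's
# admin-guide/hw-vuln/l1tf documentation; it is an assumption and may
# differ on other kernel versions.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# Print the live status line, or "unknown" when sysfs does not expose it
# (pre-4.19 kernel, non-x86 host, or a container without /sys).
l1tf_status() {
    if [ -r "$L1TF_SYSFS" ]; then
        cat "$L1TF_SYSFS"
    else
        echo unknown
    fi
}

# Map one status line to a single-word verdict:
#   protected      - not affected, or PTE inversion active with SMT off
#                    (or no KVM/VMX in use, so there are no guests to worry about)
#   guests-exposed - PTE inversion protects the host kernel, but SMT is still
#                    on or the L1D flush is off, so a malicious guest can read
#                    data from a sibling hyper-thread or across VMEXIT
#   vulnerable     - no mitigation at all, or the line could not be read
l1tf_verdict() {
    case "$1" in
        "Not affected")
            echo protected ;;
        *"EPT disabled"*)
            # L1TF guest-to-host attacks need EPT; without it SMT is moot.
            echo protected ;;
        *"SMT vulnerable"*|*"VMX: vulnerable"*|*"L1D vulnerable"*)
            echo guests-exposed ;;
        *"Mitigation: PTE Inversion"*)
            # Reached for "SMT disabled" with flushes on, or host-only (no VMX).
            echo protected ;;
        *)
            echo vulnerable ;;
    esac
}

# Stand-alone use: report on this host.
status=$(l1tf_status)
printf '%s -> %s\n' "$status" "$(l1tf_verdict "$status")"
```

A host reporting guests-exposed is the case The Register describes: the microcode and PTE inversion are in place, but hyper-threading still has to be turned off (the kernel's nosmt boot parameter, or writing off to /sys/devices/system/cpu/smt/control on 4.19 and later), which is the performance trade-off Red Hat's numbers quantify.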

Patent office shows new respect for software (Patently-O, 27 Aug 2018) - Software patents and applications are making a quiet comeback under Director Andrei Iancu's leadership of the U.S. Patent and Trademark Office. This is a welcome shift, since thousands of applications have been held captive in the Office in the wake of Supreme Court decisions culminating in Alice v. CLS Bank, 134 S.Ct. 2347 (2014). In the hands of reductionists, the Alice formula for rejection/invalidation was easy to apply. Every invention can be reduced to an abstract idea. Whatever is left can be explained away as "routine" or "conventional." In the last four years, many software patent applications suffered repeated rejection and the ignoble death of abandonment for lack of will or lack of funds. Even when granted, many software patents were mowed down in inter partes review (IPR) in the Patent Trial and Appeal Board (PTAB). The Federal Circuit's February 2018 decision in Berkheimer, 881 F.3d 1360 (citing Alice and other authority), paved the way for recent progress, holding that when there are genuine issues of material fact concerning alleged routineness or conventionality, evidence of the same must be presented before patent claims properly can be invalidated on such grounds. * * *

Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers (TechCrunch, 28 Aug 2018) - Microsoft today announced a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company's machine learning smarts to its file storage services. The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it's virtually impossible to find any information in these files without spending a lot of time. And once you've found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you're watching the video. The service can handle over 320 file types, so chances are it'll work with your files, too.

Open internet saves accused copyright infringer from liability (Patently-O, 29 Aug 2018) - Cobbler Nevada, LLC v. Gonzales (9th Cir. 2018). This copyright lawsuit involves a cute Adam Sandler movie titled The Cobbler. In the movie, Sandler's character free-rides off of the experiences of others by using a magical shoe-cobbling machine. The movie copyright holders did not reciprocate that freedom when American pirates began downloading and distributing the movie through BitTorrent. Cobbler-Nevada was able to trace the Internet Protocol (IP) address associated with the infringing activity and then filed suit in a John Doe lawsuit. Comcast responded to a subpoena in the case with information that the IP address was assigned to its customer Thomas Gonzales. The copyright holder then amended its complaint to name Gonzales - accusing him of copyright infringement as well as contributory copyright infringement (for failing to secure his internet connection). Note here that Gonzales operates an adult care home and that the internet service was open to residents and visitors. The appeal here focuses on the pleadings and whether the complaint states a claim. In Iqbal, the Supreme Court explained that a complaint must be plausible - allegation of plausible facts that create a plausible "entitlement to relief." Reviewing the allegations here, the 9th Circuit found that the facts alleged against Gonzales here are "not enough to raise a right to relief above a speculative level." (quoting Twombly): * * *

Bitcoin and other cryptocurrencies are useless (The Economist, 30 Aug 2018) - An old saying holds that markets are ruled by either greed or fear. Greed once governed cryptocurrencies. The price of Bitcoin, the best-known, rose from about $900 in December 2016 to $19,000 a year later. Recently, fear has been in charge. Bitcoin's price has fallen back to around $7,000; the prices of other cryptocurrencies, which followed it on the way up, have collapsed, too. No one knows where prices will go from here. Calling the bottom in a speculative mania is as foolish as calling the top. It is particularly hard with cryptocurrencies because, as our Technology Quarterly this week points out, there is no sensible way to reach any particular valuation. It was not supposed to be this way. Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks. A decade on, it is barely used for its intended purpose. Users must wrestle with complicated software and give up all the consumer protections they are used to. Few vendors accept it. Security is poor. Other cryptocurrencies are used even less. With few uses to anchor their value, and little in the way of regulation, cryptocurrencies have instead become a focus for speculation. Some people have made fortunes as cryptocurrency prices have zoomed and dived; many early punters have cashed out. Others have lost money. It seems unlikely that this latest boom-bust cycle will be the last. Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. 
That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino.

- and -

Marshall Islands warned against adopting digital currency (BBC, 11 Sept 2018) - The Republic of the Marshall Islands has been warned against adopting a digital currency as a second form of legal tender. The International Monetary Fund (IMF) said the country, which consists of hundreds of islands in the Pacific Ocean, should "seriously reconsider". Currently, only the US dollar counts as legal tender in the islands. A law to adopt a digital currency named "Sovereign" alongside the dollar was passed in February. The first virtual coins are due to be issued to members of the public via an initial coin offering (ICO) later this year. However, IMF directors said the potential benefits of the move were much smaller than the potential costs of "economic, reputational and governance risks". "[Marshall Island] authorities should seriously reconsider the issuance of the digital currency as legal tender," wrote the directors in their report, which was first spotted by cryptocurrency news site Coindesk. There is just one domestic commercial bank in the country and it is at risk of losing its only correspondent banking relationship with another bank in the US.

- and -

FINRA takes down an unregistered cryptocurrency security (TechCrunch, 12 Sept 2018) - FINRA, the non-profit organization that tasks itself with policing the securities industry, is charging Timothy Tilton Ayre of Agawam, Mass. with fraud and unlawful distribution of unregistered cryptocurrency securities. Ayre claimed that users could buy equity in his company, Rocky Mountain Ayre, Inc., by purchasing HempCoin, a cryptocurrency. From the release: In the complaint, FINRA alleges that, from January 2013 through October 2016, Ayre attempted to lure public investment in his worthless public company, Rocky Mountain Ayre, Inc. (RMTN) by issuing and selling HempCoin - which he publicized as "the first minable coin backed by marketable securities" - and by making fraudulent, positive statements about RMTN's business and finances. RMTN was quoted on the Pink Market of OTC Markets Group and traded over the counter. According to the complaint, FINRA also alleges that in June 2015, Ayre bought the rights to HempCoin and repackaged it as a security backed by RMTN common stock. Ayre marketed HempCoin as "the world's first currency to represent equity ownership" in a publicly traded company and promised investors that each coin was equivalent to 0.10 shares of RMTN common stock. Investors mined more than 81 million HempCoin securities through late 2017 and bought and sold the security on two cryptocurrency exchanges. FINRA charges Ayre with the unlawful distribution of an unregistered security because he never registered HempCoin and no exemption to registration applied. Because FINRA is not a government body its charges are rarely very onerous but, in the case of brokerage fraud, Ayre could face further scrutiny if he tries to sell securities in the future. The company, Rocky Mountain Ayre, seems to be associated with a restaurant and medical marijuana sales operation, although it is unclear what the company actually does.

FBI fights viral influence campaigns with informational videos (Nextgov, 31 Aug 2018) - With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers. The Protected Voices initiative covers a wide range of cybersecurity topics - including software patching, secure communications, password protection and browser safety - that can help campaigns fend off the most common attacks. "Foreign influence operations … are not a new problem," officials said on the site, "but the interconnectedness of the modern world, combined with the anonymity of the Internet, have changed the nature of the threat and how the FBI and its partners must address it." In the videos, FBI personnel explain how foreign actors use phishing emails, public Wi-Fi and insecure routers to infiltrate and disrupt campaigns, and how virtual private networks, cloud services and cyber hygiene principles could mitigate those threats. They stress that anyone who goes online regularly could benefit from such cyber best practices, not just political campaigns. [Polley: these 5-minute videos are very good, and usable by everybody, not just election campaigns.]

Court shuts down feds' attempt to expand the 'border search' exception to cover inland GPS monitoring (TechDirt, 6 Sept 2018) - Cyrus Farivar of Ars Technica has put together a hell of a read from a suppression order obtained by defendants in a drug case. It involves a truckload of cheese danishes, cocaine trafficking, and the US government's attempt to apply the "border exception" everywhere in the United States. At the heart of it is a GPS tracking device. The government installed it on a truck driven by suspected drug smugglers when it crossed the Canadian border into the US. It then used that device to track the truck as it traveled down to California. The resulting bust only uncovered some bags of sugar, but a previous stop of the same truck had turned up 194 kilos of cocaine. The defendants in the case have had the evidence suppressed. The ruling [PDF] was handed down late last month. It points to the Supreme Court's 2012 Jones decision, which held that placing GPS devices on vehicles was a search under the Fourth Amendment. Warrants are needed to place the devices. Long-term tracking is also out of the question if warrants aren't obtained. The government argued it didn't need a warrant because it placed the device on the truck at the Canadian border. This would be the "border exception" to the Fourth Amendment -- one carved out by the courts which allows all kinds of warrantless searches to be performed in the name of border security. But the judge doesn't buy this attempt to salvage ill-gotten evidence. The government cites a number of cases involving searches of vehicles performed at the border -- some more invasive than others -- where warrants weren't needed. The court finds these citations unavailing because they don't actually address what happened here: the placement of a GPS device at the border which was subsequently used to track a vehicle as it traveled far beyond the Canadian border.

Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones (TechCrunch, 10 Sept 2018) - New York prosecutors have extradited a Russian hacker accused of breaking into one of the world's largest banking institutions. Moscow resident Andrei Tiurin, 35, was charged Friday after he was extradited from neighboring Georgia, with the theft of over 80 million records from the bank in 2014. The alleged hacker is said to have been under the direction of Gery Shalon, who was separately indicted a year later following the breach. Tiurin was also charged with wire and securities fraud, and aggravated identity theft, racking up the maximum possible prison time to over 80 years. Although the indictment did not name the New York-based financial news agency, The Wall Street Journal previously reported the victim as its parent company Dow Jones, following the first round of charges in 2015. Tiurin was also accused of trying to artificially inflate the "price of certain stocks publicly traded in the United States," and obtained "hundreds of millions of dollars in illicit proceeds" from various hacking campaigns.

Vizio, sued for making creepy smart TVs, will notify customers via the TVs (ArsTechnica, 10 Sept 2018) - In what is likely a first in the industry, Vizio is on the verge of agreeing to display a class-action lawsuit message through its previously sold "Smart TV" televisions as part of a legal settlement. This message is meant to alert customers who bought the TV that they will be party to the forthcoming settlement and likely will get a small amount of money. As Ars has reported previously, the manufacturer has been under scrutiny since a revelation that it was snooping on its customers. The tracking started in February 2014 on both new TVs and previously sold devices that didn't originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information - including age, sex, income, marital status, household size, education level, home ownership, and home values - to be associated. In a court filing submitted last Wednesday, lawyers for both sides asked the judge to push back approval of the preliminary settlement to October 3. "The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended," they wrote. "The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards."

In a few days, credit freezes will be fee-free (Krebs on Security, 11 Sept 2018) - Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you've been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it's just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind. * * *

UK's mass surveillance regime violated human rights law, finds ECHR (TechCrunch, 13 Sept 2018) - In another blow to the UK government's record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies' bulk collection and data sharing practices were heard by the court in November last year. In today's ruling the ECHR has ruled that only some aspects of the UK's surveillance regime violate human rights law. So it's not all bad news for the government - which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by an NSA whistleblower back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it - reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka 'mass surveillance'); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers. * * *

Security risks of government hacking (Bruce Schneier, 13 Sept 2018) - Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure; Cultivation of a market for surveillance tools; Attackers co-opt hacking tools over which governments have lost control; Attackers learn of vulnerabilities through government use of malware; Government incentives to push for less-secure software and standards; and Government malware affects innocent users. These risks are real, but I think they're much less than mandating backdoors for everyone. From the report's conclusion: Government hacking is often lauded as a solution to the "going dark" problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched. The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that's a big ask, but the alternatives are worse. This is the canonical lawful hacking paper [from 2014].

How the Times verifies eyewitness videos (Sept 14, 2018) - Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria. The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools. * * *

RESOURCES

New draft article: "Compelled Decryption and the Privilege Against Self-Incrimination" (Volokh Conspiracy, Orin Kerr, 12 Sept 2018) - I recently posted to SSRN a new draft article, "Compelled Decryption and the Privilege Against Self-Incrimination," forthcoming in the Texas Law Review. Here's the abstract: This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock. As regular readers may note, I've blogged about these issues before. The new draft builds on the themes of my blog posts, elaborating on the argument and offering my responses to several counterarguments. Comments are very welcome, especially critical ones (and especially from techies).

Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents (David Hricik in TAMU's Journal of Property Law, 2018) - Skynet is not and may never be self-aware, but machines are already doing legal research, drafting legal documents, negotiating disputes such as traffic tickets and divorce schedules, and even drafting patent applications. Machines learn from us, and each other, to augment the ability of lawyers to represent clients - and even to replace lawyers completely. While it also threatens lawyers' jobs, the exponential increase in the capacity of machines to transmit, store, and process data presents the opportunity for lawyers to use these services to provide better, cheaper, or faster legal representation to clients. By way of familiar example, instead of determining whether a precedential opinion remains "good law" by manually going through multiple books - "Shepardizing a case" as an older lawyer would put it - lawyers can use on-line legal services to instantly learn, not just whether an earlier decision has been limited or overruled, but the depth of analysis given to the issue by a later court opinion. Because technology may be able to do some tasks better, or at a lower cost, or both, lawyers should use technology when it will, considering the risks, benefit clients. That obligation requires lawyers to "keep abreast of changes in . . . practice, including the benefits and risk associated with relevant technology . . . ." Assessing the benefits and risks of a particular technology obviously requires due diligence into the practical and legal risks of the technology, and comparing that to the benefits it brings to a representation. That assessment requires applying existing ethical rules in a process that can best be analyzed as comprising two stages. The first step requires determining whether the technology does what it is supposed to do in a reasonably competent manner.
For example, just as a lawyer could not use a paralegal to use a form to create the first draft of a contract for a client if the paralegal's work was known to be unreliable or unreasonably expensive, a lawyer cannot use an automated contract drafting service with the same shortcomings. The first step, in other words, requires reasonable efforts by the lawyer to determine the competency of the service. If the service does not provide competent assistance, the lawyer obviously cannot use it. The second step requires determining whether a competent service can be used while complying with the ethical obligations of the lawyer, beyond competency. Just as a lawyer must ensure that non-lawyer employees and agents maintain the confidentiality of client information consistent with the lawyer's ethical obligations, he must do so with all services provided by third parties, including automated services. Likewise, lawyers must ensure that non-lawyer assistants - even those who are independent contractors hired for a particular matter, and not firm employees - do not have conflicts of interest or violations of other ethical rules. This article focuses on the second step in the due diligence process.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Steal this Wi-Fi (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet. To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous.

FTC adopts final Can-Spam rules (Steptoe & Johnson's E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of "sender" to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the "from" line of the commercial email, then this person will generally be considered the "sole sender" of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008.

Saturday, August 25, 2018

MIRLN --- 29 July - 25 August 2018 (v21.11)

MIRLN --- 29 July - 25 August 2018 (v21.11) --- by Vince Polley and KnowConnect PLLC


NEWS | RESOURCES | LOOKING BACK | NOTES

South Carolina requires insurers to have plans safeguarding customer data (ABA Journal, 6 July 2018) - Less than a year from now, insurers doing business in South Carolina will be required to have a "comprehensive information security program" that protects consumer data. As of Jan. 1, 2019, insurers licensed in the state will be required to create and maintain data security standards based on an ongoing risk assessment, oversee third-party service providers, investigate breaches and notify regulators within 72 hours of a cyber event that affects more than 250 state residents. "It provides some consumer protection to further help safeguard that extremely important and private information," said South Carolina Department of Insurance director Ray Farmer after the passage of the Insurance Data Security Act in May, according to the South Carolina Radio Network. "It requires insurance companies to beef up their data security." * * * The law was based on model legislation created by the National Association of Insurance Commissioners, a standards setting body. The committee that drafted the legislation was chaired by Farmer. Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP, told Bloomberg BNA that insurers like the NAIC model because it will "ward off" a patchwork of different state-level laws. She said that Rhode Island is also considering a version of the legislation. In South Carolina, the law, including its notification requirement, goes into effect Jan. 1, 2019, and insurers will be required to provide written security plans to state regulators starting July 1, 2019.

- and -

Cyber experts: Attacks inevitable, preparation for law firms essential (ABA Journal, 4 Aug 2018) - After the 9/11 attack on the United States, a national commission that analyzed the tragedy found that the country's national security apparatus failed in two major regards: it showed a lack of imagination for the unthinkable and no unity in communication and cooperation to face the developing terrorist threat. Fast forward 17 years. A panel at the American Bar Association Annual Meeting in Chicago raised concerns Saturday that U.S. businesses -- and law firms particularly -- might be going down a similar pre-9/11 path by failing to comprehend the full threat, vulnerabilities and consequences of cyberattacks from around the globe. The program, Cybersecurity Wake Up Call: The Business You Save May Be Your Own, included two key players in the cybersecurity space during the Obama administration - Rajesh De, former general counsel of the National Security Agency, and Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate in the Department of Homeland Security. Also participating were lawyers Thomas Smedinghoff and moderator Ruth Hill Bro, both members of the ABA Cybersecurity Legal Task Force, which sponsored the 90-minute program. The consensus of the panel was that cyberattacks are inevitable, and that preparation for law firms was necessary not only to avoid the hardware issues but also post-attack consequences. A post-attack communications plan was essential, the panelists said. So is thorough due diligence and planning with vendors and others in the supply chain to avoid legal consequences after a breach. The panelists also explored legal issues related to payments and other issues dealing with "ransomware," the concept of criminals shaking down businesses and others for money and bitcoins through cyber breaches.
De noted this is a corporate governance issue, and that there should be a plan when an incident occurs on notifying authorities, deciding whether a payment should be made and how to communicate the situation to stakeholders, including governing boards. "It is always the disclosure issues that tend to trip people up," said De, a partner at Mayer Brown in Washington, D.C. Bro, who co-chairs the task force which recently published a book, "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals," reminded the audience that cybersecurity "is a process not a product" requiring persistent vigilance and constant review. She touted the motto of the Boy Scouts: "Be prepared."

- and -

Ohio enacts law giving affirmative defense to businesses which beef up cybersecurity (Ride The Lightning, 8 Aug 2018) - Columbus Business First reported on August 3rd that Ohio Governor John Kasich had signed into law a bill that aims to prod businesses to beef up security by giving companies something of a "safe harbor" if they voluntarily invest in better cybersecurity to protect customer information. The Ohio Data Protection Act provides an affirmative legal defense for companies that suffer a data breach who are then sued for not implementing reasonable security protocols. Eligible organizations may rely on conformity to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. To qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security and the resources available to the organization. This is a good recognition that one size does not fit all, but makes conforming to the safe harbor more difficult to establish. * * *

- and -

NIST Small Business Cybersecurity Act becomes law (Security Week, 16 Aug 2018) - Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the MAIN STREET Cybersecurity Act) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks." The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980. Use of these resources by small businesses is voluntary. * * * Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet. The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. * * * Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures."

5 lessons learned on data breach management after 2 months of GDPR: Friday is calling (Mayer Brown, 25 July 2018) - The GDPR mandates controllers and processors to have technical and organizational measures in place to ensure an appropriate level of security for personal data. They should have the ability to detect, address and report data breaches in a timely manner. Many internal procedures were drafted in anticipation of the entry into force of the GDPR. Now, two months after GDPR Day, here are five lessons learned from data breach management, as, yes, numerous personal data breaches have occurred since then, of which authorities were notified, in pretty significant numbers and in a variety of sectors. * * * [Polley: Interesting; also notable for quickly conveying some useful lessons. More to come, I'm sure.]

Welcome to the Quiet Skies (Boston Globe, 28 July 2018) - Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency. The previously undisclosed program, called "Quiet Skies," specifically targets travelers who "are not under investigation by any agency and are not in the Terrorist Screening Data Base," according to a Transportation Security Administration bulletin in March. But some air marshals, in interviews and internal communications shared with the Globe, say the program has them tasked with shadowing travelers who appear to pose no real threat - a businesswoman who happened to have traveled through a Mideast hot spot, in one case; a Southwest Airlines flight attendant, in another; a fellow federal law enforcement officer, in a third. It is a time-consuming and costly assignment, they say, which saps their ability to do more vital law enforcement work. Already under Quiet Skies, thousands of unsuspecting Americans have been subjected to targeted airport and inflight surveillance, carried out by small teams of armed, undercover air marshals, government documents show. The teams document whether passengers fidget, use a computer, have a "jump" in their Adam's apple or a "cold penetrating stare," among other behaviors, according to the records. Air marshals note these observations - minute-by-minute - in two separate reports and send this information back to the TSA. All US citizens who enter the country are automatically screened for inclusion in Quiet Skies - their travel patterns and affiliations are checked and their names run against a terrorist watch list and other databases, according to agency documents.

Fending off cyberattacks in international arbitration (NY Law Journal, 3 Aug 2018) - In the context of ever-escalating data breaches, international arbitration is not immune to cyberattacks. One widely reported cyberattack targeted the Permanent Court of Arbitration in The Hague (PCA) in July 2015, while the court was administering a hearing between the Philippines and China over disputed territorial waters in the South China Sea. During that arbitration, malicious software originating in China targeted the PCA's website, the Philippines Department of Justice, the law firm representing the Philippines in the arbitration, and anyone visiting a specific page of the PCA devoted to the dispute, allowing the hackers to access classified information. A similar cyberintrusion occurred in 2008 in the case of Libananco Holdings Co. v. Rep. of Turkey (ICSID Case No ARB/06/9), where, in the course of a separate court-ordered money laundering investigation, the Turkish government intercepted privileged communications and materials that had been exchanged between Libananco and its counsel in connection with the arbitration. It is therefore of no surprise that international arbitration may become a prime target for cybercriminals. This is for various reasons. First, as a neutral forum for the resolution of complex international disputes, international arbitration often involves parties that are themselves prominent targets of cyberattacks such as multinational corporations, governments, state entities, and public figures. Second, in these types of disputes, digital discovery is the norm and inevitably involves the exchange of highly sensitive information such as trade secrets, business plans, and case strategy, which have the potential of influencing politics and moving financial markets. Third, the risk of exposure to cyberattacks is relatively high because of the way international arbitration is conducted.
The information collected is typically organized in easily searchable data sets, such as pleadings, witness statements, expert reports, transcripts of hearings, and arbitral deliberation materials, including draft and final awards. Each fixed or portable device (computers, laptops, smartphones, tablets), cloud-based storage (file-sharing platforms, virtual data rooms), and courtroom technology (real-time translations, live e-transcripts, telepresence technologies) is a digital portal allowing for unauthorized access to arbitration-related materials. The fact that the information is hosted and exchanged by a variety of digitally interdependent players such as in-house and outside counsel, government officers and agencies, arbitral institutions and tribunals, experts and witnesses, and other custodians of large electronic information repositories only increases the likelihood that a data breach of one participant will impact all participants. The data custodians involved in the process also tend to sit in different jurisdictions and communicate through various means, including unencrypted email. Therefore, large amounts of information travel around the world in an unsecured way. Even larger amounts of information may be compromised if U.S.-style discovery takes place.

Videorecording public servants in public (Volokh Conspiracy, 4 Aug 2018) - I think the federal circuit court decisions recognizing a right to videorecord in public places - decisions that have so far dealt with recording police officers - are correct: A right to speak must include some right to gather the information needed to speak (what is often labeled the "right to gather news"), and recording what government officials do in public places is important to be able to speak credibly about it. * * * But courts haven't figured out how far this extends, especially when we get beyond recording the police. Here is an interesting 2017 opinion (People v. Rivas) from the New York intermediate appellate court; Rivas was convicted of fourth-degree stalking, which punishes anyone who "intentionally, and for no legitimate purpose, engages in a course of conduct directed at a specific person, and knows or reasonably should know that such conduct ... is likely to cause reasonable fear of material harm to the physical health, safety or property of such person," and of first-degree harassment, which punishes anyone who "intentionally and repeatedly harasses another person by following such person in or about a public place or places or by engaging in a course of conduct or by repeatedly committing acts which places such person in reasonable fear of physical injury." * * *

Legal protection for ethical hackers (Ride The Lightning, 6 Aug 2018) - The Washington Post (sub. req.) reported on August 3rd about a new project called Disclose.io, which is dedicated to providing legal protection to ethical hackers. The site itself says disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. The project originated with the cybersecurity firm Bugcrowd and a University of California researcher. It aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization's networks or software. The project offers companies, academic institutions or even government agencies a standard legal agreement they can post that fundamentally says that it's okay to hack us if you do it in good faith. It tells ethical hackers that they won't get sued or face criminal charges if they find a flaw on an organization's systems and report it responsibly. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don't contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities - sometimes to prevent an embarrassing flaw from being disclosed publicly. In one example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state's election website. And boy oh boy, was that something that needed to be disclosed! Understandably, researchers are sometimes reluctant to report potentially serious security flaws because they fear the repercussions.
Disclose.io offers a template with boilerplate language that spells out in plain terms what security researchers can and can't do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced - anyone is free to use it or modify it.

The Defense Department has produced the first tools for catching deepfakes (Technology Review, 7 Aug 2018) - The first forensics tools for catching revenge porn and fake news created with AI have been developed through a program run by the US Defense Department. Forensics experts have rushed to find ways of detecting videos synthesized and manipulated using machine learning because the technology makes it far easier to create convincing fake videos that could be used to sow disinformation or harass people. Video trickery involves using a machine-learning technique known as generative modeling, which lets a computer learn from real data before producing fake examples that are statistically similar. A recent twist on this involves having two neural networks, known as generative adversarial networks, work together to produce ever more convincing fakes. The tools for catching deepfakes were developed through a program - run by the US Defense Advanced Research Projects Agency (DARPA) - called Media Forensics. The program was created to automate existing forensics tools, but has recently turned its attention to AI-made forgery. "We've discovered subtle cues in current GAN-manipulated images and videos that allow us to detect the presence of alterations," says Matthew Turek, who runs the Media Forensics program.

SpiderOak's Warrant Canary died (Bruce Schneier, 8 Aug 2018) - "I have never quite trusted the idea of a warrant canary. But here it seems to have worked. (Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision. To have it simply disappear is what we would expect if SpiderOak were being forced to comply with a US government request for personal data.)"

* * * which leads to the underlying Boing Boing story:

SpiderOak warrant canary to be replaced by 'transparency report' (Boing Boing, 6 August 2018) - SpiderOak is a cloud backup service with a warrant canary: a formal statement that assured users that the company and its operators had never been made to secretly cooperate with the government, law enforcement or other surveilling authority. The canary reportedly disappeared this weekend, then reappeared, along with a statement saying it was being replaced by a "transparency report."

* * * which leads to:

a 3 August tweet from @SpiderOak, that itself says "the final version of the canary is available at spideroak.com/canary." In turn, the slightly-convoluted canary includes this language: "On top of this, the canary's effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users." [Polley: First, I'm struck by Schneier's comment: suggests that canaries can work, if done carefully. Digging into the actual postings by SpiderOak on their Twitter feed suggests a fascinating back-story. Would have been fun being on that legal team. (Sorry for the recursive structure.)]

Security flaws on Comcast's login page exposed customers' personal information (BuzzFeed, 8 Aug 2018) - Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of more than 26.5 million customers, according to security researcher Ryan Stevenson, who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider's online customer portal made it easy for even an unsophisticated hacker to access this sensitive information. After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report." While Comcast has not found any foul play yet, its review is ongoing.

The "Arrest and Alleged Charges No Longer Exist -- as If It Never Happened" (Volokh Conspiracy, 8 Aug 2018) - Expungement laws let people who have been arrested - and often even ones who have been convicted - get their records removed from government databases, or sometimes sealed so that some government agencies can access them but the public can't. There's an interesting and important policy debate about whether this should happen, and when it should happen. But the expungement laws do not require private organizations, such as newspapers, to delete information about the arrest or conviction from their archives. (In a few places, they cover private databases of information, sometimes just ones that charge money to remove material from those databases; that itself poses First Amendment problems, but those laws are sharply limited and don't purport to cover newspapers.) Nor does an expungement make the original report of the arrest or conviction libelous; it may change what facts the government keeps in its files, or what facts the criminal justice system can later use about the arrest, but it doesn't change the reality of the original arrest, and it doesn't bar people from keeping up articles about the arrest. Yet some lawyers' demand letters, unsurprisingly, argue the contrary; here, for instance, is a letter sent in November by New York lawyer Gregg M. Sidoti to the Stillwater (Okla.) News Press about an expungement of a 19-year-old's arrest for public intoxication. * * *

GCs are flirting with the big four - but they remain wary (Corporate Counsel, 9 Aug 2018) - Within the past couple of months, Adobe Systems Inc. has taken a less traditional path in handling some of its corporate legal work overseas. The company has shifted some matters away from traditional international and regional law firms and hired one of the Big Four accounting firms to take on this work instead. What prompted the switch? According to Lisa Konie, senior director of legal operations for Adobe, it was primarily a predictable alternative fee arrangement. The San Jose, California-based software company pays the firm, which Konie declined to name, an annual fixed fee that depends on the country where the work is being done and the services being provided. "What I don't think a lot of law firms appreciate is that we are held accountable to our CFO," Konie said. "When I come in and tell my CFO that we have 75 percent accountability with billing I come off looking like a rock star." While some companies, like Adobe, are on board with the Big Four, others are hanging back, despite the apparent advantages that these accounting behemoths have over traditional law firms, including more predictable and flexible pricing and Scrooge McDuck-sized bank vaults. Those who remain hesitant say they're still waiting for the Big Four to prove that they offer a better alternative to the traditional firm model.

Hack causes pacemakers to deliver life-threatening shocks (ArsTechnica, 9 Aug 2018) - Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a CareLink 2090 programmer, a device doctors use to control pacemakers after they're implanted in patients. Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients.
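The two missing controls the Ars item names are transport encryption and firmware signing; of the two, signing is the one that protects a programmer even when the update channel itself is untrusted. The added example below (not code from Ars, the researchers or Medtronic) models the check an update client should perform before flashing: a constructed, hypothetical image layout (magic, version, payload, Ed25519 signature) is verified against a vendor public key baked into the device, and images that are malformed, unsigned, tampered in transit, or older than the installed version are refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update image layout, constructed for this example only:
//   magic "FWUP" (4) | version uint32 big-endian (4) | payload (n) | signature (64)
// The Ed25519 signature covers every byte before it, so the version field
// cannot be altered independently of the payload.
const (
	imageMagic = "FWUP"
	headerLen  = 8
	sigLen     = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("update image: malformed or truncated")
	ErrBadSig    = errors.New("update image: signature does not verify against vendor key")
	ErrRollback  = errors.New("update image: version is not newer than installed firmware")
)

// GenerateVendorKey models the manufacturer's release-signing key pair.
// Only the public half would ever be provisioned onto the programmer.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// BuildSignedImage is the vendor-side step: assemble header and payload,
// then append a signature over that whole blob.
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	_ = binary.Write(&buf, binary.BigEndian, version)
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device-side gate that must run before anything is
// flashed, whether or not the download used TLS. It returns the payload to
// flash and its version, or a sentinel error describing why it was refused.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) ([]byte, uint32, error) {
	// Length check first so the slicing below can never panic on short input.
	if len(img) < headerLen+sigLen || string(img[:4]) != imageMagic {
		return nil, 0, ErrMalformed
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Authenticate before interpreting any other field, so untrusted bytes
	// never steer control flow past this point.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	version := binary.BigEndian.Uint32(signed[4:headerLen])
	// Anti-rollback: a validly signed but older image must still be refused,
	// otherwise an update channel could reintroduce already-fixed firmware.
	if version <= installed {
		return nil, 0, ErrRollback
	}
	return signed[headerLen:], version, nil
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed placeholder payload, not real device firmware")
	genuine := BuildSignedImage(priv, 2, payload)

	// Same image with one payload byte flipped, as a man-in-the-middle on a
	// plaintext update channel could do.
	tampered := append([]byte(nil), genuine...)
	tampered[headerLen] ^= 0x01

	// Same image with the signature field zeroed: the "unsigned firmware" case.
	unsigned := append(append([]byte(nil), genuine[:len(genuine)-sigLen]...), make([]byte, sigLen)...)

	cases := []struct {
		name string
		img  []byte
	}{
		{"genuine", genuine},
		{"tampered", tampered},
		{"unsigned", unsigned},
		{"rollback", BuildSignedImage(priv, 1, payload)},
	}
	const installedVersion = 1
	for _, c := range cases {
		if _, v, err := VerifyImage(pub, installedVersion, c.img); err != nil {
			fmt.Printf("%-8s rejected: %v\n", c.name, err)
		} else {
			fmt.Printf("%-8s accepted: version %d\n", c.name, v)
		}
	}
}
```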

West Virginia to offer mobile blockchain voting app for overseas voters in November election (WaPo, 10 Aug 2018) - West Virginia will provide a mobile blockchain voting option, in addition to absentee ballots, for overseas military service members in elections this November, after receiving audit results this week from a pilot program. It will be the first state to offer this technology to improve voting accessibility for deployed members of the military and their families, according to West Virginia's secretary of state. Eligible voters will be able to cast their ballots through a mobile application that uses blockchain technology, which stores data on a decentralized database, meaning there's no owner, allowing for more transparent transactions. Information is stored publicly, but to ensure privacy, West Virginia voters' personal information will remain anonymous. * * * West Virginia is offering blockchain ballots only to overseas military members, and state officials remain wary of advocating the technology for in-state voters or other state elections. "This is a solution to West Virginia's problems [with overseas voters] specifically. We didn't have the money to build a new system or buy a new one that's already created," Kersey said. "I don't know if blockchain is the answer. It was just the answer we found here."

- and -

The World Bank is getting in on blockchain (CNN, 10 Aug 2018) - The international lender is planning to issue what it says is the world's first global blockchain bond, a notable mainstream endorsement of the emerging technology. Blockchain is best known as the technology underpinning bitcoin and other cryptocurrencies. It serves as a digital record of financial transactions. The World Bank has hired Commonwealth Bank of Australia (CBAUF) to manage the bond, which is expected to raise as much as 100 million Australian dollars ($73 million). They have named it the "Blockchain Offered New Debt Instrument," or "bond-i," a nod to Sydney's famous Bondi Beach. The World Bank follows German automaker Daimler, which used blockchain technology to issue a type of German bond in a pilot project last year. Blockchain could hugely streamline the process of issuing bonds, which has been heavily reliant on physical paperwork for the past 200 years, according to James Wall, a senior institutional banking executive at Commonwealth Bank. Moving the process to the blockchain could cut costs and speed up trading for both bond issuers and investors.

Fax machines may be vulnerable to hackers, new report finds (WaPo, 13 Aug 2018) - The fax machine is widely considered to be a dinosaur of interoffice communications, but it may also present a vulnerable point where hackers can infiltrate an organization's network, according to a new report from Israel-based software company Check Point. The company said that the vulnerability was identified as a result of research intended to discover potential security risks, and not as the result of any attack. Hackers can gain access to a network using the phone line connected to a fax machine, which is often connected to the rest of an organization's network. By sending an image file that contains malicious software over the phone line, hackers can take control of the device and access the rest of the network. The researchers were able to do this using only a fax number, which is often widely distributed by organizations on business cards and websites.

US court authorizes service by Twitter on WikiLeaks (Volokh Conspiracy, 13 Aug 2018) - Folkman is a leading expert on (among other things) international service of process, a technical but tremendously important field of civil procedure; read his post for more details on this issue, but here's the introduction: The Democratic National Committee has obtained leave of court to serve process on Wikileaks via Twitter in its lawsuit against Russia, Wikileaks, Julian Assange and others. I have written previously about the FSIA [Foreign Sovereign Immunities Act] issue in the case and the issues about serving process on Mr. Assange in the Ecuadoran embassy in London. But serving process on Wikileaks poses difficulties, too. The DNC's motion gives several reasons for seeking leave to serve process by Twitter rather than by a more traditional means. Wikileaks, it says, is an "organization of unknown structure" that has "more of a virtual than a physical presence." It has post office boxes in California and in Australia, but it is unclear to the DNC whether Wikileaks uses them for business. Lawyers who have represented Wikileaks in prior US litigation have said they no longer represent the organization or are not authorized to accept service. And Wikileaks, or someone purporting to act on its behalf, does have an active Twitter presence.... [Polley: see also DNC serves WikiLeaks with lawsuit via Twitter (CBS, 10 Aug 2018)]

Hundreds of researchers from Harvard, Yale and Stanford were published in fake academic journals (Motherboard, 14 Aug 2018) - In the so-called "post-truth era," science seems like one of the last bastions of objective knowledge, but what if science itself were to succumb to fake news? Over the past year, German journalist Svea Eckert and a small team of journalists went undercover to investigate a massive underground network of fake science journals and conferences. In the course of the investigation, which was chronicled in the documentary "Inside the Fake Science Factory," the team analyzed over 175,000 articles published in predatory journals and found hundreds of papers from academics at leading institutions, as well as substantial amounts of research pushed by pharmaceutical corporations, tobacco companies, and others. Last year, one fake science institution run by a Turkish family was estimated to have earned over $4 million in revenue through conferences and journals. * * *

Public utility's recording of home energy consumption every 15 minutes is a "search," Seventh Circuit rules (Orin Kerr on Volokh Conspiracy, 17 Aug 2018) - In a fascinating new decision, Naperville Smart Meter Awareness v. City of Naperville, the Seventh Circuit has held that a public utility commits a "search" of a home when it records every 15 minutes how much electricity the utility is providing the home, at least until the smart readers that enable this data collection come into general public use. At the same time, the court says, the utility's search of the home is reasonable and therefore permitted without any cause or suspicion. The Seventh Circuit's analysis relies on Carpenter v. United States for a significant step in its reasoning. Given that, the new decision is an interesting measure of where Fourth Amendment law may be going in the post-Carpenter era. * * * [Polley: There's much more here, and Prof. Kerr's take on it is interesting, as always.]

RESOURCES

Adler on Why Art Does Not Need Copyright (MLPB, 1 Aug 2018) - Amy Adler, New York University School of Law, is publishing Why Art Does Not Need Copyright in volume 86 of the George Washington Law Review (2018). Here is the abstract: This Article explores the escalating battles between visual art and copyright law in order to upend the most basic assumptions on which copyright protection for visual art is grounded. It is a foundational premise of intellectual property law that copyright is necessary for the "progress" of the arts. This Article demonstrates that this premise is flatly wrong when it comes to visual art. United States courts and scholars have come to understand copyright law almost universally in utilitarian terms; by this account, the reason we grant copyright to authors is to give them economic incentives to create culturally valuable works. But legal scholars have failed to recognize that their paradigm makes no sense when applied to visual art, one of the highest profile and most hotly contested fields in intellectual property law. This is because scholars have failed to take into account the single most important value for participants in the art market: the norm of authenticity, which renders copyright law superfluous. The fundamental assumption of copyright law - that the copy poses a threat to creativity - is simply not true for visual art. By juxtaposing copyright theory with the reality of the art market, this Article shows why copyright law does not - and cannot - incentivize the creation of visual art. In fact, copyright law, rather than being necessary for art's flourishing, actually impedes it.

Twenty years of web scraping and the Computer Fraud and Abuse Act (BU Journal of Science and Technology Law, 14 Aug 2018) - Abstract: "Web scraping" is a ubiquitous technique for extracting data from the World Wide Web, done through a computer script that will send tailored queries to websites to retrieve specific pieces of content. The technique has proliferated under the ever-expanding shadow of the Computer Fraud and Abuse Act (CFAA), which, among other things, prohibits obtaining information from a computer by accessing the computer without authorization or exceeding one's authorized access. Unsurprisingly, many litigants have now turned to the CFAA in an attempt to police against unwanted web scraping. Yet despite the rise in both web scraping and lawsuits about web scraping, practical advice about the legality of web scraping is hard to come by, and rarely extends beyond a rough combination of "try not to get caught" and "talk to a lawyer." Most often the legal status of scraping is characterized as something just shy of unknowable, or a matter entirely left to the whims of courts, plaintiffs, or prosecutors. Uncertainty does indeed exist in the caselaw, and may stem in part from how courts approach the act of web scraping on a technical level. In the way that courts describe the act of web scraping, they misstate some of the qualities of scraping to suggest that the technique is inherently more invasive or burdensome. The first goal of this piece is to clarify how web scrapers operate, and explain why one should not think of web scraping as being inherently more burdensome or invasive than humans browsing the web. The second goal of this piece is to more fully articulate how courts approach the all-important question of whether a web scraper accesses a website without authorization under the CFAA. I aim to suggest here that there is a fair amount of madness in the caselaw, but not without some method.
Specifically, this piece breaks down the twenty years of web scraping litigation (and the sixty-one opinions that this litigation has generated) into four rough phases of thinking around the critical access question. The first runs through the first decade of scraping litigation, and is marked with cases that adopt an expansive interpretation of the CFAA, with the potential to extend to all scrapers so long as a website can point to some mechanism that signaled access was unauthorized. The second, starting in the late 2000s, was marked by a narrowing of the CFAA and a focus more on the code-based controls of scraping, a move that tended to benefit scrapers. In the third phase courts have receded back to a broad view of the CFAA, brought about by the development of a "revocation" theory of unauthorized access. And most recently, spurred in part by the same policy concerns that led courts to initially constrain the CFAA in the first place, courts have begun to rethink this result. The conclusion of this piece identifies the broader questions about the CFAA and web scraping that courts must contend with in order to bring more harmony and comprehension to this area of law. They include how to deal with conflicting instructions on authorization coming from different channels on the same website, how the analysis should interact with existing technical protocols that regulate web scraping, including the Robots Exclusion Standard, and what other factors beyond the wishes of the website host should govern application of the CFAA to unwanted web scraping.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Offshore hosting firm Havenco lost at sea (The Register, 25 Nov 2008) - Controversial hosting provider HavenCo - which operated from the 'nation' of Sealand, an old naval fort off the coast of Suffolk which was declared a 'sovereign principality' by its quirky owner Roy Bates - has finally gone offline. As of last week, the HavenCo website is gone and the domain is now hosted outside the Sealand subnet. Founded in 2000 by Bates' son and Michael with $1m in seed money, the company initially offered an everything-goes policy along with an offshore fat-pipe data haven. Child pornography, spamming and malicious hacking were strictly prohibited, but with no restrictions on copyright or intellectual property for data hosted on its servers, file-sharing certainly looked like a possibility. Many existing customers had left by 2003. With no investment backing, bandwidth never materialised, and the location was vulnerable to DoS attacks. However, what probably scared most potential customers was the fact all internet connectivity went through the UK and that the UK claimed the platform was within its territorial waters. HavenCo was one of many failed business ventures in an attempt to profit from the world's smallest country. A scheme to build a hotel and gambling complex never materialised. Since last year, the principality has been put up for sale. Last year, Swedish bittorrent search site The Pirate Bay said it was in negotiations with Prince Michael of Sealand about purchasing the principality to use it as a base for its own operations, but Bates declared he would never sell the micronation - currently priced at €750m - to a BitTorrent tracker. top

Ohio official sues e-voting vendor for lost votes (Computerworld, 8 August 2008) - Ohio Secretary of State Jennifer Brunner has filed a lawsuit against an electronic-voting machine vendor, saying the vendor should pay damages for dropped votes in the state's March primary election. E-voting machines from Premier Election Solutions, formerly known as Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machine's memory cards were uploaded to vote-counting servers, Brunner's office said. Officials in Brunner's office later discovered the dropped votes in other counties after voting officials in Butler County discovered about 150 dropped votes, said Jeff Ortega, Brunner's assistant director of communications. Brunner's lawsuit, filed in Franklin County Common Pleas Court in Ohio on Wednesday, is a counterclaim to an earlier lawsuit filed by Premier. In May, Premier filed a lawsuit against Brunner's office and Cuyahoga County, Ohio, seeking a judgment that Premier did not violate any contracts or warranties. Brunner's lawsuit accuses Premier of not fulfilling its contracts with election officials. The lawsuit also alleges breach of warranty and fraud. Premier e-voting machines are used in half of Ohio's 88 counties. Butler County officials discovered the dropped votes in post-election checks. That set off a statewide investigation, which found dropped votes in 11 other counties, according to information from Brunner's office. Butler County officials sent letters to Premier on April 4 and 9, seeking an explanation for the dropped votes, and on May 16, Premier issued a report, suggesting human error or conflicts with antivirus software were to blame. Brunner and Butler County officials have suggested that the May report and a follow-up issued by Premier lacked evidence that antivirus software caused the problems.
A Premier report on May 29 suggested counties disable antivirus software on vote-tabulation servers, but the servers had been certified in Ohio with the antivirus software installed, Brunner said. In December, Brunner's office issued a report questioning the security of touch-screen e-voting machines like those sold by Premier. Machines from Premier and two other vendors had "critical security failures," the report said. top

Saturday, July 28, 2018

MIRLN --- 8-28 July 2018 (v21.10)

MIRLN --- 8-28 July 2018 (v21.10) --- by Vince Polley and KnowConnect PLLC


ANNOUNCEMENTS

ABA attendees at the Chicago annual meeting next week may want to attend a showcase program (August 4 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. "Cybersecurity Wake-up Call: The Business You Save May Be Your Own." Info here. See you there!

NEWS

In world first, Danish court rules stream-ripping site illegal (Torrent Freak, 10 July 2018) - While millions of users still obtain pirate music from peer-to-peer platforms such as BitTorrent, in recent years a new challenge has appeared on the horizon. Sites like YouTube, which offer millions of copies of almost every song imaginable, are now an unwitting player in the piracy ecosystem. Every day, countless people use special tools to extract music from video tracks before storing them on their local machines. This so-called 'stream-ripping' phenomenon is now cited as being one of the greatest piracy threats to the record labels but thus far, no single action has been able to stem the tide. Over in Denmark, however, there has been a breakthrough of sorts following action by local anti-piracy outfit RightsAlliance taken on behalf of IFPI, collecting society KODA, the Danish Artist Union, and the Danish Musicians Association. The action targeted Convert2MP3, a site that allows users to download audio and video from platforms including YouTube. The recording industry groups wanted the stream-ripping platform blocked by Internet service providers in Denmark but first, they needed it to be declared illegal in the country. That decision came last week from a court in Frederiksberg. * * * top

US government drops prohibition on files for 3D printed arms (Volokh Conspiracy, 10 July 2018) - Last week the U.S. Department of Defense and U.S. Department of State settled a lawsuit and agreed to end their prior restraint of distribution of computer files for the production of 3D printed firearms. The "International Traffic in Arms Regulations (ITAR)" are a collection of regulations covering the export of military weapons from the United States. The regulations are based on the 1976 Arms Export Control Act. The ITAR export controls apply to all arms on the U.S. Munitions List ["USML"], which is created by the State Department. An ITAR export permit costs at least $2,250 annually. Starting in 2012, the Department of Defense issued regulations asserting that many U.S. gunsmiths are required to obtain ITAR export permits even if they never export anything. Details are available on the website of Prince Law Offices, P.C., which specializes in firearms commerce regulation. Under the Obama administration, the U.S. Munitions List grew to include many ordinary firearms, as well as the computer files for 3D printing of ordinary firearms. In 2015, a lawsuit against the ban on distributing 3D printing files within the U.S. was brought by the Second Amendment Foundation (a civil rights litigation organization) and by Defense Distributed (a producer of 3D printing files). Plaintiffs' attorneys included Alan Gura (winner of the Heller and McDonald cases) and Josh Blackman (law professor at South Texas College of Law). There were many arguments in the case, but the principal one was that the ban constituted a prior restraint of speech, contrary to the First Amendment. The plaintiffs sought a preliminary injunction against the restraint on speech. The U.S. government prevailed in the District Court, and before a Fifth Circuit panel. A petition for rehearing en banc was rejected by a 9-5 vote.
Fifth Circuit Judges voting to grant the petition were Jones, Smith, Clement, Owen, and Elrod. Voting against the petition were Stewart, Jolly, Dennis, Prado, Southwick, Haynes, Graves, Higginson, and Costa. In January 2018, the U.S. Supreme Court denied the petition for certiorari. The preliminary injunction having been utterly defeated, the next stage for the case was factual development in district court. In the view of attorney Alan Gura, the main reason for the loss on the preliminary injunction was reluctance to upset the status quo, rather than an expectation that the government could prevail on the merits of the First Amendment issue. Documents in the case are available here. In May 2018, the Trump administration proposed revising the ITAR regulations. The move for regulatory reform actually began under the Obama administration, but the proposed reforms were never published. Now they have been. Export controls for many ordinary firearms and accessories will be removed from the ITAR list. Exports of such items will instead be controlled by the Department of Commerce. Among the items remaining under the ITAR system are automatic firearms, firearms of greater than .50 caliber, magazines with more than 50 rounds, and sound moderators (a/k/a "silencers"). Non-automatic firearms of .50 caliber or less will no longer be covered under ITAR; among the firearms no longer under ITAR is the semiautomatic AR-15 rifle, the most common rifle in American history. Its typical calibers are .223 and .308--well under the new .50+ caliber rule. Accordingly, the government defendants revisited the Defense Distributed case. If a particular arm (e.g., the AR-15) is no longer part of ITAR, then it would be illogical for ITAR to be applied to instructions for making the arm. Under today's settlement agreement, plaintiffs and others may freely publish 3D printing instructions for firearms that are not covered under ITAR.
Restrictions on distribution of 3D printing information for items that are still under ITAR, such as machine guns or rifles over .50 caliber, remain in place. [Polley: I.e., this is NOT a 1st Amendment case.] top

SEC probes why Facebook didn't warn sooner on privacy lapse (WSJ, 12 July 2018) - Securities regulators are investigating whether Facebook Inc. adequately warned investors that developers and other third parties may have obtained users' data without their permission or in violation of Facebook policies, people familiar with the matter said. The Securities and Exchange Commission's probe of the social-media company, first reported in early July, follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump's 2016 campaign, got access to information on millions of Facebook users. The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica's use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added. The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook. top

Top voting machine vendor admits it installed remote-access software on systems sold to states (Motherboard, 17 July 2018) - The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said. ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company's machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. It's not clear why ES&S would have only installed the software on the systems of "a small number of customers" and not all customers, unless other customers objected or had state laws preventing this. top

Businesses cannot contractually ban "abusive" consumer reviews (Eric Goldman, 17 July 2018) - An article recently posted to SSRN argues that the Consumer Review Fairness Act (CRFA) purportedly lets businesses contractually ban "abusive" reviews. If this is correct, it could affect millions of businesses and hundreds of millions of consumers. However, the article's argument is clearly wrong, and this error exposes millions of businesses to potentially severe liability. This post explains why and how. Note: unavoidably, this blog post counterproductively draws greater attention to a bad argument. Because of the stakes, I concluded a public correction was, on balance, necessary. However, to reinforce my view that the article doesn't merit your independent review, I've deliberately not identified the article's author or title or linked to it (is there a blogging equivalent of subtweeting?). I recommend reading the article as "enthusiastically" as I "recommend" watching The Emoji Movie. TL;DR top

Ponemon Institute: Average cost of a data breach exceeds $3.8 million (Ride the Lightning, 19 July 2018) - The 2018 Cost of a Data Breach Study is available for download from IBM here. The study was done by the Ponemon Institute and IBM. This year's study reports that the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% over the previous year to $148. IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation. As reported by VentureBeat, the study found that hidden costs in data breaches - such as lost business, negative impact on reputation and employee time spent on recovery - are difficult and expensive to manage. For example, the study found that a third of the cost of "mega breaches" (over 1 million lost records) was derived from lost business. And that, of course, is why the C-Suite has nightmares about data breaches. The reputational damages can be extraordinary. In the past five years, the number of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small number of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records. The vast majority of the mega-breaches (10 out of 11) were caused by malicious attacks rather than technical failures or human error. The average time to detect and contain a mega breach was 365 days - almost 100 days longer than a smaller scale breach (266 days). top

Cyber security advice issued to law firms in first legal threat report (GCHQ, 19 July 2018) - The NCSC's first legal threat report has been issued to law firms. Law firms have been urged to follow expert cyber security guidance after a report published today (19 July) showed the scale of the threat they face. The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals between 2016-17. In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months. The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain. top

US energy regulator wants more disclosure of cyber attacks (Reuters, 19 July 2018) - The Federal Energy Regulatory Commission (FERC), an energy industry regulator, called for the power industry's regulating body, the North American Electric Reliability Corp, to expand rules that require reporting of cyber security incidents to include attempts that might facilitate future efforts to disrupt the grid. FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure. Current NERC rules only mandate reporting of cyber attacks if they compromise or disrupt a "core activity" toward maintaining the reliability of the electric grid, according to a 67-page report issued by FERC. That threshold "may understate the true scope of cyber-related threats" facing the industry, the report said. top

Some colleges cautiously embrace Wikipedia (Chronicle of Higher Ed, 19 July 2018) - Anna Davis remembers when people didn't want to talk to her at academic conferences: "I had this woman one time who held her folder up over her head and was like, 'Don't let my department chair see me talking to you guys, but I'm so glad you're here.'" Davis works for Wikipedia, the online encyclopedia that was once considered anathema to the academic mission. She's director of programs for its higher-education-focused nonprofit arm, Wiki Education. Academics have traditionally distrusted Wikipedia, citing the inaccuracies that arise from its communally edited design and lamenting students' tendency to sometimes plagiarize assignments from it. Now, Davis said, higher education and Wikipedia don't seem like such strange bedfellows. At conferences these days, "everyone's like, 'Oh, Wikipedia, of course you guys are here.'" One initiative Davis oversees at Wiki Education aims to forge stronger bonds between Wikipedia and higher education. The Scholars program, which began in 2015, pairs academics at colleges with experienced Wikipedia editors. Institutions provide the editors with access to academic journals, research databases, and digital collections, which the editors use to write and expand Wikipedia articles on topics of mutual interest. A dozen institutions, including Rutgers University, Brown University, and the University of Pittsburgh, are participating. * * * Scholars' skepticism about Wikipedia also stems from its community-authorship model, said Amanda Rust, a digital-humanities librarian at Northeastern University. Not all academics felt that way about Wikipedia in its fledgling days, but a critical mass perceived the online encyclopedia as a threat, Rust said. As Wikipedia has matured, however, that consensus began to shift. And students' widespread use of Wikipedia has forced some cynics to acknowledge its role in higher education. 
"Whether or not you think a crowdsourced encyclopedia can work, that ship has sailed, and students are using it all the time," Rust said. top

- and -

Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon (Mashable, 23 July 2018) - There are bad takes, and then there's the take by Forbes contributor Panos Mourdoukoutas (who also serves as Chair of the Department of Economics at Long Island University) that local libraries should be replaced by Amazon book stores. Among the reasons Mourdoukoutas offers are: libraries don't have as many public events as they used to because of school auditoriums; people go to places like Starbucks to hang out and work and read now instead of their library; and because technology makes physical books obsolete. * * * [Polley: wild idea, wild story, great Tweets/comments (some NSFW).] top

- and -

Growing role of Amazon in library acquisitions (InsideHigherEd, 23 July 2018) - Research on where academic libraries buy their books has revealed the increasingly important role of nontraditional vendors such as Amazon. A preliminary study, published last week by Ithaka S+R, found that Amazon was the second most popular venue through which academic libraries purchased books in 2017. GOBI Library Solutions, a popular acquisition-management platform, took the No. 1 spot. It controls nearly half of the market share. The research included data from 54 libraries at a range of institutions -- from small private liberal arts colleges to public research universities. During 2017, these 54 libraries purchased 178,120 academic books. The clear majority of these were in print format (96 percent) rather than ebooks (4 percent). Ebooks were found to be significantly more expensive than print titles. In a blog post, Katherine Daniel, an analyst at Ithaka S+R, explained that the study was prompted by questions of whether libraries are really buying fewer books, or simply purchasing them in ways that are not currently captured in acquisition analyses. Further research will include data from large research institutions and will be published in a final report this fall. top

Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws (ABA Journal, 19 July 2018) - A federal appeals court on Tuesday told a federal judge to reconsider whether the fair use doctrine allows a nonprofit to post technical standards created by private industry groups that are later referenced in government regulations. The U.S. Court of Appeals for the D.C. Circuit vacated injunctions that had prevented Public.Resource.org, known as PRO, from publishing copyrighted best-practice standards developed by six organizations. PRO had purchased copies of the technical standards that had been incorporated into laws, scanned them into digital files, and posted them online. Its founder, public domain advocate Carl Malamud, tweeted this about the appellate decision: "I bought the law, and the law won." The appeals court ruled in a combined appeal of two lawsuits. A federal judge had ruled the standards organizations held valid and enforceable copyrights, and PRO failed to create a triable issue of fact on whether its publication of the materials constituted fair use. On appeal, PRO argued incorporation of the standards by reference makes the works a part of the law, and the law can never be copyrighted. PRO asserted that allowing private ownership of the law is inconsistent with the First Amendment principle that citizens should be able to freely discuss the law and a due process notion that citizens must have free access to the law. PRO also argued that, even if the standards remain copyrighted, its copying qualifies as a fair use because it facilitates public discussion about the law. The appeals court said PRO "raises a serious constitutional concern," but it is better to first address the fair use issue. The district court had concluded PRO distributed the standards to undermine the organizations' ability to raise revenue. According to the appeals court, the record does not support that blanket conclusion.
"Rather, by all accounts, PRO distributed these standards for the purpose of educating the public about the specifics of governing law," the court said in an opinion by Judge David Tatel. In addition, Tatel said, the district court failed to account for the variation among the standards at issue and consider the legal status of each incorporated work. In a concurrence, Judge Gregory Katsas strongly supported PRO. "As a matter of common-sense, this cannot be right: access to the law cannot be conditioned on the consent of a private party, just as it cannot be conditioned on the ability to read fine print posted on high walls," he wrote, referencing a book about the Roman emperor Caligula. PRO was represented by the Electronic Frontier Foundation, the law firm of Fenwick & West, and attorney David Halperin. An EFF press release is here. [Polley: congrats, Carl.] top

The blockchain begins finding its way in the enterprise (TechCrunch, 23 July 2018) - The blockchain is in the middle of a major hype cycle at the moment, and that makes it hard for many people to take it seriously, but if you look at the core digital ledger technology, there is tremendous potential to change the way we think about trust in business. Yet these are still extremely early days and there are a number of missing pieces that need to be in place for the blockchain to really take off in the enterprise. Suffice it to say that it has caught the fancy of major enterprise vendors with the likes of SAP, IBM, Oracle, Microsoft and Amazon all looking at providing some level of Blockchain as a service for customers. While the level of interest in blockchain remains fluid, a July 2017 survey of 400 large companies by UK firm Juniper Research found 6 in 10 respondents were "either actively considering, or are in the process of, deploying blockchain technology." In spite of the growing interest we have seen over the last 12-18 months, blockchain lacks some basic underlying system plumbing, the kind any platform needs to thrive in an enterprise setting. Granted, some companies and the open source community are recognizing this as an opportunity and trying to build it, but many challenges remain. * * * [Polley: see "Resources" below.] top

1Password's travel mode (Bruce Schneier, 23 July 2018) - The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you're asked to unlock 1Password by someone at the border, there's no way for them to tell that Travel Mode is even enabled. In 1Password Teams, Travel Mode is even cooler. If you're a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times. The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find. The only flaw -- and this is minor -- is that the system requires you to lie. When the scary border police ask you "do you have any other passwords?" or "have you enabled travel mode," you can't tell them the truth. In the US, lying to a federal officer is a felony. I previously described a system that doesn't require you to lie. It's more complicated to implement, though. This is a great feature, and I'm happy to see it implemented. top

Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties (TechDirt, 23 July 2018) - A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant's computer. This info was handed over to the police who obtained a "general warrant" to image the hard drive to scour it for incriminating evidence. Yes, "general warrants" are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there's still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) "General warrants" are something the government uses when the law doesn't specifically grant permission for what it would like to do. * * * The appellant's challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn't deprive the device's owner of an expectation of privacy. * * * So, while this didn't end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government's concession that this privacy expectation exists. Hopefully, this will help deter violations -- erroneous or not -- in the future. top

How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections (ABA Journal, 25 July 2018) - In a profession defined by zealous representation of clients, it's no surprise that clients are starting to push their outside counsels to beef up cybersecurity. "The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers," says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. "Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large." These aren't just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity. * * * The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. * * * top

Carpenter and the end of bulk surveillance of Americans (Sharon Bradford Franklin on Lawfare, 25 July 2018) - Writing for the majority in Carpenter v. United States, Chief Justice John Roberts called the court's momentous Fourth Amendment decision "a narrow one." The specific holding, that a warrant is required for law enforcement to access historical cell site location information (CSLI), may indeed be narrow, and the decision rightfully cautions that "the Court must tread carefully" when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old "third-party doctrine," under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose. As others have already argued, the Carpenter decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the "seismic shifts in digital technology" and the power of modern surveillance tools. In particular, the Carpenter decision should foreclose, once and for all, any claim that bulk surveillance of Americans, or bulk collection of their digital records, would be constitutional. Through the USA Freedom Act of 2015, Congress ended the government's bulk telephone records program, known as the Section 215 program, and provided new authority for collection of call detail records using a "specific selection term."
With reauthorization of this act to be considered next year, Carpenter's analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law. From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. The PCLOB's January 2014 report on the Section 215 program found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program. Still, the report stopped short of finding that the program was unconstitutional. The board noted that "[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records." Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in ACLU v. Clapper in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions. * * * top

NOTED PODCASTS/MOOCS

Reclaim Your Data (NPR podcast, 23 July 2018; 47 minutes) - Michael Chertoff, former Homeland Security Secretary and co-author of the Patriot Act, says data collection has gotten out of control. [Polley: Spotted by MIRLN reader Corinne Cooper - @ucc2] top

RESOURCES

Blockchain for law students (website by Walter Effross at American U) - Offers: (1) a list of recommended resources (for self-directed study and research, as well as for constructing or supplementing syllabi); (2) summaries of and/or excerpts from the emerging body of caselaw concerning blockchain and cryptocurrency; (3) a collection of legal issues and responsive law review articles (and other sources), ordered by field of law; (4) a categorization of major types of participants in the blockchain economy; (5) suggestions on selecting law school courses relevant to blockchain practice; and (6) various questions, opinions, and observations about blockchain-related legal issues. If any reader would like to contribute a guest post on how law students (or practitioners new to this area) can best prepare (e.g., recommended reading, potential paper topics, organizations to become active in, suggestions for programming courses or tutorials), please e-mail effross@wcl.american.edu. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Larger prey are targets of phishing (New York Times, 16 April 2008) - An e-mail scam aimed squarely at the nation's top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised. "I think that it was well done in terms of something people would feel compelled to respond to," said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif. Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. 
"It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate," Mr. Kirsch said. "Even the U.R.L. to find out more looked legitimate at first glance." The software used in the latest attack tries to communicate with a computer in Singapore. That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it. top

Avatars, virtual reality technology, and the US military: Emerging policy issues (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.] top