Saturday, May 05, 2018

MIRLN --- 15 April - 5 May 2018 (v21.06)

MIRLN --- 15 April - 5 May 2018 (v21.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Join me in Washington, D.C. on May 9-10 at the ABA's Internet of Things National Institute. Conference keynotes include US Sen. Mark Warner and Rep. Jerry McNerney (who introduced the Securing IoT Act), Rep. Robin Kelly (Ranking Member of the Subcommittee on Information Technology), Commerce Department GC Peter Davidson, and former FTC Commissioner Terrell McSweeny. DC Bar ABA members get a discount with DCBAR2018iot. Learn more here: ambar.org/iot2018

NEWS

Oil and gas cybersecurity projects went 'to the bottom of the pile' in energy slump (Houston Chronicle, 12 April 2018) - Oil companies put cybersecurity initiatives on hold while crude prices languished at multi-year lows in 2015 and 2016, falling behind in hardening their systems while state-sponsored hacking groups only got more proficient at probing U.S. energy networks, security experts say. As oil companies cut thousands of jobs and pared back drilling operations in the downturn, cybersecurity teams faced funding shortfalls for projects to secure computer networks that run rigs, pipelines and other oil field assets, increasing pressure for a field already challenged by finite resources and competing priorities. In an oil bust, "projects, capabilities and needs that aren't exactly on top of mind go to the bottom of the pile," said Paul Brager Jr., a cybersecurity professional at Houston oil field services firm Baker Hughes, a GE company. But among federal agencies and security professionals called in to respond to online attacks, there's no longer any doubt foreign adversaries in Russia, Iran and North Korea have planned and executed attacks to plant themselves in U.S. critical infrastructure, which includes pipelines, refineries and petrochemical plants.

Facebook and Cambridge Analytica (Bruce Schneier, 15 April 2018) - In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed. But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit. Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism." And as creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it. There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver's license numbers. You certainly didn't give it permission to collect any of that information. Equifax is one of those thousands of data brokers, most of them you've never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it. Surveillance capitalism takes this one step further. 
Companies like Facebook and Google offer you free services in exchange for your data. Google's surveillance isn't in the news, but it's startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones. That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more. Surveillance capitalism drives much of the internet. It's behind most of the "free" services, and many of the paid ones as well. Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it's really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you. * * * [Polley: Good perspective.]

OLPC's $100 laptop was going to change the world - then it all went wrong (The Verge, 16 April 2018) - It was supposed to be the laptop that saved the world. In late 2005, tech visionary and MIT Media Lab founder Nicholas Negroponte pulled the cloth cover off a small green computer with a bright yellow crank. The device was the first working prototype for Negroponte's new nonprofit One Laptop Per Child, dubbed "the green machine" or simply "the $100 laptop." And it was like nothing that Negroponte's audience - at either his panel at a UN-sponsored tech summit in Tunis, or around the globe - had ever seen. After UN Secretary-General Kofi Annan offered a glowing introduction, Negroponte explained exactly why. The $100 laptop would have all the features of an ordinary computer but require so little electricity that a child could power it with a hand crank. It would be rugged enough for children to use anywhere, instead of being limited to schools. Mesh networking would let one laptop extend a single internet connection to many others. A Linux-based operating system would give kids total access to the computer - OLPC had reportedly turned down an offer of free Mac OS X licenses from Steve Jobs. And as its name suggested, the laptop would cost only $100, at a time when its competitors cost $1,000 or more. Then, Negroponte and Annan rose for a photo-op with two OLPC laptops, and reporters urged them to demonstrate the machines' distinctive cranks. Annan's crank handle fell off almost immediately. As he quietly reattached it, Negroponte managed half a turn before hitting the flat surface of the table. He awkwardly raised the laptop a few inches, trying to make space for a full rotation. "Maybe afterwards…" he trailed off, before sitting back down to field questions from the crowd. 
The moment was brief, but it perfectly foreshadowed how critics would see One Laptop Per Child a few years later: as a flashy, clever, and idealistic project that shattered at its first brush with reality. If you remember the OLPC at all, you probably remember the hand crank. It was OLPC's most striking technological innovation - and it was pure vaporware. Designers dropped the feature almost immediately after Negroponte's announcement, because the winding process put stress on the laptop's body and demanded energy that kids in very poor areas couldn't spare. * * *

Virtual annual meetings: updated "best practices" (CorporateCounsel.net, 16 April 2018) - Like it did back in 2012, Broadridge recently convened a group of 17 different stakeholders to look at the state of virtual annual meetings - both "virtual only" and hybrid. The end product is this set of "Principles & Best Practices for Virtual Annual Meetings." Like before, the report's conclusions are not that profound - but can be useful to help guide those considering virtual meetings (and it includes a useful appendix that summarizes each state's laws governing electronic participation in shareholder meetings).

Cybersecurity standards for private companies: Taking notes from the SEC's public company guidance (Nixon Peabody, 18 April 2018) - The Securities and Exchange Commission ("SEC") recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" (the "2018 Guidance"). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said a statement released by SEC Chairman Jay Clayton. "Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion." To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC's Cyber Unit is charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure. While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks - all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC's website states, "a responsibility of every market participant." To that end, the following are some key takeaways for private companies from the 2018 Guidance: * * *

- and -

Cybersecurity: NIST's new framework (Version 1.1) (CorporateCounsel.net, 20 April 2018) - Recently, NIST released an updated cybersecurity framework. This popular framework is entitled "Version 1.1" rather than the "2.0" that some have been calling it (including us) when the proposal was released last year. Here's an excerpt from this Wachtell Lipton memo: The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST's original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version's five core cybersecurity functions - Identify, Protect, Detect, Respond, and Recover - and tiered implementation system. Instead of a "one-size-fits-all" approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company. Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. In terms of other specific changes, Version 1.1 provides new guidance on how to use the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things.

- and -

New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection (SC Media, 23 April 2018) - The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls to low impact Bulk Electronic Systems (BES), add mandatory security controls for mobile devices and develop modifications to critical infrastructure protection (CIP) reliability standards. Work on the new standard began in October 2017 when FERC asked NERC to clarify electronic access controls, adopt mandatory requirements for transient electronic devices and to require the creation of a response policy in case of a system threat. The genesis of this request comes from a group of bipartisan bills that were advanced out of the House Energy and Commerce subcommittee to improve the government's response to cybersecurity attacks on the electric grid, particularly against less critical facilities. "CIP-003-7 pushes forward on FERC's concern that even the less critical assets covered by these standards (referred to as low impact facilities) present risks to the bulk electric system that need to be addressed," said Daniel Skees, a partner at the law firm Morgan Lewis. Skees represents electric utilities before FERC. FERC officially approved the new CIP reliability standard CIP-003-7 (Cybersecurity Security Management Controls), which was submitted by the North American Electric Reliability Corporation (NERC). With the standard accepted, NERC is tasked with implementing it.
FERC noted that the new rules developed by NERC improve upon the prior CIP reliability standards by clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; adopting mandatory security controls for transient electronic devices such as thumb drives, laptop computers, and other portable devices used frequently with low impact BES Cyber Systems; and adding the requirement that responsible entities have in place a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems.

- and -

BSA releases international cybersecurity framework to promote strong and consistent cybersecurity governance (BSA, 25 April 2018) - The Software Alliance released an International Cybersecurity Policy Framework to serve as a tool both for policymakers considering foundational cybersecurity legislation and for those examining gaps and shortfalls in existing policies.

- and -

DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain (CSO, 30 April 2018) - The US Department of Defense issued new guidance on how it might penalize business partners that do not adequately adhere to new security rules codified in NIST SP 800-171. NIST has prescribed a set of 110 security requirements that are derived from a larger standard called NIST SP 800-53 that governs cybersecurity standards for government systems. December 31, 2017 was the designated deadline for implementing the controls as part of DFARS 252.204-7012 to protect confidential unclassified information (CUI). To facilitate gradual adoption, DoD allowed businesses to specify a future date for implementing security controls through the Plan of Actions & Milestones (POAM) artifact. Many organizations have resorted to "POAM'ing" requirements in a checkbox exercise and generated System Security Plans that are very light and do not adequately describe the security posture of the vendor. The new DOD guidance for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls. The new guidance also provides specific information on the downsides of not implementing the new security controls. The "Assessing the State of a Contractor's Internal Information System in a Procurement Action" document outlines the specific conditions during the request for proposals (RFP), source selection and subsequent contract award that will be looked at by government officials related to NIST SP 800-171 compliance.

Facebook moves 1.5bn users out of reach of new European privacy law (The Guardian, 19 April 2018) - Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the "spirit" of the legislation globally. In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. Earlier this month, when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. "We're still nailing down details on this, but it should directionally be, in spirit, the whole thing," he said. A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR's protections would apply to all Facebook users. His answer was affirmative - but only referred to GDPR "controls", rather than "protections". Worldwide, Facebook has rolled out a suite of tools to let users exercise their rights under GDPR, such as downloading and deleting data, and the company's new consent-gathering controls are similarly universal.

- and -

Survey reveals that many companies are behind schedule to achieve Global Data Protection Regulation compliance (McDermott Will & Emery, 20 April 2018) - A major survey sponsored by international law firm McDermott Will & Emery and carried out by the Ponemon Institute has revealed that many companies are behind schedule to achieve Global Data Protection Regulation (GDPR) compliance by the looming May deadline. The survey results show that 40% of companies only expect to achieve compliance with the regulation after May 25th when the Regulation comes into effect. The McDermott-Ponemon study surveyed companies across the US and Europe on their understanding of the impact of GDPR and their readiness for it. Key findings of this important benchmark survey are: * * * [Polley: thorough report, as usual. I was surprised how un-ready so many organizations are - it's almost laughable. Reminds me of how long organizations were running without full compliance with the DPD, dating from 1995.]

- and -

Here's why you're getting all those terms of service update emails (Mashable, 25 April 2018) - Get the feeling you're suddenly being bombarded with emails from companies about updated terms of service policies? You are. And there's a good reason: the European Union's forthcoming efforts to protect our personal data. And though the law is based in the EU, the GDPR has a worldwide impact because any global online company that collects data from someone living in the EU will be held accountable. While the specific updates made to each terms of service policy will be individual to every company, the law expands the definition of what information is considered personal data. This means companies will likely be adjusting their privacy policies to inform users that less basic information such as IP addresses, location data, web browsing cookies, and other details are also defined as personal data. Though the new internet regulations don't go into effect until May 25, 2018, companies like Facebook, Instagram, Google, and more, are starting to prepare by updating their terms of service and privacy policies now.

Federal judge adopts CFTC position that cryptocurrencies are commodities (ABA's Business Law Today, 20 April 2018) - A New York federal judge held that virtual currencies are commodities that can be regulated by the Commodity Futures Trading Commission ("CFTC"), enjoining the defendants, an individual and affiliated entity, from trading cryptocurrencies on their own or others' behalf or soliciting funds from others, and ordering an expedited accounting. CFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 (E.D.N.Y. Filed Jan 18, 2018). While the CFTC announced its position that cryptocurrencies are commodities in 2015, this case marks the first time a court has weighed in on whether cryptocurrencies are commodities. Having answered that question in the affirmative, the court went on to hold that the CFTC has jurisdictional authority over defendants' alleged cryptocurrency fraud under 7 U.S.C. § 9(1), which permits the CFTC to regulate fraud and manipulation in underlying commodity spot markets.

- and -

Goldman Sachs to open a bitcoin trading operation (NYT, 2 May 2018) - Most big banks have tried to stay far away from the scandal-tainted virtual currency Bitcoin. But Goldman Sachs, perhaps the most storied name in finance, is bucking the risks and moving ahead with plans to set up what appears to be the first Bitcoin trading operation at a Wall Street bank. In a step that is likely to lend legitimacy to virtual currencies - and create new concerns for Goldman - the bank is about to begin using its own money to trade with clients in a variety of contracts linked to the price of Bitcoin. While Goldman will not initially be buying and selling actual Bitcoins, a team at the bank is looking at going in that direction if it can get regulatory approval and figure out how to deal with the additional risks associated with holding the virtual currency. * * * Over the last two years a growing number of hedge funds and other large investors around the world have expressed an interest in virtual currencies. Tech companies like Square have begun offering Bitcoin services to their customers, and the commodity exchanges in Chicago started allowing customers to trade Bitcoin futures contracts in December. But until now, regulated financial institutions have steered clear of Bitcoin, with some going so far as to shut down the accounts of customers who traded Bitcoin. Jamie Dimon, the chief executive of JPMorgan Chase, famously called it a fraud, and many other bank chief executives have said Bitcoin is nothing more than a speculative bubble.

Abbott issues software patches for more cardiac devices (Gov Info Security, 20 April 2018) - Abbott Laboratories has issued software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients. The products were previously sold by device maker St. Jude Medical, which Abbott acquired last year. More than 382,000 of these affected devices are distributed in the U.S., including 350,000 devices that are currently implanted in patients, according to the Food and Drug Administration and Abbott. The remainder of the devices are in inventories and will be updated "in-box," an Abbott spokeswoman says. The device problems were also the subject of previous warnings by the FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, which both issued new advisories on April 17 about the availability of the Abbott software patches. The impacted devices include certain families of Abbott implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, which are devices that provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms, the FDA notes in its alert. Last August, Abbott also issued software updates to address similar cybersecurity vulnerabilities in certain implantable cardiac pacemaker devices (see A FDA First: Cyber Recall for Implantable Devices).

Newly disclosed documents on the Five Eyes Alliance and what they tell us about intelligence-sharing agreements (Lawfare, 23 April 2018) - The United States is party to a number of international intelligence sharing arrangements - one of the most prominent being the so-called "Five Eyes" alliance. Born from spying arrangements forged during World War II, the Five Eyes alliance facilitates the sharing of signals intelligence among the U.S., the U.K., Australia, Canada and New Zealand. The Five Eyes countries agree to exchange by default all signals intelligence they gather, as well as methods and techniques related to signals intelligence operations. When the Five Eyes first agreed to this exchange of intelligence - before the first transatlantic telephone cable was laid - they could hardly have anticipated the technological advances that awaited them. Yet, we remain in the dark about the current legal framework governing intelligence sharing among the Five Eyes, including the types of information that the U.S. government accesses and the rules that govern U.S. intelligence agencies' access to and dissemination of Americans' private communications and data. In July 2017, Privacy International and Yale Law School's Media Freedom & Information Access Clinic filed a lawsuit against the National Security Agency, the Office of the Director of National Intelligence, the State Department, and the National Archives and Records Administration seeking access to records related to the Five Eyes alliance under the Freedom of Information Act. Over the past few months, we have begun to receive limited disclosure from the NSA and the State Department. While we have not seen the text of the current agreement - as well as other records that would shed important light on how the agreement operates - the disclosures to date give us insight into the nature and scope of U.S. intelligence sharing agreements. Below, we summarize a few of these disclosures and talk through their implications.
In particular, we highlight how, taken together, they suggest that the U.S. government takes an inconsistent approach to legal classification and therefore publication of these types of agreements. We also take a closer look at one agreement - the 1961 General Security Agreement between the Government of the United States and the Government of the United Kingdom - which further illuminates our understanding of the privatization of intelligence activities and provides us with a rare glimpse of the "third party rule," an obstacle to oversight and accountability of intelligence sharing.

US regulator fines Altaba $35 million over 2014 Yahoo email hack (Reuters, 24 April 2018) - U.S. regulators fined Altaba Inc, the company formerly known as Yahoo! Inc, $35 million on Tuesday to settle charges that it kept its massive 2014 cyber security breach a secret from investors for more than two years. The Securities and Exchange Commission's case marks the first time it has gone after a company for failing to disclose a cyber security breach. Steven Peikin, co-director of the SEC's enforcement division, said cyber breaches were a priority for the agency and said he hoped companies facing similar issues would take note.

How hackers could cause chaos on America's roads and railways (Pew Trusts, 24 April 2018) - When hackers struck the Colorado Department of Transportation in a ransomware attack in February and again eight days later, they disrupted the agency's operations for weeks. State officials had to shut down 2,000 computers, and transportation employees were forced to use pen and paper or their personal devices instead of their work computers. Staffers whose computers were infected didn't have access to their files or data, unless it was stored on the internet, and the attack affected the payroll system and vendor contracts. It could have been a lot worse: The Colorado hacks didn't affect traffic signals, cameras or electronic message boards, and state information technology officials, who refused to pay the ransom, said the system had been 95 percent restored as of last week. Transportation systems are ripe targets for cybercriminals, according to cybersecurity experts, and many state and local government officials are only now waking up to the threat and realizing they need to beef up their defenses. In February, Maryland Department of Transportation Secretary Pete Rahn told a meeting of the American Association of State Highway and Transportation Officials that security breaches are a big concern for his agency, which oversees public transit, highways, tolls, a port, an airport and the motor vehicle administration. If hackers get into the network, he said, "they can play with our trains, traffic signals, variable message boards. We've never had to think about these things before." * * *

Top federal IT contractors leave emails vulnerable to phishing, spoofing (Global Cyber Alliance press release, 25 April 2018) - Only one of the largest federal contractors has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the top 50 information technology (IT) contractors to the United States government, GCA found that only one contractor is using email-validation security - the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol - at its highest level. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years. Late last year, the Department of Homeland Security mandated that all federal agencies implement DMARC. Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC, for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors' failure to follow suit could make them more enticing to threat actors looking for new ways to access government information.
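The GCA finding turns on the policy level a domain publishes in its DMARC record. As an added example (not GCA's tooling or anything from the release), here is a Python checker that parses a domain's DMARC TXT record and rates its enforcement level; the records and domain names are constructed samples, and a live check would fetch the TXT record at _dmarc.<domain> rather than read it from a dictionary.

```python
"""Rate the enforcement level of DMARC records (added example; constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample TXT records as they would be found at _dmarc.<domain>.
# The domain names are placeholders, not the contractors GCA surveyed.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "contractor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@contractor-a.example",
    "contractor-b.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "contractor-c.example": "v=DMARC1; p=none; rua=mailto:reports@contractor-c.example",
    "contractor-d.example": "v=spf1 include:_spf.example -all",  # SPF record, not DMARC
    "contractor-e.example": None,                                  # nothing published
}

# Ordering used to compare p= and sp= values; higher blocks more spoofed mail.
RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    level: str                      # none | invalid | monitor | partial | quarantine | reject
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lowercase tag -> value pairs (RFC 7489 tag=value; syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Classify how much a domain's DMARC record actually does against direct spoofing."""
    result = DmarcAssessment(domain=domain, level="none")
    if record is None:
        result.findings.append(f"no DMARC record published at _dmarc.{domain}")
        return result
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        result.level = "invalid"
        result.findings.append(str(exc))
        return result
    # v=DMARC1 must be the first tag; receivers ignore anything else as "not DMARC".
    if not record.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        result.level = "invalid"
        result.findings.append("not a DMARC1 record; receivers will ignore it")
        return result
    policy = tags.get("p", "").lower()
    if policy not in RANK:
        result.level = "invalid"
        result.findings.append(f"missing or unknown p= value: {policy!r}")
        return result
    # pct defaults to 100; anything lower means only a sample of failing mail is acted on.
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else None
    if pct is None:
        result.findings.append(f"pct={pct_raw!r} is not 0..100; treated as 100")
        pct = 100
    if policy == "none":
        result.level = "monitor"
        result.findings.append("p=none only reports spoofing, it does not block it")
    elif pct < 100:
        result.level = "partial"
        result.findings.append(f"p={policy} applies to only {pct}% of failing mail")
    else:
        result.level = policy
    # sp= defaults to p=; an explicit weaker sp= leaves subdomains open to spoofing.
    subdomain_policy = tags.get("sp", policy).lower()
    if RANK.get(subdomain_policy, 0) < RANK[policy]:
        result.findings.append(f"sp={subdomain_policy} is weaker than p={policy}")
    if "rua" not in tags:
        result.findings.append("no rua= address, so aggregate reports are not collected")
    return result


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per level, the kind of tally behind a 'one of 50' headline."""
    counts: Dict[str, int] = {}
    for domain, record in records.items():
        level = assess(domain, record).level
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        a = assess(name, txt)
        print(f"{a.domain:22} {a.level:10} {'; '.join(a.findings)}")
    print(summarize(SAMPLE_RECORDS))
```

Only a record rated "reject" with no findings matches the "highest level" GCA describes; "monitor" and "partial" records still let spoofed mail through.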

Building on sand isn't stable: Correcting a misunderstanding of the National Academies report on encryption (Lawfare's Susan Landau, 25 April 2018) - The encryption debate is messy. In any debate that involves technology - encryption, security systems and policy, law enforcement, and national security access - the incomparable complexities and tradeoffs make choices complicated. That's why getting the facts absolutely right matters. To that end, I'm offering a small, but significant, correction to a post Alan Rozenshtein wrote on Lawfare on March 29. Rozenshtein argued that in opposing an exceptional-access mandate - the ability for law enforcement to access an encrypted communication or locked device with a warrant - the computer-security community had deluded itself into thinking that such systems couldn't be built securely. As evidence of this, Rozenshtein pointed to the recent National Academies study on the tradeoffs involved in government access to encrypted content. (Note: I served on the study committee.) He wrote that the report made an important point that many missed: "High-level experts in the information-security community itself are trying to build secure third-party-access systems." But this is not what the report said. The Academies report does discuss approaches to "building ... secure systems" that provide exceptional access - but these are initial approaches only. The report states as much in writing that computer scientists have "begun to explore" this area of research. The presentations to the Academies committee were brief descriptions of ideas by three smart computer scientists, not detailed architectures of how such systems would work. There's a huge difference between a sketch of an idea and an actual implementation - Leonardo da Vinci's drawings for a flying machine as opposed to the Wright brothers' plane at Kitty Hawk. The presentations that the Academies saw are more akin to sketches than a system architecture.
None of the three presentations involved anything more than the thoughts of a single individual. The study did not hear presentations about engineering teams "trying to build secure third-party-access systems" - there is no such effort at present. (This does not include key-recovery solutions such as those provided in Apple's FileVault or Microsoft's BitLocker; these solve a different problem from the "going dark" issue.) An exceptional-access system is not merely a complex mathematical design for a cryptosystem; it is a systems design for a complex engineering task. * * * [Polley: pretty interesting post, and Landau is quite expert in this field.]

- and -

Encryption policy and its international impacts: A framework for understanding extraterritorial ripple effects (Lawfare, 2 May 2018) - Encryption technologies play a complicated role in today's connected, mobile, data-driven world. My colleagues, Herbert Burkert and Urs Gasser, and I have written a paper offering a conceptual framework that can help policy-makers better understand and anticipate the international ramifications of domestic encryption policies. There is no doubt that encryption has enabled our digital economy, securing everything from online commerce, financial transactions, connected devices, and more. At the same time, examples abound of concerns from law enforcement and intelligence agencies that encryption technologies are making it harder to address crime and terrorism. The 2016 battle between Apple and the FBI over the availability of essentially unbreakable encryption on consumer devices like the iPhone is perhaps the most public, but far from the only example of the complex challenges that encryption poses for legislators, law enforcement agencies, national security agencies, and other policymakers. In response to these technological and legal challenges, decisionmakers and leaders of all kinds - legislators, regulators, intelligence and law enforcement agencies, and companies - are increasingly faced with difficult decisions that ultimately have both direct and indirect impacts on the effectiveness and availability of encryption tools. For example, legislators might mandate the inclusion of so-called "backdoors" in consumer devices, regulators might only allow the government to purchase technologies that meet minimum levels of security, intelligence agencies might attempt to influence encryption technical standards in ways that are beneficial to intelligence gathering, and companies might make encryption a default in their products. Collectively, choices like these effectively define a country's encryption "policy."
It is not one law or a regulation, but instead the cumulative impact of each (sometimes conflicting) decision that affects the availability and effectiveness of encryption technologies. The challenge for such decisionmakers is that although the domestic impacts of such individual decisions are often intended and predictable, the international implications are often both unintentional and poorly understood. The purpose of this paper is to help policymakers better anticipate the numerous global ramifications, including those that can undermine the intent of the original policy. top

Equifax data breach cost hits $242 million (SC Magazine, 26 April 2018) - The massive data breach that compromised the data of 147.9 million Equifax customers last year has cost the company more than $242 million in related expenses, but luckily for the company, much of this cost has been covered by its cybersecurity insurance. Equifax noted the expenditures in its first-quarter financial report. The total tally for the breach since it became public in September has been $242.7 million, with $78.7 million in pre-tax expenses being spent during the first quarter, ended March 30. This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security, and the costs of development and launch of Lock and Alert. Another $28.9 million was spent during the quarter on legal and investigative fees, and $4.1 million on product liability costs, including the expected costs of fulfillment of TrustedID Premier and support of consumers using TrustedID Premier. In the financial filing, Equifax said it carries $125 million in cybersecurity insurance, with a $7.5 million deductible, and has so far received $60 million in payments from its carrier; $10 million of that was received during the first quarter. top

25 years ago today, the web opened up and the world changed (Fast Company, 30 April 2018) - On April 30, 1993, CERN - the European Organization for Nuclear Research - announced that it was putting a piece of software developed by one of its researchers, Tim Berners-Lee, into the public domain. That software was a "global computer networked information system" called the World Wide Web, and CERN's decision meant that anyone, anywhere, could run a website and do anything with it. In an era when online services were still dominated by proprietary, for-profit walled gardens such as AOL and CompuServe, that was a radical idea. top

Facebook says it will let users remove data from outside sites (Axios, 1 May 2018) - Facebook said Tuesday that in the coming months it would let users see and wipe the data fed into its ad targeting system by outside websites and applications. Why it matters: Facebook is grappling with a data privacy reckoning after the Cambridge Analytica scandal focused a spotlight on its relations with external developers. What they're saying: "This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward," said Erin Egan, who the company recently said would focus full-time on her role as Chief Privacy Officer. If a user deletes this information, it will no longer be associated with their account - although Facebook says it will continue to give outside parties broad analytics reports. Facebook founder and chief executive Mark Zuckerberg called the new control a "Clear History" option, similar to what web browsers offer, and said in a post that when users take advantage of it, "Facebook won't be as good while it relearns your preferences." [ see also Facebook's Zuckerberg unveils privacy tool 'clear history' (CNET, 1 May 2018)] top

Under the Foreign Sovereign Immunities Act, where do hacking torts happen? (Lawfare, 1 May 2018) - The Democratic National Committee's lawsuit against the Russian Federation will run aground, as Ingrid Wuerth notes, unless the DNC can find a way around Russia's immunity in American courts. In that respect, the suit raises a question on which precedent remains thin: whether allegations of state-sponsored hacking can fit through the Foreign Sovereign Immunities Act exception for cases that involve "personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state." That provision, the noncommercial tort exception, was written primarily to address traffic accidents, as the Supreme Court noted in Argentine Republic v. Amerada Hess. Very few plaintiffs have attempted to invoke it in challenges to nation-state spying, and the case most squarely on point - the D.C. Circuit's 2017 decision in Doe v. Federal Democratic Republic of Ethiopia - suggests that the DNC will face an uphill battle. But as I recently argued in a case comment for the Harvard Law Review, and as this post summarizes, there are reasons for the Southern District of New York to think carefully before following Doe. top

- and -

The digital vigilantes who hack back (The New Yorker, 7 May 2018) - American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law? [ Polley : worth a close read; very interesting.] top

Data breach that revealed client file sparks legal malpractice action (New Jersey Law Journal, 1 May 2018) - A matrimonial attorney and her firm are facing a malpractice suit in state Superior Court in Morris County, New Jersey, after litigation over a divorce was disrupted by a data breach. top

Pirate radio stations explode on YouTube (NYT, 3 May 2018) - Luke Pritchard and Jonny Laxton were 13 when they met at a boarding school in Crowthorne, England, in 2011. They bonded over a shared love of underground music and in 2014 started a YouTube channel, College Music, to promote the artists they liked. At first, the channel grew slowly. Then, in the spring of 2016, Mr. Pritchard discovered 24/7 live-streaming, a feature that allows YouTube's users to broadcast a single video continuously. College Music had 794 subscribers in April 2015, a year before Mr. Pritchard and Mr. Laxton started streaming. A month after they began, they had more than 18,440. In April 2016, they had 98,110 subscribers and as of last month, with three active live streams, they have more than triple that amount, with 334,000. They make about $5,000 a month from the streams. The boys stumbled upon a new strategy, one that, in the past two years, has helped a certain kind of YouTube channel achieve widespread popularity. Hundreds of independently run channels have begun to stream music nonstop, with videos that combine playlists with hundreds of songs and short, looped animations, often taken from anime films without copyright permission. * * * The channels occupy a precarious space between YouTube's algorithm and its copyright policing, drawing comparisons to the unlicensed pirate radio stations of the 20th century, recreated in the digital sphere. Many of the channels blink in and out of existence within a week, but their presence has become a compelling part of the site's musical ecosystem. And while competitors like Spotify are gaining, YouTube still dominates the streaming world, according to a report from the International Federation of the Phonographic Industry. top

RESOURCES

A fantastic chart on the admissibility of electronic evidence (RideTheLightning, 24 April 2018) - Thanks to my friend Craig Ball for a "Christmas in April" gift of a splendid post on the admissibility of electronic evidence and a related chart shared with him by U.S. District Judge Paul Grimm and Kevin Brady, who is Of Counsel to Redgrave LLP. The chart is beautifully designed and easy to use. It covers authentication, relevance, hearsay exceptions and the Best Evidence rule. top

Distributed Stock Ledgers and Delaware Law (ABA's The Business Lawyer, April 2018) - Effective August 1, 2017, the Delaware General Corporation Law (the "DGCL") now authorizes Delaware corporations to use blockchain technology to maintain stock ledgers and communicate with stockholders. Consistent with the DGCL's status as an enabling act that facilitates private ordering, the blockchain amendments are permissive. In the near term, they create a foundation for a technology ecosystem by removing any uncertainty about the validity of shares that have been issued or are maintained using blockchain technology. Over a longer time horizon, the amendments foreshadow a more flexible, dynamic, and digital future in which distributed ledger technology and smart contracts play major roles. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The internet's 100 oldest dot-com domains (PC World, 21 Dec 2008) - The Internet's been around in some form for decades. It wasn't until the mid-80s, though, that the Web as we know it started coming together -- and those precious dot-com domains started getting snatched up. As we finish out the tech-centric year of 2008, we thought we'd take a look back at the Internet's oldest commercial Web sites -- the ones registered back when chatting about "the Net" was as socially acceptable as wearing Jedi garb into a crowded nightclub. So grab your light sabers, dear friends -- we're boarding the Millennium Falcon and heading back to a virtual galaxy far, far away. [ Polley in 2008: Schlumberger was number 75 on May 20, 1987.] top

AT&T mulls watching you surf (New York Times, 14 August 2008) - AT&T is "carefully considering" monitoring the Web-surfing activities of customers who use its Internet service, the company said in a letter in response to an inquiry from the House Committee on Energy and Commerce. While the company said it hadn't tested such a system for monitoring display advertising viewing habits or committed to a particular technology, it expressed much more interest in the approach than the other big Internet providers who also responded to the committee's letter. AT&T did however promise that if it does decide to start tracking its customers online, it will "do so the right way." In particular, the advertising system will require customers to affirmatively agree to have their surfing monitored. This sort of "opt-in" approach is preferred by privacy experts to the "opt-out" method, practiced by most ad targeting companies today, which records the behavior of anyone who doesn't explicitly ask not to be tracked. top

Saturday, April 14, 2018

MIRLN --- 25 March – 14 April 2018 (v21.05)

MIRLN --- 25 March - 14 April 2018 (v21.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it's already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about "reasonable" security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Appeals court says it's okay to copyright an entire style of music (TechDirt, 21 March 2018) - We had hoped that the 9th Circuit might bring some sanity back to the music copyright world by overturning the awful "Blurred Lines" ruling that has already created a massive chilling effect among musicians... but no such luck. In a ruling released earlier this morning, the 9th Circuit largely affirmed the lower court ruling that said that Pharrell and Robin Thicke infringed on Marvin Gaye's copyright by writing a song, "Blurred Lines," that was clearly inspired by Gaye's "Got To Give It Up." No one has denied that the songs had similar "feels" but "feeling" is not copyrightable subject matter. The compositions of the two songs were clearly different, and the similarity in feel was, quite obviously, paying homage to the earlier work, rather than "copying" it. For what it's worth, there appears to be at least some hesitation on the part of the majority ruling, recognizing that this ruling could create a huge mess in the music world, so it tries (and mostly fails) to insist that this ruling is on narrow grounds, specific to this case (and much of it on procedural reasons, which is a kind way of suggesting that the lawyers for Pharrell and Thicke fucked up royally). As the court summarizes: * * * top

NIST targets APTs with resilience strategies (GCN, 21 March 2018) - From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology's most recent draft publication aims to help organizations address vulnerabilities and create more "defensible and survivable systems." "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems" provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization's mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems. NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source." The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles. top

Lawyers have an obligation to stay on Facebook (Kevin O'Keefe, 27 March 2018) - Computer scientist and author, Jaron Lanier, in a ballyhooed op-ed in the Guardian, challenges us all to delete Facebook. Lanier was no fan of Facebook before (having already urged people to delete their social media accounts), but after Cambridge Analytica he saw it as the perfect time to challenge everyone to beat the addiction, make a political statement and redefine your social life. The problem for lawyers is that Facebook represents the opportunity to engage the public where they are and on their terms. Like it or not, lawyers have an ethical obligation to make legal services accessible to people - not just to the impoverished, but to middle income individuals and small business people. To do this as a lawyer you not only need to go where the people are, but you need to establish trust by listening, sharing and nurturing relationships. More people spend more time on the Internet on Facebook than anywhere else. Social media, Facebook included, represents the town square, the coffee shop, the church group and the civic board of today. It's where lawyers establish enough trust and value in people's minds that legal services, at least through a lawyer, remain a viable answer for consumers and small business people. Lawyers jumping off Facebook can do so out of fear (perhaps legitimate) or to make a political statement, but by doing so they are turning on the public they serve. Access to legal services will only decline. [ Polley : interesting perspective, which I do not share.] top

A cyberattack hobbles Atlanta, and security experts shudder (NYT, 27 March 2018) - The City of Atlanta's 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on. But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi. Atlanta's municipal government has been brought to its knees since Thursday morning by a ransomware attack - one of the most sustained and consequential cyberattacks ever mounted against a major American city. The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. The assault on Atlanta, the core of a metropolitan area of about six million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night. Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands - typically the Bitcoin equivalent of about $50,000 - and for finding and locking up the victims' most valuable data. In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city's network tied in knots. 
Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days. top

- and -

New York City is launching public cybersecurity tools to keep residents from getting hacked (TechCrunch, 29 March 2018) - In a week of harrowing city-level cyber attacks, New York is taking some precautions. While the timing is coincidental, New York City's mayor just announced that the city will introduce the first tools in its suite of cybersecurity offerings to protect residents against malicious online activity, particularly on mobile devices. When it launches this summer, New York residents will be able to download a free app called NYC Secure. The app will alert smartphone users to potential threats on their devices and offer tips for how to stay secure, "such as disconnecting from a malicious Wi-Fi network, navigating away from a compromised website, or uninstalling a malicious app." Because the app will take no active steps on its own, it'll be up to users to heed the advice presented to them. NYC Secure will not collect or transmit any personal identifying information or private data. The city will also beef up security over its public Wi-Fi networks, a notorious target for malicious actors looking to snoop on private information as it passes by unencrypted. The city will implement DNS protection through a service called Quad9, a free public cybersecurity product out of the partnership between Global Cyber Alliance (GCA), IBM and Packet Clearing House. top

- and -

How to speed up your internet and protect your privacy with Cloudflare's new DNS service (Gizmodo, 2 April 2018) - Cloudflare has launched its own consumer Domain Name System (DNS) service that not only promises to keep your browsing history safe, but appears significantly faster than any other DNS service available. Cloudflare, known primarily for DDoS mitigation, launched DNS resolver 1.1.1.1 and 1.0.0.1 on Sunday and, at time of writing, analytics show it processing queries at 14.01ms, officially making it the internet's fastest DNS resolver. The other true benefit here is Cloudflare's perspective on handling user data. Prince said the company views user data as a "toxic asset," something it strives to either never collect or delete as quickly as possible. "Just at a policy level, Cloudflare's business has never been advertising or selling consumer data," Prince said. "As we started to talk to various browser manufacturers and others about what we were doing, they would come back and say, 'Well, we don't want you to retain logs for any longer than a week, we don't want you selling any of the data.' And I think they were kind of surprised when we returned back and said, 'Actually, we prefer never to write any personally identifiable information to disk and guarantee that we'll wipe all of the transactional logs and bug tracking logs within 24 hours.'" Prince said Cloudflare will also bring in an external monitor to certify that it is actually taking all of these steps to ensure user privacy. Those using the DNS services set by their ISPs can have their browsing history recorded, sold, and analyzed for advertising purposes. There are several ways to prevent this, but most involve using a VPN or the Tor browser, both of which can impact speed. There's also no guarantee that a VPN service isn't amassing your data itself. (If you're looking for a reliable VPN, however, I'd suggest Private Internet Access or ProtonVPN.)
For non-technical users who've never changed their DNS settings, it may seem like one of those unfamiliar options you'd rather not mess around with. But it's actually quite simple and takes only a few seconds - and, as you've read, the benefits can be significant. Below are instructions on how to change your DNS settings for Windows and Mac, as well as iPhone and Android devices. * * * [ Polley : You probably should do this; also install an ad-blocker; use a VPN (vet it first); etc.] top

Law firms' guide to selecting a cloud-based vendor (Nat'l Law Review, 28 March 2018) - Selecting vendors can be a frustrating and complicated process - but it doesn't have to be. You've already got enough to think about while considering the differences in functionality across different products and vendors, and factoring in security is like going through the entire decision-making process all over again! With a few key considerations, though, you can vet vendors' security protocols like a pro, leaving you to make a choice that fits your budget and performance needs with the peace of mind that comes with knowing that security is covered. * * * [ Polley : workman-like checklist.] top

- and -

NJ physician practice fined over $400,000 for data breach caused by vendor (Jackson Lewis, 8 April 2018) - Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs ("Division") announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor. In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website ("FTP Site") where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients. top

Protecting election registration sites from cyber intrusions (GCN, 28 March 2018) - The Center for Internet Security's newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of the Department of Homeland Security's Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating a similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead. top

Combatting deep fakes through the right of publicity (Lawfare, 30 March 2018) - Fake news is bad enough already, but something much nastier is just around the corner: As Evelyn Douek explained, the "next frontier" of fake news will feature machine-learning software that can cheaply produce convincing audio or video of almost anyone saying or doing just about anything. These may be "digital avatars" built from generative adversarial networks (GANs), or they may rely on simpler face-swapping technology to create "deep fakes." The effect is the same: fake videos that look frighteningly real. Bobby Chesney and Danielle Citron recently sounded the alarm on Lawfare about the threat to democracy from "deep fakes," lamenting "the limits of technological and legal solutions." They argue that existing law has a limited ability to force online platforms to police such content because "Section 230 of the Communications Decency Act immunizes from (most) liability the entities best situated to minimize damage efficiently: the platforms." But in fact, a loophole built into Section 230 immunity - the intellectual property exception - could be helpful in combating deep fakes and other next-generation fake news. Victims of deep fakes may successfully bring "right of publicity" claims against online platforms, thereby forcing the platforms to systematically police such content. At a minimum, such right-of-publicity claims are likely to generate crucial litigation. * * * top

- and -

Realistic docudramas don't violate California publicity rights - deHavilland v. FX (Eric Goldman, 2 April 2018) - Last week, the California Court of Appeal ordered the dismissal of a right of publicity and false-light privacy lawsuit brought by legendary actress Olivia de Havilland against FX Networks over the depiction of her in the television miniseries Feud: Bette and Joan (2017). The opinion is available here. One of Hollywood's staples is the docudrama: a motion picture or television series based on real persons and real-life events. Recent examples include the television series The People v. O.J. Simpson (which won nine Emmy awards), and the movies Hidden Figures (about female mathematicians and engineers at NASA in the 1960s) and Darkest Hour (about Winston Churchill's early days as Prime Minister). Sometimes docudramas are near-journalistic in nature, and sometimes they are heavily fictionalized; but all docudramas are necessarily dramatized to some extent, because it is impossible to depict real life with 100% accuracy. To depict private conversations, for example, a screenwriter must invent dialogue, because no one was there to record what was said, and even the participants in the conversation may remember it differently when interviewed in later years. It is also common for screenwriters to invent fictitious or composite characters to interact with the more well-known historical figures that are the focus of the docudrama. Docudramas have frequently been the source of litigation disputes. When real-life people are upset with how they are depicted in a movie or television series, they often turn to causes of action such as libel, false-light privacy, or the right of publicity to vindicate what they see as the truth. More often than not, these lawsuits fail; but they succeed often enough to avoid Rule 11 sanctions, and the cost of litigating these disputes may have a "chilling effect" on the willingness of Hollywood to take on certain subject material.
Hollywood studios frequently pay people for the "rights" to tell their life stories, simply in order to avoid having a suit filed against them for a violation of their rights of privacy or publicity, and the attendant cost of litigation. * * * top

Tech thinks it has a fix for the problems it created: Blockchain (NYT, 1 April 2018) - Worried about someone hacking the next election? Bothered by the way Facebook and Equifax coughed up your personal information? The technology industry has an answer called the blockchain - even for the problems the industry helped to create. The first blockchain was created in 2009 as a new kind of database for the virtual currency Bitcoin, where all transactions could be stored without any banks or governments involved. Now, countless entrepreneurs, companies and governments are looking to use similar databases - often independent of Bitcoin - to solve some of the most intractable issues facing society. "People feel the need to move away from something like Facebook and toward something that allows them to have ownership of their own data," said Ryan Shea, a co-founder of Blockstack, a New York company working with blockchain technology. The creator of the World Wide Web, Tim Berners-Lee, has said the blockchain could help reduce the big internet companies' influence and return the web to his original vision. But he has also warned that it could come with some of the same problems as the web. Blockchain allows information to be stored and exchanged by a network of computers without any central authority. In theory, this egalitarian arrangement also makes it harder for data to be altered or hacked. In the first three months of 2018, venture capitalists put half a billion dollars into 75 blockchain projects, more than double what they raised in the last quarter of 2017, according to data from Pitchbook. Most of the projects have not gotten beyond pilot testing, and many are aimed at transforming mundane corporate tasks like financial trading and accounting. But some experiments promise to transform fundamental things, like the way we vote and the way we interact online. [ Polley : Quite interesting article (if a bit unstructured), and worth a close read.] top

US suspects cellphone spying devices in DC (AP, 3 April 2018) - For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies - which use such eavesdropping equipment themselves - have been silent on the issue until now. In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation's capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where. The agency's response, obtained by The Associated Press from Wyden's office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation's airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly. * * * Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations. Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil. Every embassy "worth their salt" has a cell tower simulator installed, Turner said. They use them "to track interesting people that come toward their embassies." The Russians' equipment is so powerful it can track targets a mile away, he said. top

Anatomy of a cyber attack (NY Law Journal, 4 April 2018) - Cybersecurity is an increasingly important risk vector that impacts every facet of society. Day by day, businesses and even individuals are finding themselves to be targets of cyberattacks, and lawyers are certainly no exception. The sheer scale of the problem can be seen in the fact that, according to a recent report, there were more records compromised in 2017 than there are people currently living on earth. While this risk applies to all organizations and individuals, lawyers, as safeguards of their clients' information, are particularly useful targets for cyber criminals. Lawyers of every stripe and specialty tend to possess large quantities of their clients' sensitive data and in many cases present a more desirable target than the clients themselves, because the data of all of their clients is centralized in a single location. Recognizing this threat, the bar has taken steps to ensure that the profession rises to the challenge posed by the pervasive threat of cyber-compromise. The bar's understanding of the lawyer's duty to his or her clients has developed along two parallel paths: the duty of confidentiality and the duty of technological competence as applied in the digital context. In 2017, the American Bar Association proceeded along the first path and released Formal Opinion 477, which dealt with cybersecurity in client communications. This is a fundamental departure from previously established guidance from the ABA, which held that "A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint." While this specific change only affects attorney communications and not the practice of law more generally, it signals that the bar is now more willing than ever to begin regulating cybersecurity in the practice of law. Nor is the ABA alone: twenty-eight state bars have adopted language mandating that the duty of competency in representation extends to technological competence as well. [ Polley : not much new(s) here, but the New York Law Journal reaches an important audience; more and more visibility (and appreciation) of these kinds of issues.] top

Facebook scans the photos and links you send on Messenger, and it reads flagged chats (LA Times, 4 April 2018) - Facebook Inc. scans the links and images that people send each other on Facebook Messenger, and reads chats when they're flagged to moderators, making sure it all abides by the company's rules governing content. If it doesn't pass muster, it gets blocked or taken down. The company confirmed the practice after an interview with Chief Executive Mark Zuckerberg, published this week, raised questions about Messenger's practices and privacy. Zuckerberg told Vox's Ezra Klein a story about receiving a phone call related to ethnic cleansing in Myanmar. Facebook had detected people trying to send sensational messages through the Messenger app, he said. "In that case, our systems detect what's going on," Zuckerberg said. "We stop those messages from going through." Some people reacted with concern on Twitter: Was Facebook reading messages more generally? Facebook has been under scrutiny in recent weeks over how it handles users' private data, and the revelation struck a nerve. Messenger doesn't use the data from the scanned messages for advertising, the company said, but the policy may extend beyond what Messenger users expect. top

- and -

What you don't know about how Facebook uses your data (NYT, 11 April 2018) - * * * Facebook meticulously scrutinizes the minutiae of its users' online lives, and its tracking stretches far beyond the company's well-known targeted advertisements. Details that people often readily volunteer - age, employer, relationship status, likes and location - are just the start. Facebook tracks both its users and nonusers on other sites and apps. It collects biometric facial data without users' explicit "opt-in" consent. And the sifting of users can get quite personal. Among many possible target audiences, Facebook offers advertisers 1.5 million people "whose activity on Facebook suggests that they're more likely to engage with/distribute liberal political content" and nearly seven million Facebook users who "prefer high-value goods in Mexico." "Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior," said Peter Eckersley, the chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. "That knowledge turns out to be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people's political views, or other sensitive facts about them?" Facebook uses a number of software tools to do this tracking. When internet users venture to other sites, Facebook can still monitor what they are doing with software like its ubiquitous "Like" and "Share" buttons, and something called Facebook Pixel - invisible code that's dropped onto the other websites that allows that site and Facebook to track users' activity. Ms. Dingell asked Mr. Zuckerberg how many non-Facebook sites used various kinds of Facebook tracking software: "Is the number over 100 million?" He said he'd have to get back to her with an answer. * * * top
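The Times piece names the mechanism (Like/Share buttons and the Pixel) but not how to find it on a page you are responsible for. As an added illustration, not code from the article or from Facebook, the Python script below does the audit a practitioner would want: it parses a page's HTML and reports every resource that would call out to another party on load, flagging known beacon endpoints, 1x1 images and inline `fbq()` bootstrap calls. The sample page is constructed; the hostnames `connect.facebook.net` and `www.facebook.com` and the `fbq` function name are taken from the publicly documented Pixel snippet and treated here as assumptions that may change, and the pixel ID is a placeholder.

```python
"""Audit an HTML page for third-party beacons such as the Facebook Pixel.

Added illustration, not code from the NYT article or from Facebook.
SAMPLE_HTML is constructed. KNOWN_TRACKER_HOSTS and the fbq() marker are
assumptions based on the public Pixel snippet and may change over time.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts treated as known beacon endpoints (assumption; extend for other vendors).
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com"}
INLINE_MARKERS = ("fbq(",)  # function names that reveal a tracker bootstrap


class ResourceCollector(HTMLParser):
    """Record every src-bearing tag and the text of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, src, attrs) in document order
        self.inline_scripts = []  # body text of <script> tags without src
        self._script_buf = None   # accumulates data while inside an inline script

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            self.resources.append((tag, src, attrs))
        elif tag == "script":
            self._script_buf = []

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def base_domain(host):
    """Crude eTLD+1 (last two labels); a real audit would use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def audit(html, page_url):
    """Return findings: resources that report the page view to another party."""
    first_party = base_domain(urlparse(page_url).hostname or "")
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, src, attrs in collector.resources:
        host = urlparse(src).hostname
        if not host:            # relative URL: same origin, not a beacon
            continue
        reasons = []
        if host in KNOWN_TRACKER_HOSTS:
            reasons.append("known tracker host")
        if base_domain(host) != first_party:
            reasons.append("third-party host")
        if tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1":
            reasons.append("1x1 pixel")
        if reasons:
            findings.append({"tag": tag, "host": host, "url": src, "reasons": reasons})
    for body in collector.inline_scripts:
        hits = [m for m in INLINE_MARKERS if m in body]
        if hits:
            findings.append({"tag": "script", "host": None, "url": None,
                             "reasons": ["inline tracker bootstrap: " + ", ".join(hits)]})
    return findings


# Constructed sample page: first party is example.com; the pixel ID is a placeholder.
SAMPLE_HTML = """<html><head>
<script>
!function(f,b,e,v,n,t,s){/* pixel bootstrap elided */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
<script src="/static/app.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
<img src="https://cdn.example.com/logo.png" width="200" height="50">
<iframe src="https://www.facebook.com/plugins/like.php?href=https://example.com/"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "https://example.com/article"):
        print(f["tag"], f["host"], "; ".join(f["reasons"]))
```

Run it over the saved HTML of a page you control (`audit(open(path).read(), page_url)`). The check only covers what is present in the markup at load time; beacons injected later by scripts need a browser-side view such as the network panel or a headless browser.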

Is cybersecurity improving? (Lawfare, 5 April 2018) - Is cybersecurity improving overall? By at least some measures the answer is a surprising "yes." This annual report from FireEye gives us at least two reasons to think that trend lines are actually improving: First, as noted by Joe Uchill of Axios Codebook , the identity of who discovers an intrusion is changing drastically. As recently as 2011, 94 percent of intrusions were discovered and reported by outsiders-law enforcement, customers, or other observers. Today, victim companies discover 64 percent of their own breaches-a significant improvement in self-awareness. Second, that improvement has consequences. An intruder's "dwell time" inside a victim's system is less than a quarter of what it was in 2011. It's still too high-median dwell time is 75 days in the U.S., 175 in Europe and more than 490 in Asia-but the fact that it is down is a significant improvement. top

Cyberinsurance tackles the wildly unpredictable world of hacks (Wired, 6 April 2018) - In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax's losses from the incident. It's uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity-and the challenges of getting it right. In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to the Organisation for Economic Co-operation and Development. That's not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually . But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent every year for the past five years, in an industry unaccustomed to such spikes. With the EU's General Data Protection Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk. "Typically in insurance we use the past as prediction for the future, and in cyber that's very difficult to do because no two incidents are alike," said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors. top

RSS is undead (TechCrunch, 7 April 2018) - RSS died. Whether you blame Feedburner, or Google Reader, or Digg Reader last month, or any number of other product failures over the years, the humble protocol has managed to keep on trudging along despite all evidence that it is dead, dead, dead. Now, with scandal over Cambridge Analytica, there is a whole new wave of commentators calling for RSS to be resuscitated. Brian Barrett at Wired said a week ago that "… anyone weary of black-box algorithms controlling what you see online at least has a respite, one that's been there all along but has often gone ignored. Tired of Twitter? Facebook fatigued? It's time to head back to RSS." Let's be clear: RSS isn't coming back alive so much as it is officially entering its undead phase. Don't get me wrong, I love RSS. At its core, it is a beautiful manifestation of some of the most visionary principles of the internet, namely transparency and openness. The protocol really is simple and human-readable. It feels like how the internet was originally designed with static, full-text articles in HTML. Perhaps most importantly, it is decentralized, with no power structure trying to stuff other content in front of your face. It's wonderfully idealistic, but the reality of RSS is that it lacks the features required by nearly every actor in the modern content ecosystem, and I would strongly suspect that its return is not forthcoming. [Polley : interesting; I use RSS to find about 20% of the content that goes into MIRLN.] top
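The piece stresses that RSS is simple and human-readable; the flip side, for anyone building or running a reader, is that a feed is XML fetched from an arbitrary publisher and must be treated as untrusted input. Here is the reader side as an added Python example (not the TechCrunch author's code and not any feed library's): a minimal RSS 2.0 parser that refuses oversized feeds and any feed carrying a DOCTYPE, so that no entity declarations reach the XML parser (a belt-and-braces measure on top of the standard library's refusal to fetch external entities), and that drops items whose link is not http(s). Both feeds below are constructed with placeholder hostnames, and the size cap is an assumption.

```python
"""Minimal RSS 2.0 reader with the input hardening a feed consumer needs.

Added illustration; not code from the TechCrunch piece or from any feed
library. SAMPLE_FEED and HOSTILE_FEED are constructed and their hostnames
are placeholders. MAX_FEED_BYTES is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

MAX_FEED_BYTES = 2 * 1024 * 1024              # refuse feeds larger than this
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
SAFE_SCHEMES = ("http", "https")


class UnsafeFeed(ValueError):
    """Raised when a feed fails a safety check before or during parsing."""


@dataclass
class Entry:
    title: str
    link: str
    guid: str


def parse_rss(raw: bytes) -> List[Entry]:
    """Parse RSS 2.0 bytes into entries, rejecting hostile input up front."""
    if len(raw) > MAX_FEED_BYTES:
        raise UnsafeFeed("feed exceeds size limit")
    # No DOCTYPE means no entity declarations, so neither external-entity
    # (XXE) nor entity-expansion tricks can reach the XML parser at all.
    if DOCTYPE_RE.search(raw):
        raise UnsafeFeed("DOCTYPE declarations are not accepted in feeds")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise UnsafeFeed(f"malformed XML: {exc}") from exc
    if root.tag != "rss":
        raise UnsafeFeed(f"expected <rss> root, got <{root.tag}>")
    channel = root.find("channel")
    if channel is None:
        raise UnsafeFeed("missing <channel>")
    entries = []
    for item in channel.findall("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        guid = (item.findtext("guid") or link).strip()
        # Links end up clickable; accept only web schemes so a feed cannot
        # smuggle javascript: or file: URLs into the reader.
        if urlparse(link).scheme not in SAFE_SCHEMES:
            continue
        entries.append(Entry(title=title, link=link, guid=guid))
    return entries


# Constructed feeds; hostnames are placeholders.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
<title>Constructed feed</title><link>https://news.example.com/</link>
<item><title>First item</title><link>https://news.example.com/1</link>
<guid>https://news.example.com/1</guid></item>
<item><title>Link with script scheme</title><link>javascript:alert(1)</link></item>
<item><title>Second item</title><link>https://news.example.com/2</link></item>
</channel></rss>"""

HOSTILE_FEED = b"""<?xml version="1.0"?>
<!DOCTYPE rss [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<rss version="2.0"><channel><item><title>&xxe;</title>
<link>https://news.example.com/x</link></item></channel></rss>"""

if __name__ == "__main__":
    for entry in parse_rss(SAMPLE_FEED):
        print(entry.title, "->", entry.link)
    try:
        parse_rss(HOSTILE_FEED)
    except UnsafeFeed as err:
        print("rejected:", err)
```

The `description` element is deliberately not surfaced here: it routinely carries publisher HTML, and a reader that renders it must run it through an HTML sanitizer first, which is a separate job from parsing the feed.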

Using Turnitin to teach students not to plagiarize (InsideHigherEd, 10 April 2018) - By now, most educators know about Turnitin, and many of us have used it to scare our students out of submitting work written by someone else, whether that writer was a friend, an internet entrepreneur or even (in the most obvious cases) Wikipedia. The first time I used it to check for plagiarism, I have to admit that it was purely for the fear factor, as I hadn't learned much about the benefits the resource has to offer. I just looked at the similarity percentages to see how high they were, warning students that they would be penalized if they had plagiarized. It took me a while to understand how Turnitin can also be useful to students if they are taught how to take advantage of it as a tool. * * * Here's how I tell students to use Turnitin to check their papers. First, I set it up on my end so that they can submit multiple times and see their similarity percentages. Students have told me sometimes their other professors won't allow this, which might be to further discourage plagiarism attempts by preventing students from knowing whether they need to make changes, but I feel that this restricts a powerful teachable moment. Next, when students have polished their drafts to a point where they think they're finished, they submit and wait for the percentage. Obviously, a high percentage is less than ideal, but that alone won't provide everything they need to know. Plagiarism is still possible with a low score, so I then have them click "markup document" and the originality tab. A truer originality percentage will show up if they use the filter, located on the right-hand side, to exclude any quotes they have used, as those will obviously come directly from sources. I also tell them to click "exclude bibliography," as titles of sources they have used will also come up highlighted. Any other writing that is too close to a source will be marked in various colors. This is a good check to see where they may need to make some tweaks. * * * [ Polley : quite interesting.] top

RESOURCES

Starting A Mobile Hotspot Lending Program (Maine.gov, March 2018) - Implementing a Mobile Hotspot Lending Program at your library offers up a world of possibilities for your patrons. Enabling patrons to take the Internet home offers a number of unique benefits such as: * * * By loaning out the Internet, just like a book, your Library can provide its patrons with 24/7 access to Internet. In an increasingly interconnected world, the Internet is vital in day to day life. Offering mobile hotspot devices to your patrons will help meet their information needs in new and exciting ways. top

Borgesius and Steenbruggen on The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression (MLPB, 11 April 2018) - Frederik Zuiderveen Borgesius, University of Amsterdam, Institute for Information Law (IViR), and Wilfred Steenbruggen, Bird & Bird, have published The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression. Here is the abstract: In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This paper discusses the protection of the right to confidentiality of communications in Europe. We look at the right's origins as a fundamental right to assess the rationale for protecting the right. We also analyse how the right is currently protected under the European Convention on Human Rights and under EU law. We show that the right to communications confidentiality protects three values: trust in communication services, privacy, and freedom of expression. The right aims to ensure that individuals and businesses can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. Hence, the right does not merely serve individual privacy interests, but also other interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary to protect trust, privacy and freedom of expression. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Comcast to stop blocking Internet traffic (NBC, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Comcast said it will collaborate with BitTorrent Inc., the company founded by the creator of the popular BitTorrent file-sharing protocol, to come up with better ways to transport large files over the Internet instead of delaying file transfers. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and "Net Neutrality" advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company's core business. Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. top

Abracadabra! Bush makes privacy board vanish (Wired, 4 Feb 2008) - The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate's Homeland Security Committee. "I urge the president to move swiftly to nominate members to the new board to preserve the public's faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism," Lieberman said in a statement. "The White House's failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission," Collins said in a statement. top