Saturday, July 19, 2014

MIRLN --- 29 June – 19 July 2014 (v17.10)

MIRLN --- 29 June - 19 July 2014 (v17.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



UPCOMING CLE

ABA Cybersecurity Series (ABA, July 2014) - Join the authors of the best-selling ABA Cybersecurity Handbook as they offer practical cyber-threat information, guidance, and strategies for lawyers, law firm attorneys, in-house counsel, government attorneys, and public interest attorneys. [Y]ou can register for each webinar individually or you can register for one of three webinar packages specifically tailored to your practice area and receive a 20% discount as well as a Certificate of Completion.


New ABA Value Pass provides lawyers with yearlong CLE subscription (ABA, 25 June 2014) - Lawyers seeking to create their own personal continuing legal education portfolio directly from the American Bar Association can now obtain a Continuing Legal Education Value Pass, which provides yearlong access to hundreds of ABA distance-learning programs for one price. "We are delighted to provide the legal profession with a flat-rate annual subscription to much of our live distance learning and recorded online programming," ABA Executive Director Jack Rives said. "This further demonstrates the breadth, depth and quality of the content our many entities create for America's lawyers." ABA members can subscribe at the special introductory rate of $575 annually. The pass is also available to nonmembers for $795 annually. The pass provides access to * * *


NEWS

US National Archives enshrines Wikipedia in Open Government Plan, plans to upload all holdings to Commons (Wikipedia, 25 June 2014) - The US National Archives and Records Administration (NARA) has committed to engaging with Wikimedia projects in its newest Open Government Plan. The biannual effort is a roadmap for how the agency will accomplish its goals in the digital age. In the first plan, issued in 2010, Archivist of the United States David Ferriero wrote "the cornerstone of the work that we do every day is the belief that citizens have the right to see, examine, and learn from the records that document the actions of their Government. But in this digital age, we have the opportunity to work and communicate more efficiently, effectively, and in completely new ways." * * * [V]olunteers are working with NARA on a new upload script to port images to Commons; the work in progress is posted on Github. At NARA itself, an API is in development that will make it easier to extract the metadata of the images. Given these efforts, McDevitt-Parks says that they will "allow us to more easily upload all of our existing digitized holdings to Wikimedia Commons and similar third-party platforms, and also that in the future upload to platforms like Commons will be the end of all digitization. Looking at it this way, I would say that in a way all of our digitization efforts are also for upload to Wikimedia Commons."


Massachusetts high court orders suspect to decrypt his computers (ArsTechnica, 25 June 2014) - Massachusetts' top court ruled, in a 5-2 decision on Wednesday, that a criminal suspect can be ordered to decrypt his seized computer. The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment right to protect against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights). For example, more than two years ago, the 11th Circuit Court of Appeals ruled that a defendant was not obliged to decrypt his hard drive, as doing so would violate his Fifth Amendment rights. However, that ruling only took effect in the 11th Circuit, which covers parts of the southeastern United States. Just last year, a federal judge refused to force a Wisconsin child pornography suspect to decrypt his laptop. Overall, cases involving decryption are still relatively new and rare. The first known one only dates back to 2007. [Polley: In fact, there's applicable case-law going back much further; the facts in this case are interesting.]


Can nondisparagement clauses silence negative online reviews? (Legal Intelligencer, 26 June 2014) - What do dentists, wedding photographers, moving companies, locksmiths and online retailers all have in common? Answer: They have each tried to limit negative online customer reviews via nondisparagement clauses in their service agreements. Traditionally found in negotiated settlement or employee severance agreements, nondisparagement (or "no review") clauses are now making their way into non-negotiated service contracts and the oft-ignored terms and conditions of online retailers. With scant decisional case law on point, courts have yet to directly address the fairness (read: enforceability) of these clauses. Recently, legislators in Pennsylvania and elsewhere have entered the fray by introducing bills to curb parties from chilling public speech - or even deeming such clauses illegal, absent voluntary waivers of the right to opine. So the question becomes: Are nondisparagement clauses the wave of the future, or simply the next battleground in the war for online consumer rights? * * * [Polley: Eric Goldman has blogged extensively about this subject over the last 5 years or so, e.g., here; there are several MIRLN stories about this, too.]


What your cell phone can't tell the police (The New Yorker, 26 June 2014) - On May 28th, Lisa Marie Roberts, of Portland, Oregon, was released from prison after serving nine and a half years for a murder she didn't commit. A key piece of overturned evidence was cell-phone records that allegedly put her at the scene. Roberts pleaded guilty to manslaughter in 2004, after her court-appointed attorney persuaded her that she had no hope of acquittal. The state's attorney had told him that phone records had put Roberts at the scene of the crime, and, to her lawyer, that was almost as damning as DNA. But he was wrong, as are many other attorneys, prosecutors, judges, and juries, who overestimate the precision of cell-phone location records. Rather than pinpoint a suspect's whereabouts, cell-tower records can put someone within an area of several hundred square miles or, in a congested urban area, several square miles. Yet years of prosecutions and plea bargains have been based on a misunderstanding of how cell networks operate. No one knows how often this occurs, but each year police make more than a million requests for cell-phone records. "We think the whole paradigm is absolutely flawed at every level, and shouldn't be used in the courtroom," Michael Cherry, the C.E.O. of Cherry Biometrics, a consulting firm in Falls Church, Virginia, told me. "This whole thing is junk science, a farce." The paradigm is the assumption that, when you make a call on your cell phone, it automatically routes to the nearest cell tower, and that by capturing those records police can determine where you made a call - and thus where you were - at a particular time. That, he explained, is not how the system works. When you hit "send" on your cell phone, a complicated series of events takes place that is governed by algorithms and proprietary software, not just by the location of the cell tower. First, your cell phone sends out a radio-frequency signal to the towers within a radius of up to roughly twenty miles - or fewer, in urban areas - depending on the topography and atmospheric conditions.


US oil & gas industry establishes information sharing center (InfoSecurity, 26 June 2014) - As part of a voluntary effort, the oil and natural gas industry is launching the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC), dedicated to protecting critical energy infrastructure from computer-based attacks. The ONG-ISAC will serve as a unified, central reservoir of cyber intelligence and a virtual pipeline that facilitates the secure sharing of vetted, actionable and timely cyber intelligence to members. "Cyber-based attacks are one of the fastest-growing threats to America's infrastructure," said David Frazier, chairman of the ONG-ISAC, in a statement. "ONG-ISAC will help our industry to quickly identify and respond to threats against refineries, pipelines and other distribution systems that serve US consumers and businesses. It also will provide industry participants a secure way to share information and stay connected with law enforcement agencies." An industry-owned and operated organization, the ONG-ISAC will facilitate the exchange of information, evaluate risks, and provide up-to-date security guidance to US companies. Participants can submit incidents either anonymously or with attribution via a secure web portal; circulate information on threats and vulnerabilities among ONG-ISAC members, other ISACs, vendors and the US government; provide industry participants with access to cybersecurity experts; alert participants of cyber-threats deemed 'urgent' or 'elevated' in near real-time, within 60 minutes; coordinate industry-wide responses to computer-based attacks; and ensure compliance with all antitrust and federal disclosure guidelines.


- and -

Active malware operation let attackers sabotage US energy industry (ArsTechnica, 30 June 2014) - Researchers have uncovered a malware campaign that gave attackers the ability to sabotage the operations of energy grid owners, electricity generation firms, petroleum pipelines, and industrial equipment providers. Called Dragonfly, the hacking group managed to install one of two remote access trojans (RATs) on computers belonging to energy companies located in the US and at least six European countries, according to a research report published Monday by Symantec. One of the RATs, called Havex, was spread by hacking the websites of companies selling software used in industrial control systems (ICS) and waiting for companies in the energy and manufacturing industries to install booby-trapped versions of the legitimate apps. "This campaign follows in the footsteps of Stuxnet, which was the first known major malware campaign to target ICS systems," the Symantec report stated. "While Stuxnet was narrowly targeted at the Iranian nuclear program and had sabotage as its primary goal, Dragonfly appears to have a much broader focus with espionage and persistent access as its current objective with sabotage as an optional capability if required." Dubbed Energetic Bear by other researchers, Dragonfly has been in operation since at least 2011. It initially targeted US and Canadian companies in the defense and aviation industries before shifting its focus to energy concerns. The group bears the hallmarks of a state-sponsored operation, mainly in its organization and high degree of technical sophistication. Its primary motive appears to be espionage, although additional capabilities suggest that sabotage is also of interest. Fingerprints left inside the malware show the attackers mostly worked Monday through Friday during a nine-hour period that corresponded to 9am to 6pm in Eastern Europe, leading Symantec researchers to theorize that was the region where the most Dragonfly members worked.
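The working-hours "fingerprint" Symantec drew from the malware is a general timestamp-analysis technique that incident responders and threat-intelligence analysts apply to compile timestamps, file metadata and C2 activity logs. The script below is an added example, not code from the page, from Ars Technica or from Symantec; it uses a constructed set of UTC timestamps (not real Dragonfly or Havex artifacts) and scores every candidate UTC offset by how many timestamps fall inside a Monday-to-Friday, 09:00-18:00 local window. The `WORK_START_HOUR`/`WORK_END_HOUR` window and the offset range are assumptions chosen to match the nine-hour pattern the article describes.

```python
"""Working-hours inference from build timestamps.

Added example, not code from the page or from Symantec. The page reports that
Dragonfly's malware carried timestamps clustered in a Monday-Friday,
09:00-18:00 window for Eastern Europe. This script shows the general form of
that analysis: score every candidate UTC offset by how many timestamps land
inside a weekday working window, and report the best fit.
"""
from datetime import datetime, timedelta

# Constructed sample of compile timestamps in UTC (ISO 8601). These are NOT
# real Dragonfly/Havex artifacts; they were chosen to illustrate the method.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-03-04T07:30:00", "2013-03-04T09:00:00", "2013-03-04T11:45:00",
    "2013-03-04T14:20:00", "2013-03-04T15:50:00",
    "2013-03-05T07:05:00", "2013-03-05T10:30:00", "2013-03-05T15:15:00",
    "2013-03-06T08:10:00", "2013-03-06T13:40:00",
    "2013-03-07T07:45:00", "2013-03-07T12:00:00", "2013-03-07T15:55:00",
    "2013-03-08T09:20:00", "2013-03-08T14:05:00",
]

WORK_START_HOUR = 9   # inclusive, local time (assumed window)
WORK_END_HOUR = 18    # exclusive, local time (assumed window)


def in_working_window(ts_utc, offset_hours):
    """True if ts_utc, shifted to UTC+offset_hours, falls on a weekday 09:00-18:00."""
    local = ts_utc + timedelta(hours=offset_hours)
    return local.weekday() < 5 and WORK_START_HOUR <= local.hour < WORK_END_HOUR


def score_offsets(timestamps, offsets=range(-12, 15)):
    """Map each candidate UTC offset to the fraction of timestamps inside the window."""
    parsed = [datetime.fromisoformat(t) for t in timestamps]
    if not parsed:
        raise ValueError("no timestamps to score")
    return {
        off: sum(in_working_window(ts, off) for ts in parsed) / len(parsed)
        for off in offsets
    }


def best_offsets(timestamps, offsets=range(-12, 15)):
    """Return the UTC offset(s) with the highest working-window fit, ascending."""
    scores = score_offsets(timestamps, offsets)
    top = max(scores.values())
    return sorted(off for off, s in scores.items() if s == top)


def local_hour_histogram(timestamps, offset_hours):
    """Count timestamps per local hour at a chosen offset, for an eyeball check."""
    hist = {}
    for t in timestamps:
        hour = (datetime.fromisoformat(t) + timedelta(hours=offset_hours)).hour
        hist[hour] = hist.get(hour, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    for off, frac in sorted(score_offsets(SAMPLE_TIMESTAMPS_UTC).items()):
        print(f"UTC{off:+d}: {frac:.0%} inside weekday 09-18 window")
    fit = best_offsets(SAMPLE_TIMESTAMPS_UTC)
    print("best fit:", fit)
    print("local-hour histogram at best fit:",
          local_hour_histogram(SAMPLE_TIMESTAMPS_UTC, fit[0]))
```

On the constructed sample the unique best fit is UTC+2, which is Eastern European Time in early March. Treat the result as one weak signal among many: compile timestamps can be zeroed or forged, and a single offset covers several countries, so it supports an attribution hypothesis rather than proving one.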


Austrian TOR exit node operator found guilty as an accomplice because someone used his node to commit a crime (TechDirt, 2 July 2014) - Three years ago we wrote about how Austrian police had seized computers from someone running a Tor exit node. This kind of thing happens from time to time, but it appears that folks in Austria have taken it up a notch by... effectively now making it illegal to run a Tor exit node. * * * It's pretty standard to name criminal accomplices liable for "aiding and abetting" the activities of others, but it's a massive and incredibly dangerous stretch to argue that merely running a Tor exit node makes you an accomplice that "contributes to the completion" of a crime. Under this sort of thinking, Volkswagen would be liable if someone drove a VW as the getaway car in a bank robbery. It's a very, very broad interpretation of accomplice liability, in a situation where it clearly does not make sense. Tragically, this comes out the same day that the EFF is promoting why everyone should use Tor. While it accurately notes that no one in the US has been prosecuted for running Tor, it may want to make a note about Austria. Hopefully there is some way to fight back on this ruling and take it to a higher court -- and hopefully whoever reviews it will be better informed about how Tor works and what it means to run an exit node.


US privacy panel backs NSA's Internet tapping (NYT, 2 July 2014) - The federal privacy board that sharply criticized the collection of the phone records of Americans by the National Security Agency has come to a starkly different conclusion about the agency's exploitation of Internet connections in the United States to monitor foreigners communicating with one another abroad. That program, according to the Privacy and Civil Liberties Oversight Board, is largely in compliance with both the Constitution and a surveillance law that Congress passed six years ago. [T]he most recent report, adopted by the board on Wednesday, deals with what the agency calls "702 collection," a reference to Section 702 of the Foreign Intelligence Surveillance Act, which was amended in 2008 after The New York Times revealed a program of warrantless wiretapping that the Bush administration started after the Sept. 11, 2001, attacks. "The Section 702 program has enabled the government to acquire a greater range of foreign intelligence than it otherwise would have been able to obtain - and to do so quickly and effectively," the report said. While it found little value in the bulk collection of Americans' telephone data, the board said that the 702 program, aimed at foreigners, "has proven valuable in the government's efforts to combat terrorism as well as in other areas of foreign intelligence." The program is also used to track nuclear proliferation and to monitor the calls and emails of foreign governments and their leaders. The report concluded that "monitoring terrorist networks under Section 702 has enabled the government to learn how they operate, and to understand their priorities, strategies and tactics." In a sign of the Obama administration's relief about the report's conclusion, it was praised by James R. Clapper Jr., the director of national intelligence, who refused to talk publicly about the 702 programs before the Snowden disclosures. Mr. Clapper cited a section of the report that said the board was "impressed with the rigor of the government's efforts to ensure that it acquires only those communications it is authorized to collect, and that it targets only those persons it is authorized to target."


- and -

Flawed oversight Board report endorses general warrants (EFF, 1 July 2014) - The Privacy and Civil Liberties Oversight Board (PCLOB) issued a legally flawed and factually incomplete report late Tuesday that endorses Section 702 surveillance. Hiding behind the "complexity" of the technology, it gives short shrift to the very serious privacy concerns that the surveillance has rightly raised for millions of Americans. The board also deferred considering whether the surveillance infringed the privacy of many millions more foreigners abroad. The board skips over the essential privacy problem with the 702 "upstream" program: that the government has access to or is acquiring nearly all communications that travel over the Internet. The board focuses only on the government's methods for searching and filtering out unwanted information. This ignores the fact that the government is collecting and searching through the content of millions of emails, social networking posts, and other Internet communications, steps that occur before the PCLOB analysis starts. This content collection is the centerpiece of EFF's Jewel v. NSA case, a lawsuit battling government spying filed back in 2008. The board's constitutional analysis is also flawed. The Fourth Amendment requires a warrant for searching the content of communication. Under Section 702, the government searches through content without a warrant. Nevertheless, PCLOB's analysis incorrectly assumes that no warrant is required. The report simply says that it "takes no position" on an exception to the warrant requirement when the government seeks foreign intelligence. The Supreme Court has never found this exception. PCLOB findings rely heavily on the existence of government procedures. But, as Chief Justice Roberts recently noted: "the Founders did not fight a revolution to gain the right to government agency protocols." Justice Roberts' thoughts are on point when it comes to NSA spying - mass collection is a general warrant that cannot be cured by government's procedures. The PCLOB's proposed reforms for Section 702 are an anemic set of recommendations that will do little to stop excessive surveillance. For example, rather than rein in government communications searches, the PCLOB simply asks the NSA to study the issue. The PCLOB report provides the public with much needed information about how the 702 program works. But the legal analysis is incorrect and the report fails to offer effective reforms.


- and -

Privacy Board report strongly suggests attorney-client communications subject to NSA spying (Center for Constitutional Rights, 2 July 2014) - In response to a new report that addresses warrantless NSA searches made possible by a particular section of the Foreign Intelligence Surveillance Amendments Act (FISA), the Center for Constitutional Rights issued the statement below. The Privacy and Civil Liberties Oversight Board (PCLOB) had previously addressed the collection of communications metadata, and here looked at the implications of collection of communications content under Section 702 of FISA. The Privacy Board's report is disappointingly superficial with respect to the main constitutional concerns raised here. The board includes no mention whatsoever of free speech, due process, and right to counsel when analyzing the legality of the NSA's collection of the content of communications between U.S. residents and persons of interest abroad. Deeply troubling, the report found that attorneys' legally-privileged communications are used and shared by the NSA, CIA and FBI unless they are communications directly with a client who has already been indicted in U.S. courts, which strongly suggests that the contents of privileged attorney-client communications at Guantanamo are subject to NSA warrantless surveillance. This raises serious concerns about the fairness of the military commission system and would seem to violate court orders entered in Guantanamo habeas cases that protect attorney-client privilege.


Why more start-ups are sharing ideas without legal protection (NYT, 2 July 2014) - In 2011, Andy Moeck was looking for investors for Moeo, a Los Angeles start-up he was building that makes mobile gaming apps based on real-time sporting events. A friend introduced Mr. Moeck to a partner at the Silicon Valley venture capital firm Kleiner Perkins Caufield Byers, and at their first meeting, Mr. Moeck asked the partner to sign a nondisclosure agreement. Such agreements, known as N.D.A.s, are intended to prevent an idea or technology from being stolen and copied. Mr. Moeck was especially concerned because the venture capital firm was already backing Zynga, another gaming company. "We knew they didn't have a mobile or sports strategy," he said of Zynga. "I didn't want to pitch Kleiner about what we were doing and have them go back and say to Zynga, 'This is how Moeo does it.'" But the Kleiner Perkins investor refused to sign an N.D.A., leaving Mr. Moeck to decide whether to proceed with his pitch. It is a common quandary, and not just in Silicon Valley. Ten years ago, it was not unusual for entrepreneurs to request and potential investors to sign nondisclosure agreements. But today the agreements are largely considered a thing of the past. In fact, some investors say they walk away from a founder who even suggests signing one. This cultural shift, which began in the late 1990s and accelerated during the early 2000s, began in Silicon Valley, said Victor W. Hwang, chief executive of T2 Venture Creation, an investment firm in Portola Valley, Calif. "One of the most advantageous things an entrepreneur can do is talk about their company to anyone who will listen," Mr. Hwang said. * * * Below are some guidelines to consider. They apply when engaging not just investors, but also manufacturers, partners and even customers. * * *


Reduce legal research costs with Google Scholar (Lawyerist, 3 July 2014) - Clients have been increasingly reluctant to pay for legal research. In this age of bundled services, they think that research costs should be included with an attorney's hourly or flat-rate fee. If you are seeking ways to reduce research costs, here is one good option: Google Scholar. It is an online research service that you should use to find cases and secondary sources - for free. This article first explains the primary benefits of Google Scholar. But before you cancel your subscription to LexisNexis or Westlaw, read the second part of this article on its limitations. * * *


Google blocks access to email to prevent 'needless and massive' Goldman Sachs breach (PC Magazine, 3 July 2014) - American multinational investment banking firm Goldman Sachs Group, Inc. said on Wednesday that Google has complied with a request to block access to an email containing confidential client data, which was mistakenly sent by a contractor to a stranger's Gmail account, according to Reuters. The information included "highly confidential brokerage account information," Reuters reported, citing a complaint filed on Friday in a New York state court in Manhattan. Goldman Sachs had been seeking a court order imploring Google to block access to the email. A Goldman Sachs spokesperson told Reuters that no client information has been breached because the recipient had not accessed the Gmail account between the time the email was sent - on June 23 - and the time Google blocked access. The contractor was testing changes to Goldman Sachs's internal processes when the incident transpired.


ICSI works with Yahoo Labs and Lawrence Livermore lab to offer analytics tools for over 100 million Flickr images and videos (Marketwired, 3 July 2014) - The International Computer Science Institute (ICSI), a leading center for computer science research, today announced a collaboration with Yahoo Labs and Lawrence Livermore National Laboratory to process and analyze the recently released Yahoo Flickr Creative Commons 100 Million (YFCC100M) dataset, a publicly available corpus of user-generated content comprising more than 100 million images and videos. ICSI has developed a number of research tools to extract meaning from the vast amounts of multimedia data freely available online, giving researchers the ability to draw powerful conclusions from the data. Such work includes: (a) Audio and visual recognition techniques that can reliably identify the geographic location of a video or photo's origin point. (b) Video concept detection, which uses acoustic analysis and segmentation of similar sounds to treat sounds like keywords, making it possible to reliably search abstract concepts like "baby catching a ball" or "animal dancing to music." ICSI is collaborating directly with Lawrence Livermore Lab to process the massive dataset using the lab's supercomputer, the Cray Catalyst. "The media that people choose to upload with a Creative Commons License are full of information: they tell us about the people in them, where they are and what is happening, even if none of that is explicitly laid out," said Gerald Friedland, research director of Audio and Multimedia at ICSI. "ICSI's sophisticated computing tools help us make sense of that data at scale, and there is so much we can learn by fully leveraging the rich Creative Commons dataset that Flickr has amassed over the past decade."


Is your Android device telling the world where you've been? (EFF, 3 July 2014) - Do you own an Android device? Is it less than three years old? If so, then when your phone's screen is off and it's not connected to a Wi-Fi network, there's a high risk that it is broadcasting your location history to anyone within Wi-Fi range that wants to listen. This location history comes in the form of the names of wireless networks your phone has previously connected to. These frequently identify places you've been, including homes ("Tom's Wi-Fi"), workplaces ("Company XYZ office net"), churches and political offices ("County Party HQ"), small businesses ("Toulouse Lautrec's house of ill-repute"), and travel destinations ("Tehran Airport wifi"). This data is arguably more dangerous than that leaked in previous location data scandals because it clearly denotes in human language places that you've spent enough time to use the Wi-Fi. Normally eavesdroppers would need to spend some effort extracting this sort of information from the latitude/longitude history typically discussed in location privacy analysis. But even when networks seem less identifiable, there are ways to look them up. We briefly mentioned this problem during our recent post about Apple deciding to randomize MAC addresses in iOS 8. As we pointed out there, Wi-Fi devices that are not actively connected to a network can send out messages that contain the names of networks they've joined in the past in an effort to speed up the connection process. But after writing that post we became curious just how many phones actually exhibited that behavior, and if so, how much information they leaked. To our dismay we discovered that many of the modern Android phones we tested leaked the names of the networks stored in their settings (up to a limit of fifteen). And when we looked at these network lists, we realized that they were in fact dangerously precise location histories. Aside from Android, some other platforms also suffer from this problem and will need to be fixed, although for various reasons, Android devices appear to pose the greatest privacy risk at the moment.
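The messages the EFF describes are 802.11 probe requests: a "directed" probe names a previously joined network in its SSID information element, while a wildcard probe carries an empty SSID element and reveals nothing. The script below is an added example, not the EFF's test code or anything from the page; it parses the tagged-parameter body of probe request frames and reports, per station, which network names were disclosed, the kind of audit an IT team would run over a capture of its own fleet to find devices that need a firmware or settings fix. The frames, the station MACs (locally administered placeholders) and the `build_probe_body` helper are constructed here; the SSIDs reuse the page's own illustrations.

```python
"""Audit of directed Wi-Fi probe requests (added example, not the EFF's code).

Each 802.11 information element is: 1-byte element ID, 1-byte length, then
`length` bytes of data. Element ID 0 is the SSID; a zero-length SSID element
marks a wildcard probe. The audit lists, per station, the SSIDs it named.
"""

SSID_ELEMENT_ID = 0             # IEEE 802.11 information element ID for SSID
SUPPORTED_RATES_ELEMENT_ID = 1  # present in real probe requests; parsed and skipped
MAX_SSID_LEN = 32


def parse_elements(body):
    """Yield (element_id, data) pairs from an 802.11 tagged-parameter blob.

    Raises ValueError on a truncated header or an element whose declared
    length runs past the end of the body (a malformed or cut-off frame).
    """
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError(f"element header truncated at offset {pos}")
        eid, length = body[pos], body[pos + 1]
        data = body[pos + 2 : pos + 2 + length]
        if len(data) != length:
            raise ValueError(f"element {eid} at offset {pos} declares {length} "
                             f"bytes, only {len(data)} present")
        yield eid, data
        pos += 2 + length


def probed_ssid(body):
    """Return the SSID a probe request names, or None for a wildcard probe."""
    for eid, data in parse_elements(body):
        if eid == SSID_ELEMENT_ID:
            return data.decode("utf-8", errors="replace") if data else None
    return None  # no SSID element at all: treat as wildcard


def build_probe_body(ssid):
    """Construct a minimal probe request body: SSID element + Supported Rates."""
    ssid_bytes = ssid.encode("utf-8")
    if len(ssid_bytes) > MAX_SSID_LEN:
        raise ValueError("SSID longer than 32 bytes")
    rates = bytes([0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps (basic rates)
    return (bytes([SSID_ELEMENT_ID, len(ssid_bytes)]) + ssid_bytes
            + bytes([SUPPORTED_RATES_ELEMENT_ID, len(rates)]) + rates)


# Constructed capture: (station MAC, probe request body). The MACs are
# locally administered placeholders, not real devices.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", build_probe_body("Tom's Wi-Fi")),
    ("02:00:00:00:00:01", build_probe_body("Company XYZ office net")),
    ("02:00:00:00:00:01", build_probe_body("")),   # wildcard probe
    ("02:00:00:00:00:02", build_probe_body("")),   # this station only sends wildcards
    ("02:00:00:00:00:02", build_probe_body("")),
]


def audit(frames):
    """Map each station to the sorted list of SSIDs it disclosed ([] if none)."""
    disclosed = {}
    for mac, body in frames:
        names = disclosed.setdefault(mac, set())
        ssid = probed_ssid(body)
        if ssid is not None:
            names.add(ssid)
    return {mac: sorted(names) for mac, names in disclosed.items()}


if __name__ == "__main__":
    for mac, ssids in audit(SAMPLE_FRAMES).items():
        status = "LEAKS network history" if ssids else "wildcard probes only"
        print(f"{mac}: {status} {ssids if ssids else ''}".rstrip())
```

The first constructed station discloses two of the page's example network names and would be flagged; the second sends only wildcard probes and is clean. Real captures carry many more element types (HT capabilities, vendor-specific elements), which `parse_elements` walks past without needing to understand them, and a truncated frame raises rather than silently yielding a partial SSID.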


What legal protections apply to e-mail stored outside the US? (Orin Kerr on Volokh Conspiracy, 7 July 2014) - A federal magistrate judge in New York recently handed down an opinion on an important and novel question: If the government serves a warrant for a customer's e-mails on a U.S.-based Internet provider, but the e-mails happen to be located on a server outside the U.S., does the provider have to comply with the warrant? The magistrate judge held that the answer is "yes." The provider, Microsoft, recently filed objections to the magistrate's decision in the District Court. A slew of major Internet providers filed amicus briefs in support of Microsoft: Apple/Cisco's is here, AT&T's is here, and Verizon's is here. EFF filed a brief in support of Microsoft, too. The case is now pending before Chief Judge Loretta Preska of the Southern District of New York. In this post, I wanted to run through the complicated legal issues raised by the challenges. As I emphasized in a recent article, the Stored Communications Act just wasn't drafted with the problem of territoriality in mind. It assumed a U.S. Internet with U.S. servers and U.S. users. However the Microsoft challenge goes, Congress needs to amend the statute to deal expressly with the complex problems raised by the global Internet. In this post, though, I'll take the current statute as a given, and I'll run through the constitutional and statutory issues raised by access to e-mail located abroad under current law. My bottom line: I don't think Microsoft can challenge the warrant on Fourth Amendment grounds, and I think it's a close call on whether the warrant is valid on statutory grounds. If Microsoft wins, though, I think the DOJ may be able to get foreign e-mails with a U.S. subpoena, which wouldn't be much of a victory for privacy or sovereignty.


Hacked companies face SEC scrutiny over disclosure (Bloomberg, 7 July 2014) - The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks. The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren't public. Target Corp. (TGT), the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers' debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings. The prospect of enforcement actions against the targets of cyberattacks marks a new front in the agency's efforts to combat the rising threat hackers pose to public companies, brokerages and financial markets. Previously, the SEC had focused on guiding public companies on how to disclose those risks and making sure financial companies have adequate defenses against hackers. "The SEC issues subpoenas when they believe the disclosure is either incomplete or misleading," said Linda Griggs, a partner at Morgan, Lewis & Bockius LLP who previously worked at the SEC as chief counsel to the agency's chief accountant. "It's totally consistent for them to be looking at this kind of thing." The SEC is also investigating companies' internal controls in cases where the value of assets could have been affected by a breach, one of the people said.


- and -

Recent developments concerning cybersecurity disclosure for public companies (Hunton & Williams, June 2014) - Cyber incidents have become more common - and more severe - in recent years. Like other federal agencies, the Securities and Exchange Commission (Commission) has recently been analyzing the applicability of its existing regulations relating to cybersecurity risks. The Commission's efforts are focused on maintaining the integrity of market systems, protecting customer data and the disclosure of material information. We provide an overview of recent developments in public company cybersecurity disclosure of particular interest to public companies.


- and -

Cybersecurity now tops boardroom concerns (FierceCIO, 11 July 2014) - If data security and privacy aren't front and center on your radar, they better get there quick. A new study finds that data security is now the number one concern in the corporate boardroom. FTI Consulting has just released its Law in the Boardroom Study, and shared highlights of the study in an email to FierceCIO. Nearly 500 directors and general counsel participated in the study. "Data security topped both directors' and general counsels' lists of worries, outranking 2013's top concern of succession and leadership transition," FTI Consulting said. "As hackers get better at their exploits, corporate security is failing to keep up, resulting in the main thing keeping directors up at night." Results of the study were also summarized this week in the FTI Journal, in an article entitled "Managing Cyber Risk: Job #1 for Directors and General Counsel." The study was conducted with New York Stock Exchange Governance Services, and led by Tom Brown, senior managing director, and Neal Hochberg, global practice leader of forensic and litigation consulting, both at FTI Consulting. "The risks that come along with the digitization of business (and everything else) are multiplying, as are the costs of protecting against and remediating the impact of cyber-attacks and data breaches," the study says. "This year, information technology cyber risk oversight was chosen by 41 percent of directors and 33 percent of general counsel as an issue upon which they will spend significant time, appreciably more than last year's 28 percent for directors and 27 percent for general counsel." The report also cites data from the Ponemon Institute's 2013 Cost of Cyber Crime Study: United States, which reported that the average annualized cost of cybercrime in 2013 was $11.6 million per company studied, with a range from $1.3 million to $58 million. To put that in context, the average annualized cost in 2012 was $8.9 million.

top

Law firm files defamation action against former client who posted unflattering review on Yelp---and didn't pay fees (MLPB, 8 July 2014) - A Texas law firm has filed a defamation lawsuit in response to the disparaging review of its services a former client posted on Yelp. The client, Joseph A. Browning, claims that the content of his post is accurate and has refused to pay the firm's fees. The firm, Grissom & Thompson, of Austin, says it has no recourse now that Mr. Browning refuses to pay, but also wants him to remove the post. More here in an article in the Texas Lawyer. Read the firm's complaint here. For interested readers, the Browning review is still available on Yelp, but I won't link to it; you can easily find it by searching for it online. Mr. Browning is not the first person to be sued over a Yelp review. Last February, both a woman who reviewed a local contractor's work, and the contractor who then responded to her review, were found liable for defamation.

top

FCC sets new rules for online video clips (The Hill, 11 July 2014) - Regulators are establishing new rules requiring closed captions for online video clips. The Federal Communications Commission (FCC) voted unanimously Friday to approve the rules from Chairman Tom Wheeler. Wheeler - signing along in American Sign Language - repeated a pledge he made at another closed captioning vote earlier this year. "This is just the beginning in dealing with our responsibility to make sure that individuals with special needs are in the front of the technology train, not the back of the technology train," he said. Friday's vote sets requirements for online video clips that have aired on television with closed captions, mimicking current requirements for full-length online videos that originally were broadcast with captions on television. The new requirements apply to video distributors like broadcasters and cable and satellite companies. Under the 2010 Twenty-First Century Communications and Video Accessibility Act, the FCC has the authority to require closed captions for online videos. In 2012, the agency created rules under that law that require closed captions on full-length online videos that aired with captions on television. The rules approved Friday set staggered deadlines between 2016 and 2017 for clips taken straight from television, montages containing multiple clips and clips of live and near-live programming, like sports and news.

top

Suing file-sharers doesn't work, lawyers warn (TorrentFreak, 13 July 2014) - For more than a decade copyright holders and the U.S. Government have been trying to find the silver bullet to beat piracy. This week the American Bar Association joined the discussion with a 113-page white paper . With their "call for action" the lawyers encourage Congress to draft new anti-piracy legislation and promote voluntary agreements between stakeholders. Among the options on the table is the filing of lawsuits against individual file-sharers, something the RIAA did extensively in the past. Interestingly, the lawyers advise against this option as it's unlikely to have an impact on current piracy rates. According to the lawyers these types of lawsuits are also financially ineffective, oftentimes costing more than they bring in. In addition, they can create bad PR for the copyright holders involved. "While it is technically possible for trademark and copyright owners to proceed with civil litigation against the consuming public who [...] engage in illegal file sharing, campaigns like this have been expensive, do not yield significant financial returns, and can cause a public relations problem for the plaintiff in addressing its consuming public," the lawyers write. [ Polley : see RIAA story below in " Looking Back "]

top

Annual review of social media policies may not address regulatory risks, says expert (Out-Law.com, 14 July 2014) - Technology law specialist Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that businesses that only conduct a review of social media strategy once a year may be exposing themselves to legal risks. "There have been a number of recent changes to the law and the way that regulators are approaching the law as well as a number of forthcoming changes that highlight the need for companies to conduct a more regular review of their social media use than just annually," Scanlon said. "For instance, enforcement action by the Financial Conduct Authority last month indicates the approach the regulator is willing to take against financial services companies that breach rules on financial promotions. Rulings by the Court of Justice of the EU have also raised the prospect of firms having to think more carefully about how they process personal data, even if published elsewhere. Both of these examples raise compliance issues in a social media setting," he said. Scanlon also pointed to changes to defamation laws in England and Wales which came into force earlier this year as an issue that could impact on social media use, and further identified existing copyright and communication laws , as well as advertising and consumer protection rules , that must be adhered to by companies publishing on social media. "There are many issues that organisations must be aware could affect them as a result of engaging with customers via social media," Scanlon said. "Most organisations will likely be aware of their basic obligations, such as those to do with data protection and defamation, but there are some legal changes that may go unnoticed unless there are regular reviews of social media strategy scheduled."

top

Project 18F: "Delivery is the Strategy" (Cebe IT, 15 July 2014) - Project 18F is part of the US General Services Administration, the procurement arm of the federal government, feared by suppliers and not quite famous for its ability to innovate or move fast. But 18F is different. Staffed from the ground up by a lean team of (mostly young) technologists, including the Presidential Innovation Fellows, it "builds effective, user-centric digital services focused on the interaction between government and the people and businesses it serves." Their slogan is "delivery is the strategy." For example, it took them just 17 days (in government terms, that's a nanosecond) to deliver from scratch a Web site, notalone.gov, designed to track reports of sexual assault on campuses. Another project, myusa.gov, is a sort of "social API" for e-gov applications. The idea is that a citizen will create a profile once, and government applications that use the API will no longer need to ask people to re-enter their data each time they fill a form online; once the user logs in, the required data will be pulled from his or her profile.

Chinese hackers extending reach to smaller US agencies (NYT, 15 July 2014) - After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies. Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week. The printing office catalogs and publishes information for the White House, Congress and many federal departments and agencies. It also prints passports for the State Department. The accountability office, known as the congressional watchdog, investigates federal spending and the effectiveness of government programs. The attacks occurred around the same time Chinese hackers breached the networks of the Office of Personnel Management , which houses the personal information of all federal employees and more detailed information on tens of thousands of employees who have applied for top-secret security clearances. Some of those networks were so out of date that the hackers seemed confused about how to navigate them, officials said. But the intrusions puzzled American officials because hackers have usually targeted offices that have far more classified information.

top

"Hidden from Google" shows sites censored under EU's right-to-be-forgotten law (GigaOM, 16 July 2014) - News stories about a child rapist, a shoplifter and a financial scandal have all gone missing from Google search results in recent weeks - but now links to the stories have reappeared on " Hidden from Google ," a website that is archiving examples of internet censorship that are taking place under a controversial new law. The law allows EU citizens to force search engines to remove links to websites that they believe display outdated or irrelevant information. The law, which took effect in May in response to a court ruling , has led to an avalanche of "delete me" requests to Google, including many from rogues and criminals . The law has already led search results from major news outlets like the BBC and the Guardian to disappear , which is what led U.S. web developer Afaq Tariq to create the "Hidden from Google" page. The site provides a link to the story removed from Google, along with the relevant search term and the source that revealed the missing information. Censored pages include a BBC story about Carlos Silvano, a Portuguese pedophile, and a Daily Mail story about Gregory Sim, who had sex on a crowded train in 2008. Tariq told the BBC that the list is now very short because he wants to ensure that "an article is being censored consistently across European domains" before he includes it. Overall, the "Hidden from Google" page is likely to add to the ongoing alarm and confusion over the new European law. Implementation of the law has been chaotic as a result of vague instructions from the European Court of Justice, which declared in May that EU citizens could tell Google to delete search results under a 20-year-old data law, but that results in the public interest could remain.

top

RESOURCES

"Loopholes for Circumventing the Constitution: Warrantless Bulk Surveillance on Americans by Collecting Network Traffic Abroad" (PET Symposium, July 2014) Abstract: In this multi-disciplinary paper, we reveal interdependent legal and technical loopholes that intelligence agencies of the U.S. government could use to circumvent constitutional and statutory safeguards for U.S. persons. We outline known and new circumvention techniques that can leave the Internet traffic of Americans as vulnerable to surveillance, and as unprotected by U.S. law, as the Internet traffic of foreigners.

top

Steptoe launches data breach toolkit (Steptoe, 17 July 2014) - Data breaches can have a devastating effect on a company's revenue and reputation. The true financial impact of a breach includes not just the expense of responding to the incident and the potential loss of invaluable trade secrets, but also the costs of defending the company in litigation and investigations by state, federal, and possibly foreign regulators. We are therefore pleased to announce our Data Breach Toolkit , a new resource to help companies minimize the chances of a breach, evaluate a company's level of preparation for a breach, and respond quickly and effectively to any breach that does occur despite the best preparation. It will help put companies in a strong position to defend against the second round of attacks - this time by plaintiffs' lawyers and regulators. The toolkit also includes a useful outline of U.S. federal and state breach notification laws.

top

DIFFERENT

@congress-edits (activated 11 July 2014) - I'm a bot that tweets anonymous Wikipedia edits that are made from IP addresses in the US Congress. You can find the code at https://github.com/edsu/anon
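The core of a bot like this is a small attribution check: take each anonymous edit from a recent-changes feed (on Wikimedia wikis an anonymous editor's "username" is the editing IP address) and test that address against a table of CIDR blocks. The following is an added illustration written for this page, not the @congress-edits bot's own code from the repository above. Everything specific in it is assumed: the CIDR blocks are RFC 5737 / RFC 3849 documentation ranges standing in for whatever an operator has attributed to an institution (the real bot's ranges are not reproduced here), and the event dicts are a constructed, simplified form of a recent-changes feed with `user`, `title`, `server_url` and `revision` keys.

```python
"""Match anonymous wiki edits against a table of IP ranges.

Added example, not the @congress-edits bot's code. The ranges and the
event layout below are assumptions made for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Hypothetical attribution table: label -> CIDR blocks. The blocks are
# documentation ranges (RFC 5737 / RFC 3849), not real institutional space.
WATCHED_RANGES: Dict[str, List[str]] = {
    "Example Institution A": ["192.0.2.0/24", "2001:db8:1::/48"],
    "Example Institution B": ["198.51.100.0/24"],
}


def compile_ranges(table: Dict[str, List[str]]) -> List[Tuple[str, object]]:
    """Parse CIDR strings once, so per-event matching is cheap on a live stream."""
    compiled = []
    for label, cidrs in table.items():
        for cidr in cidrs:
            # strict=True rejects malformed blocks such as 192.0.2.5/24 at load time
            compiled.append((label, ipaddress.ip_network(cidr, strict=True)))
    return compiled


def is_anonymous(user: str) -> bool:
    """Anonymous editors are identified by their IP; anything unparseable is a named account."""
    try:
        ipaddress.ip_address(user)
        return True
    except ValueError:
        return False


def attribute(ip: str, compiled: List[Tuple[str, object]]) -> Optional[str]:
    """Return the label of the first watched block containing ip, or None."""
    addr = ipaddress.ip_address(ip)  # also normalises upper-case IPv6 usernames
    for label, net in compiled:
        if addr.version == net.version and addr in net:
            return label
    return None


def diff_url(event: dict) -> str:
    """Build a diff link using the index.php?diff=...&oldid=... form MediaWiki serves."""
    rev = event["revision"]
    return f"{event['server_url']}/w/index.php?diff={rev['new']}&oldid={rev['old']}"


def scan(events: Iterable[dict], table: Dict[str, List[str]] = WATCHED_RANGES) -> List[dict]:
    """Yield one hit per anonymous edit whose source IP falls in a watched block."""
    compiled = compile_ranges(table)
    hits = []
    for ev in events:
        user = ev.get("user", "")
        if not is_anonymous(user):
            continue
        label = attribute(user, compiled)
        if label is None:
            continue
        hits.append({"label": label, "ip": user, "title": ev["title"], "url": diff_url(ev)})
    return hits


# Constructed sample feed (not real edits): two watched anonymous edits, one
# named account, and one anonymous edit from an unwatched range.
SAMPLE_EVENTS = [
    {"user": "192.0.2.45", "title": "Example article", "server_url": "https://en.wikipedia.org",
     "revision": {"old": 1001, "new": 1002}},
    {"user": "ExampleUser", "title": "Another article", "server_url": "https://en.wikipedia.org",
     "revision": {"old": 2001, "new": 2002}},
    {"user": "203.0.113.7", "title": "Third article", "server_url": "https://en.wikipedia.org",
     "revision": {"old": 3001, "new": 3002}},
    {"user": "2001:DB8:1::9", "title": "Fourth article", "server_url": "https://en.wikipedia.org",
     "revision": {"old": 4001, "new": 4002}},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit['label']} edited {hit['title']} from {hit['ip']}: {hit['url']}")
```

The attribution table is the weak point of any such bot: a block only means "an institution's network" if it comes from registry or whois data that is kept current, and a shared or NAT'd range attributes every edit behind it to the whole institution, not to any individual. The check itself is deliberately dumb; the judgement lives in the table.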

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Music downloads decline after RIAA lawsuits (CNET, 4 Jan 2004) -- The music industry's controversial lawsuits against online song swappers appear to have forced U.S. computer users to severely curb their free music downloading habit, according to new research released Sunday. The percentage of Americans who downloaded music from the Internet fell to 14 percent over the four weeks ended Dec. 14, from 29 percent in a 30-day sample conducted in March, April and May, according to a telephone survey of 1,358 Internet users conducted by the Pew Internet & American Life Project. Since September, the Recording Industry Association of America (RIAA) has filed about 400 lawsuits against music downloaders, claiming "egregious" copyright infringement and seeking up to $150,000 per violation. About half of the people hit with such lawsuits have settled out of court, usually for $5,000 or less, while others have mounted fierce legal challenges to the lawsuits. The number of downloaders fell to about 18 million people in the winter period, from 35 million in the spring, the Pew study found. The steepest drops in usage were found among women, people with some college education and parents with children living at home. Students and broadband users also showed large drops in downloading. In addition, the research showed that the use of peer-to-peer file sharing programs, which allow users to swap music for free, fell significantly in November from the year earlier. The user base of leading platform Kazaa shrank by 15 percent while Grokster's declined 59 percent, according to comScore Media Metrix, Pew's data partner for the study.

top

Livewire: web unites and divides legal profession (Reuters, 27 Dec 2003) -- California prosecutors took the unusual step of setting up a Web site on the Michael Jackson case to alleviate a media frenzy and, in doing so, triggered a debate on use of the Web within the legal community. Some legal experts said that posting documents detailing the criminal charges against the 45-year-old entertainer was a breakthrough for public access. Others countered that it would undermine the spirit of the law and court proceedings, creating even more of a circus-like atmosphere. Over the last five years, the Web has often been used to spin the views of one side or another in sensational civil cases, like the Microsoft class-action case. But lawyers and law professors said it was rare for a governmental prosecuting attorney's office to set up a Web site devoted entirely to a particular criminal case. Many said they expect it to become a trend, and, while a specialized Web site appears to be an anomaly in criminal cases, media-hounded prosecutors in other high-profile cases like the Kobe Bryant rape case and the upcoming Scott Peterson murder trial have also put links on their Web sites to documents. "The Web has been such a driver of information in civil cases, it has really changed defense tactics. The legal battles that now go on over the Web are not insubstantial," said Katrina Dewey, editor of the LA Daily Journal legal newspaper. "And now, this (trend) just moved it into the criminal arena," she said, referring to the Jackson Web site set up by the Santa Barbara County District Attorney Tom Sneddon at (http://www.sbscpressinfo.org).

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top

Saturday, June 28, 2014

MIRLN --- 8-28 June 2014 (v17.09)

MIRLN --- 8-28 June 2014 (v17.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | LOOKING BACK | NOTES

Cybersecurity in the boardroom: the new reality for Directors (IAPP, 27 May 2014) - Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high profile cybersecurity hacks-and the potential resulting drop in shareholder value, regulatory inquiries and litigations which inevitably follow-cybersecurity has become an increasingly challenging risk that boards must address. The board's role in understanding and monitoring cybersecurity risk has been underscored by a new breed of lawsuits alleging boards were asleep at the switch in the face of a known danger. Target, for example, is now facing a shareholder derivative lawsuit-Case number 14-cv-14-cv-203-alleging Target's board members and directors breached their fiduciary duties to the company by failing "to maintain proper internal controls" related to data security and misleading affected consumers about the scope of the breach after it occurred. That complaint alleges Target was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target "to be exposed to millions of dollars of potential liability in class-action lawsuits," and through "substantial damage" to "the company's sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust." It remains to be seen whether the lawsuits against directors and officers will succeed. Regardless of their outcomes, however, these suits highlight that the board plays a fundamental role in preventing and detecting risks associated with information security breaches. 
The board's role in cybersecurity was also emphasized by the SEC during its March 26 Cybersecurity Roundtable, where one of the key themes was the instrumental role the board of directors and senior management should play in leading an organization's cybersecurity preparedness and resilience to cybersecurity attacks. One roundtable panelist opined in that regard that senior management can play an important role in creating a cybersecurity culture that "starts at the keyboard" and in which cybersecurity is not seen as a technology issue for the IT department to resolve but a business issue in which all employees take action and understand their role in protecting their companies. While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice. In attempting to fulfill their fiduciary duties to the company by managing cybersecurity risks, the following are some guideposts for directors to follow: * * *

top

- and -

AIG, NACD, and ISA issue cyber-risk oversight guidance for corporate directors (GlobeNewswire, 11 June 2014) - Designed to provide corporate directors with expert guidelines to improve their cybersecurity oversight, American International Group (AIG) , the National Association of Corporate Directors (NACD) , and the Internet Security Alliance (ISA) today announced the release of the latest issue in NACD's Director's Handbook Series, Cyber-Risk Oversight. Access this new resource at www.NACDonline.org/Cyber . "Ninety percent of directors participating in our latest governance survey indicated they would like to improve their understanding of cybersecurity risk," said Ken Daly, NACD president and CEO. "This handbook provides boards with practical tools to do just that, including self-assessment questions for directors, sample board report dashboards, and guidelines for conversations with management." This unique publication is organized around five key principles and covers a wide spectrum of board-level considerations related to oversight of cybersecurity, including board composition, liability implications, disclosure issues, access to expertise, and risk appetite calibration. "Recent breaches in both the public and private sectors have put the issue of cybersecurity on every board's agenda," said Larry Clinton, president and CEO of ISA. "This handbook is a natural extension of ISA's mission to create private sector standards and practices that integrate both the technological and economic aspects of cybersecurity." Boards should adapt the recommendations set forth in the handbook based on their company's unique characteristics, including size, life-cycle stage, business strategy, industry sector, geographic footprint, and culture.

top

- and -

Why senior leaders are the front line against cyberattacks (McKinsey, June 2014) - The importance of cybersecurity is no secret to anyone who's opened a newspaper or attended a board meeting. So, senior executives may ask, what's the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks. * * * [ Polley : This McKinsey & Co report is quite useful.]

top

Health data breach victims have standing to sue says West Virginia Supreme Court (Nat'l Law Review, 3 June 2014) - The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court. The Court's opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result. The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative. The West Virginia case differs from other data breach standing cases in two respects: (i) it concerns health data, in addition to personal identifying information, and health data has the benefit of legal protections that other personal information does not enjoy; and (ii) West Virginia has a judicial history of allowing actions based upon an invasion of the right of privacy without proof of special economic (liquidated, out-of-pocket) damages. The Court said that while the mere risk of future identity theft alone does not constitute an injury in fact sufficient to confer standing, the plaintiffs also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy, and that those claims were not hypothetical or speculative. The breach by a doctor of his duty of confidentiality to the patient is an independent basis of a tort claim that may result in damages for the loss of the confidential relationship. 
Likewise, under West Virginia law (and in a number of other states as well) an unwarranted invasion of personal privacy, which includes the appropriation of another's name or likeness or that places another in a false light before the public, is grounds for an action in tort against the perpetrator.

top

FAA orders Boeing to protect 737s from computer hackers (USA Today, 6 June 2014) - The Federal Aviation Administration is ordering Boeing to modify the technology aboard late-model 737 aircraft to prevent computer hackers from damaging the planes. The order published Friday in the Federal Register is effective immediately, although the agency allowed a comment period until July 21. The special conditions are urgent because the FAA is trying to avoid slowing down design and delivery of new planes, according to the agency. Doug Alder, a Boeing spokesman, said the special conditions will institutionalize actions that the manufacturer had already taken or planned, in line with similar protections for the 747-8, 777 and 787. The special conditions apply to these aircraft because their technology is connected more thoroughly than other planes with computer networks outside the aircraft, making the 737 more vulnerable, according to FAA. The plane's technology "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems and networks critical to the safety and maintenance of the airplane," the FAA said. The order from Jeffrey Duven, manager of FAA's certification services, calls for Boeing to "ensure that the airplanes' electronic systems are protected from access by unauthorized sources external to the plane, including those possibly caused by maintenance activity."

top

Cyberattack insurance a challenge for business (NYT, 8 June 2014) - Julia Roberts's smile is insured. So are Heidi Klum's legs, Daniel Craig's body and Jennifer Lopez's derrière. But the fastest-growing niche in the industry today is cyberinsurance. Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker. Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses. The main problem is quantifying losses from attacks, because they are often intangible - lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year. "The losses that are more tangible and more readily quantifiable are the ones you'll be able to insure against more easily," said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. "The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones." At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. The problems companies face in getting insurance are illustrated by the situation Target faced last year. At the time of its breach, the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage, which came from multiple carriers, will barely compensate for the $1 billion in losses some analysts are forecasting. 
Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover $52 million of that.

top

- and -

The state of cyberinsurance (Bruce Schneier, 16 June 2014) - Good essay on the current state of cyberinsurance: So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible -- and perhaps largely imaginary -- losses to brands' reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers -- just like the rest of us -- don't have a good handle on what security practices and controls are most effective, so they don't know what to require of their customers. If I'm going to insure you against some type of risk, I want to know that you're taking appropriate steps to prevent that risk yourself -- installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there's a worry that you'll be so reliant on the insurance coverage that you'll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works -- and what doesn't -- to prevent security breaches.

top

Google books round 86: libraries win yet again (James Grimmelmann, 10 June 2014) - The Second Circuit's decision in Authors Guild v. HathiTrust is out. This, as a reminder, is the offshoot of the Google Books litigation in which the Authors Guild inexplicably sued Google's library partners. The trial judge, Harold Baer, held for the libraries in 2012 in a positively exuberant opinion: I cannot imagine a definition of fair use that would not encompass the transformative uses made by Defendants' MDP [Mass Digitization Project] and would require that I terminate this invaluable contribution to the progress of science and cultivation of the arts that at the same time effectuates the ideals espoused by the ADA. The Second Circuit's opinion drops the grand rhetoric, but otherwise the bottom line is basically the same: mass digitization to make a search engine is fair use, and so is giving digital copies to the print-disabled. The opinion on appeal is sober, conservative, and to the point; it is the work of a court that does not think this is a hard case. * * * These holdings merely affirm the District Court's conclusions, but they are still a big deal. The Second Circuit's decisions are binding precedent in New York, the nation's publishing capital, and are highly influential beyond. Five judges have now upheld the legality of scanning books to make a search engine; none have disagreed.

top

The Bank of England goes to cyber war (WSJ, 10 June 2014) - The Bank of England has launched a new cyber security strategy for financial institutions in the U.K., as the sector struggles to protect itself against the increased threat of cyber-attacks.

The framework, called CBEST, is based on penetration tests that mimic techniques and procedures used by cyber criminals to harm large financial organizations, such as banks and stock exchanges, our sister publication Financial News reports Tuesday.

The new strategy is based on real threat intelligence gathered about potential attacks to a specific financial institution. The intelligence is gathered through the monitoring of thousands of online sources, including hacker forums, blogs and chat rooms.

Research will be carried out on an ad hoc basis by cyber intelligence firms vetted by the Council for Registered Ethical Security Testers, or CREST, a non-profit representing the information security industry.

top

Comcast is turning the US into its own private hotspot (TechCrunch, 10 June 2014) - On paper it looks like a win-win: in the next few days, Comcast is quietly turning on public hotspots in its customers' routers, essentially turning private homes into public hotspots. Comcast customers get free Wi-Fi wherever there is a Comcast box and the company gets to build out a private network to compete with telecoms. Win-win. Fifty thousand users with Arris Touchstone Telephony Wireless Gateway Modems - essentially basic modems that cable providers drop off at your home - have already been turned into public hotspots in Houston, and there are plans to enable 150,000 more. Most subscribers will be enabled in the next few months. It's not like they didn't warn you. After all, news of this bold Xfinity Wifi project popped up months ago and began rolling out in 2013. But here's the problem: Comcast is essentially using your private residence as a corporate resource. They're using your electricity. They're using your Internet connection (although they claim they aren't) and they're opening up your private browsing to potential hackers. While Comcast will claim that these two streams are independent, there is nothing to stop a dedicated hacker from figuring out how to snoop data passing through the router. There is also nothing to stop someone from downloading illicit material, software, and other junk from your hotspot and then reporting you for theft or worse. Again, it's all ostensibly secure, but, like all things, it really isn't. Finally, it's also an opt-out solution, which means it is enabled by default and you, the consumer, have to turn it off. But Comcast doesn't want that. "We encourage all subscribers to keep this feature enabled as it allows more people to enjoy the benefits of Xfinity Wi-Fi around the neighborhood," said a company spokesperson last year. Not convinced? Dwight Silverman offers instructions for turning it off.

top

- and -

New open-source router firmware opens your Wi-Fi network to strangers (ArsTechnica, 20 June 2014) - We've often heard security folks explain their belief that one of the best ways to protect Web privacy and security on one's home turf is to lock down one's private Wi-Fi network with a strong password. But a coalition of advocacy organizations is calling such conventional wisdom into question. Members of the "Open Wireless Movement," including the Electronic Frontier Foundation (EFF), Free Press, Mozilla, and Fight for the Future are advocating that we open up our Wi-Fi private networks (or at least a small slice of our available bandwidth) to strangers. They claim that such a random act of kindness can actually make us safer online while simultaneously facilitating a better allocation of finite broadband resources. The OpenWireless.org website explains the group's initiative. "We are aiming to build technologies that would make it easy for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access," its mission statement reads. "And we are working to debunk myths (and confront truths) about open wireless while creating technologies and legal precedent to ensure it is safe, private, and legal to open your network." One such technology, which EFF plans to unveil at the Hackers on Planet Earth (HOPE X) conference next month, is open-sourced router firmware called Open Wireless Router. This firmware would enable individuals to share a portion of their Wi-Fi networks with anyone nearby, password-free, as Adi Kamdar, an EFF activist, told Ars on Friday. Home network sharing tools are not new, and the EFF has been touting the benefits of open-sourcing Web connections for years, but Kamdar believes this new tool marks the second phase in the open wireless initiative. Unlike previous tools, he claims, EFF's software will be free for all, will not require any sort of registration, and will actually make surfing the Web safer and more efficient. Open Wi-Fi initiative members have argued that the act of providing wireless networks to others is a form of "basic politeness… like providing heat and electricity, or a hot cup of tea" to a neighbor, as security expert Bruce Schneier described it.

top

In major privacy ruling, court says police need warrant to track phone users' location (GigaOM, 11 June 2014) - In a victory for privacy advocates, a federal appeals court in Florida ruled that law enforcement agents cannot force mobile carriers to turn over the location history of their customers without a search warrant. The case involved an appeal by Quartavius Davis, who was convicted by a jury for his role in a violent armed robbery spree targeting restaurants and gas stations. The evidence included location data gleaned from cellphone towers that showed Davis had been in proximity of the various businesses. In finding that the police should have obtained a warrant to obtain the location data, the 11th Circuit Court of Appeals unanimously ruled that the government violated Davis' Fourth Amendment right against unreasonable search and seizure. The case is groundbreaking because higher courts have yet to rule definitively on whether people have a privacy right in the location disclosed by their cell phones. Citing a recent Supreme Court case that suggested police in some cases need a warrant to track a suspect's automobile, the appeals court noted that a cell phone carries deeper privacy implications. The court also drew a firm line between what police must do to obtain call records from a phone company, which can share records without a warrant under the so-called "third-party doctrine," versus what is required to obtain a person's location. Declaring that a person's location is more analogous to the content of a phone call (for which police do need a warrant), the court stated that people can reasonably expect that their mobile carrier will not hand over a historic record of the places they have been. Finally, the case also highlights the ability of cellphone towers to observe and record a phone user's location. While the court acknowledged that the towers do not disclose a person's precise location, it ruled that they reveal enough information to trigger the Fourth Amendment's privacy protection.

top

Amazon blocking Warner movies pre-orders in latest feud (Bloomberg, 11 June 2014) - Customers trying to pre-order films such as "The Lego Movie," "300: Rise of an Empire" and "Winter's Tale" are instead asked to sign up to be notified when the item becomes available. Digital downloads of the movies are available for purchase through Amazon Instant Video. The world's biggest online retailer is seeking concessions from Warner Bros. that would give it more of a margin on sales of DVDs and digital versions of its movies, said a person familiar with the matter, who asked not to be identified because the negotiations are private. Amazon is already in a standoff with Hachette Book Group over e-book pricing in a tussle that will help determine whether publishers can gain any leverage against the online retailer and biggest seller of e-books. To ratchet up pressure on Hachette, Amazon started delaying shipments and blocking some book pre-orders -- including big-name titles such as "The Silkworm," J.K. Rowling's new novel written under a pseudonym.

top

7 apps for cataloguing your home library (InsideHigherEd, 12 June 2014) - Summer is just around the corner, and I've been drawing up a list of all the things I'd like to accomplish before next academic year. It's a fine time to relax, to step back and reassess my existing workflow, and to reorganize. One of the projects I'm trying this summer? Cataloging my own library. Do you ever spend too long looking for a book that you just know you already have? Have you ever accidentally purchased a book twice? Sadly, I can answer "yes" to both of these questions. One of my problems is that I can never remember if I own a particular book, or if I've just checked it out of the library frequently enough that I think it's a permanent fixture in my personal collection. I also often struggle to remember if I own a book in hard copy or Kindle form. And one of my least favorite feelings is when I know that I've loaned a book to a friend or colleague, but I'm unable to remember which person borrowed it or when. So, inspired by fellow GradHacker Justin Dunnavant's post on using Goodreads to organize his library, I've decided that it's time to reorganize my own collection of books. My requirements: must be an iOS-friendly app, must be less than $5, and must allow me to track borrowing. Here are a few of the contenders I've been considering, for any of you who might be interested in doing the same * * *

top

Why online tracking is getting creepier (ProPublica, 12 June 2014) - The marketers that follow you around the web are getting nosier. Currently, many companies track where users go on the Web - often through cookies - in order to display customized ads. That's why if you look at a pair of shoes on one site, ads for those shoes may follow you around the Web. But online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits - such as recent purchases, where you live, how many kids you have, and what kind of car you drive. Here's how it works, according to some revealing marketing literature we came across from digital marketing firm LiveRamp: (1) A retailer - let's call it The Pricey Store - collects the e-mail addresses of its high-spending customers. (Ever wonder why stores keep bugging you for your email at the checkout counter these days?) (2) The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.) The website that has a relationship with LiveRamp then allows LiveRamp to "tag" the customers' computer with a tracker. (3) When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to "show more expensive offerings to them." (Yes, the marketing documents really say that.) Tracking people using their real names - often called "onboarding" - is a hot trend in Silicon Valley. In 2012, ProPublica documented how political campaigns used onboarding to bombard voters with ads based on their party affiliation and donor history. Since then, Twitter and Facebook have both started offering onboarding services allowing advertisers to find their customers online.

top

- and -

Facebook turns user tracking 'bug' into data mining 'feature' for advertisers (ZDnet, 17 June 2014) - Facebook announced changes to its privacy and advertising policies on its company blog last Thursday, extending Facebook's ability to track users outside of Facebook -- undoing previous assurances it "does not track users across the web." The press reports initially sounded like good news, announcing that Facebook would be "letting people better control their advertising preferences." Indeed, users will soon be able to click on a little arrow on an ad, which will show them a simplified version of Facebook's marketing dossier on them, and the user can check or un-check different advertising interests. Facebook also announced Thursday it will begin tracking its users' browsing and activities on websites and apps outside Facebook, starting within a few weeks. Facebook said it will begin to disregard its users' choice of using their in-browser "Do Not Track" setting: Soon, anyone who clicks "ask websites not to track me" in Safari (or any other browser) will be completely ignored by Facebook. Google and Yahoo already ignore people's Do Not Track settings; fortunately, Twitter, Microsoft and Pinterest still respect the browser setting.

top

Feds tell local law enforcement to remain silent about cellphone surveillance (ABA Journal, 13 June 2014) - The federal government is putting pressure on local law enforcement to keep quiet about its use of Stingray and other surveillance technology used to gather data off of mobile phones. The Associated Press reports that the Obama administration has taken the rare step of becoming actively involved with state records request cases and local criminal trials in an effort to keep details of its surveillance secret. As a result, the AP reports that police departments have either refused to turn over, or have heavily redacted, documents and materials relating to such surveillance. One well-known piece of technology used by cops is Stingray. The device gathers information off a mobile phone by impersonating a cell tower and getting a phone to transmit data to it. According to the AP, Stingray allows police to obtain data off a mobile phone without having to get the cooperation of a user's mobile carrier, like Verizon Wireless or AT&T. Several civil liberties groups have tried to get state and federal agencies to release more information about what kind of information they are taking. "These extreme secrecy efforts are in relation to very controversial, local government surveillance practices using highly invasive technology," said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union, to the AP. "If public participation means anything, people should have the facts about what the government is doing to them." The FBI is contesting a lawsuit filed in Tucson, Ariz., that seeks to force it to give up its information by claiming that such disclosures would "result in the FBI's inability to protect the public from terrorism and other criminal activity because through public disclosures, this technology has been rendered essentially useless for future investigations." [ Polley : see also Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy (SSRN, by Stephanie Pell and Chris Soghoian, 15 May 2014)]

top

Companies involved in M&A activity more likely targets of cyberattacks (Cooley, 13 June 2014) - According to this article in the WSJ, companies involved in M&A activity had better make special efforts with regard to cybersecurity. In the course of the transaction, thieves may try to gain access to internal systems, extract negotiating positions or other information about the transaction, or make off with trade secrets or other inside information. Apparently, data thieves target companies engaged in M&A deals because, in light of the confusion that often surrounds M&A activity, employees are more vulnerable to cyberattacks. Employees of merged companies do not know who may be sending them emails and are more likely to open them. For example, in one case, cyberthieves went phishing by sending emails to employees of a newly acquired subsidiary announcing the acquisition. That email included malware that allowed the hackers to enter the company's network and steal proprietary data. Similarly, executives travelling for deal negotiations can also be a prime target for data thieves. To help address these risks, employees should be advised to be more cautious about opening emails when the company is going through a merger or acquisition. It may also be perilous for travelling executives to use Wi-Fi on mobile devices or plug into free Wi-Fi in hotels and public areas. In addition, companies should also "be careful not to link up their networks until the new network has been tested by the security team to make sure it's safe."

top

Apple starts letting Bitcoin transfer apps back into its app store (TechCrunch, 16 June 2014) - Apple's Bitcoin freeze appears to be thawing fast, with bitcoin wallet apps that offer the ability to transfer BTC now filtering back into the App Store. The move was picked up by Coindesk yesterday which noted that the Coin Pocket BTC wallet app was back in the store. The Coin Pocket app allows users to send and receive bitcoin from an iOS device, as well as offering an in-app QR code scanner; a private key sweep and encryption feature; and the ability to check bitcoin to USD conversion rates. Last year Apple was bumping bitcoin wallets from the App Store, taking a cautious approach to the virtual currency and enraging bitcoin enthusiasts in the process. Half a year on it looks like Cupertino is pulling the handbrake hard to make a sharp U-turn on BTC. As well as apps allowing BTC transfers others that allow in-app bitcoin purchases, such as eGifter, are also being let into the App Store, offering a channel for developers to circumvent Apple's 30% share of in-app purchases if their users are savvy enough to be able to pay with BTC. Despite Apple's prior freezing out of certain bitcoin apps, the arrival of an app like Coin Pocket which offers BTC transfer is not a huge surprise given that, at its WWDC developer conference earlier this month, Apple added a new rule to its developer agreement that sanctioned apps offering the transmission of "approved virtual currencies". [ Polley : I've installed Coin Pocket and am experimenting with Bitcoin; see also A beginner's guide to Bitcoin (Boing Boing, 4 June 2014)]

top

Nokia paid millions in ransom to stop release of signing key in 2007 (Ars Technica, 18 June 2014) - On Tuesday, MTV News in Finland reported for the first time that in 2007, Nokia paid millions of euros to someone who had acquired the Symbian encryption signing key to prevent its distribution. If released, that key would have allowed Nokia phones to accept non-authorized applications. At the time, Nokia was the world's leading smartphone manufacturer. After receiving the ransom demand, Nokia informed the National Bureau of Investigation, which appears to have orchestrated a surveillance operation. Nokia paid the multi-million euro ransom in cash, left in a bag at a parking lot near the Särkänniemi amusement park in the city of Tampere. As MTV News reported, "Police, however, lost track of the blackmailer and the money was gone. The case is still unsolved."

top

The GM lawyers were here (Corporate Counsel, 18 June 2014) - The deadly ignition switch fiasco at General Motors Co. has spawned a remarkable breadth of legal issues, ranging from the law department's role in recalls to the company's duty, if any, to compensate victims after it declared bankruptcy. Indeed, seldom has a legal department been thrust into such a high-profile role in a huge public controversy. The ignition switch debacle inevitably cast the legal team in a harsh light and led to the oft-repeated phrase: Where were the lawyers? Well, they were right here. GM's legal department has had three different, and impressive, leaders since the defective switch was uncovered. Any one of them might have led the company down a very different path, and perhaps saved lives along the way. But they didn't. Instead they allowed the company to waste nearly 10 years. That's 10 years of committee meetings and haggling and ignoring possible solutions. And 10 years of not issuing a recall while GM cars crashed and people died. * * * The company has suffered a massive blow to its reputation. It faces dozens of lawsuits carrying billions of dollars in potential liability. GM conducted an internal investigation, and a report was released in early June. At least four in-house lawyers, one a vice president, lost their jobs - though not general counsel Michael Millikin. No former or current GM lawyer responded to requests for comment for this story. The Valukas report made several recommendations to reform how the legal department works. The U.S. Department of Justice is conducting a criminal investigation, and several state attorneys general were also investigating the matter. * * * At the heart of it all is a legal department of about 200 attorneys who failed to communicate. And that's putting their failure in the best possible light. Some observers prefer the phrase "cover-up." At least one class action suit over the defect clearly points at the lawyers' role in not disclosing the truth during GM's 2009 bankruptcy proceedings. First the complaint offers a detailed timeline of GM actions, along with emails that show the company knew about the defect for over a decade. Then the complaint states that it is "inconceivable that individuals within GM's upper management and general counsel's office did not know about the ignition switch defect in GM vehicles, or the attendant contingent liabilities, when GM entered bankruptcy in June 2009." [ Polley : I was deputy GC in a similar-sized multinational; I'd have been fired if I hadn't known what my people were doing. It seems to me that Millikin should be fired if he knew, and fired if he didn't. In a related vein, see GM recalls: How General Motors silenced a whistle-blower (Bloomberg, 18 June 2014), and How GM's lawyers failed in their duties (NYT, 9 June 2014). Along with the Wal-Mart Mexico bribery/FCPA story from 2012, I can't think of more egregious examples of disastrous corporate culture.]

top

The strange demise of TrueCrypt and what it says about cybersecurity (Paul Rosenzweig on Lawfare, 18 June 2014) - A small earthquake happened at the end of May - a well-regarded, widely known encryption program called TrueCrypt shut its doors. For those who care about surveillance, encryption, and open-source methodologies, the change was abrupt and disturbing. It's the type of thing that goes unnoticed by the broader public, but has quiet effects that should not go unremarked. * * * What are we to make of all this? Well, for starters, I like a mystery as much as anyone and you have to admit this is a good one. Famous product all of a sudden pulled from the market. Why? Nobody knows. So it's just a good yarn … But beyond that, the episode re-emphasizes the challenge of an "open source" method of security. [Lawyerly footnote: There are some who dispute that TrueCrypt was truly open-source because it was licensed, so you couldn't modify it at will. I use the term here to mean that the code could be seen, reviewed, prodded, tested, and deconstructed.] As with Heartbleed, open source methods work only for as long as volunteers are willing to work on the project. I tend to think that you get what you pay for - and if nobody was paying the TrueCrypt developer(s) it is not at all surprising that he/they eventually just decided to find a better way to spend his time (heck, maybe he got married - or maybe she did …). Third, the incident serves to reemphasize how much the whole Snowden affair has disrupted settled expectations. Pre-Snowden, concerns over encryption were limited to a much smaller minority of folks and the demise of TrueCrypt would not have been accompanied by grim views of government enforcement. Today, those are commonplace. Finally, the episode serves to also illuminate how broken our system of security is. We can't trust the government to provide it; we can't trust private corporations to provide it; and we can't rely on the kindness of strangers to provide it either. Unless you are one of the rare individuals who can build and install their own encryption code (I am =not=!) you are inevitably reliant on somebody else for your security. Yet nobody is somebody you can trust. And that leaves us hopelessly vulnerable - not just to mistrusted governments but to malevolent actors across the globe. The Russian cyber gangs must rejoice at the demise of TrueCrypt. [ Polley : worth reading the whole post.]

top

Medtronic says was victim of cyber attack, lost patient records (Reuters, 20 June 2014) - Medtronic Inc, the world's largest stand-alone medical device maker, was the victim of a cyber attack and lost some patient records in separate incidents last year, it said in a regulatory filing on Friday. "Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia," the company said in a 10-K filing with the U.S. Securities and Exchange Commission. Medtronic officials could not be reached to elaborate on the contents of the 10-K filing, which did not identify the other companies involved in the breach.

top

Scan license plates so you can text flirty messages to cute drivers with GM's new app (Digital Trends, 21 June 2014) - There are plenty of smartphone apps that make it easier to flirt and set up dates with strangers, but GM has an ace up its sleeve that may trump all of them. No, the car manufacturer isn't muscling its way into the dating game - at least not directly. But its China R&D team has developed an Android app that lets a driver scan a license plate in order to start texting the owner of that car. The romantic implications of DiDi Plate, a prototype app debuted earlier this month at the Telematics Detroit 2014 conference, are obvious enough, even to GM. A video demo at the conference run by John Du, director of GM's China R&D Division, even highlighted a scenario where a male driver scans the license plate in front of him in order to see that female driver's profile. He smoothly proceeds to tell her that he's going to a mountain and would like someone to go with, to which she responds, "OK, let's go together." However, there are other practical (and less creepy) uses for the app. For instance, the demo showed a driver whose car was blocked in a parking lot scanning the license plate of the inconveniently placed car and asking the owner to move their automobile. Du added that his team has found a way to make the prototype app work with Google Glass, which would make its uses more dynamic or unsettling, depending on how you view it.

top

Unblinking eyes track employees (NYT, 21 June 2014) - Advanced technological tools are beginning to make it possible to measure and monitor employees as never before, with the promise of fundamentally changing how we work - along with raising concerns about privacy and the specter of unchecked surveillance in the workplace. Through these new means, companies have found, for example, that workers are more productive if they have more social interaction. So a bank's call center introduced a shared 15-minute coffee break, and a pharmaceutical company replaced coffee makers used by a few marketing workers with a larger cafe area. The result? Increased sales and less turnover. Yet the prospect of fine-grained, digital monitoring of workers' behavior worries privacy advocates. Companies, they say, have few legal obligations other than informing employees. "Whether this kind of monitoring is effective or not, it's a concern," said Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation in San Francisco. Sociometric Solutions is already working with 20 companies in the banking, technology, pharmaceutical and health care industries, involving thousands of employees. The workers must opt in to have their data collected. Mr. Waber's company signs a contract with each one guaranteeing that no individual data is given to the employer (only aggregate statistics) and that no conversations are recorded. "Privacy policy," Mr. Waber said, "is going to have to deal with the workplace and not just the consumer issues." The payoff for well-designed workplace monitoring, Mr. Waber said, can be significant. The underlying theme of human dynamics research is that people are social learners, so arranging work to increase productive face-to-face communication yields measurable benefits. For example, the company studied workers in Bank of America call centers and observed that those in tightknit communications groups were more productive and less likely to quit. To increase social communication, the shared 15-minute coffee break was introduced to the daily routine. Afterward, call-handling productivity increased more than 10 percent, and turnover declined nearly 70 percent, Mr. Waber said. Mr. Waber's company also provided the data-guided insight to help the pharmaceutical company increase sales with its new cafe area. At a tech company, his company found, workers who sat at larger tables in the cafeteria, thus communicating more, were more productive than workers who sat at smaller tables. Bryan Koop, a commercial office developer who has worked with Sociometric Solutions, points to the potential for more scientifically designed work environments. There are current fashions in office design, he said, that are assumed to increase productivity, like stationing workers at communal bench-style tables and constructing work cubicles with lower dividers. "We don't know if those tactics work," Mr. Koop said. "What we're starting to see is the ability to quantitatively measure things instead of just going by intuition."

top

State Department issues ITAR advisory opinion on cloud computing (Hogan Lovells, 24 June 2014) - In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called "tokenization" to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took "sufficient means" to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing. The requesting company has posted a redacted version of the advisory opinion here, and the State Department has posted its clarification of the opinion - emphasizing the narrow scope of the opinion and taking issue with the company's initial press release characterizing the opinion - here. Given the agency's public objection to the company's original interpretation of the advisory opinion, exporters that use cloud-based services will need to continue to be very cautious about the storage of ITAR data on cloud-based servers and should consider seeking guidance from the State Department on these issues. [ Polley : Roland Trope spotted this caveat in the advisory opinion: "The advisory opinion is not intended to imply that 'sufficient means' to accomplish the requisite assurance levels exists today technologically, nor does it suggest that tokenization by itself could achieve that end". Interesting.]

top

Did the Justices really understand Aereo? (LA Times editorial, 25 June 2014) - In siding with broadcasters against Aereo, a pay-TV service that lets subscribers watch local stations through the Internet, the Supreme Court resorted to a simple principle: If it looks like a duck and walks like a duck, the law should treat it as a duck, no matter what kind of creature it is. But in doing so, the court threw a legal shadow over a slew of other tech-driven companies. Writing for the court's majority, Justice Stephen G. Breyer pooh-poohed the technological distinctions between Aereo and cable TV. But as dissenting Justice Antonin Scalia observed, the majority glossed over a crucial detail: Aereo may be providing the equipment, but its customers are the ones transmitting the programs. By shifting responsibility for those transmissions to Aereo because it "looks like cable," Scalia wrote, the court threw into doubt a long-settled principle that technology providers don't violate copyrights just by enabling others to do so.

top

Over NSA worries, Germany ends government contract with Verizon (ArsTechnica, 26 June 2014) - Germany has opted not to renew its government contract with Verizon, citing concerns over spying by the National Security Agency. The contract will expire in 2015, and the move marks a rare concrete step from Berlin following the October 2013 revelations that the NSA was spying on Chancellor Angela Merkel. In a German-language statement (Google Translate) posted to the Ministry of the Interior's website, Berlin noted that it needs "an infrastructure with an increased level of security." Verizon has maintained the contract since 2010. "There are indications that Verizon is legally required to provide certain things to the NSA, and that's one of the reasons the cooperation with Verizon won't continue," Interior Ministry spokesman Tobias Plate told reporters, according to the Associated Press.

Law firms' own employees are among the major cyberthreats to be protected against (ABA Journal, 1 July 2014) - Law firms face an array of cyberthreats from foreign governments, competitors and hackers. And then there's the threat that has always existed in the offline world, but has migrated online: inside jobs - or what cybersecurity experts call extrusion. That threat comes from firm employees who may be disgruntled or who want to make a quick buck from selling private information. While there's no such thing as 100 percent protection against extrusion, to guard against it experts recommend tight background checks, formal written policies, perpetual vigilance, appropriate attention to technical considerations, and striking a balance between security and usability of the firm's files and data. While inside jobs may not be common, they do happen, says Edwin Reeser, an Altadena, California, sole practitioner who writes about law management issues. To start with, firms must perform background reviews and make judgments about a potential employee's reliability during the hiring process, says Alan Charles Raul, a Washington, D.C., partner at Sidley Austin and author of a chapter in The ABA Cybersecurity Handbook. "You need intake scrutiny," he says. Writing and disseminating formal policies helps ensure that honest personnel know to be aware of and report any suspicious activity, Raul says. Those policies should make clear that firms have the right to monitor their networks to enforce compliance and prevent wrongdoing, and that no expectation of privacy should exist in the use of the firm's network. "The formal, written policies are not necessarily going to deter the renegade," he says. "But by sensitizing all the honest employees, you do make the environment less hospitable for dishonest employees." [ Polley : I was co-editor of the mentioned Handbook, which is an ABA best-seller. The ABA is about to launch a follow-on cybersecurity curriculum for lawyers and law firms.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

"Digital Evidence and the New Criminal Procedure" - 10 Years Later (Orin Kerr, 27 June 2014) - In Riley v. California, handed down on Wednesday, the Supreme Court blessed the creation of new Fourth Amendment rules to account for the new facts of computer search and seizure. In light of Riley, I hope readers won't mind me reposting an article that I first noted here at the blog a decade ago: Digital Evidence and the New Criminal Procedure, 105 Colum. L. Rev. 279 (2005). When I circulated a draft of this essay in 2004, some colleagues suggested that it was over-the-top to make the grand claim that computers would lead to a new set of criminal procedure rules. Helpful for law review placement, sure. But awfully unlikely to happen. A decade later, thanks to cases like Riley and Ganias, I'm hoping that the article comes off more as prescient than foolish. A bit dated, as a decade is like a century in Internet time. But hopefully more prescient than foolish. The abstract: This essay shows how existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence. It predicts that new rules of criminal procedure will evolve to regulate digital evidence investigations, and offers preliminary thoughts on what those rules should look like and what institutions should generate them. This Essay explores the dynamics of computer crime investigations and the new methods of collecting electronic evidence. It contends that the new dynamics demonstrate the need for procedural doctrines designed specifically to regulate digital evidence collection. The rules should impose some new restrictions on police conduct and repeal other limits with an eye to the new social and technological practices that are common to how we use and misuse computers. Further, the Essay suggests that we should look beyond the judiciary and the Fourth Amendment for the source of these new rules. While some changes can and likely will come from the courts, many more can come from legislatures and executive agencies that can offer new and creative approaches not tied directly to our constitutional traditions.

Notebooks to dial up built-in phones (CNET, 18 Feb 2004) -- Toward the end of the year, more people will be talking to their notebooks. Manufacturers plan to start selling notebooks with integrated Voice over Internet Protocol (VoIP) this year and plan later to offer notebooks with built-in cell phone capabilities, Anand Chandrasekher, vice president and general manager of the Intel Mobile Platforms Group, said in an interview. The phone module will also let people review incoming e-mail and calendar information while the notebook remains in sleep state. Thematically, these additional communications features are termed Extended Mobile Access (EMA).

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.