Saturday, February 10, 2018

MIRLN --- 21 Jan - 10 Feb 2018 (v21.02)

MIRLN --- 21 Jan - 10 Feb 2018 (v21.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | RESOURCES | LOOKING BACK | NOTES

The NSA knows who you are just by the sound of your voice-and their tech predates Apple and Amazon (CNBC, 20 Jan 2018) - For technology users who have marveled at the ability of Siri or Alexa to recognize their voice, consider this: The National Security Agency has apparently been way ahead of Apple or Amazon. The agency has at its disposal voice recognition technology that it employs to identify terrorists, government spies, or anyone they choose - with just a phone call, according to a report by The Intercept. The disclosure was revealed in a recently published article, part of a trove of documents leaked by former NSA contractor Edward Snowden. The publication wrote that by using recorded audio, the NSA is able to create a "voiceprint," or a map of qualities that mark a voice as singular, and identify the person speaking. The documents also suggest the agency is continuously improving its speech recognition capabilities, the publication noted. According to a classified memo obtained by The Intercept, the agency has employed this technology since at least 2006, with the document referencing technology "that identifies people by the sound of their voices." In fact, the NSA used such technology during Operation Iraqi Freedom, when analysts were able to verify audio thought to be of Saddam Hussein speaking. It suggests that national security operatives had access to high-level voice technology long before Amazon, Apple and Google's solutions became cultural touchstones. A "voiceprint" is "a dynamic computer model of the individual's vocal characteristics," the publication explained, created by an algorithm analyzing features like pitch and mouth shape. Then, using the NSA's formidable bank of recorded audio files, the agency is able to match the speaker to an identity.

From public Wi-Fi to encrypted emails, NY panel probes security of lawyer communications (NY Law Journal, 23 Jan 2018) - What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer? Those scenarios could put lawyers-and their clients-at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association's annual conference in Manhattan. One takeaway from the discussion, which was centered around data security in an attorney's day-to-day practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information. Encryption is often "client dictated," not law firm-driven, said panelist James Bernard, a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said. * * * Another panelist, Karen Peters, a former presiding justice of the Appellate Division, Third Department, said an attorney's ethical obligations vary depending on the firm. "Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentiality of client data is a much higher obligation," said Peters, noting that such a firm's clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate's Court work.

Your sloppy Bitcoin drug deals will haunt you for years (Wired, 26 Jan 2018) - Perhaps you bought some illegal narcotics on the Silk Road half a decade ago, back when that digital black market for every contraband imaginable was still online and bustling. You might already regret that decision, for any number of reasons. After all, the four bitcoins you spent on that bag of hallucinogenic mushrooms would now be worth about as much as an Alfa Romeo. But one group of researchers wants to remind you of yet another reason to rue that transaction: If you weren't particularly careful in how you spent your cryptocurrency, the evidence of that drug deal may still be hanging around in plain view of law enforcement, even years after the Silk Road was torn off the dark web. Researchers at Qatar University and the country's Hamad Bin Khalifa University earlier this week published findings that show just how easy it may be to dredge up evidence of years-old bitcoin transactions when spenders didn't carefully launder their payments. In well over 100 cases, they could connect someone's bitcoin payment on a dark web site to that person's public account. In more than 20 instances, they say, they could easily link those public accounts to transactions specifically on the Silk Road, finding even some purchasers' specific names and locations.
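The linking the researchers describe rests on the fact that a public ledger never forgets: an address someone once posted under their own name can be tied, through transactions that co-spend inputs, to an address that paid a known marketplace. The following is an added example, not code from the Wired piece or from the Qatar study, showing the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner) applied to constructed sample transactions. The transaction ids, addresses, forum attributions and marketplace address list are all made up for the illustration.

```python
"""Added example: link a publicly attributed bitcoin address to a payment
made to a known marketplace address, using the common-input-ownership
heuristic. All data below is constructed for the illustration."""
from collections import defaultdict

# Constructed transactions: (txid, input addresses, output addresses).
# tx1 spends A1 and A2 together and pays marketplace address M1 (A3 is change).
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], ["M1", "A3"]),
    ("tx2", ["A3"], ["A4"]),
    ("tx3", ["B1"], ["M2", "B2"]),
    ("tx4", ["C1", "C2"], ["C3"]),
]
# Constructed "public" attributions: addresses someone posted under a handle.
PUBLIC_ADDRESSES = {"A2": "forum_user_alice", "C1": "forum_user_carol"}
# Constructed set of addresses known to belong to a dark-web marketplace.
MARKET_ADDRESSES = {"M1", "M2"}


class UnionFind:
    """Disjoint-set structure used to merge addresses into wallet clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: every input of one transaction is
    assumed to be controlled by the same wallet, so merge them."""
    uf = UnionFind()
    for _txid, inputs, _outputs in txs:
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    return uf


def same_owner(uf, a, b):
    """True if the heuristic places a and b in the same wallet cluster."""
    return uf.find(a) == uf.find(b)


def link_identities(txs, public, market):
    """Return (handle, txid, market_address) for every marketplace payment
    whose spending cluster contains a publicly attributed address."""
    uf = cluster_addresses(txs)
    handles_by_cluster = defaultdict(set)
    for addr, handle in public.items():
        handles_by_cluster[uf.find(addr)].add(handle)
    links = []
    for txid, inputs, outputs in txs:
        paid = sorted(set(outputs) & market)
        if not paid:
            continue  # not a marketplace payment
        handles = handles_by_cluster.get(uf.find(inputs[0]), set())
        for handle in sorted(handles):
            for addr in paid:
                links.append((handle, txid, addr))
    return links


if __name__ == "__main__":
    for handle, txid, addr in link_identities(SAMPLE_TXS, PUBLIC_ADDRESSES, MARKET_ADDRESSES):
        print(f"{handle} paid marketplace address {addr} in {txid}")
```

Only tx1 is linked: alice's posted address A2 was co-spent with A1, and that transaction paid M1. The payment in tx3 reaches the marketplace too, but nothing ties B1 to a public identity, which is the "careful spender" case the article contrasts with. Change-address heuristics would extend the clusters further (A3 would join alice's wallet); they are deliberately left out here so the example shows the one rule it names.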

ICE is about to start tracking license plates across the US (The Verge, 26 Jan 2018) - The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to a contract finalized earlier this month. The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. "Like most other law enforcement agencies, ICE uses information obtained from license plate readers as one tool in support of its investigations," spokesperson Dani Bennett said in a statement. "ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database through this contract." While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like vehicle repossession agencies and other private groups. Vigilant also partners with local law enforcement agencies, often collecting even more data from camera-equipped police cars. The result is a massive vehicle-tracking network generating as many as 100 million sightings per month, each tagged with a date, time, and GPS coordinates of the sighting.

First 'Jackpotting' attacks hit US ATMs (Krebs on Security, 27 Jan 2018) - ATM "jackpotting" - a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand - has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States. To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics - often a combination of both - to control the operations of the ATM. The Secret Service alert explains that the attackers typically use an endoscope - a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body - to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM's computer. "Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers," reads the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash. "In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds," the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert.
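The alert gives an operator two usable detection signals: the machine shows Out of Service while it is dispensing, and the dispense rate (40 bills every 23 seconds) is far beyond any customer withdrawal pattern. The following is an added example, not from the Krebs article or the Secret Service alert, that runs that logic over a constructed ATM event log. The log format (`event=STATUS`, `event=DISPENSE`, `session=`) and the ATM identifiers are invented for the example; a real deployment would map the same checks onto the terminal's own journal or switch logs.

```python
"""Added example: flag jackpotting-style dispensing in a constructed ATM
event log. The log format and terminal ids are hypothetical."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. ATM-0417 goes Out of Service and then dispenses
# 40 bills every 23 seconds with no customer session, matching the alert's
# description; ATM-0088 shows ordinary in-service withdrawals.
SAMPLE_LOG = """\
2018-01-27T02:14:03 atm=ATM-0417 event=STATUS state=OUT_OF_SERVICE
2018-01-27T02:14:10 atm=ATM-0417 event=DISPENSE bills=40 session=none
2018-01-27T02:14:33 atm=ATM-0417 event=DISPENSE bills=40 session=none
2018-01-27T02:14:56 atm=ATM-0417 event=DISPENSE bills=40 session=none
2018-01-27T02:15:19 atm=ATM-0417 event=DISPENSE bills=40 session=none
2018-01-27T09:02:11 atm=ATM-0088 event=STATUS state=IN_SERVICE
2018-01-27T09:02:40 atm=ATM-0088 event=DISPENSE bills=5 session=S12345
2018-01-27T09:07:02 atm=ATM-0088 event=DISPENSE bills=10 session=S12346
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) atm=(?P<atm>\S+) event=(?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Parse the hypothetical key=value log into dicts sorted by timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.fromisoformat(m["ts"]), "atm": m["atm"], "event": m["event"]}
        for key, val in KV_RE.findall(m["rest"]):
            ev[key] = int(val) if val.isdigit() else val
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_jackpotting(events, window=timedelta(seconds=60), max_bills=100):
    """Return (atm, iso timestamp, reasons) for each suspicious dispense.

    Three checks, each a reason string:
      - dispense while the terminal reports OUT_OF_SERVICE
      - dispense with no customer session attached
      - more than max_bills dispensed within the sliding window
    The window threshold is an assumed tuning value for the example."""
    state = {}                      # atm -> last reported state
    recent = defaultdict(deque)     # atm -> (ts, bills) inside the window
    alerts = []
    for ev in events:
        if ev["event"] == "STATUS":
            state[ev["atm"]] = ev["state"]
            continue
        if ev["event"] != "DISPENSE":
            continue
        reasons = []
        if state.get(ev["atm"]) == "OUT_OF_SERVICE":
            reasons.append("dispense while out of service")
        if ev.get("session", "none") == "none":
            reasons.append("dispense without customer session")
        q = recent[ev["atm"]]
        q.append((ev["ts"], ev["bills"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        total = sum(b for _, b in q)
        if total > max_bills:
            reasons.append(f"{total} bills in {int(window.total_seconds())}s")
        if reasons:
            alerts.append((ev["atm"], ev["ts"].isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for atm, ts, reasons in find_jackpotting(parse(SAMPLE_LOG)):
        print(f"{ts} {atm}: {'; '.join(reasons)}")
```

On the sample log every ATM-0417 dispense is flagged on the state and session checks, and the rate check adds a reason from the third dispense on (120 bills in under a minute). The ordinary ATM-0088 withdrawals produce nothing. Either of the first two checks alone is a strong signal; the rate check catches a variant that forges an in-service status.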

Arizona bar accuses libel lawyers of suing fake defendants (Volokh Conspiracy, 29 Jan 2018) - Friday, the Arizona State Bar filed a disciplinary complaint accusing two lawyers of filing libel lawsuits against fake defendants. Why would anyone do such a thing, you might ask? How can you get real money (or real compliance with an injunction) from a fake defendant? Well, say you think some people are libeling you online. You try to get them to take down the libelous material, but you can't find them, or they refuse. You try to get the hosting site to delete the material, but it refuses. (Under the federal 47 U.S.C. § 230 statute, such intermediaries can refuse without fear of liability.) So you e-mail Google, and ask it to remove the page from Google's indexes, so that Google users won't see it. "We don't know whether it's actually libelous," Google responds, "and we aren't equipped to figure that out. But tell you what: You get a court order against the author that concludes the material is libelous, and then maybe we'll consider deindexing it." Now you, or the reputation management company you hired, can get a lawyer and bring that lawsuit. Many people do -- but it's time-consuming and very expensive. And maybe you'll lose: Maybe the defendant will defend, and will point out that the statement is just nonactionable opinion, or is factually accurate, or (what often happens) was written long enough ago that the statute of limitations runs. So you might be out the money, and without a remedy. That's where the fake-defendant lawsuits come in. Someone -- the plaintiff, the reputation management company, or the lawyer -- decides to file suit against a nonexistent defendant. The complaint is filed in court together with a stipulation from the "defendant" (actually filed by whoever is engineering this on the plaintiff's behalf) agreeing that the statement was false and defamatory, and agreeing to the entry of an injunction ordering the "defendant" to remove the statement. The court sees what appears to be agreement between the parties, and issues the injunction. In one such case, I saw the injunction issued a blazingly fast four days after the filing. Lovely! The only problem, of course, is that it's a fraud on the court.

Pentagon reviews GPS policies after soldiers' Strava tracks are seemingly exposed (NPR, 29 Jan 2018) - Locations and activity of U.S. military bases; jogging and patrol routes of American soldiers - experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava - which includes an option for keeping users' workout data private - published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. * * * Describing what he calls "a security nightmare for governments around the world," foreign policy columnist Jeffrey Lewis describes for The Daily Beast how he used the Strava data to explore a missile command center in Taiwan whose location is meant to be secret.
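The underlying failure is that an "aggregate" map still renders a cell that only one or two people ever ran through, so in a remote area the aggregate is the individual's route. The following is an added example, not Strava's code and not a description of how its Heat Map is actually built, showing the general mitigation: bucket GPS points into grid cells and publish only cells visited by at least k distinct users. The grid size, the user ids and the coordinates are constructed for the example.

```python
"""Added example: a heat map that suppresses cells with fewer than k
distinct contributors, run on constructed GPS traces. Grid size, users
and coordinates are all assumptions for the illustration."""
import math
from collections import defaultdict

CELL = 0.001  # grid cell in degrees (~100 m of latitude); assumed for the example

# Constructed traces: (user_id, lat, lon). Five users share one city loop;
# a single user runs a loop somewhere remote.
CITY_LOOP = [(40.7128, -74.0060), (40.7138, -74.0060), (40.7148, -74.0060)]
REMOTE_LOOP = [(36.2000, 117.3000), (36.2010, 117.3000), (36.2020, 117.3010)]
SAMPLE_POINTS = (
    [(f"u{i}", lat, lon) for i in range(1, 6) for lat, lon in CITY_LOOP]
    + [("solo", lat, lon) for lat, lon in REMOTE_LOOP]
)


def cell_of(lat, lon):
    """Map a coordinate to its grid cell."""
    return (math.floor(lat / CELL), math.floor(lon / CELL))


def heat_map(points):
    """Naive aggregate: number of GPS points per cell, every cell kept."""
    counts = defaultdict(int)
    for _user, lat, lon in points:
        counts[cell_of(lat, lon)] += 1
    return dict(counts)


def heat_map_k_anon(points, k):
    """Aggregate that keeps a cell only if at least k distinct users
    contributed to it, so no cell can be attributed to one person."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for user, lat, lon in points:
        c = cell_of(lat, lon)
        counts[c] += 1
        users[c].add(user)
    return {c: n for c, n in counts.items() if len(users[c]) >= k}


def cells_exposing(points, published, user):
    """Cells in a published map that only `user` ever visited: each one is
    a point on that user's route leaked by the map."""
    visitors = defaultdict(set)
    for u, lat, lon in points:
        visitors[cell_of(lat, lon)].add(u)
    return {c for c in published if visitors[c] == {user}}


if __name__ == "__main__":
    naive = heat_map(SAMPLE_POINTS)
    safe = heat_map_k_anon(SAMPLE_POINTS, k=3)
    print("naive map leaks", len(cells_exposing(SAMPLE_POINTS, naive, "solo")), "cells of solo's route")
    print("k=3 map leaks", len(cells_exposing(SAMPLE_POINTS, safe, "solo")), "cells of solo's route")
```

With k=3 the shared city loop survives (five contributors per cell) while every cell of the lone runner's route is dropped. The threshold trades coverage for privacy: raise it for regions where the contributor base is thin, which is exactly where bases and outposts tend to be.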

UK gov will fine infrastructure firms up to £17m for lax cybersecurity safeguards (The Inquirer, 29 Jan 2018) - The UK government has announced that it will fine critical infrastructure organisations up to £17m if they fail to implement appropriate cybersecurity safeguards. UK gov issued the warning over the weekend, telling bosses of energy, transport, water and health firms to boost their cyber security defences or risk being slapped with hefty fines under the incoming Network and Information Systems (NIS) directive. It said that, in the future, a regulator will be able to assess the cybersecurity infrastructure of the country's critical industries to ensure they're as robust "as possible". This regulator will have the power to issue legally-binding instructions to improve security, and - if appropriate - impose financial penalties, the government warned. The system will be aimed at ensuring that UK electricity, transport, water, energy, health and digital infrastructure firms are able to deal with cybersecurity threats. It will cover IT threats including power outages, hardware failures and environmental hazards. Under these measures, cybersecurity breaches and system failures such as WannaCry will fall under the NIS directive.

The shrinking half-life of knowledge, and what that means for KM (KnoCo, 30 Jan 2018) - When John Browne was CEO at BP, he talked about "the shrinking half-life of ideas". This always struck me as a very interesting concept; one which was fundamental to Browne's approach to corporate KM. I have since found that he was quoting an older idea from 1962 concerning the shrinking half-life of Knowledge, which has now been popularised and explored by Sam Arbesman (see video) among others. The idea of a half-life comes from nuclear physics, and originally applied to the decay of radioactive nuclei. In knowledge terms it refers to the observation that, as this article tells us: "What we think we know changes over time. Things once accepted as true are shown to be plain wrong. .... But what's really interesting is that studies of the frequency of citations of scientific papers show they become obsolete at a predictable rate. Just as with radioactive decay, you can't tell when any one 'fact' will reach its expiry date, but you can predict how long it will take for half the facts in any discipline to do so. In medicine, for example, 'truth' seems to have a 45-year half-life. Some medical schools teach students that, within a few years, half of what they've been taught will be wrong - they just don't know which half. In mathematics, the rate of decay is much slower: very few accepted mathematical proofs get disproved." Not all knowledge has a short half-life - sometimes the knowledge is linked to the technology, and if you are running a nuclear power station using 1960s control software, then the half-life of the knowledge of the software has to exceed the life of the power station. However in most other areas, where knowledge is evolving and changing, and your competitive advantage lies (at least partly) in having the best and most valid knowledge, then hanging on to old knowledge which is past its half-life can be competitively dangerous. And the faster the speed of change, the shorter the half-life of knowledge and the greater the danger of using obsolete knowledge. Where knowledge has a short half-life, Knowledge Management is not so much about documenting and protecting "what you know", it is about how fast you can know something new, and how easily you can let go of the old.

Inserting people into porn movies: The First Amendment textbook problem (2005) (Eugene Volokh, 31 Jan 2018) - I added this problem to the second edition of my First Amendment textbook back in 2005, and accounts suggest that it's now quite timely: Within ten or twenty years [of 2005], there will probably be consumer-usable software that can easily overlay people's photographs and voices onto movies that depict someone else. The program would automatically and seamlessly alter multiple scenes in which the character is shown from different angles, with different facial expressions, doing different things. (Of course, one can already do this in some measure with photos, but this hypothetical program would be much more sophisticated.) Naturally, many people, famous or not, will be unhappy knowing that they are depicted without their permission in others' home sex movies. Imagine that Congress therefore decides to prohibit the distribution and use of the computer program that allows such movies to be made. How would such a law be different for First Amendment purposes from normal obscenity legislation? Do you think the law should be upheld (even if that means changing First Amendment law), and on what grounds? If you think the law should be struck down, what about laws that: (1) prohibit the use of the software to make such pornographic movies without the photographed person's consent; (2) prohibit the noncommercial distribution of the movies, whether to a small group of friends or on the Internet; or (3) prohibit the commercial distribution of the movies? Don't limit yourself to considering whether such laws are constitutional under existing obscenity doctrine. Consider also whether you think there should be an obscenity exception at all, and whether you think it should be broader or narrower than it now is.

- and -

Personalized fake porn videos are now for sale on Reddit (Motherboard, 6 Feb 2018) - Until last week, people in Reddit's deepfakes community, which creates fake porn videos of celebrities using a machine learning algorithm, have been content to post their work for free, framing it as their hobby. But increasingly, they're taking the opportunity to make a buck off of nonconsenting women's likenesses, by selling face-swapped fake porn creations for cryptocurrency. In the weeks since we first reported on it, the r/deepfakes subreddit-home base for AI-generated fake porn videos, mostly of unconsenting celebrities-has exploded to more than 85,000 subscribers. One related subreddit, r/deepfakeservice, is dedicated to commissioning deepfake videos from other users. The pinned rules post includes guidelines for formatting requests and service offers: For requests, the seller would ask for a description of the video, price, what they need to work with (images of the celebrity needed to create the fake video), and how much time it will take. Where there's demand, there are people waiting to turn a profit. The subreddit has been up for about a week and has over 200 subscribers and a handful of requests. It raises the question: If trading fake porn videos for free exists in a legal gray area as we've reported, does putting a price tag on these videos change the game? [See also, Reddit bans 'involuntary porn' communities that trade AI-generated celebrity videos (Tech Crunch, 7 Feb 2018)]

Get to know the city of Detroit's propaganda arm (Metro Times, 31 Jan 2018) - Early this month, in the days after Detroit Mayor Mike Duggan said he'd be moving forward with a plan to require thousands of Detroit businesses to buy into a costly surveillance program intended to reduce crime, a sponsored post that looked favorably upon the program appeared at the top of our Facebook timeline. The linked content - "Inside the Real Time Crime Center, DPD's 24-hour monitoring station" - had all of the trappings of a news story. There was a headline, a byline, a mix of quotes and information. It was published at a site called "theneighborhoods.org," suggesting it may have been the work of a community news nonprofit. But the story was not journalism. It was written by the Detroit city government - more specifically, its "Storytelling" department. The department created by Duggan last year is believed to be the first of its kind in the nation. Staffed by six people, some of them former journalists, its primary objective is to populate a website and cable channel called "The Neighborhoods," which launched as Duggan was in the midst of a re-election effort that hinged on his ability to thwart perceptions he'd let the city's neighborhoods languish during his first term. The company line at the time was that the site would "give Detroiters and their neighborhoods a stronger voice," filling a void department head and "chief storyteller" Aaron Foley claimed traditional media hadn't. Five months in, the website appears to be fulfilling that mission - in part. The Neighborhoods' story grid is primarily composed of features on local businesses, notices on city services, and "things-to-do" listicles that include some neighborhood happenings. But the story posted Jan. 10 did not give Detroiters a "stronger voice" - it omitted their voices almost entirely. In covering the controversial and costly Project Green Light surveillance program following word of a possible mandate, the piece did not include the voices of Detroit business owners who might oppose being forced to buy the technology, nor did it provide quotes from any residents concerned about being filmed - it featured only voices from the law enforcement and counterterrorism intelligence communities. To the undiscerning reader, the report may have seemed innocuous. Project Green Light, a program in which businesses pay for cameras that stream video footage directly into Detroit police headquarters, is generally known for helping drive down crime where it's present. The Neighborhoods' story gave readers a glimpse into the Real Time Crime Center where the footage is streamed, and it supplied an anecdote in which police were able to quickly find and arrest a shooting suspect who was caught on tape. The story also did offer a few words about privacy concerns - though only to quickly shoot them down via an officer who said that if people were made to choose between protection and privacy, they'd choose protection. But the program has drawn criticism from the American Civil Liberties Union of Michigan, and business owners have questioned its benefits. Earlier this month we reported that the expensive technology doesn't appear to be helping stop crimes in progress, and that some business owners feel they benefit only from the perks of the system, which include "priority 1" police response times of 14 minutes. "It's more of a 'pay and we'll come or don't pay and we're not coming,'" Billy Jawad, who runs a gas station on 7 Mile and Meyers, told us. The Neighborhoods story overlooked these dynamics, but it also neglected to mention a glaring news peg. Just days earlier, Duggan had said "the votes in council are there" to pass a law that would require any business open past 10 p.m. to buy the technology - at a cost of at least $4,000, plus monthly fees of $140 and up. The proposal, which the city later said would not come for about a year, could impact up to 4,000 businesses, according to Crain's Detroit Business.

Google Search results to give 'diverse' answers (BBC, 31 Jan 2018) - Google says it will soon alter its Search tool to provide "diverse perspectives" where appropriate. The change will affect the boxed text that often appears at the top of results pages - known as a Snippet - which contains a response sourced from a third-party site. At present, Google provides only a single box but it will sometimes show multiple Snippets in the future. The change could help Google tackle claims it sometimes spreads lies. But one expert warned the move introduced fresh risks of its own. Google introduced Snippets into its search results in 2014, placing the boxed text below paid listings but above other links. The idea is to provide information that users want without them having to click through to another page. Google acknowledged at the time that "fact quality" would vary depending on the request. But it has been accused of providing "shockingly bad" information in some cases. Google offered a less controversial example of a problem, in a blog detailing its new approach. It said that when users asked if reptiles made "good pets" they were given several reasons why the answer was yes, but if they asked if the animals made "bad pets" they were given contradictory advice. It said this happened because its system was designed to favour content that aligned with the posed question, and suggested that offering different viewpoints would therefore be a better option. "There are often legitimate diverse perspectives offered by publishers, and we want to provide users visibility and access into those perspectives from multiple sources," wrote Matthew Gray, Google's Snippets chief.

Opinion warns against judges doing online research on facts related to cases (ABA Journal, Feb 2018) - In Formal Opinion 478, the ABA Standing Committee on Ethics and Professional Responsibility addresses the restrictions imposed by the 2007 ABA Model Code of Judicial Conduct on a judge searching the internet for information helpful in deciding a case. The ABA opinion concludes that Rule 2.9(C) of the Model Code prohibits a judge from researching adjudicative facts on the internet unless a fact is subject to judicial notice. Rule 2.9(C) clearly and definitively declares that "a judge shall not investigate facts in a matter independently, and shall consider only the evidence presented and any facts that may properly be judicially noticed." Acknowledging the integral part that search engines play in everyday life, Comment 6 to Rule 2.9 bluntly tells judges that the prohibition "extends to information available in all mediums, including electronic." While recognizing that the internet, including social networking sites, provides immediate access to a limitless amount of information potentially useful to a judge laboring over difficult case-specific factual issues, the recent ABA opinion highlights two important justifications for the prohibition against electronic factual research. First, information found on the web may be fleeting, biased, misleading and sometimes downright false. Second, unless the narrow judicial-notice exception applies, gathering even trustworthy information from the internet compromises the division of responsibility between the judge and the parties so essential to the proper functioning of the adversarial system. The committee emphasizes this point by describing the "defining feature" of the judicial role as a judge's duty to base decisions only on evidence presented in court and available to the parties. The limitations on independent factual research by judges are not solely a matter of judicial ethics. Rule 2.9(C) is one of the few provisions of the Model Code that integrates an evidentiary rule into an ethical standard. Rule 2.9(C) permits a judge to consider a fact from sources other than the evidence submitted by the parties as long as the judge abides by his or her jurisdiction's requirements for taking judicial notice of the fact. Incorporating a rule of evidence into an ethical rule complicates the analysis because, as noted by the committee, judicial notice standards and procedures vary significantly from jurisdiction to jurisdiction. To illustrate how Rule 2.9(C) and the doctrine of judicial notice interface, the committee examines Federal Rule of Evidence 201, which governs judicial notice. * * *

Freedom of the Press Foundation will preserve Gawker's archives (Tech Crunch, 1 Feb 2018) - Gawker's posts will be captured and saved by the non-profit Freedom of the Press Foundation, following a report that venture capitalist Peter Thiel wants to buy its remaining assets, including archived content and domain names. Thiel bankrolled the lawsuit that led to Gawker's bankruptcy and eventual shutdown in 2016. In a blog post, Parker Higgins, the Freedom of the Press Foundation's director of special projects, said it is launching an online archive collection with Archive-It, a service developed by the Internet Archive (the non-profit that runs the Wayback Machine). The archive will focus on preserving the entire sites of "news outlets we deem to be especially vulnerable to the 'billionaire problem,'" Higgins wrote. Higgins wrote that by archiving news sites, the Freedom of the Press Foundation "seek[s] to reduce the 'upside' for wealthy individuals and organizations who would eliminate embarrassing or unflattering coverage by purchasing outlets outright. In other words, we hope that sites that can't simply be made to disappear will show some immunity to the billionaire problem." Archive-It crawls and stores copies of webpages at specific times and is used by universities, libraries, museums and other organizations to preserve sites they consider important historic documents. For example, UCLA used it to archive sites related to the Occupy Wall Street protests, while the Internet Archive made a collection of sites, news coverage, blog entries and documents about the Wikileaks releases. The Freedom of the Press Foundation has already used Archive-It to capture the LA Weekly after it was acquired by Semenal Media, which originally tried to keep the identity of its owners secret, and then fired most of the newspaper's editorial staff. Preserved content from Gawker will appear in the Freedom of the Press Foundation's collection, as well as on the Wayback Machine. [See also, Archiving the alternative press threatened by wealthy buyers (Freedom of the Press Foundation, 31 Jan 2018)]

A cybersecurity tip sheet for U.S. campaign officials is gaining traction, usage in field (CyberScoop, 1 Feb 2018) - A prominent nonprofit research organization has begun distributing tip sheets to campaign officials in an effort to safeguard the 2018 midterm elections from hackers. Alison Lundergan Grimes, Kentucky's secretary of state, and Mac Warner, West Virginia's secretary of state, are now sharing the "Cybersecurity Campaign Playbook" with candidates seeking office in their states. Kentucky and West Virginia represent the first two states in the country to distribute and leverage these guidelines. The playbook was created by Defending Digital Democracy (DDD) - a bipartisan initiative focused on providing tools and strategies to protect the democratic process from cyberattacks. The initiative was launched last summer at the Belfer Center for Science and International Affairs at Harvard Kennedy School. It is led by two former campaign managers who were involved in leading failed presidential campaigns for 2016 Democratic candidate Hillary Clinton and 2012 Republican candidate Mitt Romney, respectively. The DDD playbook is intended for campaigns that don't have the means to hire professional cybersecurity staff. The recommendations are supposed to be easily digestible for people without technical training. The document was created with the goal of providing political campaigns, candidates and their staff with the basic information to prevent digital attacks. It will be used to "provide campaign operatives with bipartisan and commonsense steps on cybersecurity," Colin Reed, senior vice president of public affairs at DDD, told CyberScoop.

3 million Americans live in higher education deserts (InsideHigherEd, 2 Feb 2018) - Roughly three million Americans live more than 25 miles from a broad-access public college and do not have the sort of high-speed internet connection necessary for online college programs, according to a report from the Urban Institute's education policy program. The institute used data from the U.S. Department of Education and the Federal Communications Commission to identify these education "deserts," cross-referencing that information with data from the Census Bureau to determine who lives in them. The report found that 17.6 million adults live in a physical higher education desert, with 3.1 million (1.3 percent of adults in the U.S.) lacking access to online and physical college programs. The report also tracked the demographics of people who live in education deserts. "This study demonstrates what many Native Americans, rural Americans and other Americans living in education deserts already know: the internet has not untethered all of us from our geographic locations," said the report. "As long as broadband access depends on geography, place still plays an important role in access to higher education."

NIST issues "Blockchain Technology Overview" (Ride The Lightning, 5 Feb 2018) - The National Institute of Standards and Technology (NIST) has issued a report titled "Blockchain Technology Overview." The report is intended to provide a high-level technical overview and discusses the application of blockchain technology to electronic currency in depth as well as broader applications. "We want to help people understand how blockchains work so that they can appropriately and usefully apply them to technology problems," said NIST computer scientist Dylan Yaga, who is one of the authors of the report. "It's an introduction to the things you should understand and think about if you want to use blockchain." According to Yaga, blockchain technology is a powerful new paradigm for business. "Because the market is growing so rapidly, several stakeholders, customers and agencies asked NIST to create a straightforward description of blockchain so that newcomers to the marketplace could enter with the same knowledge about the technology," according to the NIST press release. The NIST draft report is open to public comments from January 24 to February 23, 2018. top

Businesses with Apple and Cisco products may now pay less for cybersecurity insurance (Tech Crunch, 5 Feb 2018) - Apple and Cisco announced this morning a new deal with insurer Allianz that will allow businesses with their technology products to receive better terms on their cyber insurance coverage, including lower deductibles - or even no deductibles, in some cases. Allianz said it made the decision to offer these better terms after evaluating the technical foundation of Apple and Cisco's products, like Cisco's Ransomware Defense and Apple's iPhone, iPad and Mac. Allianz found Apple and Cisco's products offered businesses a "superior level of security," Apple said in its own announcement about the new deal. The new cyber security insurance solution will involve Aon's cyber security professionals assessing potential customers' current cyber security situation and recommendations on how to improve their defenses. And participating organizations will have access to Cisco and Aon's Incident Response teams in the event of a malware attack. top

An 'iceberg' of unseen crimes: Many cyber offenses go unreported (NYT, 5 Feb 2018) - Utah's chief law enforcement officer was deep in the fight against opioids when he realized that a lack of data on internet sales of fentanyl was hindering investigations. So the officer, Keith D. Squires, the state's public safety commissioner, created a team of analysts to track and chronicle online distribution patterns of the drug. In Philadelphia, hidebound ways of confronting iPhone thefts let thrive illicit networks to distribute stolen cellphones. Detectives treated each robbery as an unrelated street crime - known as "apple picking" - rather than a vast scheme with connected channels used by thieves to sell the stolen phones. And in Nashville, investigators had no meaningful statistics on a nasty new swindle of the digital age: the "cheating husband" email scheme. In it, anonymous extortionists mass-email large numbers of men, threatening to unmask their infidelities. The extortionists have no idea if the men have done anything wrong, but enough of them are guilty, it turns out, that some pay up, sometimes with Bitcoin. Each case demonstrates how the tools used to fight crime and measure crime trends in the United States are outdated. Even as certain kinds of crimes are declining, others are increasing - yet because so many occur online and have no geographic borders, local police departments face new challenges not only fighting them, but also keeping track of them. Politicians often promote crime declines without acknowledging the rise of new cybercrimes. Many of the offenses are not even counted when major crimes around the nation are tallied. Among them: identity theft; sexual exploitation; ransomware attacks ; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas. 
In a sense, technology has created an extraordinary moment for industrious criminals, increasing profits without the risk of street violence. Digital villainy can be launched from faraway states, or countries, eliminating physical threats the police traditionally confront. Cyberperpetrators remain unknown. Law enforcement officials, meanwhile, ask themselves: Who owns their crimes? Who must investigate them? What are the specific violations? Who are the victims? How can we prevent it? top

The NYT debuts its first augmented reality-enhanced story on iOS (Tech Crunch, 6 Feb 2018) - Apple's investment in AR technologies has been ushering in a new wave of apps , from those that let you perform more practical tasks - like visualizing furniture placement in rooms - to those with mass consumer appeal - like AR gaming, including Niantic's upcoming Harry Potter: Wizards Unite . But AR can also be used to create unique experiences within more traditional apps, too, as The New York Times is showcasing with today's launch of its first-ever AR experiment for storytelling . In The NYT's iOS app for iPhone and iPad, the company is debuting its first AR-enabled article, offering a preview of the Winter Olympics . The article focuses on top Olympic athletes, including figure skater Nathan Chen, snowboarder Anna Gasser, short track speed skater J.R. Celski, and hockey goalie Alex Rigsby. In the app, NYT readers can view the athletes appear in the room beside them, zoom in and out, and walk around in 360 degrees to see them from every side. This lets you get up close and personal with the Olympians, where you're able to see things like how high Chen's skates are off the ice when performing a jump, the offset of Celski's skates, or how far open Alex Rigsby's glove is when making a save. * * * [ Polley : quite impressive - the athletes appear in high-def, right in the middle of my living room; they're frozen in time, and I can walk entirely around them, and approach/back-away to see more detail, close-up. Impressive.] top

An AI that reads privacy policies so that you don't have to (Wired, 9 Feb 2018) - You don't read privacy policies. And of course, that's because they're not actually written for you, or any of the other billions of people who click to agree to their inscrutable legalese. Instead, like bad poetry and teenagers' diaries, those millions upon millions of words are produced for the benefit of their authors, not readers-the lawyers who wrote those get-out clauses to protect their Silicon Valley employers. But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an artificial intelligence that's fluent in fine print. Today, researchers at Switzerland's Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of Polisis -short for "privacy policy analysis"-a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any online service's privacy policy , so you don't have to. In about 30 seconds, Polisis can read a privacy policy it's never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis' creators have also built a chat interface they call Pribot that's designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight. "What if we visualize what's in the policy for the user?" asks Hamza Harkous, an EPFL researcher who led the work, describing the thoughts that led the group to their work on Polisis and Pribot. "Not to give every piece of the policy, but just the interesting stuff... 
What if we turned privacy policies into a conversation?" Plug in the website for Pokemon Go, for instance, and Polisis will immediately find its privacy policy and show you the vast panoply of information that the game collects, from IP addresses and device IDs to location and demographics, as well as how those data sources are split between advertising, marketing, and use by the game itself. It also shows that only a small sliver of that data is subject to a clear opt-in consent. (See how Polisis lays out those data flows in the chart below.) Feed it the website for DNA analysis app Helix, and Polisis shows that health and demographic information is collected for analytics and basic services, but, reassuringly, none of it is used for advertising and marketing, and most of the sensitive data collection is opt-in. top

RESOURCES

SEC Cybersecurity Guidelines: Insights Into the Utility of Risk Factor Disclosures for Investors (ABA Business Law Section, Jan 2018) - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign. top

The Cyberlaw Guide to Protest Art: Roadmap (Harvard Berkman/Klein, 22 Jan 2018) - Art plays a significant role in American democracy. Across the political spectrum, protest art - posters, songs, poems, memes, and more - inspires us, gives us a sense of community, and provides insight into how others think and feel about important and often controversial issues. While protest art has been part of our culture for a very long time, the Internet and social media have changed the available media and the visibility of protest artists. Digital technologies make it easy to find existing works and incorporate them into your own, and art that goes viral online spreads faster than was ever possible in the analog world. Many artists find the law that governs all of this unclear in the physical world, and even murkier online. The authors of this guide are a collection of lawyers and creative folks. We have seen how the law can undermine artists, writers, and musicians when they're caught unaware, and distract them from the work they want to do. But we've also observed how savvy creators use the law to enhance their work and broaden their audiences. This guide is intended to ensure that you, the reader, can be one of the savvy ones. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Sharper aerial pictures spark privacy fears (The Guardian, 24 Jan 2008) - If you were up to no good in the London open air last winter, start working up excuses: you might be on the web. This week, a company launches an online map of central London which includes aerial photography at four times the resolution of existing online maps: the equivalent of looking down from the 10th floor. The map, from 192.com, publishes aerial photography at a resolution of 4cm for London and 12.5cm for the rest of the UK. In the right conditions, images at this resolution are enough to identify individuals - a step that existing online mapping ventures such as Google Earth and Microsoft's Virtual Earth have so far been careful to avoid. Alastair Crawford, 192's chief executive, makes no apologies for the possibilities: "We're considering holding a competition. We want to challenge people to find out how much naughty stuff is happening. If you're having an affair in London, you'd better be careful!" The mapping venture is likely to heat up the debate about the extent to which information about individuals is available on the web - especially as 192.com, which specialises in providing data about individuals gleaned from official sources has announced plans to attach estimated ages to every person in its database of 27 million Britons. top

GOP halts effort to retrieve White House e-mails (Washington Post, 27 Feb 2008) - After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel's chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration - including many sent or received by former presidential adviser Karl Rove - will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it "has no intention of trying to restore the missing White House e-mails." "The result is a potentially enormous gap in the historical record," Waxman said, including the buildup to the Iraq war. Spokesman Danny Diaz said in a statement that the RNC "is fully compliant with the spirit and letter of the law." He declined further comment. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, January 20, 2018

MIRLN --- 1-20 Jan 2018 (v21.01)

MIRLN --- 1-20 Jan 2018 (v21.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | RESOURCES | LOOKING BACK | NOTES

FERC proposes rule to expand cyber incident reporting (Fifth Domain, 28 Dec 2017) - The Federal Energy Regulatory Commission wants to expand cyber incident reporting requirements to include any time an adversary attempts to break into an energy company's networks, rather than only those that compromise the company's critical operations. "The proposed development of modified mandatory reporting requirements is intended to improve awareness of existing and future cyber security threats and potential vulnerabilities." At the crux of the proposed rule is the question of what defines a "reportable cyber incident" in the energy industry. According to the current CIP reliability standards, a cyber incident must disrupt core processes in order to be considered critical. "Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity's core activities are not subject to the current reporting requirements," the proposed rule said. This definition may also leave out cyberattacks designed to steal information or create openings for a future, large scale hack, meaning that incident reports would not give early warning by recording that activity. The new rule was proposed after the Foundation for Resilient Societies filed a petition on January 13, 2017, that FERC institute a rule requiring an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System. top

- and -

SEC plans cybersecurity guidance refresh: What to expect (Data Breach Today, 29 Dec 2017) - The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors. The agency has indicated that it expects to refine guidance around how businesses disclose cybersecurity risks to investors as well as require insider trading programs to include blackout rules in the event that a suspected data breach gets discovered (see Report: SEC Plans Breach Reporting Guidance Refresh ). "Unfortunately, in the reality that we live in now, cyber breaches are going to be increasingly common, and this is in part why the SEC is so fully focused on cybersecurity," says Matt Rossi, a former assistant chief litigation counsel to the SEC who's now an attorney specializing in securities litigation and enforcement as well as data privacy at global law firm Mayer Brown. "Chairman [Jay] Clayton said it's one of the greatest risks to the financial system right now." Indeed, in September, Clayton signaled to a Senate banking committee that companies would be required to disclose more cybersecurity information to investors in a timely manner (see SEC Chair Wants More Cyber Risk Disclosure From Public Firms ). His remarks, ironically, followed the SEC having failed to publicly disclose its own major breach for 16 months (see Hackers May Have Traded on Stolen SEC Data ). In November, meanwhile, William Hinman, the SEC's director of corporation finance, signaled that the regulator's cybersecurity guidance , first issued on Oct. 13, 2011, wouldn't be overhauled but rather amended with some new requirements, such as how breach information gets disclosed internally and escalated to senior management (see Report: SEC Plans Breach Reporting Guidance Refresh ). 
With the refresh, Rossi says businesses should expect to have to disclose more cyber risks, refine their insider trading policies and prove that they're taking information security seriously. top

Zero-width [fingerprinting] characters (Zach Aysan, 30 Dec 2017) - Journalists watch out-you may be unintentionally revealing sources. In early 2016 I realized that it was possible to use zero-width characters, like zero-width non-joiner or other zero-width characters like the zero-width space to fingerprint text. Even with just a single type of zero-width character the presence or non-presence of the non-visible character is enough bits to fingerprint even the shortest text. We're​ not the​ same text, even though we look the same. We're not the same​ text, even though we look the same. Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text. They're often not even visible in contexts where software experts would expect them to be, like on a programming terminal. I also realized that it is possible to use homoglyph substitution (e.g., replacing the letter "a" with its Cyrillic counterpart, "а"), but I dismissed this as too easy to detect due to the differences in character rendering across fonts and systems. However, differences in dashes (en, em, and hyphens), quotes (straight vs curly), word spelling (color vs colour), and the number of spaces after sentence endings could probably go undetected due to their frequent use in real text. With increased effort, synonyms (huge vs large vs massive) can also be used, though it would require some manual setup because words lack single definitions (due to homonyms) and in some contexts would be easier to detect since differing word lengths may cause sentences to wrap differently across documents. * * * After discovering these techniques I shared them with some friends to try to help track down a cyber criminal which they thought might be an insider threat (it wasn't, it was just a normal blackhat hacker). Then the White House started leaking like an old hose, so I continued to keep quiet. 
The reason I'm writing about this now is that it appears both homoglyph substitution and zero-width fingerprinting have been discovered by others, so journalists should be informed of the existence of these techniques. If your news organization has a pre-existing trove of documents it should be fairly straightforward to scan them for zero-width characters or mixed character encodings. Detecting synonym substitution would require multiple documents and some custom code, but should be fairly straightforward for an intermediately skilled data scientist or software developer with some time. top
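The scan the post recommends for a document trove, as an added example (not code from the original post): it reports every zero-width or other invisible formatting code point, flags words that mix Latin letters with look-alikes from another script, scrubs the invisible characters, and lists word-level differences between two copies of the "same" document. It generalizes the zero-width check to the whole Unicode "Cf" (format) category; the sample text is constructed for the example.

```python
import difflib
import unicodedata

# Sample document, constructed for this example: two zero-width characters
# and one Cyrillic "а" (U+0430) standing in for the Latin "a" in "payment".
SAMPLE = "Confidential: the p\u0430yment is due\u200b on Friday\u200c."


def is_invisible(ch):
    """True for zero-width / invisible formatting code points.

    Unicode general category "Cf" (format) covers ZWSP, ZWNJ, ZWJ, word
    joiner, BOM, soft hyphen and bidi controls; ordinary letters, digits
    and spaces are never "Cf".
    """
    return unicodedata.category(ch) == "Cf"


def find_invisible(text):
    """Return (offset, 'U+XXXX', name) for every invisible char in text."""
    return [
        (i, "U+%04X" % ord(ch), unicodedata.name(ch, "<unnamed>"))
        for i, ch in enumerate(text)
        if is_invisible(ch)
    ]


def script_of(ch):
    """Coarse script bucket taken from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "CHEROKEE"):
        if name.startswith(script + " "):
            return script
    return None


def find_mixed_script_words(text):
    """Return (word, scripts) for words mixing letters from several scripts.

    A word such as "pаyment" with a Cyrillic "а" among Latin letters is the
    homoglyph substitution the post describes; genuine bilingual text will
    also trip this, so treat hits as leads, not verdicts.
    """
    hits = []
    for word in text.split():
        scripts = {script_of(ch) for ch in word if ch.isalpha()}
        scripts.discard(None)
        if len(scripts) > 1:
            hits.append((word, sorted(scripts)))
    return hits


def scrub(text):
    """Drop invisible characters and fold compatibility forms with NFKC.

    NFKC does not map Cyrillic to Latin, so homoglyphs survive it; those
    need the report above and a human decision.
    """
    return unicodedata.normalize(
        "NFKC", "".join(ch for ch in text if not is_invisible(ch))
    )


def diff_copies(a, b):
    """Word-level differences between two copies of the same document.

    Returns (words_in_a, words_in_b) for each differing run; synonym or
    spelling substitutions (huge/massive, color/colour) show up here.
    """
    wa, wb = a.split(), b.split()
    out = []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, wa, wb).get_opcodes():
        if tag != "equal":
            out.append((" ".join(wa[i1:i2]), " ".join(wb[j1:j2])))
    return out


if __name__ == "__main__":
    for offset, cp, name in find_invisible(SAMPLE):
        print("invisible char %s (%s) at offset %d" % (cp, name, offset))
    for word, scripts in find_mixed_script_words(SAMPLE):
        print("mixed-script word %r uses %s" % (word, ", ".join(scripts)))
    print("scrubbed:", scrub(SAMPLE))
    print("copies differ at:", diff_copies("The huge leak", "The massive leak"))
```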

This candidate for Congress will let his constituents decide how he votes (Fast Company, 2 Jan 2018) - Michael Allman is running for Congress as a Republican. But if his constituents lean left of him on a particular issue before Congress, that's how Allman will vote. That's because Allman is running on a direct democracy platform: For every issue, voters in his district will be able to use a blockchain-enabled website to securely log their opinions, and Allman will follow the will of the people. "Everyone thinks what's happening in Washington, D.C., today is broken," says Allman, former CEO of Southern California Gas, who is running for the 52nd district in San Diego County. "Nobody thinks it's working. We can go into a hundred reasons why, but I'd summarize it with just one word: Partisanship. Everybody votes with the party on pretty much everything, and it's a red versus blue, us versus them kind of attitude." Allman has no background in politics, but has worked in the tech industry, and realized that the technology exists to make direct representation possible. Working with a tech company that had an existing platform, he created a custom website that will outline both sides of a general issue-for example, whether or not there should be more gun control laws-or a specific bill. Voters can read through the arguments on both sides, and read selected op-eds. The site can verify that someone is in a particular district and that they're registered to vote, and then register their opinion confidentially. Of course, the success of the system will depend on participation-and even elections typically have low turnout (for midterm elections, turnout is only around 40%). But logging on to the online platform is easier than making it to a polling place, and for ongoing issues, people won't have to vote by a particular deadline. 
Conceivably, if voters know that their participation could make a difference on an actual vote in Congress-and that impact is guaranteed, rather than making calls or sending emails to representatives-they may be more motivated to act. [ Polley : "Well, it seemed like a good idea at the time."] top

DHS expands license plate dragnet, streams collections to US law enforcement agencies (TechDirt, 4 Jan 2018) - The DHS has provided the public with a Privacy Impact Assessment (PIA) on its use of license plate readers (LPRs). What the document shows is the DHS's hasty abandonment of plans for a national license plate database had little impact on its ability to create a replacement national license plate database. The document deals with border areas primarily, but that shouldn't lead inland drivers to believe they won't be swept up in the collection. The DHS has multiple partners in its license plate gathering efforts, with the foremost beneficiary being the DEA, as Papers, Please! reports: The latest so-called "Privacy Impact Assessment" (PIA) made public by the US Department of Homeland Security, "CBP License Plate Reader Technology", provides unsurprising but disturbing details about how the US government's phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA. The CBP defines the border as anything within 100 miles of the country's physical borders, which also include international airports. Consequently, more than 2/3rds of the nation's population reside in the CBP's so-called "Constitution-free zone." The plate readers discussed in the PIA aren't just the ones drivers and visitors might expect. While the CBP operates many of these at static locations at entry points, other LPRs are mounted on CBP vehicles or hidden in areas the CBP patrols. The addition of the DEA adds law enforcement to the mix. This means the DHS is intermingling its collection with existing law enforcement databases, allowing it to build an ad hoc national database without having to inform the public or hire a contractor to build one from the ground up. top

- and -

New CBP border device search policy still permits unconstitutional searches (EFF, 8 Jan 2018) - U.S. Customs and Border Protection (CBP) issued a new policy on border searches of electronic devices that's full of loopholes and vague language and that continues to allow agents to violate travelers' constitutional rights. Although the new policy contains a few improvements over rules first published nine years ago, overall it doesn't go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are. Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers' rights in our border search lawsuit. Below is a legal analysis of some of the key features of the new policy. * * * top

- and -

Federal agencies may be regularly hiding surveillance methods in criminal cases (Reason, 9 Jan 2018) - The U.S. government uses secret evidence to build criminal cases, according to a report released today by Human Rights Watch. The report offers one of the most comprehensive looks yet at "parallel construction," a tactic where federal law enforcement hides classified or sensitive methods from courts by building a parallel chain of evidence after the fact. The report shows that numerous federal law enforcement agencies send requests to local police to find reasons to perform traffic stops and searches on criminal suspects. Unless something goes wrong, defendants will never know the origins of the government's case against them. The group notes that parallel construction raises several civil rights concerns, chiefly the right to a fair trial. "When you have parallel construction, you have defendants and even judges who don't know how evidence was gathered and can't challenge the constitutionality of that," report author Sarah St. Vincent says. "What you have is very one-sided, where the government, on its own, is deciding what practices it thinks are legal." The method was first revealed in a 2013 Reuters investigation , which detailed how the Special Operations Division, a secretive unit within the Drug Enforcement Administration (DEA), had been funneling surveillance tips to field agents and other agencies to build cases. Meanwhile, it trained agents to "recreate" evidence chains to keep classified methods hidden from defendants, judges, and even federal prosecutors. According to the Human Rights Watch report, the Special Operations Division's activities were nicknamed "the dark side" and exiting agents were given Darth Vader keychains as tokens. DEA training slides that I obtained via a 2014 Freedom of Information Act request shed further light on how widespread the tactic is. 
The FOIA request also resulted in perhaps my favorite redaction that I have ever received: * * * [Polley: See also, How the government hides secret surveillance programs (Wired, 9 Jan 2018)] top

Raising its bet on analytics, Littler adds first Chief Data Analytics Officer (American Lawyer, 9 Jan 2018) - By hiring Zev Eigen, a data scientist with a Ph.D. from the Massachusetts Institute of Technology, Littler Mendelson publicly placed its bet more than two years ago on the potential that data analytics would change the way law is practiced. Now the rapidly expanding global labor and employment giant is doubling down. Littler is poised to announce its hire of a chief data analytics officer, Aaron Crews, who will be tasked with managing the firm's data capabilities and to help it roll out more technology-based products based on the ideas of the firm's existing data scientists. Littler has already been tapping into the data it has collected for the past five-plus years through its Littler CaseSmart platform. One product spearheaded by Eigen is a prediction model for Equal Employment Opportunity Commission charges that Littler has used internally to gauge outcomes and prices for client matters. Last year the firm also began offering Equal Pay audits, which more than 100 clients have used to determine their risk of discrimination claims. Thomas Bender, co-president and co-managing partner at Littler, said there is an "endless horizon" for the possibilities on how data analytics can change the practice of law. Crews, a former Littler partner and electronic discovery counsel, re-joins the firm after having spent the past six months as general counsel and vice president of strategy at legal artificial intelligence company Text IQ, a position he discussed late last year with LegalTech News. Before that, Crews spent three years as a senior associate general counsel and global head of e-discovery at Wal-Mart Stores Inc., having joined the retail giant from Littler in 2014. top

Ninth Circuit doubles down: Violating a website's terms of service is not a crime (EFF, 10 Jan 2018) - Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes-in this case, California and Nevada-to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear-if it wasn't clear already-that violating a corporate computer use policy is not a crime. Oracle v. Rimini involves Oracle's terms of use prohibition on the use of automated methods to download support materials from the company's website. Rimini, which provides Oracle clients with software support that competes with Oracle's own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn't rescind Rimini's authorization to access the files outright. Rimini still had authorization from Oracle to access the files, but Oracle wanted them to access them manually-which would have seriously slowed down Rimini's ability to service customers. Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. 
The jury found Rimini guilty under both the California and Nevada computer crime statutes, and the judge upheld that verdict-concluding that, under both statutes, violating a website's terms of service counts as using a computer without authorization or permission. top

Sedona Conference publishes the Sedona Conference Data Privacy Primer (Ride the Lightning, 11 Jan 2018) - On January 9th, the Sedona Conference and its Working Group 11 on Data Security and Privacy (WG11) announced the publication of The Sedona Conference Data Privacy Primer. This final version contains several updates following thorough consideration of the public comments submitted between January and April 2017. WG11 developed the Data Privacy Primer to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance. You can download the publication without charge here. top

Inside Uber's $100,000 payment to a hacker, and the fallout (NYT, 12 Jan 2018) - "Hello Joe," read the November 2016 email from someone identifying himself as "John Doughs." "I have found a major vulnerability in Uber." The email appeared to be no different from other messages that Joe Sullivan, Uber's chief security officer, and his team routinely received through the company's "bug bounty" program, which pays hackers for reporting holes in the ride-hailing service's systems, according to current and former Uber security employees. Yet the note and Uber's eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for the company. In November, when Uber disclosed the 2016 incident and how the information of 57 million driver and rider accounts had been at risk, the company's chief executive since August, Dara Khosrowshahi, called it a "failure" that it had not notified people earlier. Mr. Sullivan and a security lawyer, Craig Clark, were fired. In the weeks since, Uber's handling of the hacking has come under major scrutiny. Not only did Uber pay an outsize amount to the hacker, but it also did not disclose that it had briefly lost control of so much consumer and driver data until a year later. The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the United States attorney for Northern California has begun a criminal investigation into the matter. 
Most of all, the hacking and Uber's response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law. [S]ince the fallout from Uber's disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches. This account of Uber's hacking and the company's response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber's security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident. * * * [ Polley : quite interesting] top

Science Fiction Writers of America accuse Internet Archive of piracy (Slashdot, 13 Jan 2018) - An anonymous reader writes: The "Open Library" project of the nonprofit Internet Archive has been scanning books and offering "loans" of DRM-protected versions for e-readers (which expire after the loan period expires). This week the Legal Affairs Committee of the Science Fiction Writers of America issued a new "Infringement Alert" on the practice, complaining that "an unreadable copy of the book is saved on users' devices...and can be made readable by stripping DRM protection." The objection, argues SFWA President Cat Rambo, is that "writers' work is being scanned in and put up for access without notifying them... it is up to the individual writer whether or not their work should be made available in this way." But the infringement alert takes the criticism even further. "We suspect that this is the world's largest ongoing project of unremunerated digital distribution of entire in-copyright books." The Digital Reader blog points out one great irony. "The program initially launched in 2007. It has been running for ten years, and the SFWA only just now noticed." They add that SFWA's tardiness "leaves critical legal issues unresolved." "Remember, Google won the Google Books case, and had its scanning activities legalized as fair use ex post facto... [I]n fact the Internet Archive has a stronger case than Google did; the latter had a commercial interest in its scans, while the Internet Archive is a non-profit out to serve the public good." top

China's total information awareness: Second-order challenges (Lawfare, 16 Jan 2018) - Every day seems to bring a new article about China's pervasive use of facial recognition technology. Both the New York Times and the Washington Post have reported how widely China is using this technology, collecting and storing video evidence from cameras on every street corner and road, at apartment building entrances, and in businesses, malls, transportation hubs, and public toilets. The Chinese government seeks to consolidate this information with people's criminal and medical records, travel plans, online purchases, and comments on social media. China would link all of this information to every citizen's identification card and face, forming one omnipotent database. Similarly, the Wall Street Journal produced a chilling long-form article tracking a journalist's trip to Xinjiang province. The piece details not just the use of facial recognition software but also more intrusive steps such as the use of DNA collection, iris scanning, voice-pattern analysis, phone scanners, ID card swipes, and security checkpoints, all to further suppress unrest among the predominantly Muslim Uighur population. The piece frames life in Xinjiang as a forecast of what's to come in China more broadly. These developments feel relatively distant, both geographically and as a matter of current U.S. domestic practice. Our government does not collect video feeds from cameras in public toilets and private apartment buildings. Nor does it possess a database containing every citizen's photograph. Nevertheless, federal and local government agencies in the United States are increasing their use of facial recognition software at the border and in law enforcement contexts. There are a range of second-order questions that we should begin to think about as facial recognition software continues to improve and as its use expands, both within and beyond China's borders. * * * [ Polley : Fascinating, and scary piece. TV's The Prisoner, Person of Interest, Black Mirror, Electric Dreams - all looking more realistic.] top

Electronic device advisory for ABA mid-year meeting attendees (ABA, 16 Jan 2018) - Thousands of lawyers, judges and other legal professionals will cross international borders when attending the 2018 ABA Mid-Year Meeting in Vancouver, British Columbia, Canada. Each person leaving and reentering the United States is subject to inspection and search from both United States and Canadian officials. This paper has been prepared by the ABA Center for Professional Responsibility to update legal professionals about searches that U.S. Customs and Border Protection ("CBP") agents might conduct when legal professionals cross an international border with electronic devices containing confidential client or judicial information. While the actual number of travelers whose electronic devices are subject to border inspection is relatively low, a possibility exists that electronic devices may be searched. Part I describes a new Directive, issued January 4, 2018, by the CBP. Part II summarizes the principal Model Rules of Professional Conduct legal professionals should consider. Part III offers a list of protective measures legal professionals may wish to take while planning their travel to the Mid-Year Meeting. [ Polley : See also, NY City Bar "FORMAL OPINION 2017-5: An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information" (25 July 2017)] top

Google's art selfies aren't available in Illinois. Here's why. (Chicago Tribune, 17 Jan 2018) - The Google Arts & Culture app's new feature seems to be everywhere as social media streams are flooded with photos of friends and the great works of art that resemble them - that is, nearly everywhere but Illinois. The state is one of two in the country where the Google app's art selfie feature - which matches users' uploaded selfies with portraits or faces depicted in works of art - is not available. Google won't say why. But it's likely because Illinois has one of the nation's most strict laws on the use of biometrics, which include facial, fingerprint and iris scans. "They're being overly cautious" by keeping the feature out of Illinois, said Christopher Dore, a partner at Chicago law firm Edelson, which has brought biometrics suits against tech companies including Facebook. Some Illinois residents are finding workarounds to discover their artwork look-alikes, sending selfies to out-of-state friends who will run their photo through the feature. * * * Texas is the only other state without access to the art selfies, and it, too, has a biometrics law. Illinois' Biometric Information Privacy Act mandates that companies collecting such information obtain prior consent from consumers, detailing how they'll use it and how long it will be kept. It also allows private citizens to sue, while other states have laws that let only the attorney general bring a lawsuit. top

RESOURCES

Security Planner (recommended by Bruce Schneier, 21 Dec 2017) - Security Planner is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date. top

U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040 (BeSpacific, 15 Jan 2018) - CRS report via FAS. "TRADOC Pamphlet 525-8-6, The U.S. Army Concept for Cyberspace and Electronic Warfare Operations expands on the ideas presented in TRADOC Pamphlet 525-3-1, The U.S. Army Operating Concept: Win in a Complex World (AOC). This document describes how the Army will operate in and through cyberspace and the electromagnetic spectrum and will fully integrate cyberspace, electronic warfare (EW), and electromagnetic spectrum operations as part of joint combined arms operations to meet future operational environment challenges. Cyberspace and EW operations provide commanders the ability to conduct simultaneous, linked maneuver in and through multiple domains, and to engage adversaries and populations where they live and operate. Cyberspace and EW operations provide commanders a full range of physical and virtual, as well as kinetic and non-kinetic, capabilities tailored into combinations that enhance the combat power of maneuver elements conducting joint combined operations. This concept serves as a foundation for developing future cyberspace and electronic warfare capabilities and helps Army leaders think clearly about future armed conflict, learn about the future through the Army's campaign of learning, analyze future capability gaps and identify opportunities, and implement interim solutions to improve current and future force combat effectiveness." top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NLRB rules on employee use of company email for union purposes (Faegre & Benson's John Polley [yes, he's my brother], 8 Jan 2008) - Ever since the advent of email in the workplace, employers have sought guidance about whether they may lawfully prohibit employees from using company email systems to solicit other employees to support a union. However, since most employers permit employees to use company email for at least some personal communications, the concern has been that prohibiting employee use of email for union solicitations would run afoul of nondiscrimination rules under the National Labor Relations Act. In Guard Publishing Company, 351 NLRB No. 70 (December 16, 2007), the National Labor Relations Board finally addressed these issues. In Guard Publishing Company, the NLRB held that an employer may prohibit employees from using a company-owned email system to solicit for "non-job-related reasons," even if the employer had allowed employees to use the email system for various personal reasons such as giving away tickets or announcing the birth of a child. However, Guard Publishing, a 3-2 decision, was sharply divided along party lines, and the terms of office of two of the Board members in the majority (and one in the dissent) expired within days of the decision. Therefore, there is some real doubt about whether this decision will remain law when a new, full Board is constituted. There is also some doubt about whether portions of this decision will survive on appeal. top

IP addresses are personal data, EU regulator says (Washington Post, 22 Jan 2008) - IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday. Germany's data-protection commissioner, Peter Scharr, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law. Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, "then it has to be regarded as personal data." His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address. Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people. These exceptions have not stopped the emergence of a host of "whois" Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it. Treating IP addresses as personal information would have implications for how search engines record data. Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years. 
A privacy advocate at the nonprofit Electronic Privacy Information Center said it was "absurd" for Google to claim that stripping out the last octet (the final 8 bits) of the stored IP address made the address impossible to identify, since that only makes it one of 256 possible addresses. "It's one of the things that make computer people giggle," the center's executive director, Marc Rotenberg, said. "The more the companies know about you, the more commercial value is obtained." Google's global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used - and that was not enough to identify an individual user. top
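The 256-address point above is easy to make concrete. The following is an added example written for this page, not code from the Washington Post item, EPIC or Google. It assumes the truncation described (IPv4 addresses cut to a /24, i.e. last octet dropped) and, as a further assumption not on the page, cuts IPv6 addresses to a /48; the list of "known" addresses is constructed sample data from the documentation ranges, not real log data. It shows how small the resulting anonymity set is and how linking the truncated value with any other dataset that already holds full addresses shrinks it further.

```python
"""Added example (not from the MIRLN item, the Washington Post, EPIC or Google):
what dropping the last octet of a logged IP address does and does not hide.

Assumptions not stated on the page: IPv4 is truncated to a /24 (last octet
dropped), IPv6 to a /48; KNOWN_ADDRESSES is constructed sample data.
"""
import ipaddress

V4_KEEP_BITS = 24   # drop the last octet -> 2**8 = 256 possible hosts remain
V6_KEEP_BITS = 48   # assumed site prefix -> 2**80 possible hosts remain


def truncate(ip_str):
    """Return (truncated_network, anonymity_set_size) for one address.

    The anonymity set is the number of distinct addresses that map to the
    same truncated value. 256 is a pseudonym, not anonymisation.
    """
    ip = ipaddress.ip_address(ip_str)
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net), net.num_addresses


def candidates(truncated_net, known_addresses):
    """Re-identification by linkage.

    Given a truncated block and any other dataset that still holds full
    addresses (account records, older logs, whois), return the known
    addresses inside the block. One hit means the truncation hid nothing.
    """
    net = ipaddress.ip_network(truncated_net)
    return [a for a in known_addresses if ipaddress.ip_address(a) in net]


# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
KNOWN_ADDRESSES = [
    "203.0.113.7",
    "203.0.113.200",
    "198.51.100.9",
    "2001:db8:1::42",
]


def demo():
    """Truncate one logged address, then see how many known addresses match."""
    net, size = truncate("203.0.113.7")
    return net, size, candidates(net, KNOWN_ADDRESSES)


if __name__ == "__main__":
    net, size, hits = demo()
    print(f"{net}: {size} possible addresses, {len(hits)} known candidates: {hits}")
```

Run stand-alone it reports that 203.0.113.7 becomes 203.0.113.0/24, a block of 256 addresses, and that two of the constructed known addresses already sit in that block. The same truncation on an IPv6 address leaves 2**80 possibilities, which is why per-family rules matter if a log retention policy relies on truncation at all.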

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top