Saturday, January 07, 2017

MIRLN --- 18 Dec - 7 Jan 2017 (v20.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

This begins MIRLN’s 20th year!

Obama: Espionage is being ‘turbocharged’ by the internet (NPR, 16 Dec 2016) - The world is entering a new cyber era — one with no ground rules, and with the potential for traditional espionage to be “turbocharged” by the Internet, President Obama told NPR in an exclusive interview. “Among the big powers, there has been a traditional understanding of, that everybody is trying to gather intelligence on everybody else,” Obama told Morning Edition’s Steve Inskeep in a wide-ranging interview on Thursday. “It’s no secret that Russian intelligence officers, or Chinese, or for that matter Israeli or British or other intelligence agencies, their job is to get insight into the workings of other countries that they’re not reading in the newspapers every day.” The informal, unwritten rules of the past are no longer adequate, the president added. “One of the things that we’re going to have to do over the next decade is to ultimately arrive at some rules of what is a new game,” he said. “And that is the way in which traditional propaganda and traditional covert influence efforts are being turbocharged by the Internet.” The president suggested the U.S. is more vulnerable than other nations because the American economy is both bigger and more highly digitized than those of other countries.

Guidance issued on determining if companies need a Data Protection Officer under GDPR (Winston & Strawn, 19 Dec 2016) - The new data privacy regulation (the GDPR) requires some companies to have a data protection officer. For many companies, they will need a DPO if they have core activities that require regular and systematic monitoring of individuals on a large scale. Article 37(1)(b). The effective date of the regulations is May 2018. There has been confusion about which companies need such a role. In response, the Article 29 Working Party recently issued guidance. It gives some clarification for these three concepts: (1) core activities requiring monitoring, (2) regular and systematic monitoring, and (3) large scale. The Working Party expects that companies will document how they determined if they needed a DPO. As companies think about the DPO role, it is helpful to look at how the Working Party thinks about these three concepts. Core activities, the guidance indicates, are those that are key to achieving a company’s goals. Examples given are processing of patient data by a hospital, or the surveillance a private security company might carry out of a shopping center. Routine processing, like HR-related processing, is not a core activity. Examples given of regular and systematic monitoring include “all forms of tracking and profiling on the internet,” as well as email retargeting, location tracking (by mobile apps, for example), loyalty programs, and monitoring fitness data by a wearable device, among others. Finally, with respect to large scale, the Working Party indicates that standards to define this will likely develop over time. For now, examples given include processing geo-location data of customers for statistical purposes related to the company’s services (in the example given, a fast food chain restaurant) and processing of customer data in the “regular course of business” by a bank or insurance company. The guidance also gives direction on the DPO’s role and responsibilities, reminds companies that DPOs do not have the ultimate compliance obligation under GDPR (that responsibility falls on the controller or processor), and notes that even if a company concludes that it does not need a DPO, it may find it “useful” to voluntarily designate someone to be in that role.

A lack of Yakking (InsideHigherEd, 19 Dec 2016) - Remember Yik Yak? The app was the scourge of the college campus just last year, with anonymous harassment posted to its local discussion boards causing arrests, demonstrations, sit-ins and more. Administrators grappled with how to respond -- some moved to ban the app or restrict students’ access to it, but those actions drew criticism from civil liberties and free speech groups. Now the app appears to be going the way of Google+, MySpace and Vine. Once a staple on smartphone app store top downloads charts, Yik Yak has this year fallen out of the top several hundred most popular. Students appear to have moved to other platforms -- Snapchat, for example, which is showing impressive reach among 18- to 34-year-olds (as well as all-important appeal to advertisers). As a business, Yik Yak’s momentum is also slowing down. The Verge reported last week that the company, which has raised $73.5 million and was once valued at between $300-400 million, has fired about 60 percent of its employees, shrinking its office from about 50 to 20 people. Some social media experts point to Yik Yak’s shift away from anonymity as one reason why the app is no longer as popular as it once was. Last year, Yik Yak introduced user names -- first optional, later mandatory -- and began highlighting nearby users. The changes were controversial among users, and by that November, the company reversed its course. But more recent changes to the app, such as phone number verification, have continued to trend away from anonymity. “When Yik Yak moved away from anonymity, they took away the most important feature of the app,” said Eric Stoller, a higher education consultant (and Inside Higher Ed blogger) who frequently writes about social media. “Why use Yik Yak when you can use other platforms that have user profiles? Yik Yak was always about user location and anonymity.”

How good is law firm security? This report may surprise you (Ride the Lightning, 20 Dec 2016) - As DarkReading recently reported, there is good news about law firm security: The legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry. It’s hard to surprise me, but this report did. As much as I’ve seen greater attention to cybersecurity by law firms over the past several years, I’ve also seen a lot of data breaches, some public and some not. Since BitSight uses publicly disclosed breaches to benchmark security, it may be that there are a lot of law firm data breaches that have not been publicly disclosed. It is probably also true, since BitSight analyzed 1,269 legal entities, that it did not include a lot of solo and small firms. The bad news: More than half of law firms are vulnerable to a known attack called DROWN that breaks encryption and exposes communication and information in Web and e-mail servers and VPNs, and a large percentage of law firms scored low security-wise. BitSight provides a credit-score type security rating system for various industries. On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year’s rating of 690. 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular “fire drills” for incident response. The report said firms were confident in their ability to thwart attacks. Um, that’s not what they tell us. But it does make for good PR. “Many firms’ confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat,” said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst. “For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”

- but -

3 men made millions by hacking merger lawyers, US says (NYT, 27 Dec 2016) - Law firms that advise on mergers once had to worry about a rogue employee trading on deal tips. Now, they have to worry about hackers doing the same. Federal prosecutors in Manhattan have charged three Chinese citizens with making more than $4 million by trading on information they got by hacking into some of the top merger-advising law firms in New York. The three men targeted at least seven New York law firms to try to obtain information about deals in the works, according to an indictment unsealed on Tuesday. The men were successful in hacking two firms, stealing emails of partners who work on mergers, prosecutors said. The three then bought shares of target companies, selling them after the deals were announced, prosecutors said. Hackers’ ability to breach the defenses of big law firms in search of confidential information about corporate clients — including tips about coming mergers and acquisitions — has long been a concern of federal authorities. Most major law firms have played down the threat posed by hackers and have been reluctant to discuss breaches or even attempted breaches. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” Preet Bharara, the United States attorney in Manhattan, said in a statement. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.” [Polley: see also Law firm hacks traced back to Bay Area transactions (SF Gate, 27 Dec 2016)]

- and -

Law firms subject to same cyber risk as others, but is compliance required? (CSO Online, 4 Jan 2017) - This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA law that requires all third-party vendors working with healthcare organizations to have a Risk Assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment, unless required by law. Let’s look at some specifics about the legal sector: ALM Legal Intelligence has reported the following facts on the legal sector. * * * [Polley: pretty interesting.]

- and -

Court documents for law firm lax security case (Ride the Lightning, 5 Jan 2017) - On December 12th, I posted about the lawsuit filed by Edelson PC against Chicago’s Johnson & Bell law firm alleging that lax security put client data at risk. No breach was alleged and it was acknowledged that security vulnerabilities had been fixed. The lawsuit has moved into a confidential arbitration and it is likely that we will never learn the outcome. But the court documents are available for review – hat tip to colleague Lance Johnson – and I have posted them here. According to the complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorneys’ fees without providing industry standard protections for client confidentiality.” That is really the heart of the argument and I am still dubious that such suits will succeed where no breach or damage can be shown, especially where the law firm took steps to remediate the insecurities when they became known. Nonetheless, happy reading and see what you think of Edelson’s arguments.

Big banks are stocking up on blockchain patents (Bloomberg, 21 Dec 2016) - In the headlong rush to revolutionize modern finance, blockchain enthusiasts are overlooking one potentially costly problem: their applications, built on open-source code, may actually belong to someone else. Recently, some of the biggest names in business, from Goldman Sachs to Bank of America and Mastercard, have quietly patented some of the most promising blockchain technologies for themselves. Through mid-November, the number of patents that companies have obtained or said they’ve applied for has roughly doubled since the start of the year, according to law firm Reed Smith. As the blockchain -- essentially a shared, cryptographically secure ledger of transactions -- evolves beyond its techno-utopian roots and startups like Chain and Hyperledger open their source code to the public, the risk is growing that patents will turn into powerful weapons in protracted lawsuits over intellectual property, especially in the hands of trolls trying to cash in on the technology’s skyrocketing rise. Increasingly, experts warn established firms will use them to assert exclusive rights over the work of blockchain’s pioneers. “Open-source code -- that doesn’t necessarily restrict the ability to patent the underlying innovation,” said Patrick Murck, a long-time blockchain legal expert who joined Cooley LLP last month. “Anybody who’s investing in the ecosystem, anybody who’s interested in the technology should be worried about this.”

Is distance ed rule DOA? (InsideHigherEd, 21 Dec 2016) - The U.S. Department of Education, with a month to go until the transition of power, has finalized a rule that clarifies how colleges become authorized to offer online programs to students in other states -- an effort in the works since the first years of the Obama administration. But the rule is by all indications dead on arrival. The final rule, released on Dec. 16, requires colleges that offer online education programs to follow each state’s authorization process -- which often involves filling out an application and paying a fee to a local higher education agency -- and clarifies disclosure and student complaint procedures. It also recognizes that states can participate in reciprocity agreements. The rule-making process has been one of fits and starts, complete with court cases, delays and failed negotiations -- and then a surprise last-ditch effort this summer. After collecting input on a draft this fall, the Education Department published the final rule in the Federal Register on Monday. Yet the rule may never go into effect. The Trump administration will have plenty of time to set its own regulatory agenda, given that the rule’s effective date isn’t until July 1, 2018.

GE creates ‘Yelp for Lawyers’ to assess outside law firms (Bloomberg, 21 Dec 2016) - General Electric has developed what it’s calling a Yelp for lawyers. An internal website is now available to its approximately 800 in-house lawyers, through which they can search “preferred providers” of outside counsel and learn about their track record with the company. Titled GE Select Connect, more than 200 of the company’s outside law firms maintain profiles (à la Facebook) that feature firm information, including feedback the outside firms have received from GE lawyers, the firm’s diversity staffing levels, hourly rates, and discounts the company has previously achieved. The internal site will provide GE lawyers with a better handle on discounts they can negotiate with outside law firms, easy access to firms’ strengths and weaknesses, as well as phone numbers and emails for primary contacts, said Dan Hendy, associate general counsel at GE, who oversaw the creation of the tool. “It’s a good way to collaborate,” said Hendy, who noted that the law firms listed on the site are only GE’s preferred providers, “a little more than” 200 firms which have signed an agreement stipulating negotiated rates and possibly other benefits over a certain period of time. “It makes being a preferred provider at GE more meaningful,” said Hendy, who framed the website as “a great marketing platform” for outside firms, since preferred law firms can update their profiles with information and news about firm initiatives and matters they’re handling. So far, Hendy said that the use cases are fairly simple and it certainly isn’t being used to select counsel for bet-the-company litigation or blockbuster M&A. He estimated that as much as 80 percent of GE’s 800 lawyers have the ability to hire outside counsel directly. [Polley: At Schlumberger, we mostly did this in 1999; then, we couldn’t get outside counsel interested.]

NIST introduces comprehensive cyber incident recovery guide (Federal Times, 23 Dec 2016) - Noting an overall rise in cybersecurity incidents and inconsistent response capabilities across the federal government, the National Institute of Standards and Technology has published the “Guide for Cybersecurity Event Recovery” to assist agencies in developing plans, processes and procedures to fully restore a weakened system. “It’s no longer if you are going to have a cybersecurity event, it is when,” said computer scientist Murugiah Souppaya, one of the guide’s authors. According to the Cybersecurity Strategy and Information Plan, published by the Office of Management and Budget, recovery could involve a simple data backup or a far more complicated process of bringing a system back online in stages. The NIST guide addresses this critical facet of risk management by consolidating existing guidance on incident handling and contingency planning, while offering a framework for organizations needing to create strategic playbooks for data breaches, ransomware and other cybersecurity incidents. “To be successful, each organization needs to develop its own plan and playbooks in advance,” said Souppaya. “Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.” The NIST guide can be viewed in its entirety on their website.

Corporate boards aren’t prepared for cyberattacks (Computerworld, 26 Dec 2016) - Major cyberattacks against organizations of all sizes seem to happen almost weekly. On Dec. 14, Yahoo announced the largest-ever data breach, involving more than 1 billion customer accounts. Despite the scale and potential harm from such attacks, there’s wide recognition that corporate leaders, especially boards of directors, aren’t taking the necessary actions to defend their companies against such attacks. It’s not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards. * * * [W]orries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That’s an improvement from 11% in a similar poll conducted a year earlier. The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.

New cybersecurity guidelines for medical devices tackle evolving threats (The Verge, 27 Dec 2016) - Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth. The FDA has been warning the health care industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. * * * The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

Another state adopts duty of technology competence; makes it 26 (Bob Ambrogi, 28 Dec 2016) - As this blog continues to follow the states that adopt the duty of technology competence for lawyers, there is another to add: Colorado. That brings to 26 the number of states that have adopted some version of Comment 8 to ABA Model Rule 1.1. Colorado’s version of Comment 8, which was adopted and became effective on April 6, 2016, differs from the Model Rule. Colorado’s version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject. See Comments [18] and [19] to Rule 1.6.” (Emphasis added.) The ABA version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added.) Note that the Colorado version cross-references Comments 18 and 19 to Rule 1.6. That rule pertains to confidentiality of client information. The comments advise that lawyers must “make reasonable efforts” to safeguard client information “against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”

New York eases proposed cyber regulations after industry complaints (Reuters, 28 Dec 2016) - New York state’s financial regulator on Wednesday issued a revised proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1. The rules from the New York State Department of Financial Services are being closely watched because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators. “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor. The state revised the rules in response to more than 150 comments on its initial proposed regulations. The New York Insurance Association in one letter called the regulation “too much of a ‘one size fits all’ rule” that was overly specific and too broad. A New York Bankers Association letter warned of unintended consequences that would “hamper efforts to protect the public and may defy its purpose of preventing cyber attacks.” The revised regulations include easing some timelines and requirements, including standards for encrypting data and authenticating access to networks. They also provide more time for compliance, expanding the transition from six months to as long as two years.

New French law bars work email after hours (Fortune, 1 Jan 2017) - A new French law establishing workers’ “right to disconnect” goes into effect today. The law requires companies with more than 50 employees to establish hours when staff should not send or answer emails. The goals of the law include making sure employees are fairly paid for work, and preventing burnout by protecting private time. French legislator Benoit Hamon, speaking to the BBC, described the law as an answer to the travails of employees who “leave the office, but they do not leave their work. They remain attached by a kind of electronic leash—like a dog.” While the measure may seem like a boon to workers, it was reportedly the most broadly supported measure of a comprehensive labor package passed in May. The package as a whole was primarily oriented to liberalizing France’s job market, including by making it easier to fire workers, and sparked widespread protests. The email restrictions could provide a benefit to both workers and businesses, by making employees more relaxed and effective. As NPR points out, academic studies have found that workplace email is a significant source of stress. A group of Stanford business professors have estimated that workplace stress added between $125 and $190 billion dollars per year to America’s healthcare costs, amounting to between 5 and 8% of total costs. Overwork accounted for $48 billion of that. Those healthcare costs are largely borne by employers, along with the drag of irritable or absent employees worn down by the colonization of their private lives.

US Treasury makes standalone cyber insurance policies more valuable (Aon, 3 Jan 2017) - The United States Department of the Treasury issued a “Notice of Guidance” December 27, 2016, which clarifies that stand-alone “Cyber Liability” insurance policies are included under the Terrorism Risk Insurance Act of 2002, as amended (“TRIA”). TRIA requires insurers to “make available” terrorism risk insurance for commercial property and casualty losses resulting from certified acts of terrorism (insured losses), and provides for shared public and private compensation for such insured losses. Effective April 1, 2017, and consistent with TRIA and the TRIA program regulations, an insurer must provide disclosures and offers that comply with TRIA and the program regulations on any new or renewal policies reported as standalone Cyber Liability insurance. * * *

MN Bar returns to Fastcase, six months after switching to Casemaker (Bob Ambrogi, 3 Jan 2017) - In their ongoing competition to win over bar associations as the legal-research member benefit, Fastcase is starting 2017 with an unprecedented victory over Casemaker. Just six months after the Minnesota State Bar Association left Fastcase and switched to Casemaker, it is going back to Fastcase in response to demand by its members. “Our members offered a clear preference for Fastcase,” Gerry Ford, MSBA membership director, told me in an email. “Their most common theme was ease of use. MSBA members find Fastcase to be more user-friendly and its interface to be more intuitive.” I have reported here on other bars switching from Casemaker to Fastcase — such as my own state’s bar in December 2015. But when the MSBA switched last July after having been with Fastcase since 2007, it was the first bar to go from Fastcase to Casemaker. Now, as it switches back just six months later, I can think of no precedent for such a rapid turnabout.

A warning about Tallinn 2.0 … whatever it says (Lawfare, 4 Jan 2017) - The Tallinn Manual on the International Law Applicable to Cyber Warfare is the most comprehensive and thoughtful work to date on the applicability of existing international law to cyber warfare. It is routinely referenced and relied upon by civilian and military practitioners across the globe and—if it has not already done so—it may very well achieve the authors’ objective of joining the ranks of the San Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Manual on International Law Applicable to Air and Missile Warfare as one of the authoritative (albeit non-binding) manuals detailing the manner in which international law applies to particular forms of warfare. No doubt the soon-to-be-released Tallinn 2.0 will prove to be equally well received. And that is precisely the problem. Despite the benefits of the Tallinn Manual —a proffer of increased certainty for States that international law does apply to cyber activities; a framework that adopts and applies international legal norms; the general utility of a ready reference for government officials, operators, and legal advisers; and the recording of a group of experts’ opinions that can be scrutinized by others in ways that might help to develop long-term legal consensus—the Tallinn Manual presents two dangers that we should hope Tallinn 2.0 avoids.

California law makes ransomware use illegal (On the Wire, 4 Jan 2017) - It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1. The new law in California makes the use of ransomware a felony that is punishable by up to four years in prison.

Ten worst Section 230 rulings of 2016 (plus the five best) (Eric Goldman, 4 Jan 2017) - 2016 was a tough year in many respects (check out the #Fuck2016 hashtag), including a swarm of adverse Section 230 rulings. Even in paradigms where the immunity still functions reasonably well, such as user comments on message boards or online marketplace operator liability, rulings this year provided plaintiffs/regulators with powerful tools to undermine the immunity. As bad as 2016 was, after we see the full effects of this year’s rulings, I think we’ll look back nostalgically at 2016 as Section 230’s high-water mark. How’s that for a “happy” new year? So rather than enumerate the 10 most important Section 230 rulings, I’ve cynically decided to just list out the 10 worst rulings this year. For those looking for a ray of optimism, the 5 best rulings are at the end of this post. * * *

Massachusetts makes data breach records public online (Infosecurity, 4 Jan 2016) - The state of Massachusetts has upped the ante on data breach transparency: The Office of Consumer Affairs and Business Regulation has decided to make reports of potential identity theft available to the public on its website. Previously, those reports could only be accessed by a public records request. State law requires that any organization that keeps personal information about a Massachusetts resident notify state officials, as well as affected customers, any time that information is compromised. This includes external hacking incidents, unintentional data leakage and insider mistakes, among other scenarios. It also includes incidents outside of the cyberworld—say, if a briefcase with papers is stolen or misplaced. Hundreds of data breaches affecting thousands of Massachusetts residents were reported to the state in 2016, and information on all of them is now available in a handy spreadsheet format that details how many residents were affected, what kind of information was lost, whether the organization in question provided credit monitoring, and more. Massachusetts has been out in front in cybersecurity, recently offering a $5 million grant that will be used to bolster cyber-research and the computing technology used by the University of Massachusetts.

top

RESOURCES

New Technology on the Block: Exploring the legal and regulatory implications of the blockchain (Harvard Law Today, Fall 2016) - * * * The blockchain raises fascinating legal questions, about both transactions and property, says Patrick Murck, a fellow at the Berkman Klein Center, who previously was co-founder of the Bitcoin Foundation (it paid him entirely in bitcoin, which worked fine until his kids started going to day care, he quipped). “Bitcoin is interesting not because it’s digital money but because it’s digi­tal property,” says Murck, noting that bitcoins are actually tokens generated and validated by computer, and property rights can be tied to those tokens. While the blockchain is most closely associated with bitcoin—the two were released together in 2009—its use is not limited to currency. Music companies are experimenting with using it for tracking online transactions, and an open source group called Ethereum has built a blockchain-based platform for managing contracts that also includes a digital currency, or token, called Ether. What it doesn’t have is much of a legal framework. De Filippi and, separately, Murck convened a series of meetings over the last few years to address that. De Filippi’s initially involved mostly Boston-area participants from the Berkman Klein Center and the HLS community and MIT (for example: bit.ly/coalaworkshop), before she broadened the gatherings’ scope. Murck brought together members of the bitcoin community with financial companies, technology firms, lawyers and regulators for a series of meetings called Shared Ledgers Roundtables. All of the meetings were designed to explore the legal framework needed for the blockchain to work safely, and to prevent fraud. * * *

top

Basu on Copyright Law & the Drummer (MLPB, 5 Jan 2017) - Ronojoy Basu, University of Toronto, has published Copyright Law & The Drummer . Here is the abstract: Recent relevant judicial decisions in the US suggest that the question of subsistence of originality in drum beats remains a subject of debate. Unbeknownst to the non-musical world, this question continues to gather momentum and poses some rather interesting questions about degree and threshold of creativity and applicability of Copyright law. This paper explores the copyright-ability of drum patterns, the position of US and Canadian laws on the subject and under what circumstances may such beats be accorded copyright protection.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Big sister Clinton (2.0) (New York Times, 19 March 2007) -- Wondering what this presidential campaign might look like in the world of “Web 2.0” social networking sites? We have our answer: The buzz-generating Internet ad featuring Senator Hillary Rodham Clinton as a scary Big Brother figure, conducting her presidential campaign “conversation” on a giant screen to drone-like humans. The ad, a near-copy of an Apple spot for Macintosh in 1984, has drawn more than 438,000 viewers on YouTube in the last two weeks (and has been linked by hundreds of blogs), showing the potential reach of such guerrilla ad campaigns. It ends with a female athlete (who seems to be wearing an iPod) smashing the screen image of Mrs. Clinton’s face with a hammer. Then these words appear — “On January 14th the Democratic primary will begin. And you’ll see why 2008 isn’t going to be like ‘1984’” — followed by the closing text, BarackObama.com. Mr. Obama’s camp has disavowed responsibility for the ad, although there are links to it on community pages on Mr. Obama’s Web site. (And, it was apparently mashed by a 59-year-old with the YouTube username ParkRidge47; Mrs. Clinton was born in 1947 and grew up in Park Ridge, Ill., by the way.) A spokesman for Mrs. Clinton had no comment. YouTube clip at http://www.youtube.com/watch?v=6h3G-lMZxjo ; creator unmasked: http://www.newsday.com/news/nationworld/nation/ny-usdems225139825mar22,0,1775351.story?coll=ny-uspolitics-headlines

top

Missing e-mail may be related to prosecutors (New York Times, 13 April 2007) -- The White House said Thursday that missing e-mail messages sent on Republican Party accounts may include some relating to the firing of eight United States attorneys. The disclosure became a fresh political problem for the White House, as Democrats stepped up their inquiry into whether Karl Rove and other top aides to President Bush used the e-mail accounts maintained by the Republican National Committee to circumvent record-keeping requirements. It also exposed the dual electronic lives led by Mr. Rove and 21 other White House officials who maintain separate e-mail accounts for government business and work on political campaigns — and raised serious questions, in the eyes of Democrats, about whether political accounts were used to conduct official work without leaving a paper trail. The clash also seemed to push the White House and Democrats closer to a serious confrontation over executive privilege, with the White House counsel, Fred F. Fielding, asserting that the administration has control over countless other e-mail messages that the Republican National Committee has archived. Democrats are insisting that they are entitled to get the e-mail messages directly from the national committee. Representative Henry A. Waxman, the California Democrat who is chairman of a House committee looking into the use of political e-mail accounts, wrote a letter to the attorney general on Thursday saying he had “particular concerns about Karl Rove” after a briefing his aides received from Rob Kelner, a lawyer for the Republican National Committee. Mr. Rove uses several e-mail accounts, including one with the Republican National Committee, one with the White House and a private domain account that is registered to the political consulting company he once owned.

top

World faces “cyber cold war” threat (Reuters, 29 Nov 2007) - A “cyber cold war” waged over the world’s computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday. About 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities, Internet security company McAfee said in an annual report. Intelligence agencies already routinely test other states’ networks looking for weaknesses and their techniques are growing more sophisticated every year, it said. Governments must urgently shore up their defenses against industrial espionage and attacks on infrastructure. The report said China is at the forefront of the cyber war. It said China has been blamed for attacks in the United States, India and Germany. China has repeatedly denied such claims. The report was compiled with input from academics and officials from Britain’s Serious Organised Crime Agency, the U.S. Federal Bureau of Investigation and NATO. Cyber-attacks on private and government Web sites in Estonia in April and May this year were “just the tip of the iceberg,” the report warned. Estonia said thousands of sites were affected in attacks aimed at crippling infrastructure in a country heavily dependent on the Internet. The attacks appeared to have stemmed initially from Russia although the Kremlin denied any wrongdoing. “The complexity and coordination seen was new,” the report quoted an unnamed NATO source as saying. “There were a series of attacks with careful timing using different techniques and specific targets.” EU Information Society commissioner Viviane Reding said in June that what happened in Estonia was a wake-up call. NATO said “urgent work” was needed to improve defenses. The McAfee report predicted that future attacks would be even more sophisticated. “Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage,” it said.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon’s Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation’s Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers’ submissions, and the editor’s discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, December 17, 2016

MIRLN --- 27 Nov - 17 Dec 2016 (v19.17)

MIRLN --- 27 Nov - 17 Dec 2016 (v19.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | LOOKING BACK | NOTES

ANNOUNCEMENTS

[Sad] Note to Readers (Steptoe, 1 Dec 2016) - After nearly 18 years, E-Commerce Law Week will cease publication after this week. It's been a pleasure. [Polley : I was so sorry to read this; I've loved their droll, concise, informative weekly e-newsletter; if anybody has substitute-candidates to suggest, I'm all ears. In the meantime, hats-off and thanks to ECLW authors/producers Sally Albertazzi, Stewart Baker, and Mike Vatis.]

top

NEWS

ABA House is asked to accredit program that certifies lawyers as privacy law specialists (ABA Journal, 15 Nov 2016) - A program that certifies lawyers as privacy law specialists is expected to go before the ABA House of Delegates in February. The International Association of Privacy Professionals administers the certification program. If the ABA House approves accreditation, lawyers who meet the IAPP's standards could hold themselves out as privacy law specialists without violating state ethics rules that are based on the ABA model rules. Bloomberg BNA has a story . Recognition of the privacy law specialty could benefit both consumers and lawyers, according to Hofstra University law professor Ellen Yaroshefsky. "I think it's advantageous both to lawyers seeking to obtain business but also hopefully to clients who want to reach out to the most sophisticated lawyer they can find," Yaroshefsky told Bloomberg BNA. "Particularly because cyber and security and intellectual property are rapidly expanding fields, there is a perceived need to have a recognized specialty." Fourteen certification programs administered by seven private organizations are currently accredited by the ABA, according to Martin Whittaker, senior counsel for the ABA Center for Professional Responsibility. About a dozen state entities also certify specialties. The ABA Model Rules of Professional Conduct provide that lawyers shouldn't state or imply they are certified as specialists in a particular field of law unless they have been certified as specialists by a group that is approved by the appropriate state authority or that is accredited by the ABA. The IAPP certification program would require lawyers to pass the group's exam; pass a separate exam on legal ethics related to the practice of privacy law; and prove substantial involvement in the privacy law area for three years.

top

The secret agenda of a Facebook quiz (NYT, 19 Nov 2016) - Do you panic easily? Do you often feel blue? Do you have a sharp tongue? Do you get chores done right away? Do you believe in the importance of art? If ever you've answered questions like these on one of the free personality quizzes floating around Facebook, you'll have learned what's known as your Ocean score: How you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. You may also be responsible the next time America is shocked by an election upset. For several years, a data firm eventually hired by the Trump campaign, Cambridge Analytica, has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans. A spinoff of a British consulting company and sometime-defense contractor known for its counterterrorism "psy ops" work in Afghanistan, the firm does so by seeding the social network with personality quizzes. Respondents - by now hundreds of thousands of us, mostly female and mostly young but enough male and older for the firm to make inferences about others with similar behaviors and demographics - get a free look at their Ocean scores. Cambridge Analytica also gets a look at their scores and, thanks to Facebook, gains access to their profiles and real names. Cambridge Analytica worked on the "Leave" side of the Brexit campaign. In the United States it takes only Republicans as clients: Senator Ted Cruz in the primaries, Mr. Trump in the general election. Cambridge is reportedly backed by Robert Mercer , a hedge fund billionaire and a major Republican donor; a key board member is Stephen K. Bannon, the head of Breitbart News who became Mr. Trump's campaign chairman and is set to be his chief strategist in the White House. 
In the age of Facebook, it has become far easier for campaigners or marketers to combine our online personas with our offline selves, a process that was once controversial but is now so commonplace that there's a term for it, "onboarding." Cambridge Analytica says it has as many as 3,000 to 5,000 data points on each of us, be it voting histories or full-spectrum demographics - age, income, debt, hobbies, criminal histories, purchase histories, religious leanings, health concerns, gun ownership, car ownership, homeownership - from consumer-data giants.

top

FINRA fines Lincoln Financial sub $650,000 for cybersecurity shortcomings (Bracewell, 22 Nov 2016) - A Lincoln Financial Group subsidiary agreed to pay $650,000 to the Financial Industry Regulatory Authority (FINRA) to resolve allegations that it failed to implement sufficient security policies to protect confidential customer information after its web-based customer account database was hacked in 2012. The 2012 breach came on the heels of a $600,000 fine, imposed by FINRA in 2011, for lax security measures relating to its customer database. * * *

top

Ohio imposes tax on online retailers with no physical presence in state (Morgan Lewis, 22 Nov 2016) - The Ohio Supreme Court recently ruled that Ohio may impose its commercial activity tax (CAT) on out-of-state companies that sell products and services to Ohio customers-even if the companies have no physical presence in the state-if such companies have taxable gross receipts sitused to Ohio of at least $500,000. This ruling is yet another example of the increasing willingness of states to extend taxing jurisdiction to nonresident taxpayers that have business, but no physical presence, in a state. On November 17, a split Ohio Supreme Court held that the physical presence standard does not extend to a "business-privilege tax"-even if that tax is measured by receipts from sales of tangible personal property (similar to a sales tax). In a 5-2 decision, the Ohio high court held that "although a physical presence in the state may furnish a sufficient basis for finding a substantial nexus, Quill's holding that physical presence is a necessary condition for imposing the tax obligation does not apply to a business-privilege tax. . ." Rather, since the CAT is imposed only on retailers with at least $500,000 in Ohio receipts, the Ohio Supreme Court held that dollar "limit" is sufficient to establish the required substantial nexus for the imposition of a business-privilege tax. The dissenting judges in the case, by contrast, argued that the silence of the US Congress on nexus issues means that Quill's "physical presence" requirement should still apply, and that only the US Congress or the US Supreme Court can establish a new rule to determine substantial nexus. The tenor of the dissenting judges' opinion could signal that this decision may be appealed to the US Supreme Court.

top

Uber begins background collection of rider location data (TechCrunch, 28 Nov 2016) - Imagine you're on your way to a therapy appointment in a downtown high-rise. You hail an Uber and enter a nearby coffee shop as your destination so you can grab a snack before the appointment. In the car, you scroll through Instagram and check your email. You get out, buy your coffee, and walk around the corner to your therapist's office. If you installed the latest app update, Uber has been tracking your location the entire time. The app update (it's 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open - now, Uber asks users to always share their location with the ride-hailing company. Uber says that, even though it can harvest your location constantly while its app is running in the background on your phone, it won't use that capability. Instead, Uber claims it just needs a little bit more location data to improve its service, and it has to ask for constant access because of the way device-level permissions are structured. Specifically, Uber wants access to a rider's location from the moment she requests a ride until five minutes after the driver drops her off, even if the app is not in the foreground of her phone. Previously, Uber would not collect a rider's background location during the trip, or her location after drop-off. The company will use this information to improve drop-offs and pick-ups, which have consistently been a pain point for Uber and other ride-hailing services. The most common reason for riders and drivers to contact each other is to communicate their location when the app does not provide an accurate pinpoint, and Uber hopes to cut down on confusion during pick-up. Uber also wants to track how often riders cross the street directly after a drop-off, which the company believes could indicate a safety hazard. 
Riders shouldn't have to dart through traffic to get to their destination, a spokesperson explained, and tracking a user after drop-off can help the company detect whether the driver dropped their passenger off in a risky place.

top

- and -

New site visualises how you rode with Uber in 2016 (Mashable, 15 Dec 2016) - The folks at Uber have made " Year with Uber ", a data visualisation site that offers a view of your Uber riding pattern for the year. The site, which went live Thursday, asks you to log in, then presents you with information about your rides on the platform in 2016 via a click-through slideshow. * * * Alas, the site is only live for riders in Southeast Asian cities such as Singapore, Kuala Lumpur, Bangkok, Jakarta and Manila -- for now. Uber says it'll roll out to more countries progressively.

top

The surprising implications of the Microsoft/Ireland warrant case (Orin Kerr, 29 Nov 2016) - The Justice Department filed a petition for rehearing last month in the Microsoft/Ireland warrant case . Although I'm skeptical that rehearing will be granted, the Justice Department's petition includes some fascinating updates about the practical effect of the Second Circuit's decision. I looked into the Justice Department's allegations on my own, and I was able to get a better sense of what was happening. At the very least, it suggests that the Microsoft case is having some surprising implications. And in some cases, the result seems to be a significant mess. The Second Circuit's decision held that warrants for customer email are unenforceable when the provider opted to store emails on a server outside the United States. The statute only has territorial effect, the Second Circuit reasoned, and that means it doesn't apply to foreign-stored email. Treating the statute as a way to get email rather than a means of limiting access to email, the court ruled that the government couldn't use a domestic warrant to compel the disclosure of emails stored abroad. But here's the twist. The court's decision assumed that Internet providers knew where their customer emails were located and that emails could be accessed from those places. The Second Circuit's opinion therefore left the government with some options. In particular, the government could pursue foreign legal process through Mutual Legal Assistance Treaties for email that was stored abroad. It turns out that this assumption isn't necessarily right. And that is creating some significant headaches. Here's what the Justice Department says in its petition for rehearing: Unlike Microsoft, some major providers cannot easily determine where customer data is physically stored, and some store different parts of customer content data in different countries. Major U.S.-based providers like Google and Yahoo! store a customer's email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic. At least in the case of Google, the information is also currently beyond the reach of a Mutual Legal Assistance Treaty request or any foreign law enforcement authority, because only Google's U.S.-based employees can access customer email accounts, regardless of where they are stored; indeed, Google cannot reliably identify the particular foreign countries where a customer's email content may be stored. Thus, critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.

top

Rule would treat email like other forms of 'instant' service (Florida Bar, 1 Dec 2016) - After the Bar Board of Governors balked at giving its endorsement, the Rules of Judicial Administration has altered a proposed procedural rule amendment affecting response times when documents are served via email. The Appellate Court Rules Committee also altered its request to be exempted from the proposed change, and instead suggests changes within the appellate rules. The board, at its July 29 meeting, considered amendments to the Civil Procedure Rules, the Rules of Judicial Administration, and the Appellate Court rules. The civil rule amendments corrected references to the Rules of Judicial Administration on email service. The RJA amendments removed email service from a subdivision that allowed five additional days for responding to service by regular U.S. Mail and removed email from a section that said email service would be treated as service via U.S. Mail for time computation purposes - which adds five days to those allowable times. Those changes would treat email like other forms of "instant" service such as fax, hand delivery, or service through the court system's statewide e-filing portal. When email service was first addressed in the rules several years ago, committee members said treating it as U.S. Mail delivery would encourage lawyers to use email service because of the extra response time it allowed. But they also said that extra time would likely be removed once email service was widely used. The appellate rule amendment specified that service by email in appellate matters be treated as service by U.S. Mail for time computations and exempted appellate email service from the time reductions in the RJA amendments. Board members said they were concerned that removing the five extra days could lead to "gamesmanship" with delivery of documents late in the day or before weekends to shorten the response time. 
They also expressed unease that exempting the appellate rules from the change would lead to inconsistency among rules. In response, the Appellate Court Rules Committee, when it met in October during the Bar's Fall Meeting, dropped its request for a blanket exemption. Instead the committee went through its rules and added to the computation of response time in more than 30 places where it felt more time was needed. That was approved by a 35-0 vote. The Rules of Judicial Administration Committee, which also met at the Fall Meeting, reaffirmed removing the extra five days from time computations with email service but also specified that the time computation would not begin until the day after the service, not counting weekends or holidays. Committee members, saying that would address the "gamesmanship" issues, approved that 34-0. The revised rules are expected to be presented to the board again at its January 20 meeting in Tallahassee.

top

Misconfigured drive exposes locations of explosives used by oil industry (SC Magazine, 5 Dec 2016) - Oil company Allied-Horizontal Wireline Services (AHWS) is reported to have misconfigured a storage device, which has resulted in the leak of the locations where it stores the explosives it uses. The company uses explosives to complete an oil-drilling process known as "perforation," which it is licensed to do by the US federal government. The device, exposed by security researcher Chris Vickery in October, also reportedly contained thousands of credentials of staff who work for the organisation and a variety of AHWS employee information. Other files on the device showed the company's contracts with other oil companies, such as BP and Exxon.

top

Subscription surges and record audiences follow Trump's election (Columbia Journalism Review, 6 Dec 2016) - When CBS chairman Les Moonves said in February that the Donald Trump phenomenon "may not be good for America, but it's damn good for CBS," he likely didn't imagine his comment would apply to the entire news industry come December. While many in the media have expressed concerns over the impact a Trump administration could have on press freedoms, the president-elect's influence already is boosting news organizations' bottom lines. The New York Times said it signed up 10,000 new subscribers per day several times since the election, and the past few weeks recorded a 10-fold increase in new subscriptions over the same period last year. "Often after an election you expect a lull," Times president and CEO Mark Thompson said on Monday at the UBS Global Media & Communications conference in Manhattan. "We're not seeing that, we're seeing a surge." Thompson attributed the rise in subscriptions to "a dramatic increase in the willingness to pay for serious, independent journalism." He also said reaching the Times' goal of 10 million paid subscribers-up from 2.6 million today, about 1.5 million of which are digital-only-"is very possible for us." Most of the new subscribers are digital, though some opted for the Times in print. The company noted the increases are net of cancellations. He said consumers are more willing to pay for online content, driven by an acceptance of monthly fees for services like Netflix. While the Times holds a unique place in the media landscape, other major players across the industry have reported similar audience and subscription bounces. The LA Times saw a 60 percent increase in new digital subscriptions in the weeks following the election, a spokeswoman told CJR. For the month of November, the paper added more than four times as many new subscribers as it did during the same period in 2015. 
And the LA Times was not the only outlet in the publicly traded Tronc Inc. newspaper chain to report subscription increases; CNBC reported the chain saw an average gain in digital subscribers of 29 percent across its newspapers, which also include the Chicago Tribune and the Hartford Courant . While the Washington Post hasn't yet released specific numbers, a representative from the paper told CJR the Post has seen "a steady increase in subscriptions over the course of this year." The Wall Street Journal in the days after the election reported a 300 percent spike in new subscriptions.

top

T-Mobile announces Digits: one phone number for all your devices (The Verge, 7 Dec 2016) - T-Mobile just revealed its answer to AT&T's NumberSync technology, which lets customers use one phone number across all their connected devices. T-Mobile's version is called Digits and it will launch in a limited, opt-in customer beta beginning today before rolling out to everyone early next year. "You can make and take calls and texts on whatever device is most convenient," the company said in its press release. "Just log in and, bam, your call history, messages and even voicemail are all there. And it's always your same number, so when you call or text from another device, it shows up as you." When it leaves beta, Digits will cost an extra monthly fee, but T-Mobile isn't revealing pricing today. "This is not going to be treated as adding another line to your account," said COO Mike Sievert. "Expect us to be disruptive here." And while its main feature is one number for everything, Digits does offer T-Mobile customers another big perk: multiple numbers on the same device. This will let you swap between personal and work numbers without having to maintain separate lines and accounts. You can also give out an "extra set" of Digits in situations where you might be hesitant to give someone your primary number; this temporary number forwards to your devices like any other call. You can have multiple numbers for whatever purposes you want, based on T-Mobile's promotional video.

top

China stole data from major US law firms (Fortune, 7 Dec 2016) - A series of security breaches that stuck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence seen by Fortune. The incidents involved hackers getting into the email accounts of partners at well-known firms, and then relaying messages and other data from the partners' in-boxes to outside servers. In the case of one firm, the attacks took place over a 94 day period starting in March of 2015, and resulted in the hackers stealing around seven gigabytes of data, according to information obtained by Fortune . That figure would typically amount to tens or hundreds of thousands of emails. The information also revealed the thefts took place in one hour increments, and that the hackers returned repeatedly in search of new information. News of the law firm breaches surfaced earlier this year when the Wall Street Journal reported that hackers had penetrated the computer networks of Cravath Swaine & Moore, Weil Gotshal & Manges and other unidentified firms. The clients of these firms include many of the world's biggest companies, and they are privy to sensitive corporate information. The earlier news of the law firm breaches did not say who conducted the hacking, but Fortune has obtained reliable information that indicates the breach took place as part of a larger initiative by the Chinese government. This initiative also saw the hackers target big U.S. companies, including a major airline. The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.

- and -

Chicago law firm accused of lax data security in lawsuit (Bloomberg, 9 Dec 2016) - A federal judge on Friday unveiled a long-sealed proposed class-action complaint that accused the law firm, Johnson & Bell, of failing to take adequate steps to protect the data on its servers. The case is currently proceeding in confidential arbitration and the complaint was filed in April by the plaintiff's firm Edelson P.C. on behalf of two of Johnson & Bell's onetime clients, Jason Shore, a California resident, and Coinabul, a Wyoming limited liability company. Johnson & Bell is a Chicago-based firm with about 100 attorneys and was ranked as the 385th largest law firm in the country, according to The American Lawyer. The complaint refers to Johnson & Bell "as a data breach waiting to happen" and claims the firm marketed itself as using top data security to protect its clients' information but in fact had numerous lapses, including - according to the complaint - an online time-keeping system that had not been updated in 10 years. Jay Edelson, the founder of Edelson P.C., said his firm has been conducting a wide-ranging investigation of law firms, and that he anticipates other judges may soon unseal lawsuits his firm filed against other law firms. The unsealed suit accused Johnson & Bell of using several internet-accessible computer networks, such as its time-keeping system and its email system, which had not been updated with security patches. The case is Shore et al v. Johnson & Bell, filed in N.D. of Illinois, 16-4363. Read the complaint, via Bloomberg Law, here.

Terror scanning database for social media raises more questions than answers (Motherboard, 9 Dec 2016) - On Monday, Facebook, Microsoft, Twitter, and YouTube announced a new partnership to create a "shared industry database" that identifies "content that promotes terrorism." Each company will use the database to find "violent terrorist imagery or terrorist recruitment videos or images" on their platforms, and remove the content according to their own policies. The exact technology involved isn't new. The newly announced partnership is likely modeled after what companies already do with child pornography. But the application of this technology to "terrorist content" raises many questions. Who is going to decide whether something promotes terrorism or not? Is a technology that fights child porn appropriate for addressing this particular problem? And, most troubling of all, is there even a problem to be solved? Four tech companies may have just signed onto developing a more robust censorship and surveillance system based on a narrative of online radicalization that isn't well-supported by empirical evidence. Many companies (for example, Verizon, which runs an online backup service for customers' files) use a database maintained by the National Center for Missing and Exploited Children (NCMEC) to find child pornography. If they find a match, service providers notify the NCMEC Cyber Tipline, which then passes on that information to law enforcement. The database doesn't contain the images themselves, but rather hashes, digital fingerprints that identify a file. This means that service providers can scan their servers without "looking" at anyone's files. Thanks to PhotoDNA, a technology donated by Microsoft, the hashes are made using biometric information inside the photos and videos, meaning that cropping or resizing the files won't necessarily change the hash value being used.
Monday's announcement marks the first time companies have sought to use this kind of technology to combat "terrorist content online." It's an odd match. The hash matching system appealed to many aspects of the fight against child pornography. For one thing, it allowed companies to scan for files without finding out anything about non-matching files, so, arguably, without violating anyone's privacy, except with respect to possession of child porn. It also protected people from having to look at child porn in order to identify it; the very act of looking at child porn so it can be removed from the internet can be traumatic to the employees who are policing content on platforms. Neither of these specific upsides to the hash identification system seems to apply to "terrorist content," since the partnership appears to be aimed at publicly posted social media. (I asked Facebook via email whether the hash identification system would be applied to private messages between users, but did not hear back from the company.) Furthermore, the companies have stated in their press release that a person on the other end will be looking at the content before taking it down. The press release implies, but does not explicitly say, that matching hits will not be provided to government officials, the way that hits for child pornography are. * * *
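The hash-matching mechanism the article describes, as an added illustration that is not from the article and not PhotoDNA (whose internals are not public): a toy scanner using the public dHash perceptual hash on a constructed grayscale image, showing why a cryptographic hash of the file breaks on resize while the perceptual hash still matches the database entry, and that the scanner learns nothing about non-matching files beyond their distance from known hashes.

```python
"""Toy hash-matching scanner: cryptographic hash vs. perceptual hash (dHash).

Constructed example. dHash (difference hash) is a public algorithm used here
as a stand-in for PhotoDNA, whose internals are not public. Images are plain
lists of rows of 0-255 grayscale values so the script runs without Pillow.
"""
import hashlib


def make_sample_image(width, height, invert=False):
    """Constructed test image: horizontal gradient with a dark square in it."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            v = x * 255 // max(width - 1, 1)
            if invert:
                v = 255 - v
            if width // 4 <= x < width // 2 and height // 4 <= y < height // 2:
                v = 20  # dark block, same place regardless of inversion
            row.append(v)
        img.append(row)
    return img


def resize_box(img, new_w, new_h):
    """Resample to new_w x new_h by averaging each destination cell's source
    pixels (pixel replication when upscaling)."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for y in range(new_h):
        y0 = y * src_h // new_h
        y1 = max((y + 1) * src_h // new_h, y0 + 1)
        row = []
        for x in range(new_w):
            x0 = x * src_w // new_w
            x1 = max((x + 1) * src_w // new_w, x0 + 1)
            cell = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(cell) // len(cell))
        out.append(row)
    return out


def sha256_hex(img):
    """Cryptographic fingerprint of the raw pixel bytes: any change alters it."""
    return hashlib.sha256(bytes(v for row in img for v in row)).hexdigest()


def dhash(img):
    """64-bit difference hash: shrink to 9x8, emit a 1 bit where a pixel is
    brighter than its right-hand neighbour. Encodes structure, not bytes."""
    small = resize_box(img, 9, 8)
    bits = 0
    for row in small:
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two 64-bit hashes."""
    return bin(a ^ b).count("1")


def match_against_db(img, hash_db, threshold=5):
    """Return labels of database entries within `threshold` bits of the image's
    dHash. The scanner never needs the database images themselves."""
    h = dhash(img)
    return [label for label, known in hash_db.items() if hamming(h, known) <= threshold]


if __name__ == "__main__":
    original = make_sample_image(64, 64)
    resized = resize_box(original, 128, 128)   # same picture, different bytes
    unrelated = make_sample_image(64, 64, invert=True)
    db = {"known-item-1": dhash(original)}     # constructed "industry database"
    print("sha256 equal after resize:", sha256_hex(original) == sha256_hex(resized))
    print("dhash distance after resize:", hamming(dhash(original), dhash(resized)))
    print("resized matches:", match_against_db(resized, db))
    print("unrelated matches:", match_against_db(unrelated, db))
```

The distance threshold is the knob a reviewer would tune: too loose and unrelated pictures collide, too tight and trivially re-encoded copies slip past, which is why a human check before takedown (as the press release promises) still matters.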

Google just published eight National Security Letters (TechCrunch, 13 Dec 2016) - Google dropped a single National Security Letter into its most recent transparency report without much fanfare, but today the company published eight more NSLs in an attempt to shed more light on government surveillance of Google users. The eight letters published today were sent to Google from FBI offices across the country. Cumulatively, the NSLs seek broad access to content for around 20 user accounts. The usernames of the targets are redacted, although the FBI does not require it. A Google spokesperson said the usernames were redacted to protect user privacy and that the targeted individuals had been notified. The NSLs were sent to Google over a five-year period, from 2010 to 2015, with the majority coming from the Charlotte, North Carolina field office of the FBI. Others came from Florida, Arizona, New York and California. NSLs have historically been issued with interminable gag orders preventing tech companies from discussing the letters or their contents, but the passage of the USA Freedom Act last year allowed companies to begin disclosing the letters. Yahoo became the first major tech company to disclose NSLs it received from the FBI, publishing three in June. Since then, Google and the Internet Archive have followed suit. Google has fought to make the letters public in part because the FBI can issue them without prior judicial oversight. Many tech companies have argued that, given the wealth of information held in their users' accounts, the data should not be subject to a secret search without the approval of a court. Over the past several years, Google challenged 19 NSLs in court and last year won the right to tell WikiLeaks employees that their data had been requested. Soon, Google will establish a home for its NSL disclosures as part of its transparency report, Salgado said. In the meantime, you can read the eight letters here.

GT partners with law firm to offer cyber security audits (CCH Daily, 13 Dec 2016) - Grant Thornton UK has teamed up with international law firm Lewis Silkin to launch a new data and cyber security audit service, which the firms say will help global organisations ensure they are compliant and minimise risks in the face of increasing data breach risk and regulation. The new service, called DataCheckPoint, is based on an eight-stage process including audits incorporating a new scoping and gap analysis methodology which caters for innovative reporting and effective compliance implementation programmes. Grant Thornton says the new service is designed to help clients prepare for the implementation of the General Data Protection Regulation (GDPR) and the security of network and information systems directive (NIS Directive). Both pieces of legislation come into force from May 2018.

iPhone user can be forced to produce the passcode to his phone, court rules (Orin Kerr, 14 Dec 2016) - I have blogged a few times about the Fifth Amendment limits of forced decryption, especially in light of a case pending on the issue in the Third Circuit. Although that federal case is still pending, the Florida Court of Appeals (Second District) has handed down a new decision, State v. Stahl, on the same issue. Stahl holds that the government can force an iPhone user to hand over the passcode to unlock the phone so long as the government can show that the user knows the passcode. I think Stahl is correct, and I thought I would explain the case and its reasoning. The facts of Stahl are simple. Stahl has been arrested for allegedly surreptitiously taking pictures up the skirt of a female shopper in a clothing store. The police seized Stahl's iPhone 5, which they think he used to take the pictures. The police have a warrant to search the phone for the images he took to prove his crime. They can't get into the phone, however, because it is locked. The police asked Stahl for the passcode to his iPhone, but he refused to provide it. The government then sought an order compelling Stahl to produce the passcode. The issue in the case is whether the Fifth Amendment bars the order. The trial court concluded that it did because the government did not satisfy the foregone conclusion doctrine. Specifically, the government did not show with reasonable particularity what the contents of the phone were. The Court of Appeals disagreed, ruling that the Fifth Amendment doesn't bar the order under the foregone conclusion doctrine because it's the foregone knowledge of the password, not the contents of the phone, that matters. Here's the analysis from Judge Black: * * *

Google just dodged a privacy lawsuit by scanning your emails a tiny bit slower (The Verge, 14 Dec 2016) - Yesterday, Google tentatively agreed to a series of changes in the way it collects data from Gmail, as part of a proposed settlement in Northern California District Court. If the court approves the settlement, Google will eliminate any collection of advertising-specific data before an email is accessible in a user's inbox. The result likely won't be noticeable to users, but it represents a real change to the way Google's systems work, brought about after a voluntary settlement rather than a legal ruling. The case, called Matera vs. Google, began in September 2015, when plaintiffs alleged the email scanning violated California and federal privacy law, calling it "the twenty-first-century equivalent of AT&T eavesdropping on each of its customers' phone conversations, or of the postal service taking information from private correspondence." The suit was specifically brought on behalf of non-Gmail users, who haven't agreed to have their emails scanned under Google's Terms of Service. Because Gmail's ad-targeting system draws on every email a Gmail user receives, it inevitably catches some messages from non-Gmail addresses. Scans that take place before emails are available to the user are particularly sensitive, since they're not yet part of Gmail's inbox. In real terms, that gap lasts only a few milliseconds, but plaintiffs argued it still constituted a breach of both the federal Electronic Communications Privacy Act and the California Information Privacy Act. The fix for Google was simple enough: close the gap. Google will still preemptively scan emails for malware and spam filtering, but any advertising-specific scans will be reserved until the email is accessible to the user. Reached by The Verge, Google declined to comment, but confirmed that the settlement would result in concrete technical changes once approved.
The plaintiffs' lawyers did not respond to a request for comment. That might seem like a minor distinction, but it's one that's increasingly troublesome for email companies - and lucrative for plaintiffs. Yahoo settled a similar lawsuit in January of this year, agreeing to delay its ad-scanning systems and pay up to $4 million in fees to the attorneys who filed the case. Google has also agreed to pay any costs associated with this week's settlement, including up to $2.2 million in attorney fees and $2,000 for each of the class representatives.

Digital Millennium Copyright Act - DMCA agent revamp, act now (Hogan Lovells, 14 Dec 2016) - Online Service Providers (OSPs) must register under a new electronic system by December 31, 2017 but can, and should, do so as soon as possible. The U.S. Copyright Office has ditched the scanned paper system for registration of DMCA Agents. OSPs seeking safe harbor protections may now register using the new electronic system, which launched December 1, 2016. Only OSPs (e.g. providers of online services or network access, including sites that allow posting of user-generated content) that have registered by December 31, 2017 will continue to have Section 512 protection. Since 2011 the Copyright Office has been considering revision of the DMCA Agent system, part of the Digital Millennium Copyright Act, enacted by Congress back in 1998, which enables online service providers to limit their liability for copyright infringement committed by their users. A condition of this "safe harbor" is that the OSP must designate an agent for receiving infringement claims both on the OSP's own website and through the Copyright Office's public directory of designated agents. Adapting to today's realities, the system will now be fully electronic. The new system completely replaces the former paper-based system - a reform that will be implemented by amending 37 CFR part 201.38 (full text here). The change enables service providers to submit designated agent information more efficiently, the Copyright Office to load the information more quickly, and the public to search it more easily. Filing fees have been reduced from the minimum $105 to a flat fee of $6 per designation (for each filing or amendment). Automated reminders will simplify keeping contact information up-to-date. The designation will now automatically expire after three years unless it is either renewed or confirmed to be still accurate.
Online Service providers must submit new designations through the electronic system by December 31, 2017. The Office will no longer accept paper designations. Paper designations filed before December 1, 2016 will continue to satisfy the legal obligations of section 512 until the December 31, 2017 transition deadline. * * *

Germany-wide consortium of research libraries announce boycott of Elsevier journals over open access (BoingBoing, 15 Dec 2016) - Germany's DEAL project, which includes over 60 major research institutions, has announced that all of its members are canceling their subscriptions to all of Elsevier's academic and scientific journals, effective January 1, 2017. The boycott is in response to Elsevier's refusal to adopt "transparent business models" to "make publications more openly accessible." Elsevier is notorious even among academic publishers for its hostility to open access, but it also publishes some of the most prestigious journals in many fields. This creates a vicious cycle, where the best publicly funded research is published in Elsevier journals, which then claims ownership over the research (Elsevier, like most academic journals, requires authors to sign their copyrights over, though it does not pay them for their writing, nor does it pay for their research expenses). Then, the public institutions that are producing this research have to pay very high costs to access the journals in which it appears. Journal prices have skyrocketed over the past 40 years. No one institution can afford to boycott Elsevier, but collectively, the institutions have great power. The high price-ticket on journals means that the entire customer base for them is institutions, not individuals, and the increasing prices have narrowed the field of institutions that can afford to participate -- but that has also narrowed the number of institutions that need to cooperate to cripple Elsevier and bring it to heel. Even so, this kind of boycott was unimaginable until recently -- but the rise of guerrilla open access sites like Sci-Hub mean that researchers at participating institutions can continue to access Elsevier papers by other means.

Evernote's new privacy policy lets staff read customers' notes 'to improve the service' (MacRumors, 15 Dec 2016) - Some users of Evernote have threatened to stop using the note-taking service after the company announced a new privacy policy scheduled to go into effect on January 23 that allows employees to read customers' notes. The policy changes are related to machine learning algorithms, says Evernote, which are being tested on user content that the company has accumulated since going into operation. Specifically, Evernote explained that staff may need to read customer notes in order to ensure the algorithms are working as they should: "The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content. While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should." In describing this position more succinctly, Evernote's privacy policy states that employees will look at notes "for troubleshooting purposes or to maintain and improve the Service". But some users are concerned about the vague wording of the clause, which journalist Stacy-Marie Ishmael has called "so broad as to be all inclusive". Meanwhile, some users have taken to social media to join a growing chorus of revolt. Evernote says that only a limited number of employees who have undergone background checks will be able to access note content and that users can encrypt notes to prevent staff from reading them. But while users can opt out of having their notes reviewed for machine learning purposes, Evernote can still access content for other reasons, including violations of terms of service, to protect the rights, property, or personal safety of Evernote and its users, or to comply with law enforcement requests, warrants, or court orders.
Users can read more about the new changes to Evernote's privacy policy here.

- and -

Evernote backs off from privacy policy changes, says it 'messed up' (ComputerWorld, 16 Dec 2016) - Evernote has reversed proposed changes to its privacy policy that would allow employees to read user notes to help train machine learning algorithms. CEO Chris O'Neill said the company had "messed up, in no uncertain terms." The move by the note-taking app follows protests from users, some of whom have threatened to drop the service after the company announced that its policy would change to improve its machine learning capabilities by letting a select number of employees, who would assist with the training of the algorithms, view the private information of its users. The company claims 200 million users around the world. The machine learning technologies would make users more productive as they would allow the automation of functions now done manually, like creating to-do lists or putting together travel itineraries, O'Neill had said earlier on Thursday in defense of the proposed changes. Evernote employees would only see random content in snippets to check that the features are working properly, but they wouldn't know who it belongs to, and personal information would be masked, he added. The changes to the privacy policy were to come into effect on Jan. 23.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Blog-aholics (The Atlantic, Jan/Feb 2006) -- Most of us will admit to wasting some time at work. But three new studies suggest that more time is lost now than ever before. According to a survey by the magazine Advertising Age, a leading culprit is Weblogs. The survey indicates that one in four U.S. workers reads blogs regularly while at work, losing, on average, some nine percent of the workweek. This amounts to 551,000 years of labor lost in 2005 alone. If only the bloggers whose words seem so compelling were the ones sending us e-mail: 34 percent of workers surveyed by Information Mapping, Inc. reported wasting thirty to sixty minutes a day trying to interpret "ineffectively" written messages. A third study offers comfort, or at least a way to pass the buck for all the lost time. Having examined productivity in nine countries, it concludes that 37 percent of the time spent at work is wasted, but that poor management and inadequate supervision are largely to blame.

Accessibility lawsuit against Target can proceed (ComputerWorld, 8 Sept 2006) -- A federal judge in San Francisco ruled Wednesday that a lawsuit filed against Minneapolis-based Target Corp. by the National Federation of the Blind (NFB) regarding the accessibility of the retailer's Web site can move forward. According to the NFB, the ruling sets a precedent establishing that retailers must make their Web sites accessible to the blind under the Americans with Disabilities Act (ADA). "This ruling is a great victory for blind people throughout the country," said NFB President Marc Maurer. "We are pleased that the court recognized that the blind are entitled to equal access to retail Web sites." When asked if the NFB would file lawsuits against other online retailers and sites, spokesman John Pare said, "You probably could imagine that we would."

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.