Saturday, September 16, 2017

MIRLN --- 27 August – 16 Sept 2017 (v20.13)

MIRLN --- 27 August - 16 Sept 2017 (v20.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information (Bar of the City of NY Formal Opinion 2017-5, July 2017) - Under the New York Rules of Professional Conduct (the "Rules"), a New York lawyer has certain ethical obligations when crossing the U.S. border with confidential client information. Before crossing the border, the Rules require a lawyer to take reasonable steps to avoid disclosing confidential information in the event a border agent seeks to search the attorney's electronic device. The "reasonableness" standard does not imply that particular protective measures must invariably be adopted in all circumstances to safeguard clients' confidential information; however, this opinion identifies measures that may satisfy the obligation to safeguard clients' confidences in this situation. Additionally, under Rule 1.6(b)(6), the lawyer may not disclose a client's confidential information in response to a claim of lawful authority unless doing so is "reasonably necessary" to comply with a border agent's claim of lawful authority. This includes first making reasonable efforts to assert the attorney-client privilege and to otherwise avert or limit the disclosure of confidential information. Finally, if the attorney discloses clients' confidential information to a third party during a border search, the attorney must inform affected clients about such disclosures pursuant to Rule 1.4. [Polley: Spotted by MIRLN reader Roland Trope - @RolandTrope. Very interesting opinion, and should be influential well beyond NYC; contains a scary sentence: "in many cases the attorney will entirely avoid carrying clients' confidential information in an electronic device", and footnotes the increasing possibility that the same issues may arise upon entry to other countries.]

VW engineer sentenced to 40-month prison term in diesel case (Reuters, 25 Aug 2017) - A federal judge in Detroit sentenced former engineer James Liang to 40 months in prison on Friday for his role in Volkswagen AG's multiyear scheme to sell diesel cars that generated more pollution than U.S. clean air rules allowed. U.S. District Court Judge Sean Cox also ordered Liang to pay a $200,000 fine, 10 times the amount sought by federal prosecutors. Cox said he hoped the prison sentence and fine would deter other auto industry engineers and executives from similar schemes to deceive regulators and consumers. Prosecutors last week recommended that Liang, 63, receive a three-year prison sentence, reflecting credit for his months of cooperation with the U.S. investigation of Volkswagen's diesel emissions fraud. Liang could have received a five-year prison term under federal sentencing guidelines. Liang's lawyers had asked for a sentence of home detention and community service. Volkswagen pleaded guilty in March to three felony charges under an agreement with prosecutors to resolve the U.S. criminal probe of the company itself. It agreed to spend as much as $25 billion in the United States to resolve claims from owners and regulators and offered to buy back about 500,000 vehicles.

Despite privacy outrage, AccuWeather still shares precise location data with ad firms (ZDNet, 25 Aug 2017) - AccuWeather is still sending precise geolocation data to a third-party advertiser, ZDNet can confirm, despite updating its app earlier this week to remove a feature that collected users' location data without their permission. In case you missed it, AccuWeather was until this week sending the near-precise location of its iPhone app users to Reveal Mobile, a data monetization firm -- even when location sharing was switched off. Security researcher Will Strafach, who first reported the issue, also accused the company of sharing a user's precise GPS coordinates under the guise of providing local weather alerts. The news sparked outrage and anger. AccuWeather responded with a forced apology, which one leading Apple critic, John Gruber, called a "bulls**t response." However, tests conducted by Strafach show that the updated app, released Thursday, still shares precise geolocation data with a data monetization and advertising firm. ZDNet independently verified the findings. We found that AccuWeather was still, with location sharing enabled, sending precise GPS coordinates and altitude, albeit to a different advertiser, without the user's explicit consent. That data can be used to pinpoint a person's location down to a few meters -- even which floor of a building they are on.

How the NSA identified Satoshi Nakamoto (Medium, 26 Aug 2017) - The 'creator' of Bitcoin, Satoshi Nakamoto, is the world's most elusive billionaire. Very few people outside of the Department of Homeland Security know Satoshi's real name. In fact, DHS will not publicly confirm that even THEY know the billionaire's identity. Satoshi has taken great care to keep his identity secret, employing the latest encryption and obfuscation methods in his communications. Despite these efforts (according to my source at the DHS) Satoshi Nakamoto gave investigators the only tool they needed to find him - his own words. Using stylometry one is able to compare texts to determine authorship of a particular work. Throughout the years Satoshi wrote thousands of posts and emails, most of which are publicly available. According to my source, the NSA was able to use the 'writer invariant' method of stylometry to compare Satoshi's 'known' writings with trillions of writing samples from people across the globe. By taking Satoshi's texts and finding the 50 most common words, the NSA was able to break down his text into 5,000-word chunks and analyse each to find the frequency of those 50 words. This would result in a unique 50-number identifier for each chunk. The NSA then placed each of these numbers into a 50-dimensional space and flattened them into a plane using principal components analysis. The result is a 'fingerprint' for anything written by Satoshi that could easily be compared to any other writing. The NSA then took bulk emails and texts collected from their mass surveillance efforts. First through PRISM (a court-approved front-door access to Google and Yahoo user accounts) and then through MUSCULAR (where the NSA copies the data flows across fiber optic cables that carry information among the data centers of Google, Yahoo, Amazon, and Facebook) the NSA was able to place trillions of writings from more than a billion people in the same plane as Satoshi's writings to find his true identity. The effort took less than a month and resulted in a positive match. Why go to so much trouble to identify Satoshi? My source tells me that the Obama administration was concerned that Satoshi was an agent of Russia or China - that Bitcoin might be weaponized against us in the future. Knowing the source would help the administration understand their motives.
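The 'writer invariant' pipeline the Medium piece describes (most-common-word frequencies per chunk, principal components analysis down to a plane, then comparison against a known author's fingerprint) can be shown end to end on a toy scale. The block below is an added example written for this newsletter, not code from the Medium author or from any agency; the two "authors" and their text are constructed synthetically with a seeded random generator so the example runs offline, the chunk size is reduced from 5,000 words to 300 so the sample stays small, and PCA is done with plain power iteration rather than a numerical library. The point for a privacy-minded reader is that the features are function words such as "the" and "of", which track habit rather than topic, which is why changing subject matter or using encryption for transport does nothing to hide them.

```python
"""Toy 'writer invariant' stylometry: relative frequency of the most common
words per chunk, PCA to a plane, nearest-centroid attribution.
Added example with constructed sample text; not the article's own method code."""
import random
import re
from collections import Counter
from math import sqrt

TOP_N = 50  # number of most common words used as features, as in the article


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return re.findall(r"[a-z']+", text.lower())


def top_words(tokens, n=TOP_N):
    return [w for w, _ in Counter(tokens).most_common(n)]


def chunk_vectors(tokens, vocab, chunk_words):
    """One relative-frequency vector (one number per vocab word) per full chunk."""
    vectors = []
    for start in range(0, len(tokens) - chunk_words + 1, chunk_words):
        counts = Counter(tokens[start:start + chunk_words])
        vectors.append([counts[w] / chunk_words for w in vocab])
    return vectors


def covariance(rows):
    n, dims = len(rows), len(rows[0])
    cov = [[0.0] * dims for _ in range(dims)]
    for v in rows:
        for i in range(dims):
            for j in range(dims):
                cov[i][j] += v[i] * v[j]
    return [[c / (n - 1) for c in row] for row in cov]


def dominant_eigenvector(matrix, iters=300):
    """Power iteration: returns (unit eigenvector, eigenvalue) of the largest component."""
    dims = len(matrix)
    vec = [1.0 / sqrt(dims)] * dims
    for _ in range(iters):
        nxt = [sum(matrix[i][j] * vec[j] for j in range(dims)) for i in range(dims)]
        norm = sqrt(sum(x * x for x in nxt))
        if norm == 0.0:
            break
        vec = [x / norm for x in nxt]
    eigval = sum(vec[i] * sum(matrix[i][j] * vec[j] for j in range(dims)) for i in range(dims))
    return vec, eigval


def pca(vectors, k=2):
    """Return (means, components) so that any later vector can be projected the same way."""
    dims = len(vectors[0])
    means = [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]
    centered = [[v[d] - means[d] for d in range(dims)] for v in vectors]
    m = covariance(centered)
    comps = []
    for _ in range(k):
        vec, val = dominant_eigenvector(m)
        comps.append(vec)
        for i in range(dims):  # deflate so the next pass finds the next component
            for j in range(dims):
                m[i][j] -= val * vec[i] * vec[j]
    return means, comps


def project(vector, means, comps):
    centered = [vector[d] - means[d] for d in range(len(vector))]
    return tuple(sum(centered[d] * c[d] for d in range(len(vector))) for c in comps)


def build_model(corpora, chunk_words):
    """corpora: {author: text}. Fits the plane and stores one centroid per author."""
    tokens = {a: tokenize(t) for a, t in corpora.items()}
    vocab = top_words([w for ts in tokens.values() for w in ts])
    per_author = {a: chunk_vectors(ts, vocab, chunk_words) for a, ts in tokens.items()}
    means, comps = pca([v for vs in per_author.values() for v in vs])
    centroids = {}
    for a, vs in per_author.items():
        pts = [project(v, means, comps) for v in vs]
        centroids[a] = tuple(sum(p[i] for p in pts) / len(pts) for i in range(2))
    return {"vocab": vocab, "means": means, "comps": comps,
            "centroids": centroids, "chunk_words": chunk_words}


def attribute(model, text):
    """Nearest author centroid in the PCA plane for the first full chunk of text."""
    vecs = chunk_vectors(tokenize(text), model["vocab"], model["chunk_words"])
    if not vecs:
        raise ValueError("text shorter than one chunk")
    pt = project(vecs[0], model["means"], model["comps"])
    return min(model["centroids"],
               key=lambda a: sqrt(sum((pt[i] - model["centroids"][a][i]) ** 2 for i in range(2))))


# Constructed sample input: two synthetic 'authors' with different function-word habits.
WORDS = ["the", "of", "and", "a", "to", "in", "that", "is", "it", "for", "was", "on"]
STYLE = {
    "author_a": [9, 7, 6, 2, 2, 3, 2, 2, 1, 1, 1, 1],
    "author_b": [2, 2, 3, 9, 7, 6, 1, 1, 2, 2, 1, 1],
}


def synthetic_text(author, n_words, seed):
    rng = random.Random(seed)
    return " ".join(rng.choices(WORDS, weights=STYLE[author], k=n_words))


def demo(true_author="author_a", chunk_words=300):
    """Fit on 8 chunks per author, then attribute one unseen chunk; returns the label."""
    corpora = {a: synthetic_text(a, 8 * chunk_words, seed=i) for i, a in enumerate(STYLE)}
    model = build_model(corpora, chunk_words)
    return attribute(model, synthetic_text(true_author, chunk_words, seed=99))


if __name__ == "__main__":
    print(demo("author_a"), demo("author_b"))
```

Run it directly and it prints the attribution for one unseen chunk from each synthetic author. The same `build_model`/`attribute` pair works on real text of any length once `chunk_words` is raised back toward the article's 5,000; the synthetic vocabulary here is deliberately tiny so the whole thing runs in under a second.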

Cyber crime now targeting law firms (Law Journal Newsletters, August 2017) - Cyber attacks and theft are on the rise around the country, and law firms are becoming prime targets. Similar to healthcare providers, a law firm's data (i.e., client files) can be the gold standard. Unlike manufacturers, banks and retailers, law firms are unique organizations that result in them being highly vulnerable. * * * Once firms recognize they are targets, and all are, they must be proactive in addressing the situation. Where to start? A comprehensive cyber risk assessment is critical to structuring a strong, multi-pronged defense. Think enterprise risk management - not to mention ethical concerns if breached. The American Bar Association just re-visited the issue of cybersecurity as an ethical consideration for attorneys and sets out some limited guidance. (See the ABA's Cybersecurity Legal Task Force.) An assessment becomes the guide to building a robust cybersecurity defense for any law firm. However, once a firm's security is implemented and verified, the process cannot stop there. Just like malpractice insurance, cybersecurity insurance is a must these days. For many firms, a breach exposing large amounts of clients' private information can quickly escalate into a bet-the-firm proposition to survive. The average cost for responding to a breach is approximately $221 per client. Do the math. And that does not even begin to address a firm's costs to re-secure their network, public relations expenses, lost income, and the likely lawsuits from unhappy clients. * * * [Polley: Nice to see the reference to the ABA's Task Force, which I'm co-chairing with Ruth Bro. Otherwise, the story is unremarkable.]

Meet the sometime-streamer: TV watchers who sign up for one show - then cancel (WaPo, 28 Aug 2017) - Winter has finally come for "Game of Thrones," whose latest season finale, which aired Sunday, left the land of Westeros in as deep a crisis as it's seen in thousands of years. But with the HBO fantasy series now on hiatus until at least the end of 2018, some viewers say they're taking a break from HBO entirely - highlighting a challenge facing many entertainment companies in an era of constant stimulation and on-demand digital services. Colleen Morrison, a "Game of Thrones" fan in New Jersey, signed up for HBO's online streaming app in June. Now, Morrison says, it's going to be an easy decision to cancel her subscription this week after she re-watches the season finale a second time. "I didn't mind paying the $15 each month because it's the kind of show where I wanted an immediate viewing to avoid spoilers, but I'm also not interested in keeping the service since I'm not invested in anything else," she said. Morrison is part of a small but savvy crowd of consumers who know exactly what they want out of their TV experience. Cost-conscious and empowered by the Internet's convenience-at-a-click mentality, these consumers take advantage of free trials, no-contract commitments and the media industry's own struggle in the face of technological change to help guard their wallets. Ignoring the barrage of in-house teasers and promos for other related content, these viewers resist the siren song of TV networks that, more than ever, are being forced to battle one another for attention dominance. An abundance of high-quality television shows from Netflix, Hulu and old-school cable programmers like AMC, HBO and Showtime are helping some consumers become more discerning in their tastes - and less loyal. Abandoning one series or channel for another has never been more convenient or less risky, particularly when many cable channels offer streaming apps directly to the public instead of through cable companies or other traditional TV providers. "In a world where you can turn anything on and off whenever you want, you're always fighting for my wallet," said Rich Greenfield, a media analyst at BTIG. "I can cancel Hulu or Sling TV or HBO or DirecTV Now - any of these things have become 'point at a button and click.'"

- and -

AT&T expands free HBO to both its unlimited wireless plans (TechCrunch, 12 Sept 2017) - AT&T announced this morning it's adding free HBO to all customers on its unlimited wireless plans, including both Unlimited Plus and Unlimited Choice. The carrier in April had offered free HBO only to those on Unlimited Plus - its premium tier - but today's move brings the network to the Unlimited Choice plan as well. Currently, AT&T's Unlimited Choice plan offers unlimited data, talk and text for $60 per month, or 4 lines for under $40 per line. The option will become available to both new and existing AT&T Unlimited Choice customers starting on Friday, September 15th, says AT&T. As before when it rolled out free HBO to Unlimited Plus customers, AT&T is also sweetening this new deal by offering a $25 monthly video credit for Unlimited Choice customers that can be used towards any applicable AT&T video service, including its streaming service for cord cutters, DirecTV Now, as well as DirecTV and U-Verse TV. With the $25 credit, that means AT&T customers can basically add on over-the-top streaming TV for $10 per month, as DirecTV Now's plans begin at $35 per month. The fine print, however, notes that the credit starts within three billing cycles, so don't expect it right away. Customers with an existing AT&T video service will have HBO added for no extra charge to their existing plan, while current HBO subscribers will just no longer have to pay, the announcement explains. For those who don't subscribe to HBO through an AT&T video service, they'll be able to access HBO through the DirecTV Now and HBO GO applications.

To tackle robocalls from illegally spoofed numbers, FCC proposes whopping $82m fine (CommLawBlog, 29 Aug 2017) - Earlier this month, in its war against illegal robocalling campaigns the Federal Communications Commission (FCC) proposed another hefty fine. That is, a fine of 82 million dollars. The target of the FCC's wrath? Mr. Philip Roesel, who wasn't just calling a la Adele style. Instead, Mr. Roesel is accused of both illegal robocalling in violation of the Telephone Consumer Protection Act (TCPA) (for a refresher on the TCPA and robocalls, take a look here) and illegal spoofing, which the FCC claims violated the Truth in Caller ID Act of 2009 (TCIA). For his 21 million illegal robocalls, Mr. Roesel received merely a sternly worded citation from the FCC (more on why later). Following a recent trend, the FCC's massive $82 million fine proposed against Roesel relied primarily on the TCIA's prohibition against the transmission of misleading or inaccurate caller ID information, commonly referred to as spoofing, "with the intent to defraud, cause harm or wrongfully obtain anything of value." What's unique about this proposed fine is two-fold. First, the monetary value of the fine itself is one to write home about. While it doesn't match the record $120 million fine issued earlier this year in another TCIA case, $82 million isn't chump change. As with past TCIA penalties, the FCC set the base fine for each spoofed call at $1,000, which quickly adds up when there are millions of calls being made each month - though the FCC calculated the proposed fine on only the 82,000 calls verified to have come from spoofed numbers. Second, this fine is yet another instance where the TCIA has been used by the FCC to issue a penalty against illegal robocallers. It's a trend that the FCC started not too long ago but is likely to continue into the future for several reasons. [Polley: see also Phone industry turns to James Bond for answer to robocall villainy (LA Times, 1 Sept 2017)]

Watchdog pressed to probe post-data breach services (The Hill, 30 Aug 2017) - Democratic members of the House Energy and Commerce Committee are pressing a government watchdog to further investigate whether existing credit monitoring services do enough to protect consumers affected by data breaches. The Government Accountability Office (GAO) released a report in March on identity theft services offered by the federal government and private companies to consumers who have had their information exposed. While the watchdog concluded that services like credit monitoring offer some benefits, auditors said that they are "limited" in preventing some types of fraud. Democratic Reps. Frank Pallone Jr. (N.J.), Diana DeGette (Colo.) and Jan Schakowsky (Ill.) are now asking the GAO to explore a number of questions raised by the audit, including looking into whether certain credit monitoring services are more effective than others. They also want the watchdog to examine additional options that aren't currently used by private or public companies to protect consumers in the wake of breaches and to divulge "the recent trends in breaches or information theft."

16 colleges, 1 law firm (InsideHigherEd, 31 Aug 2017) - Collaboration is hard -- so much so that while a majority of campus business officials think their college or university should share back-office functions with other institutions, fewer than one in four say their leaders have seriously considered doing so, according to Inside Higher Ed's recent survey of business officers. The Associated Colleges of the South is a well-established consortium of 16 private liberal arts colleges that have a history of working together on international programs, teaching workshops and digital learning initiatives, as well as some joint purchasing agreements. But in an environment that the group's leader, R. Owen Williams, believes increasingly requires the colleges to drive down their internal costs (and hence their tuition prices), the coalition is taking collaboration to a new level: a seemingly unprecedented agreement for the 16 independent ACS colleges to share one national law firm, Steptoe & Johnson PLLC, based in West Virginia. Under the arrangement, in which the members are expected to participate to varying degrees, the colleges will continue to use their in-house legal teams (which half of them have) and local law firms for legal work involving the nuances of state law and transactions such as zoning or real estate. But Steptoe will offer both preventative educational advice designed to help keep the 16 colleges out of legal trouble, by better navigating the increasingly complex regulatory environment they face, and project-based legal services at a sharply reduced rate on issues such as federal regulatory compliance, academic freedom, domestic and international admissions, and nonprofit governance.

Justice Dept implores FCC to combat prison cellphone problem (AP, 31 Aug 2017) - The U.S. Department of Justice is pressing federal regulators to come up with a way of keeping inmates from using cellphones in the nation's prisons. In a letter obtained Thursday by The Associated Press, Assistant Attorney General Beth Williams told the Federal Communications Commission that addressing the security threat posed by contraband cellphones "should be a chief priority" of both the FCC and Justice, which oversees the federal Bureau of Prisons. The letter follows an appeal from South Carolina's prisons director to Attorney General Jeff Sessions in June, beseeching the top prosecutor for help pursuing FCC permission to jam cell signals of the phones, which are thrown over fences, smuggled by errant employees, even delivered by drone. A decades-old law says federal officials can grant permission to jam the public airwaves only to federal agencies, not state or local ones. Telecommunications companies are opposed, saying jamming cell signals could set a bad precedent and interfere with legal cell users nearby.

You can now download information from every congressional session since 1973 (Motherboard, 31 Aug 2017) - Since 2009, developers have been able to use the ProPublica Congress API (first developed by The New York Times) to retrieve data about the thousands of bills introduced during every two-year session in the House of Representatives. Until now though, you had to download each piece of information separately, and you needed to know how to write API calls. For example, if you wanted to discover who sponsored a bill and also how members of Congress voted on it, you would need to download those pieces of data individually, and know how to call for them in the software code. That's no longer the case. Wednesday, ProPublica announced that you can now download all the information about all of the bills in each legislative session using its new bulk bill data set. You can get all of the data for free in the ProPublica data store. There's also a data dictionary that can be used to decipher the bills here, and you can download them in either JSON or XML formats. Two times a day, ProPublica will generate a single zip file containing metadata for every bill introduced in the current congress. That way, if you're interested in learning about legislation currently being considered, you'll be able to get info about it quickly. The tool also lets you download archived sessions, dating back to 1973. Want to know how the war on drugs progressed through the 1980s, and how each member of Congress voted on related legislation? No problem, just download the bulk data for the corresponding time period, and start poking around. ProPublica hopes the new data will "be useful to researchers, journalists and any other citizen trying to better understand our country's legislature," Jeremy B. Merrill, a news apps developer at the organization, wrote in a post announcing the new tool.

Russian election hacking efforts, wider than previously known, draw little scrutiny (NYT, 1 Sept 2017) - The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November. Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours. Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state. The problems involved electronic poll books - tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters' identities and registration status. She knew that the company that provided Durham's software, VR Systems, had been penetrated by Russian hackers months before. "It felt like tampering, or some kind of cyberattack," Ms. Greenhalgh said about the voting troubles in Durham. There are plenty of other reasons for such breakdowns - local officials blamed human error and software malfunctions - and no clear-cut evidence of digital sabotage has emerged, much less a Russian role in it. Despite the disruptions, a record number of votes were cast in Durham, following a pattern there of overwhelming support for Democratic presidential candidates, this time Hillary Clinton. But months later, for Ms. Greenhalgh, other election security experts and some state officials, questions still linger about what happened that day in Durham as well as other counties in North Carolina, Virginia, Georgia and Arizona. After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists. The assaults on the vast back-end election apparatus - voter-registration operations, state and local election databases, e-poll books and other equipment - have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found. Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies. Intelligence officials in January reassured Americans that there was no indication that Russian hackers had altered the vote count on Election Day, the bottom-line outcome. But the assurances stopped there. Government officials said that they intentionally did not address the security of the back-end election systems, whose disruption could prevent voters from even casting ballots. That's partly because states control elections; they have fewer resources than the federal government but have long been loath to allow even cursory federal intrusions into the voting process. * * *

Harvard professor tells students they should come to class (InsideHigherEd, 5 Sept 2017) - This year's FAQ for CS50, Harvard University's largest course, featured this statement: "Unlike last year, students are encouraged to attend all lectures in person this year." Encouraging the 800-plus students enrolled in the introductory computer programming course may sound typical. But it's a reversal for the course, which is regularly described as one of the most popular and rigorous at Harvard, and a model of effective teaching. Last year David J. Malan, the Gordon McKay Professor of the Practice of Computer Science, made attending lectures optional. In a very public version of flipping the classroom, Malan said it would be fine for students to watch videos that are made of each lecture. In an essay a year ago, Malan wrote that he was requiring students to attend only the first and last lectures of the course. And he questioned the value of saying everyone should attend every lecture. * * * In an email to Inside Higher Ed, Malan said that there was no decline in learning outcomes in the course, even as the number of students who attended lectures in person was not as high as in past years. Malan also said that he realizes there will still be students who have scheduling conflicts with other courses such that they may rely on the recordings, which will be produced live this year. And other students may benefit from watching the recordings after attending the lectures in person. So why revert to telling students they are expected in class? "Enough former students reported that something was missing, not just the students themselves but the energy of an audience, that we decided to bring [encouraging students to attend] live lectures back this fall," Malan said. One of Harvard's satire websites has suggested that -- following Malan's shift -- another course should do the opposite.

Military appeals court says demands to unlock phones may violate the Fifth Amendment (TechDirt, 6 Sept 2017) - A decision [PDF] handed down by the Appeals Court presiding over military cases almost affirms Fifth Amendment protections against being forced to unlock devices and/or hand over passwords. Almost. The CAAF (Court of Appeals for the Armed Forces) doesn't quite connect the final dot, but does at least discuss the issue, rather than dismiss the Fifth Amendment question out of hand. (h/t FourthAmendment.com) The case stems from a harassment case against a soldier who violated (apparently repeatedly) a no-contact order separating him from his wife. After being taken into custody, Sgt. Edward Mitchell demanded to speak to a lawyer. Rather than provide him with a lawyer, investigators asked him to unlock his phone instead. * * *

Another state adopts duty of technology competence, bringing total to 28 (Bob Ambrogi, 6 Sept 2017) - In my continuing effort to keep a tally of the states that have adopted the duty of technology competence, I've discovered another, Nebraska, which brings the total to 28 states. The Nebraska Supreme Court adopted the amendment on June 28, 2017. It amends comment 6 to Nebraska Rule of Professional Conduct § 3-501.1 - the corollary to ABA Model Rule 1.1 on competence - to read as follows: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject." The italicized phrase ("including the benefits and risks associated with relevant technology") is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology.

Gender analytics: Using litigation data to evaluate law firm diversity (PatentlyO, 6 Sept 2017) - More women are entering the legal profession than ever - women now make up about half of all law students and 36% of all licensed attorneys - but these ratios are not reflected at the highest levels of firm positions. Judges anecdotally report that women rarely act as lead counsel in litigation, and the percentage of female partners at firms hovers around 22%. Corporate clients are aware of the gender imbalance and actively seek out firms that reflect their own commitment to gender diversity. Clients now regularly request firm diversity statistics as part of law firm pitches, putting pressure on firms to support female attorneys at the highest ranks. Law firms typically measure diversity by tracking headcount: the number of male and female associates and partners in their ranks. These metrics can ignore the often more meaningful metric of how often female attorneys actually appear in court-room litigation. Modern legal analytics can play an important role in increasing transparency in law firm gender diversity. Traditional legal analytics show how often parties or law firms win cases, or the likelihood of winning legal relief in front of a particular judge. However, they can also be used to rank and analyze more general litigation trends, including gender diversity. To identify firms with the most balanced male-female attorney ratio, Docket Alarm scours the litigation record, looking at the names of attorneys and their law firm. The gender of each attorney in a case is identified based on the attorney's first name and other factors. The result is that we can now measure firm gender diversity based on attorneys actually staffed on cases, i.e., those that most substantively participate in litigation, not just by firm head-count. The analysis began with the Patent Trial and Appeal Board ("PTAB"), a specialized court focused on patent validity. The analysis shows that patent litigation is dominated by male attorneys. Of the top 100 law firms, 55 have less than 10% female attorneys on cases, and 8 firms have never had a single female attorney work on their PTAB AIA-Trial cases. On average, attorney appearances are only 12% female. When representing patent owners, the percentage of female attorneys drops further to 9.8%. * * *

News use across social media platforms 2017 (Pew, 7 Sept 2017) - As of August 2017, two-thirds (67%) of Americans report that they get at least some of their news on social media - with two-in-ten doing so often, according to a new survey from Pew Research Center. This is a modest increase since early 2016, when (during the height of the presidential primaries) 62% of U.S. adults reported getting news from social media. While a small increase overall, this growth is driven by more substantial increases among Americans who are older, less educated, and nonwhite. This study is based on a survey conducted August 8-21, 2017, with 4,971 U.S. adults who are members of Pew Research Center's nationally representative American Trends Panel. For the first time in the Center's surveys, more than half (55%) of Americans ages 50 or older report getting news on social media sites. That is 10 percentage points higher than the 45% who said so in 2016. Those under 50, meanwhile, remain more likely than their elders to get news from these sites (78% do, unchanged from 2016). Furthermore, about three-quarters of nonwhites (74%) get news on social media sites, up from 64% in 2016. This growth means that nonwhites are now more likely than whites to get news while on social media. And social media news use also increased among those with less than a bachelor's degree, up nine percentage points from 60% in 2016 to 69% in 2017. Alternatively, among those with at least a college degree, social media news use declined slightly.

EU ministers test responses in first computer war game (Reuters, 7 Sept 2017) - European Union defense ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc's military missions abroad. In the simulation, hackers sabotaged the EU's naval mission in the Mediterranean and launched a campaign on social media to discredit the EU operations and provoke protests. Each of the defense ministers tried to contain the crisis over the course of the 90-minute, closed-door exercise in Tallinn that officials sought to make real by creating mock news videos giving updates on an escalating situation. * * * NATO last year recognized cyberspace as a domain of warfare and said it justified activating the alliance's collective defense clause. The European Union has broadened its information-sharing between governments and is expected to present a new cyber defense plan. The EU exercise made ministers consider how to work more closely with NATO, whose Secretary-General Jens Stoltenberg was there as an observer, diplomats present said. "Over the last year, we saw a 60 percent increase in the number of cyber attacks against NATO networks," Stoltenberg told reporters. "A timely exchange of information (with the EU) is key to responding to any cyber attacks." top

Virginia halts use of voting machines considered vulnerable to hacking (Reuters, 8 Sept 2017) - Virginia on Friday agreed to stop using paperless touchscreen voting machines that had been flagged by cyber security experts as potentially vulnerable to hackers and lacking sufficient vote auditing capabilities. The action represented one of the most concrete steps taken by a U.S. state to bolster the cyber security of election systems since the 2016 presidential race, when U.S. intelligence agencies say Russia waged a digital influence campaign to help President Donald Trump win. Virginia's board of elections voted to accept a recommendation from its state election director, Edgardo Cortes, to decertify so-called direct-recording electronic machines, which count votes digitally and do not produce paper trails that can be checked against a final result. Five states still rely solely on direct-recording electronic machines, according to Verified Voting. They include New Jersey, which will also elect a new governor this year. Eight other states rely on a mix of paper ballots and paperless direct-recording electronic machines, the group said. top

'Big tech' companies such as Facebook are skating on thin ice (Roger Cochetti in The Hill, 9 Sept 2017) - Internet sex trafficking issues exploded recently when Sens. Rob Portman (R-Ohio) and Claire McCaskill (D-Mo.) introduced S.1693, which could expose internet companies to liability for enabling sex trafficking. Nearly the entire internet industry opposes the legislation, but more than a quarter of both chambers have nonetheless co-sponsored the legislation. It's worth understanding how Section 230 came about and affected the internet ecosystem, and how recent efforts may now be putting it at risk. The world was a very different place in 1995. There were probably 15-20 million internet users and Prodigy, CompuServe and America Online dominated the online industry. Dial-up computer bulletin boards were popular, although many courts had held that their operators were publishers and responsible for the content they displayed. People increasingly believed that making any effort to curate content posted on one's internet service would make the operator responsible for all displayed content. The Senate had actually gone so far as to approve language declaring that online operators were subject to the same obscenity regulations as television broadcasters. The internet looked like it was headed for a life of endless lawsuits and regulations. Then-Reps. Chris Cox (R-Calif.) and Ron Wyden (D-Ore.) originally introduced Section 230 to prevent online service providers from being treated as if they were either publishers or TV broadcasters. It introduced the critically important concept of very limited or no intermediary liability for the content created by others. It was approved in the House as a part of the 1996 Telecom Act. * * * Internationally, at the time, few governments had much of an idea of how the internet fit into existing regulations.
The internet wasn't a computer bulletin board, a magazine, a bookstore, a telephone service, a closed computer network, broadcast TV, or cable TV. This is why 230 became important: It provided a simple explanation of the internet. The internet has some characteristics of a private computer service and some of a telephone service. Like a telephone service, the intermediaries couldn't be responsible for the content that flows over their network and like a private computer service, operators have a right to get rid of dangerous content. This explanation of how a then-unimportant medium should be viewed caught on internationally; and it's no exaggeration to say that it allowed the Internet as we know it to come into existence. That was then and this is now. Over the last 22 years, a lot has changed. Billions use the internet and virtually every policy-maker knows something about how it works. Big data and AI enable content monitoring that was considered science fiction in 1995 and nudity is far from the top concern about internet content. * * * top

Turks detained for using encrypted app 'had human rights breached' (The Guardian, 11 Sept 2017) - Tens of thousands of Turkish citizens detained or dismissed from their jobs on the basis of downloading an encrypted messaging app have had their human rights breached, a legal opinion published in London has found. The study, commissioned by opponents of the Turkish president, Recep Tayyip Erdoğan, argues that the arrest of 75,000 suspects primarily because they downloaded the ByLock app is arbitrary and illegal. It reflects growing concern about the legality of the Turkish government's crackdown in the aftermath of last year's failed coup. The legal opinion was commissioned by a pro-Gülen organisation based in Europe. The two British lawyers involved, William Clegg QC and Simon Baker, are experienced barristers. The report examines transcripts of recent trials of alleged Gülenists in Turkey as well as Turkish intelligence reports on ByLock. It concludes that the cases presented so far breach the European convention on human rights, which Turkey is signed up to. top

Tesla remotely extended the range of drivers in Florida for free... and that's NOT a good thing (TechDirt, 11 Sept 2017) - In the lead up to Hurricane Irma hitting Florida over the weekend, Tesla did something kind of interesting: it gave a "free" upgrade to a bunch of Tesla drivers in Florida, extending the range of those vehicles, to make it easier for them to evacuate the state. Now, as an initial response, this may seem praiseworthy. The company did something (at no cost to car-owners) to help them evacuate from a serious danger zone. In a complete vacuum, that sounds like a good idea. But there are a variety of problems with it when put back into context. The first thing you need to understand is that while Tesla sells different versions of its Model S, with different ranges, the range is actually entirely software-dependent. That is, it uses the same batteries in different cars -- it just limits how much they'll charge via software. Thus, spend more on a "nicer" model and more of the battery is used. So all that happened here was that Tesla "upgraded" these cars with an over-the-air update. In some ways, this feels kind of neat -- it means that a Tesla owner could "purchase" an upgrade to extend the range of the car. But it should also be somewhat terrifying. In some areas, this has led to discussions about the possibility of hacking the software on the cheaper version to unlock the greater battery power -- and I, for one, can't wait to see the CFAA lawsuit that eventually comes out of that should it ever happen (at least some people are hacking into Tesla's battery management system, but just to determine how much capacity is really available). But this brings us back to the same old discussion of whether or not you really own what you've bought. When a company can automagically update the physical product you bought from them, it at least raises some serious questions.
Yes, in this case, it's being used for a good purpose: to hopefully make it easier for Tesla owners to get the hell out of Florida. But it works the other way too, as law professor Elizabeth Joh points out * * * top

The next Yik Yak? (InsideHigherEd, 12 Sept 2017) - As thousands of students armed with smartphones start the new school year, they'll have plenty of social media options to choose from to find friends and connect with their peers. But at a select group of college campuses, a new player has entered the scene -- a student-centered networking app called Islands. Billed as "Slack for college students," Islands is a location-based app designed specifically with college students, rather than business colleagues, in mind. In an interview, Greg Isenberg, CEO of Islands, said that he wanted to create an experience that will "delight people" and help "connect the disconnected." Of course, students already have a lot of ways to connect with each other on campus, but Isenberg believes that a lot of students use apps like GroupMe out of necessity rather than by choice. "Ask any college kid what they think of GroupMe, and at least 75 percent will have had a negative experience with it," said Isenberg. "It's crazy, because if you ask them what are the three biggest apps they use on campus, they'll tell you Instagram, Snapchat and GroupMe. You have millions of daily active users using a product, and they're not even loving the experience." The premise of the Islands app is simple. If you're within range of a college campus with access to the app, you'll be able to log in with your Facebook account or email. Inside the app you'll find a number of different group chats, or "islands." Some are public, meaning anyone can join. Some are private, and you must request to join the group. Example public islands available when you log into the app include Buy & Sell, Pickup Basketball and Undergraduate Library. The aim of the app is to connect students to groups of people "they might never have found" otherwise -- whether that is a new best friend, a study partner or someone to play sports with.
The way that you choose to communicate when you start a private island is customizable, Isenberg explains. "We give people the Lego building blocks to create a space however they want. If they want to have a room that is anonymous, they could. If they want to have a room where all the messages disappear after an hour, great. If they want the room to just be for sharing photos, they can do that." * * * top

RESOURCES

Algorithms in the Criminal Justice System: Assessing the Use of Risk Assessments in Sentencing (Harvard, 25 Aug 2017) - In the summer of 2016, some unusual headlines began appearing in news outlets across the United States. "Secret Algorithms That Predict Future Criminals Get a Thumbs Up From the Wisconsin Supreme Court," read one. Another declared: "There's software used across the country to predict future criminals. And it's biased against blacks." These news stories (and others like them) drew attention to a previously obscure but fast-growing area in the field of criminal justice: the use of risk assessment software, powered by sophisticated and sometimes proprietary algorithms, to predict whether individual criminals are likely candidates for recidivism. In recent years, these programs have spread like wildfire throughout the American judicial system. They are now being used in a broad capacity, in areas ranging from pre-trial risk assessment to sentencing and probation hearings. This paper focuses on the latest, and perhaps most concerning, use of these risk assessment tools: their incorporation into the criminal sentencing process, a development which raises fundamental legal and ethical questions about fairness, accountability, and transparency. The goal is to provide an overview of these issues and offer a set of key considerations and questions for further research that can help local policymakers who are currently implementing or considering implementing similar systems. We start by putting this trend in context: the history of actuarial risk in the American legal system and the evolution of algorithmic risk assessments as the latest incarnation of a much broader trend. We go on to discuss how these tools are used in sentencing specifically and how that differs from other contexts like pre-trial risk assessment.
We then delve into the legal and policy questions raised by the use of risk assessment software in sentencing decisions, including the potential for constitutional challenges under the Due Process and Equal Protection clauses of the Fourteenth Amendment. Finally, we summarize the challenges that these systems create for law and policymakers in the United States, and outline a series of possible best practices to ensure that these systems are deployed in a manner that promotes fairness, transparency, and accountability in the criminal justice system. This is a paper of the Responsive Communities project produced by Harvard students Priscilla Guo, Danielle Kehl, and Sam Kessler. This paper is a product of the students' work in the HLS Responsive Communities Lab course, co-led by Susan Crawford and Waide Warner. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Tech firms, rights groups to form Web conduct code (CNET, 18 Feb 2007) -- Technology companies Microsoft, Google, Yahoo and Vodafone are in talks with human rights and press freedom groups to draw up an Internet code of conduct to protect free speech and privacy of Web users. The parties said in a statement Friday that they aim to produce a code by the end of this year that would counter such trends as the increased jailing of Internet journalists, monitoring of legitimate online activity, and censorship. Talks are being led by the Washington-based Center for Democracy and Technology and San Francisco nonprofit Business for Social Responsibility. They are trying to craft a code to hold companies accountable if they cooperate with governments to suppress free speech or violate human rights. "Technology companies have played a vital role building the economy and providing tools important for democratic reform in developing countries," said Leslie Harris, executive director of the Center for Democracy and Technology. "But some governments have found ways to turn technology against their citizens--monitoring legitimate online activities and censoring democratic material," Harris said. top

TJX data breach: at 45.6m card numbers, it's the biggest ever (Computerworld, 29 March 2007) -- After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise. In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data. In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings. "Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said. Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, August 26, 2017

MIRLN --- 6-26 August 2017 (v20.12)

MIRLN --- 6-26 August 2017 (v20.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Estonia steps up plan to counter cyber attacks by siting critical systems offshore (ZDnet, 3 Aug 2017) - To thwart a cyber-attack on its national infrastructure or even an invasion, Estonia is getting ready to open its first data embassy overseas. In 2014, Estonia introduced initial plans to create 'data embassies' capable of running duplicates of its critical systems, including databases and services, in secure data centers on foreign soil. Now, three years on, the then seemingly utopian plan is becoming a reality. Estonia has signed its first official contract with Luxembourg to guarantee diplomatic immunity for all the Baltic state's systems that are to be duplicated and run from a data center in the principality. "Next, we have to sign rental and service contracts to use Luxembourg's national data center and then we can start building the technology and 'furnishing' the data embassy," Mikk Lellsaar, ministry of economic affairs and communications executive specialist tells ZDNet. He says the embassy in Luxembourg is going to mirror many data systems of critical importance, such as the state treasury information system, state pension insurance registry, identity documents registry, business register, land register, and land cadastre among many others. top

Facebook is starting to put more posts from local politicians into people's News Feed (ReCode, 4 Aug 2017) - Facebook is testing a new feature that inserts posts from local politicians into users' News Feeds, even if they don't necessarily follow those politicians. The new feature, which was first noticed by one of my Recode colleagues, included a label titled "This week in your government." A Facebook spokesperson confirmed that the feature is a test. "We are testing a new civic engagement feature that shows people on Facebook the top posts from their elected officials," this spokesperson said in a statement. "Our goal is to give people a simple way to learn about what's happening at all levels of their government." The feature will appear, at most, once per week, and only for users who follow at least one local, state or federal representative from their area. Facebook knows who your local reps are if you handed over your address to use the company's voting plan feature - or its "Town Hall" feature, which helps people find and follow their elected officials. Otherwise, you'll just see posts from politicians at the state and federal levels. Facebook has been active in the past year about getting its user base more involved in politics. In addition to the features mentioned above, which were rolled out before the November presidential election, Facebook also let users register to vote via the social network, and CEO Mark Zuckerberg claims more than two million people did so. Adding this new feature might inspire more politicians to post to Facebook, especially if they think their posts will be promoted to more voters. It's unclear if Facebook takes political affiliation into account when deciding which posts to show people, but if it does not, it could also be a way for politicians to get their message to voters across the aisle. top

Your voter records are compromised. Can you sue? Theories of harm in data-breach litigation (Lawfare, 7 Aug 2017) - Last year, the Republican National Committee hired a firm called Deep Root Analytics to collect voter information. The firm accidentally exposed approximately 198 million personal voter records. This was 1.1 terabytes of personal information that the company left on a cloud server without password protection for two weeks. On June 21 of this year, victims filed a class action in Florida court against Deep Root Analytics for harm resulting from a data breach. Donald Trump has denounced such breaches as "gross negligence." The Deep Root lawsuit took him at his word, using that quote as evidence to make a claim on the legal theory of negligence. The complaint demands more than $5 million in damages. Defendants in data-breach cases (in this case, Deep Root Analytics is the defendant) often challenge a claim on the grounds that the pleading does not include an injury that is (1) "concrete, particularized and actual or imminent," (2) caused by the defendant, and (3) redressable by a court of law. * * * top

Gov. Rauner signs bill to protect Illinois from cyberthreats (Illinois.gov, 7 Aug 2017) - Today, Governor Rauner signed House Bill 2371, requiring all executive branch State of Illinois employees responsible to the Governor, not including public university employees, to undergo annual cybersecurity training to understand the risks, threats and best practices to defend against cyber threats. Hackers and cyber criminals continually grow more sophisticated in their attempts to steal sensitive data and infect state computer systems. It is crucial that state employees have knowledge to protect themselves and the state from the impact of cyber-attacks. This legislation is another advancement in the governor's vision for a cyber-secure Illinois to better protect the personal information of state residents and ensure critical state services are not interrupted. top

Harvard goes outside to go online (InsideHigherEd, 8 Aug 2017) - If any American university might be positioned to begin a new online program all by itself, Harvard University -- with its world-famous brand, many-billion-dollar endowment and founding relationship with the online course provider edX -- might be it. But the university announced Monday that three of its schools would create a new business analytics certificate program with 2U, the online program management company. A collaboration between 2U and professors at the Harvard Business School, the John A. Paulson School of Engineering and Applied Sciences, and the department of statistics in Harvard's main college, the Faculty of Arts and Sciences, the program will teach students how to leverage data and analytics to drive business growth. Aimed at executives in full-time work, the program will be delivered through 2U's online platform and will feature live, seminar-style classes with Harvard faculty members. The program will cost around $50,000 for three semesters, with an estimated time requirement of 10 hours per week. Chip Paucek, CEO of 2U, said the technology 2U can offer universities goes far beyond "just what the student sees." The company can use analytics to predict things such as enrollment and completion of courses, in addition to making programs widely accessible, and securing content from cyberattack. Aside from technology, 2U also offers up-front money. The company "invests heavily in each of its partnerships," said Paucek, typically spending between $5 million and $10 million in the first few years. Each 2U partnership lasts a minimum of 10 years to give the company time to recoup its investment from a significant slice of the student enrollment fees. Paucek said the partnership with Harvard was a high point in the company's 10-year history, and that the company was "honored to be a brand ambassador for one of the best-known brands in the world." 
Deciding to work with 2U was "not a trivial decision" for Harvard, said Paucek, adding that university officials "were clear they would not commit to it if it was not one of the world's best programs." Conversations about working together began around five years ago, according to Paucek. But it was not until two years ago that talks centered specifically on creating a business analytics program. top

EFF to court: Border agents need warrants to search contents of digital devices (EFF, 8 Aug 2017) - Searches of mobile phones, laptops, and other digital devices by federal agents at international airports and U.S. land borders are highly intrusive forays into travelers' private information that require a warrant, the Electronic Frontier Foundation (EFF) said in a court filing yesterday. EFF urged the U.S. Circuit Court of Appeals for the Fifth Circuit to require law enforcement officers at the border to obtain a warrant before performing manual or forensic searches of digital devices. Warrantless border searches of backpacks, purses, or luggage are allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. Yet EFF argues that, since digital devices can provide so much highly personal, private information (our contacts, our email conversations, our work documents, our schedules), agents should be required to show they have probable cause to believe that the device contains evidence of a violation of the immigration or customs laws. Only after a judge has signed off on a search warrant should border agents be allowed to rifle through the contents of cell phones, laptops, or tablets. Digital device searches at the border have more than doubled since the inauguration of President Trump. top

Two studies suggest trouble ahead for paywall journals (Phys.org, 8 Aug 2017) - Two independent studies looking at two aspects of paywalls versus free access to research papers suggest that trouble may lie ahead for traditional journals that continue to expect payment for access to peer-reviewed research papers. In the first study, a small team of researchers from the U.S. and Germany looked at the number of freely available papers on the internet using a web extension called Unpaywall: users enter information and the extension lists sources online for free. In the second study, a team with members from Canada, the U.S. and Germany looked at the popularity of a website known as Sci-Hub that collects and freely distributes research papers. Both groups have written papers describing their studies and results and have uploaded them to the PeerJ Preprints server. Free access to research papers is a hot topic in the research community, perhaps indicating coming changes to the status quo. The traditional model, in which a researcher pays for the privilege of reading published articles on journal sites like Science and Nature in order to cite work by others, is under fire. Many have claimed the system is unfair to those who cannot afford to pay such fees. Meanwhile, journal sites maintain their stance that the only way they can continue to exist as profitable entities is to charge access fees. They note also that they provide a valuable service: peer review. In these two new efforts, the researchers with both teams hint that the argument may soon become moot, as people who want to read research papers for free find easier access. In the first paper, the researchers worked with the team that makes the Unpaywall extension to get statistics on its use. They report finding that nearly half (47 percent) of all of the papers that people searched for using the app in 2015 were available for free.
They also report that overall, users were able to find free versions of 28 percent of articles they were looking for. In the second paper, the researchers worked with the team behind Sci-Hub, which many have described as a pirating site. They report that visitors could access 85 percent of articles that were still behind a paywall. They found also that the percentage was even higher for papers held behind Elsevier paywalls. They note that the team at Sci-Hub told them that efforts to shut down their site through legal means have resulted in free press, increasing its user base, a phenomenon they described as the "Streisand Effect," after Barbra Streisand, who famously tried to stop distribution of aerial photographs of her home several years ago, inadvertently exposing the photographs to many more people. top

Parting with our books (InsideHigherEd, 8 Aug 2017) - A few weeks ago, we moved into a new house, one much smaller than the home we lived in for 14 years before moving out of state. As part of our family's move to our transitional housing after taking a new job out of state last year, we downsized considerably. We gave away furniture, mementos that meant less and less as more and more time had passed by. We discarded the kids' first outfits from the hospital after their birth, their finger paintings, their first attempts at coloring within the lines, their first try at writing their own names, and a multitude of certificates of accomplishments. In fact, I managed to throw away a purse with my daughter's life fortune, a few hundred dollars that she will never forgive me for accidentally discarding. Disposing of these old and generally-considered sentimental items was nowhere near what it felt like giving away my old books. The first time I went through the book purge, it was hard. I hate moving and wanted to be done with it! Getting rid of old textbooks on building democratic societies, the fall of the Soviet Union, the rise of the Tiger economies, Mexican political history, economics and econometrics, and even most of my Dostoyevsky collection was somewhat painful, but practical. I knew then that, wherever we would end up living, most of the rooms would not have floor-to-ceiling bookcases as we had in most rooms of the home in which we had thought we would die. It was painful, but it had to be done. Moving into a permanent home now, I went through the book purge again. This time, I gave away more recent books, including some that I had not yet read. When one of my best friends was writing her dissertation on French and Caribbean literature, I bought so many of the books that she found interesting and I found interesting when she talked about them. They were fiction, which I generally find difficult to read. I bought a ton of them, but read few.
This weekend, as I packed those books in French and English, I wondered if there would come a day when I would ever finish Simone de Beauvoir's Le Deuxieme Sexe or the Marie Vieux Chauvet, Jacques Roumain, Rene Depestre and so many other books that I bought a decade ago. The truth is that the probability of me ever finishing or even starting some of those books was very slim, statistically insignificant from zero. So, I packed them feeling never more grateful for my undergraduate, liberal education that exposed me to so much more than statistical methods and measurement, where my reading interests were parked for a very long time. Had it not been for those general education courses, I would have likely stopped reading fiction and literature after high school. I would lack culture (though I can't claim to have a ton of it now). I realized as I packed these new sets of books to give away that, by the time I should ever want to read them, they will be available electronically or in some other form that I can't even imagine now. In many ways, I am old-fashioned. I cannot read books on a Kindle and I never learned how to type, so I pick the letters one by one even as I write this post. This made parting with those books even more emotional. The world is changing, but we don't know what the change will look like exactly. Maybe letting go of the books is somewhat symbolic of letting go of an unrealized aspiration of the cultured person I had the potential of becoming. The universe of things I read about now seems both broader and narrower at the same time. Perhaps, this post should have been titled "In Praise of Liberal Education," but there are so many of those essays already. Parting with our books is hard, but the technology that exists today and will soon come will make it easier to go back to that person that I was becoming. [ Polley : strongly resonated with me.] top

Ratings principles: Now coming to cybersecurity (CorporateCounsel.net, 9 Aug 2017) - Recently, a group of more than 40 prominent banks, retailers & tech companies released these " Principles for Fair & Accurate Securities Ratings ." Here's a teaser from this BakerHostetler blog (also see this Reuters article ): The principles are designed to promote fair and accurate cybersecurity ratings - in response to the recent emergence of several ratings companies that collect and analyze publicly accessible data to analyze a company's cybersecurity risk posture. The ratings are increasingly used by insurers - as well as in M&A and other business decisions. The data for risk ratings is typically collected without the target company's knowledge and comes from a variety of sources - e.g. hackers' forums, darknet data, Internet traffic stats, port-scanning tools & open-source malware intelligence sources. Ratings companies then use proprietary methodologies and algorithms to analyze the data and assign a grade. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable - if, for example, the source data is inaccurate or the methodology doesn't account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act. We don't know if cybersecurity risk ratings will become anywhere near as important as credit ratings - but keep them on your radar. The signatories to the principles include Aetna, American Express, Bank of America, Chevron, Eli Lilly, Fannie Mae, FICO, Goldman Sachs, Home Depot, Honeywell, JP Morgan, Microsoft, State Street & lots of other big names. top

- and -

When is "Hacking Disclosure" required in SEC filings? (CorporateCounsel.net, 9 Aug 2017) - By now, most companies have a cyber incident response plan - which should include contacting a securities lawyer to evaluate disclosure requirements. As outlined in this Goodwin memo , these decisions continue to depend on a fact-specific materiality analysis: What is "material" ends up being far less clear, and there is plenty of room for a public company to determine in good faith that a specific cyber incident does not require separate disclosure. Where the obligation is unclear, a company's reluctance to disclose is understandable: Disclosure may highlight vulnerabilities, and will bring unwelcome attention from customers, regulators and others. The plaintiffs' bar will also circle, smelling the possibility of a class action, and they will not view the company and its managers as the victims. While the SEC won't second-guess a good-faith analysis, they also won't shy away from investigating disclosure lags - see this WSJ article about whether Yahoo's data breach should've been reported sooner to investors. The memo identifies factors affecting disclosure decisions - such as the significance of other notice obligations, existing risk factors & potential remediation costs. Since the decision will probably have to be made quickly, it's not a bad idea to create a decision tree in advance. Our " Cybersecurity Disclosure Checklist " is a good starting point, and check out this blog as well… top

- and -

SEC observations on cybersecurity Sweep 2 (Artemis, 14 Aug 2017) - On Monday, the SEC released "Observations" on the seminal 2015 Cybersecurity Examination Initiative or what they are now referring to as "Sweep 2." While we find this document to be an unremarkable kitchen-sink of cyber-findings, the SEC has offered a concept for what they consider to be robust practices and perhaps a roadmap for achieving a higher level of Cybersecurity maturity for firms. We have reviewed the release and have distilled what we believe to be the key takeaways and suggestions for improving your program. Whether observations on a nearly two-year-old examination period are accurate or relevant is questionable. A whole new class of security tools is available, infrastructure and movement toward cloud-based services continues, and firms have been plodding forward on information security practices despite the SEC's nearly two-year silence on the subject. This is not completely fair as the SEC did include Cybersecurity as a concern under "Assessing Market-Wide Risks" in the 2017 Examination Priorities and issued a more timely, May 17 Risk Alert on Ransomware in the wake of WannaCry attacks. There is progression in the SEC's approach to Cybersecurity and its now fourth Risk Alert, and the Commission has been clear that they are still finding facts and learning in an area of persistent high risk and developing regulatory scrutiny. The SEC started the initiative with a clear focus on Policies and Procedures and fundamental identification and protection practices. IT security evolves organically from basic blocking and tackling of controls to more advanced practices such as monitoring/detection and testing/validation. The SEC's understanding and corresponding expectations of financial services firms appear to be developing along similar lines - to a call for greater granularity and specificity in certain IT security activities. * * * top

AVVO blasts new ethics opinions on attorney match services (New York Law Journal, 9 Aug 2017) - New York has become the latest state to target attorney match service Avvo Inc. for ethical violations. A new bar association ethics opinion says a lawyer paying Avvo's marketing fee to participate in its legal services program is making an improper payment for a recommendation, in violation of state ethics rules. The New York State Bar Association released the opinion by its committee on professional ethics on Wednesday. While the state bar's ethics opinions are advisory only, they are widely read and followed. Lawyers who continue to participate in Avvo's legal services program "do so at their own peril," said state bar president Sharon Stern Gerstman, counsel at Buffalo law firm Magavern Magavern Grimm. But in an interview, Avvo's chief legal counsel, Josh King, encouraged New York lawyers to continue participating, adding that Avvo would back any lawyer facing disciplinary action for his or her participation. To date, King said he is not aware of any attorney in such a position. The ethics opinion examines Avvo Legal Services, which King said has existed for about a year and a half and is only a narrow portion of Avvo's business. Although he declined to say how many New York attorneys participated, he said it can be measured in the "hundreds" and less than 2,000. The New York ethics opinion follows recent actions in other states such as New Jersey, where a joint opinion by three state's Supreme Court committees has blacklisted three web-based services that match litigants with attorneys, including Avvo, because of concerns over illicit fee-sharing and referral fees. Other states with ethics concerns over lawyer website services include Ohio, Pennsylvania and South Carolina. top

Bloomberg Law adds practice center devoted to e-discovery (Bob Ambrogi, 9 Aug 2017) - Bloomberg Law today is officially announcing the addition to its research platform of the E-Discovery Practice Center, a curated collection of a range of court opinions, tools, sample forms, news and expert guidance related to both federal and state e-discovery practice. The practice center is available to all Bloomberg Law subscribers at no additional cost. Bloomberg says it is the only legal research platform to have a resource of this kind devoted to e-discovery. Bloomberg "soft launched" the practice center for some customers at the recent annual meeting of the American Association of Law Libraries, but today is formally announcing its availability to all customers. The practice center's main page includes federal and state court opinions related to e-discovery, federal and state rules and laws related to e-discovery, news and law reports, and BNA's E-Discovery Portfolio series, which provides an entry point to resources such as practice guides, books and treatises, and law reviews, as well as specific guidance on such issues as understanding and preventing spoliation. E-discovery rules for all states are included. Another section of the practice center provides materials grouped by stage of e-discovery, such as preservation, production and technology-assisted review. Here you can find resources such as a checklist for preparing for a Rule 26 meeting and a guide to preparing a legal hold notice, as well as sample forms for legal holds. top

US judge says LinkedIn cannot block startup from public profile data (Reuters, 14 Aug 2017) - A U.S. federal judge on Monday ruled that Microsoft Corp's (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public. U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. "To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers," Chen's order reads. HiQ Labs called the decision an important victory for companies that rely on publicly available data for their businesses. "HiQ believes that public data must remain public, and innovation on the internet should not be stifled by legal bullying or the anti-competitive hoarding of public data by a small group of powerful companies," the company said in a statement Monday evening. That sentiment was echoed by Falon Fatemi, chief executive of Node, a San Francisco startup that uses publicly available data and artificial intelligence to help companies identify potential customers. "If LinkedIn is going to allow profiles to be indexed by search engines to benefit their platform then why shouldn't the rest of the internet benefit from that as well?" she said. The dispute between the two tech companies has been going on since May, when LinkedIn issued a letter to hiQ Labs instructing the startup to stop scraping data from its service. HiQ Labs responded by filing a lawsuit against LinkedIn in June, alleging that the Microsoft-owned social network was in violation of antitrust laws. top

LinkedIn connection request doesn't violate non-solicitation clause (Eric Goldman, 14 Aug 2017) - This is another case considering when LinkedIn activity violates a non-solicitation clause. Bankers Life, a company that sells insurance and financial products, sued one of its ex-employees (and his new employer, ASB) alleging among other things that the ex-employee violated his non-solicitation covenant through his communications on social media. * * * Gelineau's alleged violation? He sent LinkedIn requests to three Bankers Life employees who could "then click on to Gelineau's profile and . . . see a job posting for ASB." Bankers Life also alleged that Gelineau instructed another ASB employee to solicit Bankers Life employees, but the court found Bankers Life's evidence insufficient with respect to this claim. * * * This case is a nice complement to the Mobile Mini case I blogged about last month. There, the posts in question were essentially sales pitches, and the court says they likely violate the non-solicitation clause, whether sent as direct messages or not. Here, the LinkedIn messages had no call to action other than to connect. So it's not unexpected that the court finds there is no violation. It's surprising to see an employer think that a generic "let's connect!" email campaign could violate a non-solicitation clause. But Bankers Life did, and the court rightly shut it down. top

ABA and Jones Day launch website to connect veterans to legal services (Bob Ambrogi, 14 Aug 2017) - At its annual meeting in New York Saturday, the American Bar Association announced the launch of VetLex.org , a website, developed in partnership with the law firm Jones Day , that matches veterans in need of pro bono legal services with attorneys willing to provide such services. For now, the new site is only accepting registrations from attorneys, law firms and legal organizations interested in providing services. By Veterans Day, the site will open on a pilot basis in a limited number of cities and states to accept veterans' cases. The site will become fully operational nationally in 2018, the ABA's announcement said. Once the site opens to veterans, it will provide an online tool for them to obtain pro bono counsel for their specific legal needs, including civil, criminal or administrative matters. It will also provide educational information on basic legal concepts, and serve as a repository for paperwork, such as DD 214s, that is required by various service providers. The ABA expects that the site will also be used by organizations that serve veterans in helping them find lawyers to assist their clients. Lawyers who register at the site will be asked to create a profile that defines the kinds of cases they are willing to take. The site will also provide training in handling certain kinds of cases. * * * top

The Miami Heat are switching to smartphone-only tickets for home games this season (The Verge, 14 Aug 2017) - If you're planning on attending a Miami Heat game at the team's home court American Airlines Arena this coming season, you'll need to own a smartphone. The basketball team announced last week that it would be switching over to mobile-based tickets for entry at home games, becoming the first in the NBA to enact such a policy, via ESPN . According to a statement from the team, the new policy is due to the fact that roughly one in every three fans used mobile tickets to attend games last season. While other teams in the NBA like the Timberwolves and the Cavaliers have primarily switched over to mobile tickets, those teams still offer the option for fans to use a driver's license and credit card to get into the stadium. The new policy applies to all Heat tickets, too. So, if you walk up to American Airlines Arena and buy tickets at the box office, you'll still get them on your phone now. top

Massive new searchable database of federal court opinions, including ones that haven't been formally published (WaPo Eugene Volokh, 15 Aug 2017) - The Free Law Project, famous for its RECAP browser extension for PACER users , has now scraped all the federal court opinions available for free on PACER, and put them in a free database with a fairly powerful search engine : At Free Law Project, we have gathered millions of court documents over the years, but it's with distinct pride that we announce that we have now completed our biggest crawl ever. After nearly a year of work, and with support from the U.S. Department of Labor and Georgia State University, we have collected every free written order and opinion that is available in PACER. To accomplish this we used PACER's "Written Opinion Report," which provides many opinions for free. This collection contains approximately 3.4 million orders and opinions from approximately 1.5 million federal district and bankruptcy court cases dating back to 1960. More than four hundred thousand of these documents were scanned and required OCR, amounting to nearly two million pages of text extraction that we completed for this project. All of the documents amassed are available for search in the RECAP Archive of PACER documents and via our APIs. New opinions will be downloaded every night to keep the collection up to date. top

Tech companies urge Supreme Court to boost cellphone privacy (Reuters, 15 Aug 2017) - More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon Communications Inc., have called on the U.S. Supreme Court to make it harder for government officials to access individuals' sensitive cellphone data. The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user's whereabouts. Signed by some of Silicon Valley's biggest names, including Apple, Facebook, Twitter, Snap and Alphabet's Google, the brief said that as individuals' data is increasingly collected through digital devices, greater privacy protections are needed under the law. "That users rely on technology companies to process their data for limited purposes does not mean that they expect their intimate data to be monitored by the government without a warrant," the brief said. * * * Nathan Freed Wessler, an attorney with the American Civil Liberties Union who is representing Carpenter, said the companies' brief represented a "robust defense of their customers' privacy rights in the digital age." Verizon's participation in the brief was important, he added, given that it receives, like other wireless carriers, thousands of requests for cellphone location records every year from law enforcement. The requests are routinely granted. top

- and -

Verizon - yes, Verizon - just stood up for your privacy (Wired, 16 Aug 2017) - Fourteen of the biggest US tech companies filed a brief with the Supreme Court on Monday supporting more rigorous warrant requirements for law enforcement seeking certain cell phone data, such as location information. In the statement, the signatories - Google, Apple, Facebook, and Microsoft among them - argue that the government leans on outdated laws from the 1970s to justify Fourth Amendment overreach. One perhaps surprising voice in the chorus of protesters? Verizon. Verizon's support means that the largest wireless service provider in the US, and a powerful force in Silicon Valley, has bucked a longtime trend of telecom acquiescence. While carriers have generally been willing to comply with a broad range of government requests - even building out extensive infrastructure to aid surveillance - Verizon has this time joined with academics, analysts, and the company's more privacy-focused corporate peers. Carpenter v. United States is "one of the most important Fourth Amendment cases in recent memory," Craig Silliman, Verizon's executive vice president for public policy and general counsel, wrote on Monday. "Although the specific issue presented to the Court is about location information, the case presents a broader issue about a customer's reasonable expectation of privacy for other types of sensitive data she shares with any third party.… Our hope is that when it decides this case, the Court will help us better apply old Fourth Amendment doctrines to an evolving digital era." Carpenter v. United States, which the Supreme Court will hear this fall, relates to the acquisition, without a warrant, of months of individuals' location records by law enforcement officials in 2011. Officials looked back on 12,898 location records, spanning a four-month period, of one of these individuals, Timothy Carpenter, to build their case; Carpenter was eventually convicted. His appeal argues that location-data collection by law enforcement without a warrant violates his Fourth Amendment rights - and Verizon agrees. top

Justice Department fights web hosting company for Trump protester information (Lawfare, 15 Aug 2017) - The Justice Department is fighting for information on all of the visitors to the website disruptj20.org , as well as log files on when and from where the visitors logged onto the site, what they looked at, and emails related to the site. The site at the center of the storm bills itself as a platform connecting Trump protesters and "support[ing] the massive and spontaneous eruption of resistance across the United States that's happened since the election." At the New York Times , Charlie Savage reports that federal investigators have issued a search warrant to the internet hosting company DreamHost, which is now challenging the warrant as unconstitutionally broad - complying with it would allegedly require handing over 1.3 million visitor IP addresses and the information, emails and photos of thousands of users. Also see the Washington Post story last night from Ellen Nakashima. DreamHost announced the fight yesterday in a blog post entitled "We Fight for the Users." Here are the key documents: the search warrant ; the Justice Department's motion to show cause ; and DreamHost LLC's third-party response in opposition to the Department's motion. [ Polley : see also Justice Dept. demands data on visitors to anti-Trump website, sparking fight (NYT, 15 Aug 2017)] top

- and -

Justice Department walks back demand for information on anti-Trump website (The Verge, 22 Aug 2017) - After controversy over a broad search warrant that could have identified visitors to an anti-Trump website, the Justice Department says it's scaling back a demand for information from hosting service DreamHost. Last week, DreamHost disclosed that it was involved in a legal dispute with the department over access to records on the website "disruptj20.org," which organized protests tied to Donald Trump's inauguration. The warrant issued by the department was so broad, DreamHost said, that it was effectively requesting information that could identify lawful protesters - including information on more than 1.3 million IP addresses from visitors to the site. The warrant immediately drew condemnation from some privacy law experts. In a legal filing today , the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously "unknown." In light of that, it has offered to carve out information demanded in the warrant, specifically pledging to not request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that "the government is focused on the use of the Website to organize, to plan, and to effect a criminal act - that is, a riot." Peaceful protesters, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests "all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account." It's unclear if DreamHost will continue to fight the new demand. The company did not immediately respond to a request for comment. top

NotPetya ransomware attack cost us $300m - shipping giant Maersk (The Register, 16 Aug 2017) - The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty. The malware surfaced in Ukraine in June after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an infection that hooked into its global network and shut down the shipping company, forcing it to halt operations at 76 port terminals around the world. "In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," CEO Soren Skou said in a statement today. "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m." Admittedly Maersk is massive - it's responsible for around 15 per cent of the world's entire shipping network - but that kind of financial damage is close to a record for such an attack. Then again, the company's entire network was down for days, Skou told the Financial Times. top

Fitch: NAIC rules may boost US insurers' cyber risk management (FitchRatings, 16 Aug 2017) - The National Association of Insurance Commissioners' (NAIC) Cybersecurity Working Group approved the Insurance Data Security Model Law, which, if approved by the NAIC Executive Committee, will promote more rigorous cyber risk management practices in the U.S. insurance market, Fitch Ratings says. At the same time it will add to insurers' compliance costs and associated risks of penalties for compliance violations. In its current form the proposed model law is credit-neutral for the U.S. insurance sector. It is largely complementary to other federal and state regulations for cybersecurity, including the New York State Department of Financial Services cybersecurity regulations from March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York. The proposed model law still needs approval of the Innovation and Technology Task Force and NAIC Executive Committee to be considered a model law. Application of model laws requires state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers' cybersecurity. The NAIC's framework establishes industry standards for data security that will apply to a broad range of parties including insurance companies, agents and brokers. Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third party service provider arrangements and the outcome of cybersecurity events. top

Berkman Klein study finds partisan right-wing websites shaped mainstream press coverage before 2016 election (Harvard, 16 Aug 2017) - The Berkman Klein Center for Internet & Society at Harvard University today released a comprehensive analysis of online media and social media coverage of the 2016 presidential campaign. The report, " Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election ," documents how highly partisan right-wing sources helped shape mainstream press coverage and seize the public's attention in the 18-month period leading up to the election. "In this study, we document polarization in the media ecosystem that is distinctly asymmetric. Whereas the left half of our spectrum is filled with many media sources from center to left, the right half of the spectrum has a substantial gap between center and right. The core of attention from the center-right to the left is large mainstream media organizations of the center-left. The right-wing media sphere skews to the far right and is dominated by highly partisan news organizations," co-author and principal investigator Yochai Benkler stated. The study found that on the conservative side, more attention was paid to pro-Trump, highly partisan media outlets. On the liberal side, by contrast, the center of gravity was made up largely of long-standing media organizations. Robert Faris, the Berkman Klein Center's research director, noted, "Consistent with concerns over echo chambers and filter bubbles, social media users on the left and the right rarely share material from outside their respective spheres, except where they find coverage that is favorable to their choice of candidate. A key difference between the right and left is that Trump supporters found substantial coverage favorable to their side in left and center-left media, particularly coverage critical of Clinton. In contrast, the messaging from right-wing media was consistently pro-Trump." top

ILTA 2017: Where have all the lawyers gone? (Lawyerist, 17 Aug 2017) - In looking at this year's International Legal Technology Association (ILTA) attendance list, I saw lots of legal professionals from well-known and well-heeled law firms, a big group of big tech vendors, a few legal startups, and very few practicing lawyers. Why aren't there more practicing lawyers here? Indeed, I seem to be one of the few outside practicing lawyers in attendance. So much so that in meet-ups and informal chats, when I tell people I am an active practitioner, I am usually met with raised eyebrows. ILTA touts that the conference "is the premier educational and networking event for the legal sector" that "empowers us to share what works, what doesn't and what's next." If that's the case, it would seem to be one of the more important events for practicing lawyers to attend. * * * There was even a session where in-house counsel from such companies as Microsoft, Exelon, and Sanofi offered their opinions on what they wanted from their law firms. I think I was the only practicing lawyer in the room. It's as if the big firms for whom most of the legal professionals here work have basically farmed out all things tech and don't want to get their hands dirty. And therein lies the problem: by creating this gap between the lawyers using the technology and what some lawyers call "staff," a lack of understanding and communication exists. Warren Rheaume of Davis Wright Tremaine, a speaker on the politics of change - and one of the few other practitioners in attendance - calls it a crisis. top

Consortium formed to drive blockchain adoption in legal industry (Bob Ambrogi, 17 Aug 2017) - Bob Craig, chief information officer at Baker Hostetler, has a vision of a technology that will transform the business of law. That technology is blockchain. Craig and his firm are part of a group of law firms and technology companies that this week announced the formation of the Global Legal Blockchain Consortium . The consortium will work to drive the adoption and standardization of blockchain in the legal industry, with the larger goal of improving the security and interoperability of the global legal technology ecosystem. Members of the consortium include the law firms Baker Hostetler and Orrick, IBM Watson Legal, and the newly formed company Integra Ledger , which is hoping to become the ledger used throughout the legal industry for blockchain digital identities. At an event Tuesday to announce the consortium's formation, Craig said that establishment of consortia has become common in many industries as a way to get the right people around the table to explore how blockchain technology can solve real-world business problems or, in this case, real-world legal problems. top

- and -

Bitcoin-accepting sites leave cookie trail that crumbles anonymity (The Register, 20 Aug 2017) - Bitcoin transactions might be anonymous, but on the Internet, its users aren't - and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user's cookies to their Bitcoin transactions is so straightforward, it's almost surprising it took this long for a paper like this to be published. The paper sees privacy researcher Dillon Reisman and Princeton's Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions: Only small amounts of transaction information need to leak, they write, in order for "Alice" to be associated with her Bitcoin transactions. It's possible to infer the identity of users even if they use privacy-protecting services like CoinJoin, a protocol designed to make Bitcoin transactions more anonymous. The protocol aims to make it impossible to infer which inputs and outputs belong to each other. Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, "most frequently from shopping cart pages," and most of these on purpose (for advertising, analytics and the like). Worse, "many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers". top
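The leak described above is easy for a merchant to audit for on its own checkout page. The script below is an added example (not code from the Princeton paper or The Register): it takes the outgoing requests a checkout page makes and flags any third-party request whose query string or POST body carries a Bitcoin address or an exact BTC amount; the hostnames, field names and address are constructed for the sample.

```python
"""
Checkout-page leak audit (added example; hostnames and data are constructed).
A tracker that receives a payment address or exact BTC amount alongside its own
cookie can tie that cookie to the on-chain transaction, so a merchant wants to
know which third parties get those values.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple
from urllib.parse import parse_qsl, urlparse

# Pattern-only matching, no checksum validation: legacy base58 addresses that
# start with 1 or 3, and bech32 addresses that start with bc1.
BTC_ADDR_RE = re.compile(
    r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})\b"
)
# A BTC-denominated amount: a plain decimal with up to 8 fractional digits.
BTC_AMOUNT_RE = re.compile(r"\d{1,8}\.\d{1,8}")
# Field names that usually carry an order total when their value is a decimal.
AMOUNT_KEYS = ("amount", "total", "value", "price", "btc")


@dataclass(frozen=True)
class Request:
    url: str
    body: str = ""  # form-encoded POST body, if any


@dataclass(frozen=True)
class Leak:
    host: str   # third party that received the detail
    field: str  # where it was found, e.g. "dl[btc_address]"
    kind: str   # "address" or "amount"
    value: str


def site_of(host: str) -> str:
    """Crude registrable-domain heuristic (last two labels): cdn.shop.example
    and shop.example are the same site. Adequate for the constructed sample."""
    return ".".join(host.lower().split(".")[-2:])


def scan_field(key: str, value: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (kind, field, value) for payment details inside one form field.
    A value that is itself a URL (a page-URL or referrer parameter) is parsed
    recursively, because that is how checkout query strings usually leak."""
    if value.startswith(("http://", "https://")):
        for sub_key, sub_value in parse_qsl(urlparse(value).query, keep_blank_values=True):
            yield from scan_field(f"{key}[{sub_key}]", sub_value)
        return
    for match in BTC_ADDR_RE.finditer(value):
        yield ("address", key, match.group(0))
    if any(word in key.lower() for word in AMOUNT_KEYS) and BTC_AMOUNT_RE.fullmatch(value):
        yield ("amount", key, value)


def find_leaks(first_party_host: str, requests: List[Request]) -> List[Leak]:
    """Return every payment detail that a third-party request carried."""
    leaks: List[Leak] = []
    for req in requests:
        parsed = urlparse(req.url)
        host = parsed.hostname or ""
        if site_of(host) == site_of(first_party_host):
            continue  # first-party requests necessarily carry the order data
        fields = parse_qsl(parsed.query, keep_blank_values=True)
        fields += parse_qsl(req.body, keep_blank_values=True)
        for key, value in fields:
            for kind, field, found in scan_field(key, value):
                leaks.append(Leak(host, field, kind, found))
    return leaks


# Constructed sample: requests a hypothetical checkout page might make.
# SAMPLE_ADDR is a made-up base58-looking string, not a real address.
FIRST_PARTY = "shop.example"
SAMPLE_ADDR = "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab"
SAMPLE_REQUESTS = [
    Request(f"https://shop.example/checkout/confirm?btc_address={SAMPLE_ADDR}&amount=0.0431"),
    Request("https://cdn.shop.example/js/app.js"),
    Request("https://fonts.example-cdn.net/css?family=Inter"),
    # Analytics beacon that reports the full page URL, query string included.
    Request("https://analytics.example-tracker.net/collect?v=1&tid=UA-1&dl="
            "https%3A%2F%2Fshop.example%2Fcheckout%2Fconfirm%3Fbtc_address%3D"
            f"{SAMPLE_ADDR}%26amount%3D0.0431"),
    # Ad pixel fired with the order value and currency.
    Request("https://ads.example-adnet.com/px?ev=purchase&value=0.0431&cur=BTC"),
    # Customer-data beacon sent as a POST body.
    Request("https://beacon.example-cdp.io/e", body="event=purchase&total=0.0431&cur=BTC"),
]


def main() -> None:
    for leak in find_leaks(FIRST_PARTY, SAMPLE_REQUESTS):
        print(f"{leak.host:32} {leak.kind:8} {leak.field:18} {leak.value}")


if __name__ == "__main__":
    main()
```

Run against a real page, the request list would come from a browser's network log or a proxy capture; the analytics beacon case is the one the paper calls out, since a page-URL parameter quietly carries the whole checkout query string.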

- and -

IRS now has a tool to unmask bitcoin tax cheats (Daily Beast, 22 Aug 2017) - You can use bitcoin. But you can't hide from the taxman. At least, that's the hope of the Internal Revenue Service, which has purchased specialist software to track those using bitcoin, according to a contract obtained by The Daily Beast. The document highlights how law enforcement isn't only concerned with criminals accumulating bitcoin from selling drugs or hacking targets, but also those who use the currency to hide wealth or avoid paying taxes. The IRS has claimed that only 802 people declared bitcoin losses or profits in 2015; clearly fewer than the actual number of people trading the cryptocurrency, especially as more investors dip into the world of cryptocurrencies, and the value of bitcoin punches past the $4,000 mark. Maybe lots of bitcoin traders didn't realize the government expects to collect tax on their digital earnings, or perhaps some thought they'd be able to get away with stockpiling bitcoin thanks to the perception that the cryptocurrency is largely anonymous. "The purpose of this acquisition is… to help us trace the movement of money through the bitcoin economy," a section of the contract reads. The Daily Beast obtained the document through the Freedom of Information Act. The contractor in this case is Chainalysis, a startup offering its "Reactor" tool to visualize, track, and analyze bitcoin transactions. Chainalysis' customers include law enforcement agencies, banks, and regulatory entities. The software can follow bitcoin as it moves from one wallet to another, and eventually to an exchange where the bitcoin user will likely cash out into dollars or another currency. At that point law enforcement can subpoena the exchange, which holds its customers' identity records, and figure out who is really behind the bitcoin. top
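What "following bitcoin from one wallet to another and eventually to an exchange" looks like in code, as an added example that is not the article's and does not describe Reactor's internals: two textbook chain-analysis techniques, the common-input-ownership heuristic (addresses spent together in one transaction are assumed to belong to one wallet) and a hop-by-hop walk along spent outputs until a labelled service deposit address is reached. The transaction graph, addresses, txids and the service label table are all constructed; a real analysis would run the same two steps over the full blockchain and a purchased or scraped label set.

```python
"""Cluster addresses and trace coins to a known exchange deposit (added example)."""
from collections import deque

# Constructed transaction graph: txid -> (input addresses, [(output address, btc), ...]).
# Addresses and txids are placeholders; only the topology matters here.
TXS = {
    "t1": (["A1", "A2"], [("B1", 1.00), ("A3", 0.50)]),   # A1 and A2 co-spent: one wallet
    "t2": (["A3"], [("C1", 0.49)]),
    "t3": (["C1", "C2"], [("X9", 1.20)]),                 # lands on a service deposit address
    "t4": (["B1"], [("D1", 0.99)]),                       # unrelated spend, dead end
}
# Assumed label set of the kind analytics vendors sell: deposit addresses of known services.
SERVICE_LABELS = {"X9": "ExampleExchange"}


def cluster_by_common_input(txs):
    """Union-find over inputs: addresses spent together in one tx are assumed one owner.

    This is the common-input-ownership heuristic. It is an assumption, not a
    proof, and CoinJoin exists precisely to make it draw false conclusions.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for inputs, _ in txs.values():
        for a in inputs:
            find(a)                          # register single-input addresses too
        for a in inputs[1:]:
            parent[find(a)] = find(inputs[0])
    clusters = {}
    for a in parent:
        clusters.setdefault(find(a), set()).add(a)
    return [frozenset(c) for c in clusters.values()]


def spends_of(txs):
    """Index: address -> txids that spend from it."""
    idx = {}
    for txid, (inputs, _) in txs.items():
        for a in inputs:
            idx.setdefault(a, []).append(txid)
    return idx


def trace_to_service(txs, seed, labels, max_hops=8):
    """Breadth-first walk from seed through every spend until a labelled address is hit.

    Returns [(path, service)], each path alternating address, txid, address, ...
    A path that ends at an exchange deposit is where a subpoena to the exchange
    can attach a real identity to the seed.
    """
    spends = spends_of(txs)
    found = []
    queue = deque([(seed, [seed])])
    seen = {seed}
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            found.append((path, labels[addr]))
            continue
        if len(path) // 2 >= max_hops:
            continue
        for txid in spends.get(addr, []):
            for out_addr, _ in txs[txid][1]:
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, path + [txid, out_addr]))
    return found


if __name__ == "__main__":
    print(cluster_by_common_input(TXS))
    print(trace_to_service(TXS, "A2", SERVICE_LABELS))
```

Both steps are heuristics, which is why the article's last sentence matters: the chain walk only produces a candidate deposit address, and it is the exchange's know-your-customer records, obtained by subpoena, that turn a cluster into a named taxpayer.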

- and -

Hacking Coinbase: The great bitcoin bank robbery (Fortune, 22 Aug 2017) - Sean Everett wasn't sure how his bullish bet on cryptocurrency would turn out. But he definitely didn't expect it to be over so soon. In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies' value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device. It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett's cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase "wallet." They'd gotten in with the help of his switched-over phone number: Everett's account required him to log in with a two-factor authentication code sent by text message, as a second safeguard, and now the text had gone straight to the thief. The practical lesson: a one-time code sent to a phone number is only as strong as the carrier's controls on reassigning that number, which is why NIST SP 800-63B (June 2017) treats SMS and voice as a "restricted" out-of-band authenticator; an authenticator app or hardware key, backed by a carrier-side port-out PIN, takes the carrier out of the trust chain. * * * [ Polley : Long, and fascinating; see also Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (NYT, 22 Aug 2017)] top

New NIST draft embeds privacy into US govt security for the first time (The Register, 18 Aug 2017) - A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text and expanded its scope to include the internet of things and smart home technology. The proposed "Security and Privacy Controls for Information Systems and Organizations" (Special Publication 800-53, Revision 5, released as an initial public draft) will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America. This revision concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet. With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications, and for the first time privacy has gone from being an appendix to being pulled into the main body of the document. "The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable," the document states. Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network. Major changes include: * * * top

Law firms, legal departments predicted to focus more on IT risk (LegalTech, 21 Aug 2017) - Legal departments and law firms are likely to continue to focus more on information technology risk, given a recent projection that global spending on information security services and products will continue to rise. According to a recent Gartner study , overall global spending in the sector will total $86.4 billion this year, an increase of 7 percent over last year. Similarly, spending is predicted to jump to $93 billion in 2018, the study said. "Gartner's latest report about increased spending on security comes as no surprise, given the increase in data breaches, ransomware and the introduction of GDPR [the General Data Protection Regulation] in 2018," Darren R. Hayes, a professor at Pace University, told Legaltech News. "While the liability associated with data breaches in the U.S. may be limited to reputation, the potential fines associated with the introduction of GDPR [in Europe] should be a wake-up call for multinational corporations," he said. "Google [was] … already fined $2.7 billion by an EU [European Union] antitrust ruling in June of this year so it is clear that the EU will enforce its new draconian cyber-related laws." And GDPR compliance is likely to put a strain on legal professionals. In recent years, financial institutions have prioritized regulatory compliance, as regulatory fines have reached an estimated $100 billion annually, Hayes said. Breach response costs are also increasing, and this problem will be exacerbated by GDPR. The Gartner study predicts GDPR will drive 65 percent of data loss prevention buying decisions through 2018, and security services will continue to be the fastest growing segment in the sector, especially IT consulting, outsourcing and implementation services. 
"Legal and compliance departments can expect to focus more on IT risk in the near future, which includes greater scrutiny of third-party IT service providers and their associated service level agreements," he added. top

The Twitter #hashtag is 10 years old (CNN, 23 Aug 2017) - The hashtag character (#) popularized on Twitter ( TWTR , Tech30 ) was tweeted for the first time by designer Chris Messina on this day in 2007. He asked his followers: "how do you feel about using # (pound) for groups. As in #barcamp [msg]?" But the hashtag wasn't born on Twitter. The hash -- also called the octothorpe -- first appeared on touch-tone telephones in the 1960s. We still use the character to interact with automated phone systems. Users on Internet Relay Chat (IRC), a popular chat protocol, had long used the pound sign to name and join channels. It's unclear who invented the IRC hashtag. Facebook adopted hashtags years later, in 2013, where they serve the same purpose. top

RESOURCES

General Data Protection Regulation (GDPR) and the Proposed ePrivacy Regulation (MLPB, 18 Aug 2017) - W. Gregory Voss, Toulouse Business School, has published First the GDPR, Now the Proposed ePrivacy Regulation at 21 Journal of Internet Law 3 (July 2017). Here is the abstract: On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, including its broad territorial scope, its material scope, its interface with the GDPR, as well as provisions on cookies, confidentiality of communications, application of the concept of consent and unsolicited direct marketing communications and enforcement measures (including sanctions). Next, this article discusses advisory and industry reactions to the proposed Regulation, and outlines the legislative process, prior to making certain conclusory remarks. top

Hoofnagle on FTC Regulation of Cybersecurity and Surveillance (MLPB, 24 Aug 2017) - Chris Jay Hoofnagle, University of California, Berkeley, School of Information, and University of California, Berkeley, School of Law, is publishing FTC Regulation of Cybersecurity and Surveillance in The Cambridge Handbook of Surveillance Law (David Gray and Stephen Henderson, eds., Cambridge University Press 2017). Here is the abstract: The Federal Trade Commission (FTC) is the United States' chief consumer protection agency. Through its mandate to prevent unfair and deceptive trade practices, it both regulates surveillance and creates cybersecurity law. This chapter details how the FTC regulates private-sector surveillance and elucidates several emergent properties of the agency's activities. First, private-sector surveillance shapes individuals' reasonable expectations of privacy, and thus regulation of the private-sector has effects on the government as surveillant. The FTC's activities not only serve dignity interests in avoiding commercial inference in one's life, they also affect citizens' civil liberties posture with the state. Second, surveillance can make companies directly liable (for intrusive web monitoring, for tracking people offline, and for installing malware) or indirectly liable (for creating insecure systems, for using deception to investigate, and for mediating the surveillance of others) under the FTC Act. Third, the FTC's actions substitute plaintiffs' litigation for privacy, as the class action is burdened in novel ways. Fourth, the FTC's actions increase the quality of consent necessary to engage in surveillance, and in so doing, the FTC has made some kinds of surveillance practically impossible to implement legally. 
Finally, the FTC's actions make companies more responsible for their surveillance technologies in several ways-by making software vendors liable for users' activities, by imposing substantive security duties, and by narrowing internet intermediary immunity. top

Cisco 2017 Midyear Cybersecurity Report (Cisco, 24 Aug 2017) - For nearly a decade, Cisco has published comprehensive cybersecurity reports that are designed to keep security teams and the businesses they support apprised of cyber threats and vulnerabilities-and informed about steps they can take to improve security and cyber-resiliency. In these reports, we strive to alert defenders to the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption. With this latest report, however, we find we must raise our warning flag even higher. Our security experts are becoming increasingly concerned about the accelerating pace of change-and yes, sophistication-in the global cyber threat landscape. That is not to say defenders are not improving their ability to detect threats and prevent attacks, or to help users and organizations avoid or recover more quickly from them. But we see two dynamics undermining their hard-won successes, hindering further progress, and helping to usher in a new era of cyber risks and threats: * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Settling it on the web (ABA Journal, 4 Oct 2007) - Online dispute resolution was supposed to take over the legal profession. With the rise of the Internet, artificial intelligence and other clever bits of technology, lawyers would be able to solve legal disputes with computers, not courtrooms and judges. "Around 1999 or 2000 we thought this would be huge; every court would have a kiosk out front for ODR," says Colin Rule, ODR director for eBay and PayPal. But a funny thing happened after the dot-com bust. ODR seemed to fail. And now, instead of being imposed on the legal profession from the outside, it is bubbling up from within the trade. Rule says ODR is integrated into a lot of business models and has become so integral that many people might not even know it's there. "Look at me: When we started, I worked at a tiny, independent ODR company," he says. "Now I'm part of this big company that handles millions of disputes online, and nobody thinks twice about it." Web technology is now slowly making inroads into dispute resolution that had been handled offline. Dan Rainey, director of the office of alternative dispute resolution services for the National Mediation Board, a federal agency, says he hopes to soon handle 10 percent of its arbitration cases online. top

Software provider liable for unauthorized practice of law in Ninth Circuit (Findlaw.com, March 2007) -- Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to "know the law" and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product's web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. During the first meeting with the petitioner's creditors, the Chapter 7 trustee noticed mistakes, learned about the software and filed an adversary action against the software vendor alleging violations of 11 U.S.C. section 110. This action added to the list of section 110 proceedings against the software vendor, which had already run afoul of several other Chapter 7 trustees. The bankruptcy court held that collateral estoppel prevented the vendor from challenging its status as a "bankruptcy petition preparer engaged in the unauthorized practice of law," since a previous case had gone against the vendor on this point. The Bankruptcy Appellate Panel of the 9th Circuit agreed with the bankruptcy court and affirmed based on issue preclusion. The regular Ninth Circuit panel decided to address the merits of the case, however, after accepting defendant's argument that the website had changed since the previous case was decided. 
The court found that the vendor indeed qualified as a bankruptcy petition preparer, which was the first time that the Ninth Circuit had determined that a software-provider could qualify as such. Since bankruptcy petition preparers are, by definition, not attorneys, the court's next step was to examine California law to determine whether the vendor engaged in the unauthorized practice of the law. Case at http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top