Saturday, August 05, 2017


MIRLN --- 16 July - 5 August 2017 (v20.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



New York DFS publishes FAQs on new cybersecurity regulations (Covington, 14 July 2017) - As our readers know, New York's Department of Financial Services ("NY DFS") released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk. Notwithstanding the fanfare surrounding the announcement of these "first-in-the-nation" regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)). On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a "Frequently Asked Questions" section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below: * * * [Polley: e.g., a possible obligation to report unsuccessful cyber attacks.]

When do review websites commit extortion? Icon Health v. ConsumerAffairs (Eric Goldman, 14 July 2017) - Icon Health and Fitness manufactures exercise equipment, such as the well-known NordicTrack. ConsumerAffairs is a review website. Like many other review websites, its business model is predicated on payments from reviewed businesses. However, ConsumerAffairs' specific practices raise some extra questions. The complaint made the following allegations: Defendants, through that database, favor product manufacturers who agree to pay a one-time setup fee and an ongoing monthly fee to ConsumerAffairs or Consumers Unified, LLC. ConsumerAffairs publishes an "Overall Satisfaction Rating" for each product reviewed on its website. The Overall Satisfaction Rating is expressed as a star rating out of five possible stars. ConsumerAffairs calculates the rating based on an unspecified subset of user reviews hosted on ConsumerAffairs' website. ConsumerAffairs chooses which consumer reviews to include in a given company's Overall Satisfaction Rating based solely on whether that company pays a monthly fee to ConsumerAffairs. ConsumerAffairs alters a company's Overall Satisfaction Rating by intentionally omitting or removing legitimate positive consumer-submitted reviews from pages discussing non-paying companies. * * * If these allegations are true, as a consumer I would not consider ConsumerAffairs' review database management practices credible. Nevertheless, to me, these allegations make it clear that ConsumerAffairs qualifies for Section 230 protection (see also the Fourth Circuit's Nemet Chevrolet ruling, but see the disastrous Consumer Cellular ruling). Unfortunately, the court doesn't know what to do with these allegations. Thus, the court bifurcates its opinion into some general principles about Section 230 and then specific applications on a claim-by-claim basis. The net effect isn't too bad for ConsumerAffairs, but the opinion has many interstices. * * *

Lloyds of London: Insure cyberattacks like natural disasters (The Hill, 17 July 2017) - Cybersecurity insurers have to become more prepared to treat global cyberattacks more like natural disasters than traditional crimes, concludes a report from insurer Lloyd's of London. In a report dated last week, the United Kingdom-based firm speculates about two hypothetical "cyber events" that could cause global damage cybersecurity insurance providers may not be prepared for. The report tabulates the potential damage caused by two types of attacks. In one, hackers disrupt cloud service providers. In a second, hackers get their hands on a vulnerability for an operating system used by 45 percent of the global market. Lloyd's of London approximates that average cloud service events of varying severity range from $4.6 billion in total damages for a "large" attack to $53.1 billion for an "extreme" one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one. The report notes that attacks fluctuate dramatically around that average - in the extreme cloud event that averaged $53.1 billion in damages, attacks might do as little as $15.6 billion or as much as $121.4 billion. Lloyd's notes that much of the damages would not be covered by insurance. Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example.

Alleged retweet by judge doesn't warrant retroactive recusal, 9th Circuit rules (ABA Journal, 17 July 2017) - A federal appeals court has refused to order the retroactive recusal of a federal judge accused of retweeting a news story about a case after he denied a motion. The San Francisco-based 9th U.S. Circuit Court of Appeals said that, even if U.S. District Judge William Shubb was the owner of the anonymous Twitter account at issue, his tweet didn't warrant retroactive recusal, report the Recorder (sub. req.), the Sacramento Bee and the Metropolitan News-Enterprise. Above the Law noted the July 13 decision (PDF). Sierra Pacific had initially sought to unravel a $122 million settlement related to a massive forest fire in 2007 based on allegations about alleged government misconduct. The government had sued Sierra Pacific and other defendants to recover damages and money it spent fighting the blaze. Shubb refused to grant Sierra Pacific's motion for relief from judgment. Sierra Pacific Industries Inc. claimed Shubb was tweeting at the account @nostalgist1. The account had followed the U.S. Attorney office, which tweeted eight times about the case after Shubb's ruling. Sierra Pacific had argued that following the account created the appearance of bias. The news article that was retweeted was headlined "Sierra Pacific still liable for Moonlight Fire damages." Sierra Pacific had objected to the headline because it didn't admit liability and the settlement had said the payment didn't constitute damages. Sierra Pacific said the retweet created an additional inference of bias and constituted an impermissible public comment. Merely following a Twitter account doesn't create a basis for recusal and doesn't constitute improper ex parte communications, the appeals court said. Nor did retweeting a news article constitute plain error requiring recusal, the appeals court also said. Though the appeals court saw no reason to require Shubb's retroactive recusal, it nonetheless said the case was "a cautionary tale about the possible pitfalls of judges engaging in social media activity relating to pending cases."

- and -

Miami-Dade judge's Facebook 'friendship' leads to court battle (Daily Business Review, 28 July 2017) - A North Miami law firm is fighting to have a judge removed from a case for being Facebook friends with a lawyer who appeared before her. Miami-Dade Circuit Judge Beatrice Butchko is publicly linked on the social networking site with Israel Reyes, a former colleague from the bench. Reyes, now the managing partner at the Reyes Law Firm in Coral Gables, entered an appearance on behalf of a nonparty in a case before Butchko. The Facebook friendship means Reyes can "influence" Butchko, who therefore "cannot be impartial," argued Reuven Herssein, founding member of Herssein Law Group, in a motion to disqualify Butchko. She declined to recuse herself, saying the motion was legally insufficient. The fight is now before the Third District Court of Appeal, where attorneys are debating the ethics of judicial social media use nearly a decade after the state first addressed judges' Facebook friendships. Florida has relatively strict guidelines on social media connections, compared with other states. A 2009 opinion from the Florida Supreme Court's judicial ethics advisory committee said judges should not send or accept social media friend requests from lawyers who may appear before them. "The committee believes that listing lawyers who may appear before the judge as 'friends' on a judge's social networking page reasonably conveys to others the impression that these lawyer 'friends' are in a special position to influence the judge," the committee wrote, recognizing that a social media "friend" may be nothing more than a distant acquaintance. The Fourth District Court of Appeal relied on the opinion in a decision disqualifying a judge in a criminal case for being Facebook friends with the prosecutor. The court found the social media connection could "create in a reasonably prudent person a well-founded fear of not receiving a fair and impartial trial." But United States Automobile Association, the defendant in the case filed by Herssein Law Group, argues the Fourth DCA decision doesn't apply here. While a criminal defendant might reasonably fear bias in this situation, Herssein and his firm are more sophisticated than that, USAA's counsel argued. "No reasonably prudent Miami lawyer has a well-founded fear of not receiving a fair and impartial trial simply because two judges who sat on the bench in Miami-Dade County are 'friends' on Facebook," wrote Shutts & Bowen attorneys Patrick Brugger and Frank Zacherl of Miami, who did not respond to a request for comment by deadline. Eleven states have issued guidance on judicial social media use, according to the National Center for State Courts. Florida's guidelines are among the most restrictive, with states including California, Kentucky and New York opining that judges can accept Facebook friend requests from lawyers who may appear before them under certain conditions. In California, judges may add lawyers on Facebook if their pages are used only for professional activities, such as interacting with members of a law school alumni group. Other factors include how many friends the judge has, whether he or she declines some attorneys' friend requests but accepts others and how often the attorney appears before the judge.

- and -

Court rules that politicians blocking followers violates free speech (NY Magazine, 28 July 2017) - While there is no set precedent for the issue, more and more courts are encountering a new type of lawsuit related to social-media blocking. The Knight Foundation, for instance, is suing the U.S. government on behalf of Twitter users blocked by President Donald Trump, whose Twitter account has become alarmingly vital when it comes to understanding his presidency. This week, a federal court in Virginia tackled the issue when it ruled on behalf of a plaintiff blocked by a local county politician. According to The Wall Street Journal, "Brian Davison sued the chairwoman of the Loudoun County Board of Supervisors, who temporarily banned him from her Facebook page after he posted criticism of local officials last year." Judge James Cacheris found that she had violated Davison's First Amendment rights by blocking him from leaving comments, because, in his judgment, the chairwoman, Phyllis Randall, was using her Facebook page in a public capacity. Though it was a personal account, she used it to solicit comments from constituents. "The suppression of critical commentary regarding elected officials is the quintessential form of viewpoint discrimination against which the First Amendment guards," the judge stated in his ruling. Cacheris did emphasize that his ruling should not prohibit officials from moderating comments to protect against harassment. Davison was only banned for 12 hours, and Randall faces no penalties. Still, the ruling is one of the first in a growing, thorny legal issue surrounding social media that has already reached the White House.

Debevoise protocol to promote cybersecurity in international arbitration (Debevoise, July 2017) - As the prevalence of malicious cyberactors and cyberattacks on high-profile companies and government organizations grows, parties to commercially or politically sensitive international arbitrations increasingly express concerns with respect to cybersecurity. Cybersecurity threats may create significant operational and legal problems that can compromise the arbitral process, including loss or unauthorized disclosure of sensitive data, breaches of attorney-client confidentiality, adverse media coverage and reputational damage, costs associated with breach notification or data recovery, and legal liability. In addition to the threat cyberattacks pose to the parties to an arbitration, failing to address this problem could ultimately lead to a loss of confidence in the arbitral system. To respond to these concerns, the practitioners at Debevoise & Plimpton LLP have developed this Protocol to Promote Cybersecurity in International Arbitration. This Protocol operates on three principles: (i) Establishing Secure Protocols for the Transfer of Sensitive Information at the Outset of Proceedings, (ii) Limiting Disclosure and Use of Sensitive Information, and (iii) Developing Procedures for Disclosing Cyber Incidents. * * *

New Zealand airports customs officials performing 'digital strip searches' of travelers' electronics (TechDirt, 17 July 2017) - Despite DHS hints that foreign airports were falling down on the "security theater" job, it appears a few customs officials are more than happy to engage in local versions of "extreme vetting." New Zealand customs officials are way ahead of the DHS in this department, having turned airports into rights-free zones where nearly anything can happen... to travelers. According to an investigative report by New Zealand's 1 News, airport customs officials routinely force up to two travelers each day to give up their electronic devices and passwords for searching. According to the customs agents, the program is designed to look for smugglers by performing a "digital strip search" on the phones and laptops of travelers. This does not require a court order, but the agents do claim to adhere to New Zealand's privacy act. The data shows more than 1,300 people have been subjected to these suspicionless "strip searches" since 2015, with less than a third of those being New Zealand citizens. The majority of those searched are foreigners, and it appears visitors to the country should somehow expect delays of up to five hours thanks to this supposedly random vetting process. And there is no option to refuse this additional, highly invasive search. As Techspot reports, travelers refusing to hand over their electronic devices can be subject to fines of $5,000.

- and -

NYC Bar guides attorneys on US border e-device searches (Bloomberg, 28 July 2017) - Attorneys crossing the U.S. border now have more guidance on how they should protect confidential client information stored on electronic devices from the prying eyes of customs and immigration agents. A formal opinion issued July 25 by the New York City Bar's ethics committee identifies some measures attorneys who travel internationally may take to satisfy their ethical obligations, in light of broad powers that U.S. Customs and Border Protection (CBP) agents assert they have to inspect travelers' electronic devices. The ethics opinion appears to be the first to address the topic and comes at a time when there has been an uptick in U.S. border electronic device searches by CBP agents. There were nearly 15,000 electronic devices searched during the first six months of the CBP's 2017 fiscal year, compared to only just over 8,000 searches during the previous six months, according to CBP statistics released in April. As the number of searches of electronic devices has increased, many major law firms are reevaluating what policies they should have in place in order to protect confidential information, Steven Puiszis, a Chicago-based partner at Hinshaw & Culbertson LLP, who is his firm's general counsel for privacy, security & compliance, told Bloomberg BNA. The American Bar Association has also raised concerns about the handling of privileged and confidential legal materials during border searches. In May, the ABA sent a letter to the Department of Homeland Security, asking it to revise directives on the standards and procedures that CBP and Immigration and Customs Enforcement agents must follow before the contents of a lawyer's electronic device can be searched or seized at the border. ABA asserted that DHS's interpretation of the directives has "resulted in CBP Officers and ICE Special Agents exercising sweeping powers to search electronic devices at the border, with or without reasonable suspicion of any wrongdoing." ABA urged that DHS revise the directives to state that privileged or confidential electronic documents and files on a device cannot be read, duplicated, seized, or shared unless a subpoena or warrant is first obtained. The ethics committee's opinion addresses steps attorneys can take prior to crossing the U.S. border, during border searches, and after a CBP agent reviews confidential information. The opinion provides some practical guidance and highlights an issue that attorneys should be aware of, J. Alexander Lawrence, a New York-based partner at Morrison & Foerster LLP and co-chair of its eDiscovery Task Force, told Bloomberg BNA. * * *

FedEx on Petya attack: systems still down, no cyber insurance (CSO, 18 July 2017) - US parcel delivery giant FedEx says customers of subsidiary TNT Express are still experiencing delays due to the Petya ransomware attack and that it didn't have cyber insurance to cover the incident. The company released further details about the impact of the attack in its SEC 10-K filing today, revealing the attack affected operational, financial, back-office and secondary business systems. FedEx still does not know when some of the systems downed by the Petya ransomware can be revived. On June 28, a day after the Petya ransomware began spreading in Ukraine, FedEx halted trading due to an unspecified cyber attack that crippled the operations of TNT Express, its Netherlands-based subsidiary. The attack forced it to move some TNT services across to FedEx. FedEx hasn't calculated the exact damage to its balance sheet, but repeated its initial warning that it would likely materially affect its financial performance. [Polley: from the FedEx press release re the SEC 10-K: "We do not have cyber or other insurance in place that covers this attack." And: "In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods."]

Putin's hackers now under attack - from Microsoft (The Daily Beast, 20 July 2017) - A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year's election meddling, identifying over 120 new targets of the Kremlin's cyber spying, and control-alt-deleting segments of Putin's hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls "the most vulnerable point" in Fancy Bear's espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents. Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company's approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft an omniscient view of each server's network of automated spies. "In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."

Court rejects cell site RF signal map in murder trial because it's evidence of nothing (TechDirt, 21 July 2017) - The Maryland Court of Special Appeals has handed down a ruling [PDF] on quasi-cell site location info. The evidence offered by the state isn't being so much suppressed as it is being rejected. The information wasn't obtained illegally and no rights were violated. Rather, the court finds the evidence to be questionable, as in "evidence of what, exactly?" [via EvidenceProf Blog] The defendant in the case is charged with murder. Bashunn Phillips filed a motion to exclude the evidence, which was granted by the lower court. The state appealed. But there's nothing in it for the state. The "evidence" -- which is going to carry around scare quotes for the remainder of this post -- doesn't tie Phillips to anything. What was submitted isn't even the equivalent of coarse cell site location info. What the state submitted is something that can easily be obtained without a warrant… because it doesn't actually target any person at all. Phillips filed a motion in limine on August 7, 2015, seeking to exclude the RF signal propagation map and related testimony. Phillips argued that the method used to create the map was not generally accepted as reliable within the relevant scientific community under Maryland's Frye-Reed test for admissibility of evidence based on novel scientific methodology. Phillips acknowledged that cell phone tower "ping" evidence is admissible, but drew a distinction between the method used to create the RF signal propagation map and the collection of historical cell phone "ping" evidence. * * *

Abuses hide in the silence of non-disparagement agreements (CNBC, 21 July 2017) - * * * As more harassment allegations come to light, employment lawyers say nondisparagement agreements have helped enable a culture of secrecy. In particular, the tech start-up world has been roiled by accounts of workplace sexual harassment, and nondisparagement clauses have played a significant role in keeping those accusations secret. Harassers move on and harass again. Women have no way of knowing their history. Nor do future employers or business partners. Nondisparagement clauses are not limited to legal settlements. They are increasingly found in standard employment contracts in many industries, sometimes in a simple offer letter that helps to create a blanket of silence around a company. Their use has become particularly widespread in tech employment contracts, from venture investment firms and start-ups to the biggest companies in Silicon Valley, including Google. * * * In its buyout agreements, The New York Times asks employees to agree to a limited nondisparagement clause that specifies the agreement does not prohibit people from providing information about legal violations or discrimination to the government or regulators. The terms of other nondisparagement agreements vary.

SEC regulators are coming after ICOs (TechCrunch, 25 July 2017) - It looks like ICOs, shorthand for initial coin offerings, are about to undergo a lot more scrutiny. The SEC has concluded that the digital currency financing events will be regulated as securities, meaning unregistered offerings could be subject to criminal punishment. The decision was announced on Tuesday. To reach its findings, regulators evaluated an offering facilitated by "The DAO," which resulted in theft by hackers. The report concluded, "that issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies." The SEC said its report served to remind "investors of red flags of investment fraud, and that new technologies may be used to perpetrate investment schemes that may not comply with the federal securities laws." This is a blow to many startups that had been using ICOs as an alternative way to raise capital. There has been a wave of these offerings in recent months, where people have been investing in business ideas via Bitcoin, Ethereum or other cryptocurrencies. But like all startups, these investments bear risks. And the opaque nature of the ICOs meant that there wasn't enough oversight about what the businesses did with the proceeds. Many of the coins are traded on secondary markets, which provides short-term liquidity. Although many of the ICOs have been smaller unknown companies, the difficult fundraising environment has caused some venture-backed startups to raise coin offerings for enough capital to get them to the next step. Messaging app . In anticipation of an SEC crackdown, some startups had already prohibited U.S. investors. [Polley: See also this blog posting from TheCorporateCounsel.net.]

- and -

The Uniform Law Commission has given states a clear path to approach bitcoin (Coindesk, 27 July 2017) - The Uniform Law Commission (ULC), a private body of lawyers and legal academics, has voted to finalize and approve a uniform model law for the regulation of virtual currency businesses. Now an official model for states to follow, I'm hopeful that over the next year, we'll see state after state pass this language as legislation. For states with badly drafted regulations (like the New York "BitLicense") or vague money transmission statutes that may or may not cover bitcoin businesses (like in California), this new legislation would be a major improvement and a huge win for our community. For one thing, the model act's language is explicitly clear on what types of digital currency businesses are and are not regulated. In many states, poorly written or outdated legal language that does not account for the properties of open blockchain networks has created legal gray areas for entrepreneurs. Whether or not they even need licenses is often open to interpretation - a looming prospect that hangs over the head of anyone trying to build a business in those states. * * *

Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients (ABA Journal, 27 July 2017) - A lawyer representing Wells Fargo in a lawsuit subpoena request has explained how she inadvertently turned over confidential information about thousands of bank clients. Lawyer Angela Turiano of Bressler, Amery & Ross had overseen the e-discovery conducted by a vendor and turned over the documents to a lawyer for a defamation plaintiff without realizing she was releasing information about wealthy Wells Fargo clients, the New York Law Journal (sub. req.) reports. The plaintiff and his lawyer told the New York Times about the release. According to the Times, the information consisted of "a vast trove of confidential information about tens of thousands of the bank's wealthiest clients," including customer names, Social Security numbers and financial data. In an affidavit, Turiano said she used an e-discovery vendor's software to review what she believed to be a complete set of results and marked some documents as privileged and confidential. She did not realize she was using "a view" that showed a limited set of documents. [Polley: May implicate the duty of technological competence.]

Sci-Hub's cache of pirated papers is so big, subscription journals are doomed, data analyst suggests (AAAS Science, 27 July 2017) - There is no doubt that Sci-Hub, the infamous - and, according to a U.S. court, illegal - online repository of pirated research papers, is enormously popular. (See Science's investigation last year of who is downloading papers from Sci-Hub.) But just how enormous is its repository? That is the question biodata scientist Daniel Himmelstein at the University of Pennsylvania and colleagues recently set out to answer, after an assist from Sci-Hub. Their findings, published in a preprint on the PeerJ journal site on 20 July, indicate that Sci-Hub can instantly provide access to more than two-thirds of all scholarly articles, an amount that Himmelstein says is "even higher" than he anticipated. For research papers protected by a paywall, the study found Sci-Hub's reach is greater still, with instant access to 85% of all papers published in subscription journals. For some major publishers, such as Elsevier, more than 97% of their catalog of journal articles is being stored on Sci-Hub's servers - meaning they can be accessed there for free. Given that Sci-Hub has access to almost every paper a scientist would ever want to read, and can quickly obtain requested papers it doesn't have, could the website truly topple traditional publishing? In a chat with Science Insider, Himmelstein concludes that the results of his study could mark "the beginning of the end" for paywalled research. This interview has been edited for clarity and brevity. [Polley: very interesting.]

- and -

Elsevier acquires bepress: Library and knowledge community respond (Kevin O'Keefe, 3 August 2017) - Elsevier, a Dutch publisher and one of the world's major providers of scientific, technical, and medical information, announced this week the acquisition of bepress, formerly the Berkeley Electronic Press, an academic repository and software firm founded by academics in 1999. Elsevier is part of Reed Elsevier, the parent of LexisNexis. Much of the publishing Elsevier sells is authored by professionals and submitted for peer review. As I understand it, the research and information then published is only available by subscription, including as to any author who would want to access their own submissions. Elsevier has been subject to criticism of late from academic institutions worldwide, and even governmental agencies, for their having to fund research/scholarly writing, give it to Elsevier for free and then pay millions to Elsevier to get access to the research and writing. In the case of government funded schools and research centers, the taxpayers pay twice: to fund research that goes to Elsevier, then to pay Elsevier for access to the research their colleges, healthcare centers and government agencies require. Bepress, on the other hand, has open access tools under its "Digital Commons" that allow institutions, including law schools, to showcase and preserve their scholarly output. Law review articles and other legal scholarship are available for free through bepress' Law Commons, part of the larger Digital Commons network encompassing other academic areas. Bepress' acquisition comes on the heels of LexisNexis' acquisition of SSRN, another repository of scholarly output, including that from law professors. Some librarians are looking with some suspicion at whether LexisNexis will retain open access and allow legal scholars to use their work freely across the net. How did librarians and knowledge management professionals react to the bepress acquisition? Not well, looking through the "Top" tweets on a Twitter search of bepress in the hours after the acquisition announcement. * * * Attorney and legal tech blogger Bob Ambrogi, reporting on the acquisition, noted that the announcement said nothing about the future of bepress' Digital Commons. Ambrogi said "we'll have to wait and see what impact this has on scholarly publishing in law."

LinkedIn: It's illegal to scrape our website without permission (Ars Technica, 31 July 2017) - A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web. HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." If scraping without consent becomes illegal, startups like hiQ will have a harder time getting off the ground. But the law may be on the side of LinkedIn-especially in Northern California, where the case is being heard. In a 2016 ruling , the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook. LinkedIn's position disturbs Orin Kerr, a legal scholar at George Washington University. "You can't publish to the world and then say 'no, you can't look at it,'" Kerr told Ars. The CFAA makes it a crime to "access a computer without authorization or exceed authorized access." 
Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago. One plausible reading of the law-the one LinkedIn is advocating-is that once a website operator asks you to stop accessing its site, you commit a crime if you don't comply. * * * top

Daenerys Stormborn, Jon Snow and the real enemy of higher education (InsideHigherEd, 3 August 2017) - There was a moment while watching Daenerys Stormborn and Jon Snow's first meeting in the latest episode of Game of Thrones that reminded me of attending higher education conferences. Daenerys is pushing Snow to bend the knee, and become her loyal subject in the fight against Cersei. Jon Snow's reaction is that Cersei might be evil, but in reality the Seven Kingdoms have much bigger problems. Snow informs Daenerys that it doesn't matter who sits on the Iron Throne, as unless the Night King's Army of the Dead is defeated, she will " be ruling over a graveyard." Those of us who work in higher ed have a similar challenge to The Mother of Dragons and the King of the North. We need to understand who our real enemies are, and which battles we should be fighting. In our world, the Army of the Dead that we should be unifying against is the ongoing state level disinvestment in public higher education. No enemy is as potentially dangerous to the existence of a functional, equitable, and affordable system of postsecondary education as is the decision of state governments to cut back on funding for their public colleges and universities. Adjusting for the growth in students attending public institutions, state support per FTE has declined by 37 percent between 2000 and 2012 . In inflation adjusted dollars, this is a decline of an average of $7,000 in per-student state support in 2000 to $4,400 in 2012. While federal support grew in this time period, from $3,800 to $5,100 per student , this has not been enough to make up for the state shortfall. The result, predictably enough, has been dramatic increases in tuition (and student debt). 
Another result of public disinvestment in higher education has been the widening gap in available resources between a select few private schools (and well-endowed public institutions), and the public colleges and universities where most students attend. Public disinvestment in higher education is exacerbating trends around inequality. We are moving towards a two-tiered postsecondary system, where only the affluent will enjoy the benefits of a high quality - and in particular a liberal arts - college education. Why the threat of public disinvestment in public education is not the big topic of every higher education conference is a mystery. This is particularly true of my world of educational technology and online learning. We should be calibrating our work, however, to follow the wisdom of Jon Snow. We should be fighting our true enemy - and that enemy is the decline of investment in public higher education. The reason that higher ed people, including edtech people, continue to focus on everything in higher ed except public disinvestment can be understood by how Tyrion Lannister explains the world. The Hand of the Queen tells Jon Snow that, " People's minds aren't made for problems that large. White walkers, the Night King, Army of the Dead... it's almost a relief to confront a comfortable, familiar monster like my sister." Like Ser Davos, I fear for higher education that, " If we don't put aside our enmities and band together, we will die. And then it doesn't matter whose skeleton sits on the Iron Throne ." Winter is here. top

This shadowy company is flying spy planes over US cities (BuzzFeed, 4 August 2017) - For six straight days in the middle of March, a small twin-propeller plane flew over Phoenix. Each evening, it picked two or three spots and circled for hours, flying at more than 17,000 feet. The plane was loaded with sophisticated surveillance equipment, including technology developed by the National Security Agency to track cell phones. In June of last year, that same plane spent three weeks circling daily over Wilmington, North Carolina, carrying a state-of-the-art "persistent surveillance" camera that can monitor a large area continuously for hours at a time. The Phoenix and Wilmington flights are among dozens tracked by BuzzFeed News that were flown by companies run by an obscure, Oklahoma-based private equity fund called Acorn Growth Companies . Acorn's planes serve as the US military's "A-Team" for aerial surveillance in Africa, including tracking suspected terrorists' phones from the air. In the US, the planes sometimes take part in military exercises - as they were in Phoenix - helping troops practice raids on targets using the same phone-tracking technology. At other times, Acorn serves commercial clients. The Wilmington flights, according to the company that made and operated the persistent surveillance camera, were run for two reasons: to demonstrate the technology's value for traffic surveys, and to track vehicles going to and from retail outlets. This "commercial intelligence" would allow businesses to understand where their customers are driving from. The idea was to give retailers clues to help their marketing, so they can target mailings or other efforts to lure in customers from neighborhoods where people tend to shop at competing stores. 
Acorn's diverse activities in these and other cities raise questions about how much data is being gathered from ordinary people who come under the visual and electronic gaze of sophisticated spy planes - and how that information is being used. Although the city of Phoenix agreed to the military exercises and knew that the planes would carry out some sort of surveillance, officials did not know specifics about which technologies were used. And because there's no requirement to inform cities when recording aerial imagery, the city of Wilmington wasn't told about the June 2016 flights. * * * Acorn's pilots and sensor operators tend to join the firm directly from military service, often with special ops experience. "You're not talking about any Joe Schmo walking in off the street," one former employee, who spoke on condition of anonymity, told BuzzFeed News. "There are still fairly high security clearances involved." That's not surprising, given the sensitive technology deployed from Acorn's planes. BuzzFeed News found out about this gear from documents submitted to the Federal Aviation Administration to certify that a plane is still safe to fly after structural alterations. The plane that flew over Phoenix in March, for example, was modified to carry a device called Nebula, which mimics a cell phone tower, causing phones to connect to it. Nebula can then be used to locate and track a target phone from the air, or intercept its communications. A surveillance catalog leaked to The Intercept in 2015 suggests that the device can also connect to and track satellite phones. "The NSA is leading system development," says the section on Nebula , noting that approval for its use rests under "Title 50" of the US Code, which covers espionage and covert operations. * * * Phoenix and its suburbs, with a population of more than 4.5 million, is one of several cities to have fallen under Acorn's watch over the past two years. 
Using data collected by the websites Flightradar24 and ADS-B Exchange , which track signals emitted by aircraft transponders, BuzzFeed News spotted planes registered to Commuter Air Technology and Aircraft Logistics Group flying surveillance patterns over cities including Brawley, California; Charlotte, North Carolina; and multiple locations along the Gulf of Mexico in Louisiana, Mississippi, and Alabama. * * * [ Polley : interesting; we don't know what we don't know.] top
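The BuzzFeed piece above spots surveillance flights by looking for aircraft that circle one spot for hours in transponder (ADS-B) position data. The block below is an added example of that kind of check, written for this page; it is not BuzzFeed News' analysis code and is not tied to any real aircraft. A position record is (unix seconds, latitude, longitude), the shape a transponder feed exposes; every track, the 12 km box size, the 45-minute threshold and the 10-minute coverage-gap limit are constructed assumptions. The gap limit matters in practice: ground receivers lose aircraft for long stretches, and without it a plane that left and came back hours later would look like one continuous orbit.

```python
"""Flag loitering (circling) aircraft in ADS-B position reports.

Added example; not BuzzFeed News' analysis code and not based on any real
flight. Fixes are (unix_seconds, latitude, longitude). A track is loitering
if some run of consecutive fixes, with no silence longer than MAX_GAP_S,
stays inside a bounding box whose diagonal is at most max_span_km for at
least min_minutes. All tracks and thresholds below are constructed.
"""
import math
from typing import List, Tuple

Fix = Tuple[float, float, float]   # (unix_seconds, latitude, longitude)
MAX_GAP_S = 600                    # assumption: longer silence = feed lost the aircraft


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def longest_loiter_minutes(track: List[Fix], max_span_km: float) -> float:
    """Longest run (minutes) of consecutive fixes whose bounding box stays
    within max_span_km and that has no gap over MAX_GAP_S between fixes.
    The box only grows as a run extends, so the first fix that breaks either
    rule ends every run that starts at index i."""
    track = sorted(track)
    best = 0.0
    for i in range(len(track)):
        lat_lo = lat_hi = track[i][1]
        lon_lo = lon_hi = track[i][2]
        for j in range(i + 1, len(track)):
            t, lat, lon = track[j]
            if t - track[j - 1][0] > MAX_GAP_S:          # coverage gap: run ends
                break
            lat_lo, lat_hi = min(lat_lo, lat), max(lat_hi, lat)
            lon_lo, lon_hi = min(lon_lo, lon), max(lon_hi, lon)
            if haversine_km(lat_lo, lon_lo, lat_hi, lon_hi) > max_span_km:
                break                                     # aircraft left the box
            best = max(best, (t - track[i][0]) / 60.0)
    return best


def is_loitering(track: List[Fix], max_span_km: float = 12.0,
                 min_minutes: float = 45.0) -> bool:
    return longest_loiter_minutes(track, max_span_km) >= min_minutes


# ---- constructed tracks, one fix per minute (start time is arbitrary) ----
def orbit_track(lat_c, lon_c, radius_km, minutes, start=1489190400):
    """Circle of radius_km around (lat_c, lon_c); ~3.7-minute laps."""
    dlat = radius_km / 111.0
    dlon = radius_km / (111.0 * math.cos(math.radians(lat_c)))
    return [(start + 60 * m,
             lat_c + dlat * math.sin(2 * math.pi * m / 3.7),
             lon_c + dlon * math.cos(2 * math.pi * m / 3.7)) for m in range(minutes)]


def transit_track(lat0, lon0, lat1, lon1, minutes, start=1489190400):
    """Straight overflight from (lat0, lon0) to (lat1, lon1)."""
    f = lambda m: m / (minutes - 1)
    return [(start + 60 * m, lat0 + (lat1 - lat0) * f(m), lon0 + (lon1 - lon0) * f(m))
            for m in range(minutes)]


ORBIT = orbit_track(33.45, -112.07, 3.0, 120)              # two hours circling one spot
TRANSIT = transit_track(33.0, -113.0, 34.0, -111.0, 40)    # passes straight through
SPLIT = (orbit_track(33.45, -112.07, 3.0, 30)              # 30 min, 4-hour silence, 30 min
         + orbit_track(33.45, -112.07, 3.0, 30, start=1489190400 + 4 * 3600))

if __name__ == "__main__":
    for name, trk in (("orbit", ORBIT), ("transit", TRANSIT), ("split", SPLIT)):
        print(f"{name:8s} loiter={longest_loiter_minutes(trk, 12.0):6.1f} min "
              f"flagged={is_loitering(trk)}")
```

The orbit is flagged, the overflight is not, and the split track is not either: each half is only 29 minutes of continuous coverage, which is the right answer when the feed cannot say where the aircraft was in between. The heuristic only ever sees aircraft that transmit and that a receiver network happens to hear, which is the limit Polley's note points at.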

RESOURCES

Sunstein and Randall on Political Control Over Public Communications By Government Scientists (MLPB, 24 July 2017) - Cass R. Sunstein, Harvard Law School, and Lisa Randall, Harvard University, Department of Physics, have published Political Control Over Public Communications by Government Scientists . Here is the abstract: In recent years, there has been a great deal of controversy over political control of communications by government scientists. Legitimate interests can be found on both sides of the equation. This essay argues for adoption and implementation of a framework that accommodates those interests-a framework that allows advance notice to political officials, including the White House, without hindering the free flow of scientific information. top

At Our Own Peril: DoD Risk Assessment in a Post-Primacy World (US Army War College, 29 June 2017) - The U.S. Department of Defense (DoD) faces persistent fundamental change in its strategic and operating environments. This report suggests this reality is the product of the United States entering or being in the midst of a new, more competitive, post-U.S. primacy environment. Post-primacy conditions promise far-reaching impacts on U.S. national security and defense strategy. Consequently, there is an urgent requirement for DoD to examine and adapt how it develops strategy and describes, identifies, assesses, and communicates corporate-level risk. This report takes on the latter risk challenge. It argues for a new post-primacy risk concept and its four governing principles of diversity, dynamism, persistent dialogue, and adaptation. The authors suggest that this approach is critical to maintaining U.S. military advantage into the future. Absent change in current risk convention, the report suggests DoD exposes current and future military performance to potential failure or gross under-performance. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Sony BMG Settles FTC Charges Over Anti-Piracy CDs (SiliconValley.com, 30 Jan 2007) -- U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software. According to the Federal Trade Commission, which announced the settlement, Sony BMG's anti-piracy software limited the devices on which music could be played to those made by Sony Corp., Microsoft Corp. or other Windows-compatible devices. The software also restricted the number of copies of the music that could be made to three, the agency said, and "exposed consumers to significant security risks and was unreasonably difficult to uninstall." "Installations of secret software that create security risks are intrusive and unlawful," FTC Chairman Deborah Platt Majoras said. The focus of the FTC action is not the limits themselves, Majoras said, but the lack of notification. "Ordinary experience with CDs would not lead consumers to expect these limits," she said. "This was a case about disclosure." The settlement requires the company to allow consumers to exchange through the end of June the affected CDs purchased before Dec. 31, 2006, and reimburse them up to $150 to repair damage done when they tried to remove the software. It also requires Sony BMG to clearly disclose limitations on consumers' use of music CDs and prohibits it from installing software without consumer consent. For two years, Sony BMG also must provide an uninstall tool and patches to repair the security vulnerabilities on consumers' computers and must advertise them on its Web site. The company also is required to publish notices describing the exchange and repair reimbursement programs on its Web site. top

New York Times to end paid Internet service (Reuters, 18 Sept 2007) - The New York Times Co said on Monday it will end its paid TimesSelect Web service and make most of its Web site available for free in the hopes of attracting more readers and higher advertising revenue. TimesSelect will shut down on Wednesday, two years after the Times launched it, which charged subscribers $7.95 a month or $49.95 a year to read articles by columnists such as Maureen Dowd and Thomas Friedman. The trademark orange "T's" marking premium articles will begin disappearing Tuesday night, said the Web site's Vice President and General Manager Vivian Schiller. The move is an acknowledgment by The Times that making Web site visitors pay for content would not bring in as much money as making it available for free and supporting it with advertising. "We now believe by opening up all our content and unleashing what will be millions and millions of new documents, combined with phenomenal growth, that that will create a revenue stream that will more than exceed the subscription revenue," Schiller said. Figuring out how to increase online revenue is crucial to the Times and other U.S. newspaper publishers, which are struggling with a drop in advertising sales and paying subscribers as more readers move online. "Of course, everything on the Web is free, so it's understandable why they would want to do that," said Alan Mutter a former editor at the San Francisco Chronicle and proprietor of a blog about the Internet and the news business called Reflections of a Newsosaur. "The more page views you have, the more you can sell," he said. "In the immediate moment it's a perfectly good idea." Starting on Wednesday, access to the archives will be available for free back to 1987, as well as stories before 1923, which are in the public domain, Schiller said. Users can buy articles between 1923 and 1986 on their own or in 10-article packages, the company said. 
Some stories, such as film reviews, will be free, she said. American Express will be the first sponsor of the opened areas on the site, and will have a "significant advertising presence" on the homepage and in the opinion and archives sections, the company said. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, July 15, 2017

MIRLN --- 25 June - 15 July 2017 (v20.10)

MIRLN --- 25 June - 15 July 2017 (v20.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES

US Government wants to permanently legalize the right to repair (Motherboard, 22 June 2017) - In one of the biggest wins for the right to repair movement yet, the US Copyright Office suggested Thursday that the US government should take actions to make it legal to repair anything you own, forever-even if it requires hacking into the product's software. Manufacturers-including John Deere, Ford, various printer companies, and a host of consumer electronics companies-have argued that it should be illegal to bypass the software locks that they put into their products, claiming that such circumvention violated copyright law. This means that for the last several years, consumer rights groups have had to repeatedly engage in an "exemption" process to Section 1201 of the Digital Millennium Copyright Act. Essentially, the Librarian of Congress decides which circumventions of copyright should be lawful-for example, unlocking your cell phone or hacking your tractor to be able to repair the transmission. But these exemptions expire every three years, and require going through a protracted legal process to earn. Additionally, a separate exemption is required for each product category-right now it's legal to hack software to repair a car, but not to repair a video game console. top

Under pressure, Western tech firms bow to Russian demands to share cyber secrets (Reuters , 23 June 2017) - Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code - instructions that control the basic operations of computer equipment - current and former U.S. officials and security experts said. top

Police get broad phone and computer hacking powers in Germany (ZDnet, 23 June 2017) - Germany's coalition government has significantly increased police hacking powers by slipping a last-minute amendment into a law that's nominally supposed to deal with driving bans. While the police have so far only been allowed to hack into people's phones and computers in extreme cases, such as those involving terrorist plots, the change allows them to use such techniques when investigating dozens of less serious offences. In Germany, the authorities' hacking tools are widely known as Staatstrojanern , or state trojans. This term essentially refers to malware that the police can use to infect targets' devices, to give them the access they need to monitor communications and conduct searches. The types of crime where investigators can now use this malware are all of the variety where existing law would allow them to tap a suspect's phone. These range from murder and handling stolen goods to computer fraud and tax evasion. According to the government, the spread of encrypted communications makes traditional wiretapping impossible, so the authorities need to be able to bypass encryption by directly hacking into the communications device. top

U.S. cyber insurance continues to grow, according to Fitch Ratings (Property Casualty 360, 23 June 2017) - Cyber insurance direct written premium volume for the property & casualty (P&C) industry grew by 35% in 2016 to $1.35 billion, according to "Cyber Insurance Market Share and Performance," a new report from Fitch Ratings . "Take-up rates for cyber insurance are increasing with frequent reports of computer hacking incidents, including: network intrusions and data theft, as well as high-profile ransomware attacks that are leading corporations to search for broader insurance protection against cyber threats," said Jim Auden, managing director, Fitch Ratings. The largest cyber insurance writers are American International Group, Inc., XL Group Ltd, and Chubb Limited. These companies had a combined market share of approximately 40% at year-end 2016. The top 15 writers of cyber held approximately 83% of the market in 2016. However, over 130 distinct insurance organizations reported writing cyber premiums for the year. The industry statutory direct loss ratio for stand-alone cyber insurance improved in 2016 to 45% from 50% a year earlier. However, the ultimate profitability of the P&C industry's cyber insurance efforts will take some time to assess as the market matures and future cyber-related loss events emerge. top

Regulators enlist corporate lawyers in joint response to cyberattacks (ABA Journal, 26 June 2017) - Responding quickly to an identity theft, ransomware or other computer attack means having a plan in place. And as participants in the National Institute on Cybersecurity Law learned, that includes a plan to send in the feds. "Figure out if you have to report that breach to my office or other regulators, state and federal," was the advice from Iliana Peters, who's responsible for health care data privacy at the U.S. Department of Health and Human Services. Peters was on a panel of six current and former regulators assembled by the ABA Section of Litigation on Thursday in Chicago. "We want to be sure that entities are prepared to implement these kind of response plans," Peters said. "As it's happening is not the time to be doing that, to be figuring out how you're going to respond." Reporting an incident can bring in experts to evict cyber squatters, said Lucia Ziobro, the head of an FBI internet crime unit. One company's general counsel turned FBI agents away after a security breach, she recalled. For the next week, the lawyer traded messages online with the chief executive and technology executives about what to do next. Meanwhile, hackers monitored the discussion, and covered their tracks. When the feds returned, Ziobro said, "all the evidence we could have collected was gone." Regulators, for their part, are more focused on prevention than prosecution. But they don't like surprises. "If we see a news report and we don't have a breach report from you, it is very likely that we will open an investigation proactively," Peters said. Travis LeBlanc, a former chief enforcer for the Federal Communications Commission and the high-tech crime unit of the California Attorney General's Office , stressed that there's little downside to calling in federal or state regulators, who are constrained by law in what information they can share. 
"So often we hear from companies that they are afraid to report to the FBI or to the Secret Service or the eCrime unit in California," LeBlanc said. "Not one time did we ever on the civil side receive information about a criminal incident from a criminal law authority that resulted in an investigation. "It's very important that when a company is a victim of a crime, it should feel that it can go to the appropriate governmental authority without being chilled by the possibility of regulatory action." top

Detecting riots with Twitter (Cardiff Univ, 26 June 2017) - Social media can be an invaluable source of information for police when managing major disruptive events, new research from Cardiff University has shown. An analysis of data taken from the London riots in 2011 showed that computer systems could automatically scan through Twitter and detect serious incidents, such as shops being broken into and cars being set alight, before they were reported to the Metropolitan Police Service. The computer system could also discern information about where the riots were rumoured to take place and where groups of youths were gathering. The new research, published in the peer-reviewed journal ACM Transactions on Internet Technology, showed that on average the computer systems could pick up on disruptive events several minutes before officials and over an hour in some cases. * * * The researchers used a series of machine-learning algorithms to analyse each of the tweets from the dataset, taking into account a number of key features such as the time they were posted, the location where they were posted and the content of the tweet itself. Results showed that the machine-learning algorithms were quicker than police sources in all but two of the disruptive events reported. top

Defense contractors will be held to higher cyber standards (GovConWire, 26 June 2017) - Defense contractors will soon be held to the same cybersecurity standards that the Defense Department has implemented in recent years, according to a top IT official at the Pentagon. "The cyberthreat is not going away; we have to defend our networks and systems, and you're part of that defense," acting DOD CIO John Zangardi said Friday. "DOD is facing the same threats that you are. And with these regulations, we are asking to implement some of the same defenses as we are implementing for the department's networks." A new DOD regulation on how contractors respond to and report cyber incidents will go into effect, and defense contractors have until the end of calendar year 2017 to begin complying. top

- and -

The Pentagon says it will start encrypting soldiers' emails next year (Motherboard, 6 July 2017) - For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as STARTTLS , isn't a cutting edge development-it's been around since 2002. But since that time the Pentagon never implemented it. As a Motherboard investigation revealed in 2015 , the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, mail.mil , which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. top
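The item above describes STARTTLS as encryption that protects mail in transit, and the security-relevant detail a practitioner wants is how the upgrade is negotiated: the server advertises STARTTLS as one keyword in its EHLO reply, and a client that upgrades only when it sees that keyword can be silently downgraded by anyone on the path who rewrites that single line, unless the client is configured to require TLS and fail closed. The block below is an added example written for this page, not code from Motherboard, DISA or mail.mil. The server replies are constructed by hand in the shape RFC 3207 and RFC 5321 describe, the host names use the reserved example.test domain, and nothing in it touches the network.

```python
"""Parse an SMTP EHLO reply and decide whether to STARTTLS.

Added example, not code from Motherboard, DISA or mail.mil. Replies below
are constructed; example.test is a reserved name, not a real server.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class EhloReply:
    code: int
    capabilities: List[str] = field(default_factory=list)

    @property
    def offers_starttls(self) -> bool:
        return "STARTTLS" in self.capabilities


def parse_ehlo(reply: str) -> EhloReply:
    """Parse a (possibly multi-line) EHLO reply.

    Every line starts with the same 3-digit code; "-" after the code means
    more lines follow and a space marks the last line. Line 1 carries the
    server's greeting; each later line carries one extension keyword."""
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines or len(lines[0]) < 4 or not lines[0][:3].isdigit():
        raise ValueError("malformed EHLO reply")
    code = int(lines[0][:3])
    caps: List[str] = []
    for i, ln in enumerate(lines):
        if ln[:3] != lines[0][:3] or ln[3:4] not in ("-", " "):
            raise ValueError(f"malformed reply line {i}: {ln!r}")
        last = ln[3] == " "
        if last != (i == len(lines) - 1):
            raise ValueError("continuation marker disagrees with line count")
        words = ln[4:].split()
        if i > 0 and words:
            caps.append(words[0].upper())     # keyword only; parameters dropped
    return EhloReply(code, caps)


def strip_starttls(reply: str) -> str:
    """Model a downgrading middlebox: overwrite the STARTTLS keyword in
    transit so the client never sees it (constructed; some SMTP-inspecting
    firewalls have behaved this way)."""
    return (reply.replace("250-STARTTLS", "250-XXXXXXXX")
                 .replace("250 STARTTLS", "250 XXXXXXXX"))


def next_step(reply: str, require_tls: bool) -> str:
    """What the client does after EHLO.
    'starttls'  - keyword advertised: upgrade before any mail command.
    'cleartext' - opportunistic mode and no keyword seen: mail goes in clear.
    'abort'     - EHLO failed, or TLS is required and was not offered."""
    parsed = parse_ehlo(reply)
    if parsed.code != 250:
        return "abort"
    if parsed.offers_starttls:
        return "starttls"
    return "abort" if require_tls else "cleartext"


# Constructed replies.
WITH_TLS = ("250-mail.example.test Hello client.example.test\r\n"
            "250-SIZE 35882577\r\n"
            "250-8BITMIME\r\n"
            "250-STARTTLS\r\n"
            "250-ENHANCEDSTATUSCODES\r\n"
            "250 HELP\r\n")
STRIPPED = strip_starttls(WITH_TLS)            # same server, keyword rewritten in transit
EHLO_REFUSED = "502 Command not implemented\r\n"

if __name__ == "__main__":
    for label, reply in (("honest", WITH_TLS), ("stripped", STRIPPED), ("refused", EHLO_REFUSED)):
        print(f"{label:9s} opportunistic={next_step(reply, False):9s} "
              f"required={next_step(reply, True)}")
```

Run stand-alone it shows the asymmetry: against the honest reply both policies upgrade, against the stripped reply the opportunistic client sends in clear while the required-TLS client refuses to continue. Python's own smtplib does the same keyword check (SMTP.starttls() raises SMTPNotSupportedError when the server has not advertised STARTTLS), so the policy decision, whether to proceed without it, is always the caller's.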

DLA Piper hit by cyber attack, phones and computers down across the firm (Law.com, 27 June 2017) - DLA Piper has been hit by a major cyber attack, which has knocked out phones and computers across the firm. The shutdown appears to have been caused by a ransomware attack, similar to the WannaCry attack that hit organizations such as the NHS last month. DLA's phone system has not been working for much of the day and partners say they have been instructed to turn off their computers as a precaution. Offices in the UK, Europe, the Middle East and the US called by Legal Week all seem to have been affected, with some inside the firm saying email and phone systems have been affected with other systems then locked down as a precaution. top

- and -

66% of US law firms reported a breach in 2016 (HelpNetSecurity, 6 July 2017) - The majority of US-based law firms are not only exposed in a wide variety of areas, but in many cases, unaware of intrusion attempts. These findings were based on Logicforce survey data from over 200 law firms, anonymous system monitoring data and results from their on-site assessments. Approximately 40% of law firms in the study underwent at least one client data security audit, and Logicforce predicts this will rise to 60% by the end of 2018. Key findings: (1) An average of 10,000 intrusions occur every day at law firms; (2) Both large and small firms are equally at risk of being hacked; (3) 95% of assessed law firms were not compliant with their own data security policies and 100% were not compliant with those of their clients; and (4) 40% of firms were breached without knowing it in 2016. top

Digital field trip (InsideHigherEd, 28 June 2017) - For the 24 students in Virginia Miller's Principles of Chemistry 1 class at Montgomery College last fall, almost every lesson featured a "trip" to a world-class museum. Miller transformed her traditional, face-to-face course through the use of an expansive digital collection from the Smithsonian Institution in Washington, D.C. "It almost looks like a digital museum exhibit," the associate professor said of the five "collections" of chemistry-related space imagery that she curated from Smithsonian's online archives and turned into homework assignments for her students. "These objects jump out at you. You think, 'Let me click on this; this looks worth exploring.' … [Students] enjoyed the visual nature of it." Miller is one of approximately a dozen faculty members and instructors from the suburban Washington, D.C. community college who are using the Smithsonian's 19-month-old digital Learning Lab to enhance classes they have taught, lecture- or lab-style, for years. The lab features exhibits, documents, videos, blogs, podcasts and photographs from the Smithsonian's collections. Miller and her colleagues, who are participating in beta testing of the Learning Lab along with a group of high school teachers, teach science, math, nutrition, journalism, art history, music, mythology, developmental English and other subjects. They were tasked with centering at least one assignment on Smithsonian research or exhibits available through the digital lab relevant to classroom lessons. top

Google's DeepMind and UK hospitals made illegal deal for health data, says watchdog (The Verge, 3 July 2017) - A deal between UK hospitals and Google's AI subsidiary DeepMind "failed to comply with data protection law," according to the UK's data watchdog. The Information Commissioner's Office (ICO) made its ruling today after a year-long investigation into the agreement, which saw DeepMind process 1.6 million patient records belonging to UK citizens for the Royal Free Trust - a group of three London hospitals. The deal was originally struck in 2015, and has since been superseded by a new agreement. At the time, DeepMind and the Royal Free said the data was being shared to develop an app named Streams, which would alert doctors if patients were at risk from a condition called acute kidney injury. An investigation by the New Scientist revealed that the terms of the agreement were broader than had been originally implied. DeepMind has since made new deals to deploy Streams in other UK hospitals. top

Supreme Court unanimously overturns North Carolina's ban on social-media use by sex offenders (David Post/WaPo, 3 July 2017) - A few weeks ago, the Supreme Court released its opinion in Packingham v. North Carolina , holding 8-0 that a North Carolina law prohibiting previously convicted sex offenders from accessing or using "social networking" websites violates the First Amendment. The law in question made it a felony for a registered sex offender "to access a commercial social networking Web site* where the sex offender knows that the site permits minor children to become members or to create or maintain personal Web pages." The statute was purportedly designed to prevent ex-offenders from "gathering information about minors on the Internet" and using that information to make inappropriate or unlawful contact with them. All eight Justices agreed (with us) that the statute was not sufficiently "narrowly tailored" to serve that purpose. It wasn't even a close call. The court (Justice Anthony M. Kennedy writing for himself and Justices Ruth Bader Ginsburg, Stephen G. Breyer, Elena Kagan and Sonia Sotomayor, with Justice Samuel A. Alito Jr. concurring joined by Chief Justice John G. Roberts Jr. and Justice Clarence Thomas) described the statutory prohibition as "unprecedented in the scope of First Amendment speech it burdens.": [S]ocial media users employ these websites to engage in a wide array of protected First Amendment activity on topics "as diverse as human thought." … Social media allows users to gain access to information and communicate with one another about it on any subject that might come to mind. By prohibiting sex offenders from using those websites, North Carolina with one broad stroke bars access to what for many are the principal sources for knowing current events, checking ads for employment, speaking and listening in the modern public square, and otherwise exploring the vast realms of human thought and knowledge. 
These websites can provide perhaps the most powerful mechanisms available to a private citizen to make his or her voice heard. They allow a person with an Internet connection to "become a town crier with a voice that resonates farther than it could from any soapbox." … [T]o foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights. [ Polley : Sweeping and important language.] top

Veterans get a legal checkup with new online tool (Law.com, 5 July 2017) - "Checkups" are obviously common in health care, but the idea of doing a preventive screening for potential issues has applications in law as well, especially in access to justice efforts. A new legal "checkup" tool for veterans, a collaborative project between the American Bar Association (ABA), legal insurance group ARAG Legal and legal innovation group CuroLegal, aims to help veterans "check up" some of the legal issues they may be facing. Nicole Bradick, chief strategy officer at CuroLegal, said the tool, called Veterans Legal Checkup, was designed in alignment with current ABA president Linda Klein's institution of the ABA Veterans Legal Services Initiative. The tool, as its name plainly suggests, is designed for veterans, but Bradick explained that it looks at a few different service areas in particular. "We spoke with a lot of veterans' legal experts, and they highlighted employment, family law and housing as the three biggies," Bradick said. Accordingly, the tool's questionnaire steps users through questions that could bring to light issues veterans face in these areas, like eviction, emergency housing, fair pay, and spousal support. Veterans Legal Checkup is essentially a guided interview; users who access the tool are taken through a number of potential legal issues one question at a time to see if they may have an outstanding legal matter. If the tool can identify a potential claim, it provides a step-by-step walkthrough of the actions users can take to remedy the matter, including useful resources on how to prepare documents and scaffolding for what to say if you call a local legal aid organization. If the tool is unable to identify a particular legal concern, it provides some contact information for a local legal aid agency, paired with some suggestions for what to say when you call. * * * top

Wall Street Journal shuts down its law blog (Bob Ambrogi, 5 July 2017) - Sad news in the legal blogging world, as the Wall Street Journal on Monday shut down its Law Blog, which has regularly covered and broken legal news since its launch in 2006. The closing came as part of the news organization's shutdown of eight blogs on Monday covering a range of topics, according to the NiemanLab. top

Why all federal agencies should break and inspect secure traffic (NextGov, 5 July 2017) - The data breach that rocked the Office of Personnel Management in 2015 resulted in the theft of an estimated 21.5 million records, including personally identifiable information such as Social Security numbers, names, dates, places of birth, addresses, fingerprint images and background check data. It's billed as the cyberattack that shocked the U.S. government, and it was discovered when a security engineer decrypted and inspected a portion of the SSL traffic that traverses the agency's network and noticed some odd outbound traffic. Hackers had used SSL encryption to shield their activity and to cloak a piece of malware designed to give them access to the agency's servers. They used that malware to steal mountains of data. Had that engineer not decrypted and inspected the network's SSL traffic, that malware may have continued to go unnoticed, making the already monstrous breach more catastrophic. As evidenced by the OPM data breach, one attack method modern hackers use to infiltrate federal networks is encrypted streams. Essentially, they use secure, encrypted traffic to obfuscate malware. Advanced adversaries don't want to do something that jumps out at security engineers. There are no shiny, blinking lights that say they're performing a malicious activity. They want to hide among the noise and use SSL encryption for camouflage. SSL traffic has become the largest network blind spot for government and federal agencies. A Ponemon Institute survey titled "Hidden Threats in Encrypted Traffic" found 50 percent of malware attacks are expected to be delivered via encrypted channels and 80 percent of organizations are not inspecting their SSL traffic. And of the public-sector respondents indicating they had been attacked, 43 percent of those attacks are believed to have used encryption to evade detection. top

- but -

As elites switch to texting, watchdogs fear loss of transparency (NYT, 6 July 2017) - Secure messaging apps like WhatsApp, Signal and Confide are making inroads among lawmakers, corporate executives and other prominent communicators. Spooked by surveillance and wary of being exposed by hackers, they are switching from phone calls and emails to apps that allow them to send encrypted and self-destructing texts. These apps have obvious benefits, but their use is causing problems in heavily regulated industries, where careful record-keeping is standard procedure. "By and large, email is still used for formal conversations," said Juleanna Glover, a corporate consultant based in Washington. "But for quick shots, texting is the medium of choice." Texting apps are already creating headaches on Wall Street, where financial regulations require firms to preserve emails, instant messages and other business-related correspondence. * * * For now, America's elites seem to be using secure apps mostly for one-on-one conversations, but the days of governance by group text might not be far-off. Last year, a group affiliated with Britain's Conservative Party was discovered to be using a secret WhatsApp conversation to coordinate a pro-"Brexit" messaging campaign, while a separate WhatsApp group was being used by politicians backing the Remain effort. Steve Baker, the Conservative member of Parliament who led the pro-"Brexit" group, told The Telegraph that WhatsApp was "extremely effective" as a tool for political coordination. top

BakerHostetler forms swat team to help clients deal with active ransomware attacks (Ride the Lightning, 10 July 2017) - I am not usually interested in the semi-spammy press releases that flood my Inbox, but one did catch my attention, announcing that BakerHostetler, in the wake of the NotPetya and WannaCry assaults, has established a SWAT team to help clients deal with active ransomware attacks. According to the release, this team is different from a typical incident response team. The SWAT team is comprised of members of several practice groups which have handled thousands of cybersecurity incidents, including hundreds of ransomware matters over the last few years. SWAT Team members address issues that go along with ransomware attacks - like whether or not to pay ransom and how, preserving crucial evidence when systems are down, engagement of law enforcement at the highest levels for support, establishing compliant offline communications because systems are down, leveraging downtime processes from business continuity plans and disaster recovery plans, working with company Boards to remain focused on restoration of services and legal obligations, and developing communications for internal and external parties. I suspect other law firms are forming similar teams - for a need that is now very pressing and didn't exist at all several years ago. Like one of my labs sniffing the air for interesting scents, the firm made a smart move by scanning the horizon for a new legal services opportunity. And that is an essential part of future-proofing firms and keeping legal services relevant. top

NYU releases the largest LiDAR dataset ever to help urban development (TechCrunch, 12 July 2017) - New York University has made available the largest public LiDAR data set ever collected, via its Center for Urban Science and Progress. The laser-scanned data, collected using aerial LiDAR instruments, is about 30 times as dense as a typical data set at a resolution of around 300 points per square meter, and covers a 1.5km square region of Dublin's city center. The data was collected by Professor Debra F. Laefer and her NYU CUSP research team, and includes both a top-down view of the roofs and distribution of buildings, as well as info about their vertical surfaces, making it possible to build 3D models of the urban landscape with detail around building measurements, trees, power lines and poles and even curb height, CUSP says. Open access to this scale and quality of data has big implications for researchers working on urban planning and development, and for engineering teams tackling everything from autonomous vehicles, to drone fleet operation, to infectious disease transmission tracking and more. It's something that would understandably be of use if captured for other cities, too - and that's exactly what CUSP hopes to do, with discussions underway to tackle New York City with a similar data imaging project next. If you think you can do something cool with the dataset, go ahead and grab it here - complete with both LiDAR info and related imagery. top

Six major US airports now scan Americans' faces when they leave country (ArsTechnica, 12 July 2017) - The Department of Homeland Security has been pushing a plan that if enacted would require all Americans to submit to a facial-recognition scan when departing the country. This step would be a way to expand a 2004 biometric-tracking law meant to target foreigners. According to the Associated Press, which first reported the plan on Wednesday, facial-scanning pilot programs are already underway at six American airports: Boston, Chicago, Houston, Atlanta, New York City, and Washington DC. More are set to expand next year. In a recent privacy assessment, DHS noted that the "only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling." In recent years, facial recognition has become more common amongst federal and local law enforcement: a 2016 Georgetown study found that half of adult Americans are already in such biometric databases. "Americans expect when they fly overseas that their luggage is going to be looked into," Harrison Rudolph, a Georgetown legal fellow, told Ars. "What they don't expect is their face is going to be scanned. This is an expansion of a program that was never authorized for US citizens." John Wagner, the Customs and Border Protection official in charge of the program, said that the agency will delete such scans within 14 days. But he also said that the agency may keep scans longer after it goes "through the appropriate privacy reviews and approvals." top

Border Patrol says it's barred from searching cloud data on phones (NBC, 12 July 2017) - U.S. border officers aren't allowed to look at any data stored only in the "cloud" - including social media data - when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also - apparently for the first time - declares that it doesn't have that authority in the first place. In April, Wyden and Sen. Rand Paul, R-Ky., introduced legislation to make it illegal for border officers to search or seize cellphones without probable cause. Privacy advocates and former Homeland Security lawyers have said they are alarmed by how many phones are being searched. The CBP letter, which is attributed to Kevin McAleenan, the agency's acting commissioner, is dated June 20, four months after Wyden asked the Department of Homeland Security (PDF), CBP's parent agency, to clarify what he called the "deeply troubling" practice of border agents' pressuring Americans into providing passwords and access to their social media accounts. McAleenan's letter cites several laws that he contends allow officers to search any traveler's phone without probable cause when the traveler enters or leaves the United States. The agency says the practice protects against child pornography, drug trafficking, terrorism and other threats. But the question of whether that broad authority extends to data linked to on remote servers but not physically stored on a phone had remained unclear, according to privacy advocates like the American Civil Liberties Union and the Electronic Frontier Foundation.
McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion - but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos. top

RESOURCES

Big data, data science, and civil rights (Computing Community Consortium, 27 June 2017) - The Computing Community Consortium (CCC) has been working hard on various white papers over the past couple of months and slowly releasing them. You can see all of them here. Today, we highlight another paper, called Big Data, Data Science, and Civil Rights by Solon Barocas, Elizabeth Bradley, Vasant Honavar, and Foster Provost. Government, academia, and the private sector have increasingly recognized that the use of big data and data science in decisions has important implications for civil rights. However, a coherent research agenda for addressing these topics is only beginning to emerge and the need for such an agenda is critical and timely. Big data and data science have begun to profoundly affect decision making because the modern world is more broadly instrumented to gather data: from financial transactions, mobile phone calls, web and app interactions, emails, chats, Facebook posts, Tweets, cars, Fitbits, and on and on. According to this paper, the necessary research agenda should include: * * * [ Polley : Spotted by MIRLN reader Claude Baudoin ] top

A primer on debates over law and ethics of autonomous weapon systems (Lawfare, 5 July 2017) - For Lawfare readers interested in law and regulation of autonomous weapon systems (AWS), we're pleased to note our new essay, recently posted to SSRN, "Debating Autonomous Weapon Systems, Their Ethics, and Their Regulation Under International Law." It appears as a chapter in a just-published volume, The Oxford Handbook of Law, Regulation, and Technology, edited by Roger Brownsword, Eloise Scotford, and Karen Yeung (Oxford University Press, July 2017). Our chapter can be read on its own as a non-technical and relatively short primer on normative debates over AWS. The book in which it appears addresses emerging technologies and regulation more generally. Some readers might find it interesting to see how debates over the law, regulation, and ethics of AWS compare and contrast with those of other emerging technologies (Table of Contents tab here). Although our chapter expresses a point of view on these normative debates (a point of view we've previously conveyed here, here, and elsewhere), it is intended to present, as fairly as we could in a limited space and in non-technical language, the leading positions in the debate. It's not a brief for one side or the other. Teachers looking for a basic introduction to the AWS topic for use in law, international relations, ethics, armed conflict or military studies, etc., might find it useful. top

DIFFERENT

Text this number anything you want and it will text you back art depicting it (Gothamist, 10 July 2017) - There are 34,678 pieces of artwork in SFMOMA's collection, with only about 5% on view at any given time. To get more eyes on the art, they've created a way to discover some of it. Their highly addictive "Send Me" feature allows you to text them what you want to see, and they'll send you back an image of a piece of art depicting that thing, along with some information on the piece. Here's how to make the magic happen: text "send me [x]" to 572-51, and within seconds SFMOMA will text you back a piece of art that, in some way, shows you that thing. X can be a keyword, a color, or even an emoji. In their announcement of the text service, they noted that "studies have shown that the average museum visitor spends approximately seven seconds in front of any artwork," asking, "In a world oversaturated with information... how can we generate personal connections between a diverse cross section of people and the artworks in our collection? How can we provide a more comprehensive experience of our collection?" In the first four days of the project, they received over 12,000 texts. [ Polley : Spotted by MIRLN reader Elizabeth Polley = @ebpolley] top

Specific laws that govern katana/samurai sword ownership (Case Clothesed, July 2017) - In Japan, there are certain laws you have to comply with in order to own swords or katana. During the old period in Japan, carrying swords on the road was prohibited unless you were a public servant or police. These days it is hard to find someone who owns a sword, other than those associated with the sport Hombu Dojo or a type of samurai sport. Yakuza and other members of the elite community may have access to these swords too. But there are certain laws that restrict the use of this traditional weapon. * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Company will monitor phone calls to tailor ads (New York Times, 24 Sept 2007) - Companies like Google scan their e-mail users' in-boxes to deliver ads related to those messages. Will people be as willing to let a company listen in on their phone conversations to do the same? Pudding Media, a start-up based in San Jose, Calif., is introducing an Internet phone service today that will be supported by advertising related to what people are talking about in their calls. The Web-based phone service is similar to Skype's online service - consumers plug a headset and a microphone into their computers, dial any phone number and chat away. But unlike Internet phone services that charge by the length of the calls, Pudding Media offers calling without any toll charges. The trade-off is that Pudding Media is eavesdropping on phone calls in order to display ads on the screen that are related to the conversation. Voice recognition software monitors the calls, selects ads based on what it hears and pushes the ads to the subscriber's computer screen while he or she is still talking. A conversation about movies, for example, will elicit movie reviews and ads for new films that the caller will see during the conversation. Pudding Media is working on a way to e-mail the ads and other content to the person on the other end of the call, or to show it on that person's cellphone screen. "We saw that when people are speaking on the phone, typically they were doing something else," said Ariel Maislos, chief executive of Pudding Media. "They had a lot of other action, either doodling or surfing or something else like that. So we said, 'Let's use that' and actually present them with things that are relevant to the conversation while it's happening." top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top