Saturday, December 22, 2018

MIRLN --- 28 Nov - 22 Dec 2018 (v21.16)

Facebook's New 'Supreme Court' Could Revolutionize Online Speech (Lawfare, 19 Nov 2018) - The Supreme Court of Facebook is about to become a reality. When Facebook CEO Mark Zuckerberg first mentioned the idea of an independent oversight body to determine the boundaries of acceptable speech on the platform, "almost like a Supreme Court," he said, in an April 2018 interview with Vox, it sounded like an offhand musing. But on Nov. 15, responding to a New York Times article documenting how Facebook's executives have dealt with the company's scandal-ridden last few years, Zuckerberg published a blog post announcing that Facebook will "create a new way for people to appeal content decisions to an independent body, whose decisions would be transparent and binding." Supreme Court of Facebook-like bodies will be piloted early next year in regions around the world, and the "court" proper is to be established by the end of 2019, he wrote. It is difficult to overstate the potential this has to transform understandings of online speech governance, international communication and even the very definition of "free speech." Zuckerberg's blog post literally asks more questions about the anticipated tribunal than it answers. (He writes, "Starting today, we're beginning a consultation period to address the hardest questions, such as: how are members of the body selected? How do we ensure their independence from Facebook, but also their commitment to the principles they must uphold? How do people petition this body? How does the body pick which cases to hear from potentially millions of requests?") But it's worth unpacking the underlying ideas behind the proposal and the most difficult challenges that will need to be resolved in how it's set up.

Today in brighter crypto news: SEC says tokens are securities (TechCrunch, 21 Nov 2018) - Crypto news got a little boost last week after a dark month of crashes, stablecoins and birthdays. The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens. "Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties," wrote Pamela Sawhney of the SEC. "These are the Commission's first cases imposing civil penalties solely for ICO securities offering registration violations."

- and -

Ohio becomes the first state to accept bitcoin for tax payments (TechCrunch, 28 Nov 2018) - Starting Monday, businesses in Ohio will be able to pay their taxes in bitcoin - making the state that's high in the middle and round on both ends the first in the nation to accept cryptocurrency officially. Companies that want to take part in the program simply need to go to OhioCrypto.com and register to pay in crypto whatever taxes their corporate hearts desire. It could be anything from cigarette sales taxes to employee withholding taxes, according to a report in The Wall Street Journal, which first noted the initiative. The brainchild of current Ohio state treasurer Josh Mandel, the bitcoin program is intended to be a signal of the state's broader ambitions to remake itself in a more tech-friendly image. Already, Ohio has something of a technology hub forming in Columbus, home to one of the largest venture capital funds in the Midwest, Drive Capital. And Cleveland (the city once called "the mistake on the lake") is trying to remake itself in cryptocurrency's image with a new drive to rebrand the city as "Blockland."

Jury dismissed after Crown looks up jurors on LinkedIn (The Globe & Mail, 22 Nov 2018) - A prosecutor's use of LinkedIn to conduct background checks on jurors is raising new questions about improper vetting after a second jury in a week was dismissed in Atlantic Canada over the issue. Both cases - a murder trial, and one of criminal negligence causing death - are now being tried by judge alone after the prosecution was obliged to drop its earlier objection to defence requests for such a trial. The newest instance came on Thursday in an important case in Nova Scotia - the first in that province under a federal Criminal Code provision drafted after the 1992 Westray methane explosion that killed 26 miners in Plymouth, N.S. Elie Hoyeck, the owner of an auto-repair shop, is charged with criminal negligence causing the death of an employee, Peter Kempton, in a 2013 vehicle fire. The 2004 "Westray law" says that anyone who directs another person in a task must take reasonable steps to ensure the person's safety. The earlier instance was revealed in a ruling on Monday in a high-profile case in New Brunswick - the retrial of Dennis Oland, charged with second-degree murder of his wealthy father, Richard. He had been found guilty in 2015, but an appeal court set aside the conviction and ordered a new trial in 2016. A police officer conducted checks in a local police database with information on all police contacts (as a witness, complainant, or suspect), and did not share the information with Mr. Oland's defence team. A judge dismissed the jury and declared a mistrial; a new trial started Tuesday. Vancouver lawyer Eric Gottardi, the past chair of the Canadian Bar Association's criminal-justice section, said that even one or two such cases are concerning. "You have to think it's like the tip of an iceberg just because of how unlikely it is that these practices would come to light," he said in an interview. It is not a new area of law, and the message is clear to police and prosecutors about what they may and may not do. In 2012, the Supreme Court of Canada ruled that prosecutors and police must share with defence lawyers anything they find inadvertently when checking whether potential jurors have criminal records. It made a similar ruling in 1997. The idea is that the prosecution should not have an advantage over the defence, or interfere with jurors' privacy.

French tax officials to start digging through social media posts for expensive cars it thinks you can't afford (TechDirt, 26 Nov 2018) - In a weird announcement threatening the commencement of pointless government monitoring, a French official says tax cheats will now be outed by their own selfies. (via Reason): France's tax administrators will start searching through social media accounts in early 2019, a pilot project in the fight against tax avoidance, Budget Minister Gerald Darmanin told weekly business TV show Capital. [...] "(The fiscal administration) will be able to see that if you have numerous pictures of yourself with a luxury car while you don't have the means to own one, then maybe your cousin or your girlfriend has lent it to you... or maybe not," Darmanin said. I guess French tax collectors will be scrolling through social media profiles with lists of tax dodgers and a keen appraiser's eye. There may be several reasons people have expensive items showcased on social media, and not all of them will have anything to do with ill-gotten net gains. A very common internet pastime is presenting your life as more exciting, dynamic, and filled with material goods than it actually is. Photoshop may be involved. Some of what tax officials come across will be evidence of nothing more than self-esteem issues.

Online dispute resolution bolstering access to justice (Lawyers Weekly/Australia, 27 Nov 2018) - Despite the reluctance many jurisdictions have about utilising tech in dispute resolution matters, the chair of Canada's Civil Resolution Tribunal has shared how doing so has aided in the country's access to justice crisis. Speaking to Lawyers Weekly ahead of her appearance at last week's ODR: The State of the Art International Symposium, the tribunal's chair Shannon Salter spoke about what has been described as the access to justice crisis and the need for the development of creative solutions to combat the problem. Ms Salter said this is what led Canada's British Columbia to develop The Civil Resolution Tribunal (CRT) - Canada's first online tribunal. * * *

Pennsylvania Supreme Court recognizes Common Law duty to safeguard employees' personal data (Nat'l Law Review, 27 Nov 2018) - The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by holding that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on an internet-accessible computer. The court further held that Pennsylvania's economic loss doctrine permits recovery for "purely pecuniary damages" on a negligence claim premised on a breach of such a duty. This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law. The court rejected the notion that it was creating a "new affirmative duty" under common law, and instead held that it was applying the "existing duty to a novel factual scenario." The plaintiffs alleged that, as a condition of employment at UPMC, they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols. The court held that where an employer's affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees' personal information "against an unreasonable risk of harm arising out of [the employer's data collection practices]." UPMC should have realized, the court concluded, that "a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal [its employees'] information; thus, the data breach was 'within the scope of the risk created by' UPMC." As to the 'duty' element of the negligence claim, "the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees'] personal and financial information from that breach."

When the Internet Archive forgets (Gizmodo, 28 Nov 2018) - On the internet, there are certain institutions we have come to rely on daily to keep truth from becoming nebulous or elastic. Not necessarily in the way that something stupid like Verrit aspired to, but at least in confirming that you aren't losing your mind, that an old post or article you remember reading did, in fact, actually exist. It can be as fleeting as using Google Cache to grab a quickly deleted tweet, but it can also be as involved as doing a deep dive of a now-dead site's archive via the Wayback Machine. But what happens when an archive becomes less reliable, and arguably has legitimate reasons to bow to pressure and remove controversial archived material? A few weeks ago, while recording my podcast, the topic turned to the old blog written by The Ultimate Warrior, the late bodybuilder turned chiropractic student turned pro wrestler turned ranting conservative political speaker under his legal name of, yes, "Warrior." As described by Deadspin's Barry Petchesky in the aftermath of Warrior's 2014 passing, he was "an insane dick," spouting off in blogs and campus speeches about people with disabilities, gay people, New Orleans residents, and many others. But when I went looking for a specific blog post, I saw that the blogs were not just removed, the site itself was no longer in the Internet Archive, replaced by the error message: "This URL has been excluded from the Wayback Machine." Apparently, Warrior's site had been de-archived for months, not long after Rob Rousseau pored over it for a Vice Sports article on the hypocrisy of WWE using Warrior's image for their Breast Cancer Awareness Month campaign. The campaign was all about getting women to "Unleash Your Warrior," complete with an Ultimate Warrior motif, but since Warrior's blogs included wishing death on a cancer survivor, this wasn't a good look. Rousseau was struck by how the archive was removed "almost immediately after my piece went up, like within that week," he told Gizmodo. * * *

GCHQ: We don't tell tech companies about every software flaw (ZDnet, 29 Nov 2018) - The UK's intelligence services have revealed how they choose which security vulnerabilities to reveal to technology vendors -- and which aren't disclosed because the UK's national interest is better served by what GCHQ describes as 'retaining' the knowledge. For the first time ever, GCHQ and its cyber arm the National Cyber Security Centre (NCSC) have revealed the process that is used to determine whether a vulnerability is disclosed or not disclosed when discovered. It ultimately means that sometimes GCHQ won't tell a company if its software is vulnerable to cyber attacks and hacking if that's deemed to be the better option for national security. When a previously unknown vulnerability is discovered, the default position is to disclose it -- but if it serves the national interest, knowledge of the vulnerability may not be disclosed. GCHQ states that the decision to withhold vulnerabilities is not taken lightly and always involves 'rigorous assessment' by a panel of experts from GCHQ, the NCSC and the Ministry of Defence.

- and -

Principles for a more informed exceptional access debate (Lawfare, 29 Nov 2018) - This is part of a series of essays from the Crypto 2018 Workshop on Encryption and Surveillance. In any discussion of cyber security, details matter. Unfortunately, it's the details that are missing from the discussion around lawful access to commodity end-to-end encrypted services and devices (often called the "going dark" problem). Without details, the problem is debated as a purely academic abstraction concerning security, liberty, and the role of government. There is a better way that doesn't involve, on one side, various governments, and on the other side lawyers, philosophers, and vendors' PR departments continuing to shout at each other. If we can get all parties to look at some actual detail, some practices and proposals, without asking anyone to compromise on things they fundamentally believe in, we might get somewhere. As commodity technology starts to really drive the evolution of our daily lives and more of our personal data, our industry and our economy is on the internet, we will repeatedly run into challenges of how to explain complex and subtle technical concepts to non-experts. That's likely to cover everything from how the internet economy could affect personal privacy through how the mass of data our smart stuff will be generating affects national security to how agencies charged with public protection can do their job in a way that meets the public's expectation. To do that, we need to have open and honest conversations between experts that can inform the public debate about what's right and we'll need a framework in which to do that. We hope the U.K.'s principles for access to encrypted services may help start that off. These are not intended as general principles for government access to data covering every case; and they do not address the 'discovery' problem around how governments establish which services and identities are being used by criminals and other valid targets. They're specifically for mass-scale, commodity, end-to-end encrypted services, which today pose one of the toughest challenges for targeted lawful access to data and an apparent dichotomy around security. * * *

Making a ransomware payment? It may now violate US sanctions (Bleeping Computer, 30 Nov 2018) - Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions. This week the Department of Justice unsealed a grand jury indictment against hackers allegedly responsible for the SamSam Ransomware. As part of this indictment, for the first time the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency. "While OFAC routinely provides identifiers for designated persons, today's action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals" stated the Department of Treasury's announcement. In this particular case, the cryptocurrency addresses are being attributed to Iran-based individuals named Ali Khorashadizadeh and Mohammad Ghorbaniyan who the U.S. government states have facilitated the exchange of ransomware payments into Iranian Rial. The addresses attributed to these individuals are 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V and 149w62rY42aZBox8fGcmqNsXUzSStKeq8C and contain a combined total of 5,901 bitcoins. At the current prices of bitcoins this is equivalent to over $23 million USD.

Secret Service announces test of face recognition system around White House (ACLU, 4 Dec 2018) - In yet another step toward the normalization of facial recognition as a blanket security measure, last week the Department of Homeland Security published details of a U.S. Secret Service plan to test the use of facial recognition in and around the White House. According to the document, the Secret Service will test whether its system can identify certain volunteer staff members by scanning video feeds from existing cameras "from two separate locations on the White House Complex, and will include images of individuals passing by on public streets and parks adjacent to the White House Complex." The ultimate goal seems to be to give the Secret Service the ability to track "subjects of interest" in public spaces.

The sneaky fight to give cable lines free speech rights (Susan Crawford, Wired, 4 Dec 2018) - It seems counterintuitive that a phone line could be a "speaker." But the cable industry very much wants to ensure that the act of transmitting speech from Point A to Point B is protected by the First Amendment, so that making a cable connection carry any speech it isn't interested in amounts to unconstitutional "forced speech." The addition of Justice Brett Kavanaugh to the Supreme Court roster gives the industry a significant boost. In a 2017 DC Circuit dissenting opinion, Justice Kavanaugh made it clear that he supports giving internet access providers "speaker" privileges, saying that "the First Amendment bars the Government from restricting the editorial discretion of Internet service providers."

Cybersecurity: Who's fessed up to a "Material Weakness?" (The CorporateCounsel.net, 6 Dec 2018) - The SEC's recent Cyber 21(a) Report highlighted cybersecurity internal control shortcomings at 9 different companies. This Audit Analytics blog looks at which companies have disclosed a "material weakness" following a data breach. This excerpt says that not many have: The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies. Although we are unable to identify the companies, we were curious whether we can find similar cases. Using Audit Analytics' cyber breaches dataset, we looked at recent examples & disclosures of companies that fell victim to the attacks described in the report. In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies' internal controls. The blog also reviews the disclosures made by companies that determined a material weakness existed following a data breach.

Four tips for law firms in responding to overreaching client audits (Law.com, 7 Dec 2018) - As you know, there can be a lot of effort on the law firm's end in responding to these security inquiries. How do legal IT professionals identify scenarios where clients are overreaching reasonable bounds of information or action? In cases of overreaching, how should a firm respond to the client? These are all areas where law firms may struggle, as reputation among other clients, professional responsibility concerns, or even bar admittance could be on the line if managed poorly. Here are four tips to better enable your firm to handle these inquiries. * * *

RESOURCES

Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer (UT's Bobby Chesney, 4 Dec 2018) - Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. With support from the Hewlett Foundation, I've spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive "syllabus" document. Now, I'm back with version 2.0. At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone (practitioner, lawyer, engineer, student, etc.) who wants to think deeply about the various substrands of this emergent field and how they relate to one another.

- and -

Privacy and Security: A Pedagogic Cybersecurity Framework (Peter Swire, Oct 2018) - This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

NBC offers wide online access for Beijing Olympics (Washington Post, 28 June 2008) - NBC is making more than 2,200 hours of live competition from Beijing available online, giving Olympic junkies more action than they could ever devour in a day. After barely tipping its toe in the digital world during past Olympics, the network will dive into the deep end: live blogging, 3,000 hours of highlights on demand, daily recaps and analysis and even fantasy league gaming. That's in addition to the 1,400 hours of coverage planned on six television networks, more than the combined total of every previous Summer Olympics. NBC's digital plans, however, have angered media outlets that worry the company is being heavy-handed in enforcing its rights to exclusive Olympic access. There's been some brewing tension about the rights of other media organizations to cover the event; NBC paid $3.5 billion to the International Olympics Committee to televise the five Olympics through Beijing. Other TV networks have a limited window in which to show Olympics highlights, but no video of Olympic events is permitted to be shown on any Web site besides NBCOlympics.com. NBC has allowed video of Olympic trials events to be shown on other Web sites, but each site is required to link to NBCOlympics.com. All of that video must come down Aug. 7, the day before the Beijing Games start. That's going to limit the ability of Swimming World magazine, which has a heavy online component, to offer material to its users, said Brent Rutemiller, the magazine's publisher. He's also upset that limits have been placed on where other organizations can interview athletes, and that they were extended to coaches and officials.

Biglaw firm recruits on Facebook (ABA Journal, 26 August 2008) - Looking for a way to better promote itself to the next generation of lawyers, Curtis, Mallet-Prevost, Colt & Mosle has launched a Facebook page as part of its broader law school recruiting efforts. "We are pleased to be capitalizing on the popularity of the most widely used social networking site," Nancy Delaney, a Curtis partner who is a member of the firm's personnel committee, says in a release (PDF) about the page. "As a Firm, we recognized the power of this format of communication and the wide use being made of it by future lawyers." As of this posting, the page had 32 fans. The page promotes the 178-year-old firm with historical information and the benefits of starting a career in New York. It also includes links to news, awards, policies and questions and answers about other office locations and on-campus schedules. On his LawSites blog, Robert Ambrogi posits that Curtis may be the first Am Law 200 firm to feature Facebook as a central recruiting tool.

Saturday, November 17, 2018

MIRLN --- 28 Oct - 17 Nov 2018 (v21.15)

ANNOUNCEMENT

MIRLN began in 1997 and I have published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN's last. (With curated Twitter/RSS feeds you may not miss it at all.) It's been fun; thanks for reading!

NEWS

Ohio's new cybersecurity law: creating a data breach safe harbor (Mayer Brown, 23 Oct 2018) - Policymakers long have wrestled with how to enhance private-sector cybersecurity without imposing prescriptive one-size-fits-all requirements that undermine effective cyber risk management. With the passage of its Cybersecurity Safe Harbor Act (the "Act") on August 3, 2018, Ohio has enacted legislation, the first of its kind, that is intended to use the promise of relief from legal liability to incentivize companies to adopt appropriate cyber protections. Specifically, the Act gives companies that take certain steps to create, maintain and comply with a written cyber program an affirmative defense to data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio. It remains to be seen whether the Act will have a practical impact on companies' approaches to cyber risk management or their liability exposure after a data breach. The Act nonetheless is important because it suggests a new approach to the regulation of cybersecurity practices and liability after a data breach. * * *

FTC offers small businesses free cybersecurity resources (DarkReading, 26 Oct 2018) - The Federal Trade Commission's (FTC) newly launched national initiative to educate small business owners about cybersecurity threats and defenses began with a "listening tour" last year. What it learned became the foundation for the agency's new Cybersecurity for Small Business website and related resources, which draw from a dozen different security topics FTC officials gathered from its discussions with small and midsize business (SMB) owners nationwide, said Jon Miller Steiger, director of the FTC's East Central Region, who spoke at the 2018 Cyber Security Conference for small businesses in Charlottesville, Va., earlier this week. Among their hot-button concerns, Steiger said, are their ability to train employees properly for security awareness, cyberthreats, and human error leading to a cyberattack. "They want to get one unified message from the federal government" on cybersecurity as well, he said. The new website, created in cooperation with the US Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), was officially launched on Oct. 18. It includes cybersecurity basics and best practices including the NIST cybersecurity framework for SMBs, and covers security threats, such as phishing, ransomware, email spoofing, and tech support scams. The FTC site also includes free resources, such as quizzes and educational videos.

- and -

Law firm cybersecurity: Are your vendors posing the threat of a data breach? (Nat'l Law Review, 30 Oct 2018) - If you've been paying attention, chances are your law firm security is up-to-date and fairly strong. While that takes care of the firm itself, these days it is just as important that your cybersecurity policy takes into account the cybersecurity of your vendors. "A responsible firm must also reduce the risk of a data breach at their third-party vendors," according to Ishan Girdhar, CEO and founder of Privva, a cloud-based platform that streamlines the data security assessment process throughout the value chain. * * * Girdhar's article "Vendor Risk Management for Law Firms: 7 Steps to Success," lists the following steps needed to be included in cybersecurity policy for law firms: * * *

- and -

Solo, small firms are concerned about the cloud's confidentiality and security (Law.com, 13 Nov 2018) - In the lead-up to its scheduled January release of its annual Legal Technology Survey Report, the American Bar Association recently released a report examining the tech usage of solo lawyers and small firms with two to nine lawyers. In the report, 63 percent of all lawyer-respondents who use cloud technology said they are concerned about cloud-based services' confidentiality and security. Among those not using cloud-based services, confidentiality and security (56 percent) and lack of control over the data (40 percent) were cited as key barriers preventing them from using the technology. To be sure, cloud technology has been adopted by many solo lawyers and lawyers in small firms alike. The ABA reported 59 percent of solo practitioners and 58 percent of lawyers in small firms use cloud-based computing for their work. On the cybersecurity front, the report found that 14 percent of solos and 24 percent of small law firms said they experienced a breach. Of those, 66 percent of solos and 65 percent of small firms said no significant business disruption or loss occurred due to the breach. About half, 51 percent of lawyers in small law firms, said they had data retention policies, while only 33 percent of solo practitioners reported the same. The ABA also found that most, 70 percent, of solo practitioners and 63 percent of small firms don't use password management tools. But most firms surveyed said they were required under ethical competency rules to stay abreast of the benefits and risks of technology, which may fuel faster technology retention by lawyers.

The Vote With Me app looks up your contacts' voting records (BuzzFeed, 29 Oct 2018) - The app Vote With Me connects to your phone's contact list and matches names and phone numbers with state voter rolls - telling you which party your friends are registered to and which of the last elections they actually voted in. The idea is that you can use this information to encourage friends to go vote, and will prewrite a text message to them through the app. Great, right? Except that upon deeper reflection, I found this creepy and believe it's a strange invasion of my and my friends' privacy. Just because the voter records of our friends (or really, anyone on our phones, which is a lot of random people!) are a matter of public record doesn't mean they expect other people to look for them. Even weirder is getting a text from someone telling you that they saw you didn't vote in the last election! Mikey Dickerson, executive director of The New Data Project, the non-profit group that made Vote With Me, says that he knows his app might seem a little, well, creepy to some people, but he's ok with that. "Establishing the social norm of voting is important enough that a little bit of discomfort is warranted," he told BuzzFeed News. "It feels new because it hasn't been easy to have [voter records] publicly viewed before, but we think that's for the public good." Voter rolls are technically a matter of public record, but it's not easy to look up your friends' information. There simply isn't a single free website where you can enter a name and get a voter record. There's voterrecords.com , but it only covers 14 states plus D.C. On certain official state websites, you can look up registrations, but only if you know extra information like a person's actual full name and, say, their zip code or birth date. And all of these just say if you're registered or not, not which years you voted. (Who you voted for is, of course, always secret and not part of any of this information.) 
Vote With Me gets its info by paying for a licensed set of records from a commercial entity that provides this as a service to campaigns or other groups. In a Medium post, the group that made Vote With Me, The New Data Project, describes how they obtained the voter data: "Campaigns have used these records for decades, and sometimes have taken steps to prevent you from realizing it. We feel that as long as this data exists, regular people not on a political payroll should be able to see and use it, too." top

Project provides access to all US case law, covering 360 years (Robert Ambrogi, 29 Oct 2018) - Launching today is the capstone to a massive project executed over the last three years to digitize all U.S. case law, some 6.4 million cases dating all the way back to 1658, a span of 360 years. The Caselaw Access Project site launching today makes all published U.S. court decisions freely available to the public in a consistent digitized format. The site is the product of a partnership started in 2015 between Harvard Law School's Library Innovation Lab and legal research service Ravel Law to digitize Harvard's entire collection of U.S. case law, which Harvard says is the most comprehensive and authoritative database of American law and cases available anywhere outside the Library of Congress. The collection includes all federal and state courts, and all territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. For now, the collection is text only, although Harvard plans to add images at a later time. top

SEC Section 21(a) report focuses on cyber threats and internal accounting controls - measures to consider taking to mitigate risk (MoFo, 30 Oct 2018) - The Securities and Exchange Commission's October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division's investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity. [1] Indeed, the SEC's press release announcing the report specifically cautioned public companies that they "should consider cyber threats when implementing internal accounting controls." [2] Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. For example, the SEC's July 25, 2017 Section 21(a) report known as the "DAO Report," which reminded readers of the federal securities laws' registration requirements and their application to sales of certain "tokens," heralded the SEC's recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC's latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws. 
The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents, [3] and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company's vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls. top

US-CERT issues guide on how to properly dispose of your electronic devices (ZDnet, 31 Oct 2018) - This week, the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security (DHS), has published an official advisory with instructions and recommendations for properly deleting data from electronic devices that a user wishes to dispose of in one form or another. These instructions are universal and can be applied to computers, smartphones, tablets, cameras, media players, external storage devices, and even gaming consoles. Many of these recommendations are also common knowledge for IT industry veterans, but the guide was also written with non-technical users in mind. So let's take a deep dive into the proper device sanitization procedures. * * * top

Copyright Office extends anti-circumvention DMCA exemptions to all filmmakers, not just documentarians (TechDirt, 2 Nov 2018) - Earlier this year, we wrote a bunch of posts on the Copyright Office's request for comment on changes needed to the DMCA's anti-circumvention exemption list. There were lots of interesting submissions, but one that caught my attention was a whole bunch of film association groups, most of them for documentarians, advocating that the anti-circumvention exemption they enjoyed, which lets them use clips from other films and content, be expanded to include filmmakers generally. This would address the copyright industries' cynical attempt to route around Fair Use usage by filmmakers by simply locking up their content behind all kinds of DRM that, unless you're a documentarian, you can't circumvent. The MPAA, as you would expect, said that allowing for this would kick off "widespread hacking" of all the DVDs on the planet, while all it was really concerned about was the licensing agreements it was able to secure from filmmakers who didn't want to violate the DMCA to get the Fair Use clips they wanted. Well, the Copyright Office made its decision and the exemption will now be offered to filmmakers en masse. top

'Modern-day neighborhood watch' (C&G Newspapers, 5 Nov 2018) - Each year, criminals get a little smarter and more advanced in their scheming. You know it's true - you've got a chip in your credit card, a mind-numbingly complex login password, and a missed call log full of spoofed "local" numbers from overseas scam callers to prove it. The only way to fight unlawful technology is with gadgets for good. Police departments across the country are taking advantage of the growing availability of surveillance systems to keep a closer eye on neighborhoods. Several weeks ago, Bloomfield Township police launched a registry list for homeowners and businesses with outdoor surveillance systems called Extra Eyes. Residents and business owners simply add their address and phone number to the list, and if police investigate a crime in their neighborhood, they could be called to see if their camera system recorded anything suspicious. * * * Aside from a lack of awareness, Pizzuti said he's had an issue with explaining the program to residents, who mistakenly think that by signing up they are granting the department access to their camera systems. "That's not true at all. We couldn't have access to your cameras, nor would we want it," he explained. "This is just a faster way for us to see who in the area has cameras, instead of us canvassing neighborhoods one home at a time looking for (witnesses)." How Extra Eyes works is this: When a crime is committed and police begin to investigate, officers would normally go door to door looking for clues, asking neighbors if they'd seen anything that could be helpful to the case. With the registry, officers can see who in the area might have surveillance cameras and they can contact the owners for help. "It can work one of two ways: They can view the camera themselves and tell us if they saw anything suspicious. Maybe we can say, 'Did you see this vehicle go by at this time?' Or they can offer for us to come over and take a look at the footage with them. We never have direct access. It's more of a modern-day neighborhood watch program." top

- and -

The DEA and ICE are hiding surveillance cameras in streetlights (Quartz, 9 Nov 2018) - The US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) have hidden an undisclosed number of covert surveillance cameras inside streetlights around the country, federal contracting documents reveal. According to government procurement data, the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment." ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same period of time. It's unclear where the DEA and ICE streetlight cameras have been installed, or where the next deployments will take place. ICE offices in Dallas, Houston, and San Antonio have provided funding for recent acquisitions from Cowboy Streetlight Concealments; the DEA's most recent purchases were funded by the agency's Office of Investigative Technology, which is located in Lorton, Virginia. * * * Earlier this week, the DEA issued a solicitation for "concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device," noting that the government intended to give the contract to Obsidian Integration LLC, an Oregon company with a sizable number of federal law enforcement customers. On November 7, the Jersey City Police Department awarded a contract to Obsidian Integration for "the purchase and delivery of a covert pole camera." The filing did not provide further design details. * * * In addition to streetlights, the DEA has also placed covert surveillance cameras inside traffic barrels, a purpose-built product offered by a number of manufacturers. And as Quartz reported last month, the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them. top

West Virginians abroad in 29 countries have voted by mobile device, in the biggest blockchain-based voting test ever (WaPo, 6 Nov 2018) - Nearly 140 West Virginians living abroad in 29 countries have cast their election ballots in an unprecedented pilot project that involves voting remotely by mobile device, according to state officials. The statewide pilot, which covers 24 of West Virginia's 55 counties, uses a mixture of smartphones, facial recognition and the same technology that underpins bitcoin - the blockchain - in an effort to create a large-scale and secure way for service members, Peace Corps volunteers or other Americans living overseas to participate in the midterm elections. West Virginia is the first state to run a blockchain-based voting project at such a scale, state officials say. And if adopted more widely, the technology could make it easier to vote and potentially reduce long lines at the polls. But many security experts worry that the technology may not be ready for broader use - and could even contain vulnerabilities that risk the integrity of elections. As many as 300,000 U.S. voters located overseas requested ballots in the 2016 elections but failed to submit them. West Virginia sought to solve the problem by turning to Voatz, a company that in January received $2.2 million from Medici Ventures, a blockchain-focused investment firm owned by the online retailer Overstock.com. The Voatz app has been used on a limited basis in a number of other settings, such as student council races and West Virginia's May primary. top

Flickr says it won't delete Creative Commons photos (7 Nov 2018) - Flickr will spare both the Flickr Commons and Creative Commons photos from deletion, the now SmugMug-owned company announced today. However, its new storage limitations on free accounts may impact its use as a home for photos with a Creative Commons license in the future. When the company unveiled its big revamp last week, one of the immediate concerns among users was what the changes meant for the Creative Commons photos hosted on Flickr. Under its new management, Flickr decided to stop offering free users a terabyte of storage, and instead will begin charging users who want to host more than 1,000 photos on its site. Users with more than 1,000 photos either had to choose to upgrade to a Pro account to retain those photos on the site or see them deleted. Ryan Merkley, CEO at Creative Commons, expressed some concern last week over what this meant for the millions of CC images hosted on Flickr. Would they be gone, too? Flickr today says the answer is "no." It vows not to delete either its own Flickr Commons archive or any photos uploaded with a Creative Commons license before November 1, 2018. The Flickr Commons is a resource consisting of photos from institutions that want to share their digital collections with the world, such as NASA, the National Parks Service, the UK National Archives and The British Library. These organizations were either already Pro account holders or have now received a free Pro account from Flickr, the company says. top

As state actors continue to wage cyberwar on the United States, they have a powerful ally-gaps and ambiguities in the law (Harvey Rishikof, et al., in the ABA Journal, Nov 2018) - A major hack on the firms Cravath, Swaine & Moore and Weil Gotshal & Manges a few years ago was linked to foreign nationals with ties to the Chinese government. Their target? Proprietary client information. In 2014, a group with links to the Russian state energy sector hacked into a website belonging to the British law firm 39 Essex Chambers looking for information. Last year, the Department of Justice opened an investigation into whether the Chinese government had attempted to hack Clark Hill, a law firm representing a Chinese dissident. And those are just the directed assaults. Law firms also are vulnerable to more broad-based attacks. DLA Piper was devastated in 2017 by a ransomware worm that placed nearly 3,600 of their lawyers on temporary lockdown. The worm later was found to be the work of hackers linked to North Korea. Cyber exploitations and attacks happen every day on a global scale. How do we characterize this new cyber reality? Are these network violations criminal activity or espionage? Or are they acts of war? Our existing international laws, domestic statutes and law of armed conflict frameworks, all conceived in the pre-internet age, are struggling to find principles to bring order to our digital era. The legal rules for cyber incidents below the threshold of an "armed attack" live in a gray zone as practitioners and scholars struggle to fill the legal doctrinal gaps on nonintervention under international law. The roles, responsibilities, authorities, accountability or standards for attribution are not universal, and there are no agreed-upon responses or norms for unlawful acts in cyberspace. As the U.S. attorney general's 2018 Cyber-Digital Task Force Report makes clear, although many government agencies are working on cybersecurity, and much has been accomplished, the DOJ is "keenly aware" that the current "tools and authorities are not sufficient by themselves" to keep America safe from cyberthreats. * * * top

Pentagon draws back the veil on APT malware with sudden embrace of VirusTotal (Threatpost, 8 Nov 2018) - The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. The Cyber National Mission Force (CNMF), which is under the auspices of the U.S. Cyber Command, posted its first malware samples to VirusTotal on Monday, after opening its account there. It also set up a "malware alert" Twitter feed to go along with the new effort. No advance announcement of a new initiative accompanied the move, which is unusual for government entities. "Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity," CNMF said in a brief statement. The first two samples are files called rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for what was formerly known as the Computrace backdoor trojan, often associated with the Russia-based APT28/Fancy Bear group. "The particular pair of samples, Computrace/LoJack/Lojax, is actually a trojanized version of the legitimate software 'LoJack,' from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent," a spokesperson from Chronicle told Threatpost. Releasing such samples is a bold move for a Department of Defense that has long kept its cyber-activities and knowledge very close to the vest, according to Tom Kellermann, chief cybersecurity officer at Carbon Black. "This is a huge leap forward for the cybersecurity community," he told Threatpost. "For too long, the U.S. has over-classified cyber-threat intelligence. This empowers the cybersecurity community to mobilize on clandestine threats in real time, thus aiding the U.S. government in protecting and securing American cyberspace." [ Polley : Bruce Schneier writes about this: "This feels like an example of the US's new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities." ] top

The New York Times turns to Google Cloud to digitize its photo archive (BetaNews, 9 Nov 2018) - The New York Times is to digitize more than a century's worth of photographs, and it is going to use Google Cloud to do so. The NYT has a massive collection of photos dating back decades, and the plan is to digitize millions of images -- some dating back to the late nineteenth century -- to ensure they can be accessed by generations to come. The digitization process will also prove useful for journalists who will be able to delve into the archives far more easily in future. top

Judges need not recuse themselves just because they are Facebook "friends" with a lawyer (Volokh Conspiracy, 15 Nov 2018) - "The establishment of a Facebook 'friendship' does not objectively signal the existence of the affection and esteem involved in a traditional 'friendship.'" Indeed, as the court points out in today's Law Offices of Herssein & Herssein, P.A. v. United Servs. Auto. Ass'n , even traditional "friendship" doesn't always require recusal (though perhaps very close friendship might): Though the court doesn't give these as examples, state and federal Supreme Court Justices are often on close terms with their former clerks, who routinely practice in front of them, and in many small towns all the judges and lawyers may know each other well, especially since judges are usually former local lawyers. Note, though, that these rules vary from state to state; as the majority points out, its position is the dominant view among those states that have considered it, but other states do require recusal in such situations (as the 3-Justice dissent in the Florida Supreme Court would have). top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Moody's error gave top ratings to debt products (Financial Times, 20 May 2008) - Moody's awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple-A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower. top

SEC to require electronic financial reporting in 2009 (Duane Morris article, 24 June 2008) - Certain companies will soon be required to submit their financial results, including annual and quarterly required submissions, electronically using XBRL, a language for communication of financial data. On May 14, the Securities and Exchange Commission unanimously agreed to propose the mandatory use of this technology, which has been in development since 1998, to ensure that investors receive essential financial information in a more timely fashion, with increased levels of reliability and at a lower cost. This interactive reporting vehicle will not only provide information to investors more rapidly but will aid companies in preparing their financial reporting packages more accurately and efficiently. Interactive data will revolutionize how the SEC collects data and will change the backbone of the financial reporting system, improve analytic capabilities and put vital information at the fingertips of investors. top

SEC provides guidance regarding use of company websites to disclose information for investors (Duane Morris advisory, 15 August 2008) - The Securities and Exchange Commission (the "SEC") has published an interpretive release, Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (the "Release"), providing guidance to companies and issuers of securities on the use of company websites to disclose information to investors. The Release, which became effective August 7, 2008, is intended to encourage companies to develop their websites in compliance with the federal securities laws so that such websites can serve as effective analytical tools for investors by being a vital source of information about a company's business, financial condition and operations. The Release is intended to provide guidance to those companies that are utilizing websites to supplement their required SEC filings. Since the adoption of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the "Exchange Act"), the foundation of securities regulation in the United States has rested upon timely disclosure of relevant information to investors and the securities markets. Historically, companies have disclosed information to investors and the markets by mailing reports to stockholders, filing periodic reports with the SEC and issuing press releases. As technology has advanced, the Internet, the SEC's Electronic Data Gathering, Analysis and Retrieval ("EDGAR") system, and electronic communications have modernized the disclosure system. More and more investors are turning to the Internet and company websites as their main source of information before making investment decisions. 
The Release provides guidance to companies posting information on their websites, including (1) when information posted on their website is considered "public" for purposes of the "fair disclosure" requirements of Regulation FD; (2) the application of the antifraud provisions of the federal securities laws to information posted on company websites; (3) the types of controls and procedures advisable with respect to posting information; and (4) the appropriate format of the information presented on the website. top

Saturday, October 27, 2018

MIRLN --- 7-27 Oct 2018 (v21.14)

NEWS

California bill bans bots during elections (SC Magazine, 3 Oct 2018) - A California bill that will ban the use of undeclared bots during elections is set to take effect on July 1, 2019, after Gov. Jerry Brown signed it into law Friday. "This bill would, with certain exceptions, make it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivise a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election," according to Senate Bill No. 1001. top

- and -

California bans default passwords on any internet-connected device (Engadget, 5 Oct 2018) - In less than two years, anything that can connect to the internet will come with a unique password - that is, if it's produced or sold in California. The "Information Privacy: Connected Devices" bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." top

Microsoft to host the government's classified data early next year (NextGov, 9 Oct 2018) - Microsoft is making moves to target a growing multibillion-dollar market: hosting, storing and running the U.S. government's most sensitive classified secrets and data. On Tuesday, the software giant announced it will join rival Amazon as the only commercial cloud providers with the security capabilities to host secret classified data by the end of the first quarter of 2019. Microsoft's announcement comes days before the Pentagon will accept bids on its $10 billion Joint Enterprise Defense Infrastructure contract, which it will award to a single cloud service provider. The announcement doubles as a public declaration of Microsoft's intent to bid on the contract one day after Google pulled out of the competition in part because it can't meet the Pentagon's security requirements stipulated for JEDI quickly enough. Most experts consider Amazon Web Services the favorite to win the contract, in part because it operates the CIA's C2S Cloud, but Microsoft isn't pulling any punches. The company also announced its intent to meet additional security controls to host the government's data classified as top secret, which include the military and Defense Department's most sensitive information. The ability to host both secret and top secret data is a prerequisite to compete for JEDI. top

Can lawyers ethically accept cryptocurrency? (Attorney at Work, 10 Oct 2018) - Several years back we added credit card billing to our options for client bill payment, including through an online secured platform. Our bill collection rates dramatically increased along with how fast a bill was paid with emailed invoices. It was great! We recently saw some companies accepting bitcoin and other cryptocurrencies as payment for goods and services. While we don't expect a high volume of clients to pay with this new "currency," we are thinking about offering it as an option. If nothing else, it shows we are keeping ahead of the curve on modern trends. Should we be pumping the brakes, or do we have the green light to accept cryptocurrency as payment? At first glance, it may seem like you would be in the clear to accept alternative payments for the legal services rendered. Why not, since you can accept nonmonetary items such as a goat for preparing a family's estate planning documents, so long as the goat was reasonable compensation for the legal services provided. Yes, I'm sure someone at some time bartered hooved animals for the services of an attorney and counselor at law. No? What ethics rules might be considered in how you are paid for your work? What makes cryptocurrency different from currency (or bovine for that matter)? At least one state bar has issued an advisory opinion on the topic of cryptocurrency as payment for legal services or otherwise being held for clients by a law firm. In Nebraska Ethics Advisory Opinion for Lawyers No. 17-03, the ethics committee concluded that attorneys "may receive and accept digital currencies such as bitcoin as payment for legal services" with some caveats. The leading concern with the often volatile cryptocurrency values comes in ensuring the fees being paid by a client are reasonable, as required by ABA Model Rule 1.5.
Bitcoin is one of the less volatile of these currencies, and still it has been known to have swings of 10 percent or greater occurring every few hours. As the opinion gives the example, "An arrangement for payment in bitcoin for attorney services could mean that the client pays $200 an hour in one month and $500 an hour the next month, which the client could very easily allege as unconscionable." The opinion suggests the following actions to mitigate the risk of volatility and possible unethical overpayment for services: * * * top

New bots from DoNotPay include one that lets you sue in any small claims court at the press of a button (Robert Ambrogi, 10 Oct 2018) - DoNotPay, the company that created a chat bot to automatically appeal parking tickets, is today launching a series of legal and consumer-protection bots, in the form of an iOS app, that includes one that will enable individuals to file an action in any small claims court in the United States. In addition, DoNotPay is announcing that it has acquired Visabot, a service launched shortly after the election of Donald Trump to help individuals obtain visas and green cards. DoNotPay is relaunching Visabot and eliminating all fees for the service, which previously ranged from $110 to $150. The new small claims bot covers small claims courts in all 3,000 counties in all 50 states. There is no charge to use the product, so users keep 100 percent of anything they recover. Joshua Browder, the self-taught coder who founded DoNotPay as a 17-year-old in 2015, said the initial idea for this product came from an app he created in the wake of the Equifax breach to help people file small claims lawsuits against the credit rating company. top

Microsoft makes its 60,000 patents open source to help Linux (The Verge, 10 Oct 2018) - Microsoft announced today that it's joining the Open Invention Network (OIN), an open-source patent group designed to help protect Linux from patent lawsuits. In essence, this makes the company's library of over 60,000 patents open source and available to OIN members, via ZDNet. OIN provides a license platform for Linux for around 2,400 companies - from individual developers to huge companies like Google and IBM - and all members get access to both OIN-owned patents and cross-licenses between other OIN licensees, royalty-free. Microsoft joining is a big step forward for both sides: OIN gets thousands of new patents from Microsoft, and Microsoft is really helping the open-source community that it has shunned in the past. As Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, commented in an interview with ZDNet, "We want to protect open-source projects from IP lawsuits, so we're opening our patent portfolio to the OIN." There are exceptions to what Microsoft is making available - specifically, Windows desktop and desktop application code, which makes sense for many reasons - but otherwise, Microsoft is going open source. And ultimately, that's a good thing for the whole developer community. top

Amicus brief on burdens of proof for compelled decryption (Orin Kerr on Volokh Conspiracy, 11 Oct 2018) - I recently posted a draft article on the Fifth Amendment and compelled entering of passwords: Compelled Decryption and the Privilege Against Self-Incrimination. My article flagged but did not answer a closely related question: What is the burden of proof to show a foregone conclusion when the government compels entering a password? Coincidentally, the Massachusetts Supreme Judicial Court happened to invite amicus briefs on this issue in a pending case shortly after I posted my draft. It's a question of first impression among state supreme courts and federal circuit courts, and it relates closely to the underlying Fifth Amendment standard. In for a penny, in for a pound, I say. So today I submitted an amicus brief on the proper burden of proof in compelled decryption cases. You can read my brief here: Amicus Brief of Professor Orin Kerr on Standards for Compelled Decryption Under the Fifth Amendment. It argues that the government's burden should be to prove by clear and convincing evidence, based on a totality of the circumstances, that the subject of the order knows the password. top

Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets (ABA's BLT, 12 Oct 2018) - On June 14, 2018, Director William Hinman of the SEC's Division of Corporation Finance delivered a speech at the Yahoo! Finance All Markets Summit in San Francisco, during which he shared his view that the current offer and sale of bitcoin and ether, the two most valuable and prominent digital assets today, does not constitute a securities transaction. Reiterating the facts-and-circumstances approach the SEC takes in applying securities laws to digital assets, Hinman admitted that the evolution and the decentralized nature of digital assets could at some point render the application of securities law requirements insensible and unnecessary. Hinman's speech is the first public statement from SEC leadership that offers clear assurance that certain types of digital assets are not within the purview of SEC regulations. The SEC has been following and monitoring the development of ICOs and digital assets closely. This article traces the series of SEC actions leading up to Hinman's speech and analyzes how the SEC's jurisprudence in this field has developed over time. * * * top

- and -

SEC launches new strategic hub for innovation and financial technology (SEC, 18 Oct 2018) - The U.S. Securities and Exchange Commission today announced the launch of the agency's Strategic Hub for Innovation and Financial Technology ( FinHub ). The FinHub will serve as a resource for public engagement on the SEC's FinTech-related issues and initiatives, such as distributed ledger technology (including digital assets), automated investment advice, digital marketplace financing, and artificial intelligence/machine learning. The FinHub also replaces and builds on the work of several internal working groups at the SEC that have focused on similar issues. * * * top

- and -

Cybersecurity: Fortune 100 disclosure practices (TheCorporateCounsel.net, 23 Oct 2018) - The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued disclosure guidance earlier this year & recently turned its attention to internal control implications of cybersecurity lapses. But are companies getting the message? This recent EY report provides some clues on the disclosure front. It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some key findings: * * * top

Federal court ruling in Georgia shows judges have a role to play in election security (Lawfare, 12 Oct 2018) - In the wake of Russia's interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election. Former Homeland Security Secretary Jeh Johnson and the Senate intelligence committee each say there is no evidence that the Russians did so. But as technologist Matt Blaze told the New York Times, that's "less comforting than it might sound at first glance, because we haven't looked very hard." And experts agree that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade. Last month, the U.S. District Court for the Northern District of Georgia recognized that the risk of election hacking is of constitutional significance - and that courts can do something about it. In Curling v. Kemp, two groups of Georgia voters contend that Georgia's old paperless voting machines are so unreliable that they compromise the plaintiffs' constitutional right to vote. In ruling on the voters' motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits - in other words, Georgia's insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system. top

Real estate lawyers have become big "phish" for cyberfraudsters (Attorney at Work, 12 Oct 2018) - Cyberfraud is a major issue in any industry, but especially in real estate where property transactions can net a hacker hundreds of thousands of dollars in a single wire diversion. Attorneys who practice real estate law and their clients have become prime targets for hackers. According to published FBI data , $969 million was diverted or attempted to be diverted to "criminally controlled" accounts in real estate transactions in fiscal year 2017. Compare that with 2016, when comparable real estate wire transfer frauds amounted to just $19 million. * * * It's extremely difficult to recover funds that have been wired to a fraudulent account, though not impossible. Those who realize the mistake immediately have a better chance. As is the case with many things in life, prevention is the best tactic. Here are ways to lower the risk of real estate cyberfraud. * * * top

3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns (Science Daily, 18 Oct 2018) - Like fingerprints, no 3D printer is exactly the same. That's the takeaway from a new study that describes what's believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods. top

Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and free to share (TechDirt, 19 Oct 2018) - The 11th Circuit appeals court has just overturned a lower court ruling and said that Georgia's laws, including annotations, are not covered by copyright, and it is not infringing to post them online. This is big, and a huge win for online information activist Carl Malamud whose Public.Resource.org was the unfortunate defendant in a fight to make sure people actually understood the laws that ruled them. The details here matter, so let's dig in: * * * [ Polley : This is an important victory, and Carl deserves our thanks. Hats off to Alston & Bird, David Halperin (Public Resource), and the ACLU. See also 11th Circuit: Georgia can't copyright annotated legal code (Law.com, 22 Oct 2018), and Court tells Georgia it can't charge people to read the law (ACLU, 22 Oct 2018)] top

ABA ethics opinion offers guidance on data breaches (ABA Journal, 17 Oct 2018) - Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty. In Formal Opinion 483, issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation. "Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences," says Barbara S. Gillers, chair of the standing committee. "Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers' approaches to these risks in order to comply with the duty to protect client information." This opinion builds on the standing committee's Formal Opinion 477R released in May 2017, which set forth a lawyer's ethical obligation to secure protected client information when communicating digitally. "When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach," Formal Opinion 483 says. To that end, this week's new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm. "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach," states the opinion. "The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach."
The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make "reasonable efforts" to prevent disclosure and access to client information, they may still experience a data breach. "When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation,'" the opinion closes. [ Polley : The Opinion also contains language suggesting that lawyers must "monitor" internet activity - e.g., using IDS tools.] top

New copyright exemptions let you legally repair your phone or jailbreak voice assistants (The Verge, 25 Oct 2018) - In a big victory for hackers, tinkerers, and the right to repair movement, the US Copyright Office has issued some major changes to the legal exemptions to the DMCA, making it far easier for owners to build software tools to hack, modify, and repair their own devices, as explained by iFixit founder Kyle Wiens. Under section 1201 of the Digital Millennium Copyright Act (DMCA), it is "unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works." Because software has become so integral to all the devices we use - everything from phones to speakers to even fitness trackers - device manufacturers have long used section 1201 to prevent owners from taking apart or repairing their own devices, arguing that breaking the software locks as part of replacing parts or modifying your gadgets is a violation of that statute. But as part of that law, citizens are allowed to petition for exemptions to section 1201 every three years, when the Copyright Office rules on what kinds of repairs and software tools are and aren't allowed by the law. The final ruling for this cycle was just released (it goes into effect as law on October 28th), and it enacts broad new protections for repairing devices. Wiens' post breaks down the biggest changes, which include: * * * top

RESOURCES

Clarke and Piper on A Legal Framework to Govern Online Political Expression by Public Servants @Carleton_U (MLPB, 23 Oct 2018) - Amanda Clarke, Carleton University School of Public Policy and Administration, and Benjamin Piper, National Judicial Institute, have published A Legal Framework to Govern Online Political Expression by Public Servants at 21 Canadian Labour and Employment Law Journal 1 (2018). Here is the abstract: This paper considers the extent to which public servants should be allowed to engage in political activities in online fora such as Facebook, Twitter, and YouTube. The question of the appropriate balance between the principle of political neutrality binding public servants and their Charter-protected right to political expression has been extensively addressed in the case law. However, the framework set out in the existing jurisprudence was developed in the context of more traditional forms of political engagement, and fails to provide clear guidance in an age when the political activities of public servants, like those of Canadians as a whole, have to a large degree migrated to social media and other platforms on the web. In an effort to remedy this deficiency, the authors lay the foundation for a revised framework for assessing the permissibility of online political activity by public servants, consisting of four analytical factors: the level and nature of a public servant's position; the visibility of the online activity; the substance of the online activity; and the identifiability of the online actor as a public servant. Adopting this test, the authors contend, would enable adjudicators to strike a reasonable balance between freedom of expression and the principle of political neutrality, by recognizing that in today's world both politics and life as a public servant play out online. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Smartphones, seat belts, searches, and the Fourth Amendment (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a "revolutionary" device, he probably wasn't thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple's übergadget will permit police to routinely gather massive amounts of citizens' sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to "unreasonable searches and seizures." Normally, this means police must show a judge that there is "probable cause" to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for "search incident to arrest." This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can't destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you're in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened "just for fun." 
Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a "bright line" rule permitting an arresting officer to search any object in a suspect's possession, such as a cigarette pack, even if it is unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life. top

Google makes health service publicly available (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor in 2008: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they'll offer health care insurance coverage.] top