Saturday, July 07, 2018

MIRLN --- 17 June - 7 July 2018 (v21.09)

MIRLN --- 17 June - 7 July 2018 (v21.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Register now for the next cybersecurity ABA CLE webinar "Bumps in the Night: Cybersecurity Legal Requirements, Government Enforcement, and Litigation". This second in a 5-part series airs July 18, followed by other episodes in August, September, and October. Each 90-minute episode parses related parts of the best-selling (and winner of the 2018 ACLEA "Best Publication" award) "ABA Cybersecurity Legal Handbook". For more information, visit ambar.org/cyberwakeup to register. Get 20% off if you subscribe to the full series (recordings of earlier ones are available), along with a free e-copy of the handbook.

ABA attendees at the Chicago annual meeting will also want to attend our showcase program (August 4, 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. Info here.

NEWS

Why destruction of information is so difficult and so essential: The case for defensible disposal (ABA's Business Law Today, 15 June 2018) - IN BRIEF: (1) Information is growing unfettered for most businesses and impacting their ability to function; (2) Lawyers must find a way to get rid of information without creating greater business and legal issues for their clients; (3) Defensible disposition rids businesses of information that no longer has business or legal value without employees having to involve themselves in classification. * * *

A student, a worried girlfriend, a shared password and an admissions lawsuit (InsideHigherEd, 18 June 2018) - Most admissions lawsuits are about applicants who are rejected. But Eric Abramovitz won 375,000 Canadian dollars (about $284,000) last week over an admissions offer he turned down. Actually, his then girlfriend turned it down, pretending to be Abramovitz. That set up the unusual court ruling. As outlined in the ruling issued by a Canadian judge last week, Abramovitz and Jennifer Lee met in 2013 and became a couple while both were studying music at McGill University. While they were involved, Abramovitz shared his laptop -- and his passwords -- with Lee. Abramovitz was a star student of clarinet, winning numerous prizes. He aspired to finish his bachelor's degree at Colburn Conservatory of Music, in Los Angeles, where he hoped to study with Yehuda Gilad, who only accepts two students a year. In December 2013, Abramovitz applied and went to Los Angeles when he was invited to audition. On March 27, 2014, he was admitted -- and his admission brought with it a full scholarship. On that fateful day, Lee checked Abramovitz's email before he did. Using his email account, she turned down the offer and created a fake email account in Gilad's name. Then she sent an email, pretending to be Gilad, rejecting Abramovitz. Lee could not be reached for comment. She did not contest Abramovitz's suit. The court ruling says that she was apparently afraid he would move to Los Angeles, leaving her behind at McGill, in Montreal. Eventually, Abramovitz did leave for Los Angeles and enrolled in a certificate program at the University of Southern California in which Gilad also taught. That program charged about $25,000, which Abramovitz paid. (He couldn't afford USC's master's degree program, which would have cost him about twice as much in tuition.) 
Abramovitz was "completely taken in," the court decision says, and only went to USC after staying in Montreal -- with Lee -- to finish his bachelor's degree. The scheme unraveled when Abramovitz met Gilad, who is not used to being turned down. As Abramovitz told National Post, when he auditioned for Gilad to enter the USC program, Gilad asked him, "Why did you reject me?" When Gilad showed him the email Lee had sent, Abramovitz was stunned. But he also had Lee's passwords, and he found the fake emails. He also found she had done the same thing when he won admission to the Juilliard School -- another institution that few admitted applicants turn down. The Canadian court judged that Lee was responsible for the tuition paid by Abramovitz to USC, the lost opportunities of the scholarship to the conservatory and for delaying the start of his career. The court ruling found that Lee's conduct was "morally reprehensible."

Why your FOIA request might not get text messages (Ride the Lightning, 19 June 2018) - Hat tip to my friend Doug Austin at CloudNine for a marvelous post on his EDiscovery Daily Blog. As Doug asks, what percentage of Freedom of Information Act (FOIA) requests actually result in receiving all of the information requested? According to the 2018 Public Sector Text & Mobile Communications Survey from Smarsh, 70 percent of federal, state, county and city government organizations surveyed report allowing SMS/text for official business communication. But, almost half of those (46 percent) are not formally capturing and retaining these messages. There were 236 total respondents in the survey. The information below is directly from Doug's post. And I fully agree with his conclusion at the end! "The vast majority of agencies allow organizational e-mail (97 percent) on mobile devices, but right behind it is SMS/text messaging, with 70 percent allowing it for official government business. Social channels Facebook and Twitter are the next most frequently cited, with 58 percent and 44 percent, respectively. Two-thirds of surveyed organizations allow employees to use their own BYOD devices for official business; for those devices, only 35 percent of respondents are retaining SMS/text messages (as opposed to 62 percent for Corporate Owned Personally Enabled (COPE) devices). The top four reasons SMS/Text records are NOT captured are: 1) Don't currently have budget this year, 2) SMS/text isn't required to be retained by law, 3) Waiting for Capstone/FOIA guidance, 4) Existing capture technologies are too complicated. The majority of respondents, 62 percent or nearly 2/3, lacked confidence that they could provide specifically requested mobile text messages promptly if responding to a public records or litigation request. Agencies with no retention solution in place have very little confidence in their ability to fulfill requests.
23 percent reported that if requested, it was unlikely they could produce SMS/text messages from their organizational leader at all. When you hear these stats, you might be surprised the numbers aren't higher. Last year, Federal Freedom of Information Act (FOIA) litigation jumped 26 percent over the previous year. In 2018, that number is on track to increase again. While an average of 2.08 lawsuits were filed each day in 2017, 2018 has seen the average increase to 2.72 lawsuits per day. Last year, there were 823,222 Federal FOIA requests - 78 percent of those requests yielded censored files or no records at all. In other words, only 22 percent of FOIA requestors got everything they asked for. 22 percent! And, the Federal government spent $40.6 million in legal fees defending its withholding of files in 2017. Freedom of information isn't free, apparently."

Verizon will stop selling real-time location data to third-party brokers (The Verge, 19 June 2018) - Verizon has pledged to stop selling data that can pinpoint the location of its mobile users to third-party intermediaries, according to The Associated Press. Verizon is the first carrier to end the controversial practice after Sen. Ron Wyden (D-OR) revealed that one of the companies that purchased the real-time location-tracking data from carriers wasn't verifying if its users had legal permission to track cellphone users through its service. In a letter to carriers and the FCC, Sen. Wyden said that Securus Technologies - a company that mainly monitors phone calls to inmates in jails and prisons across the country and also sells real-time location data to law enforcement agencies who must upload legal documents such as a warrant stating they have the right to access the data - wasn't actually verifying if those documents were legitimate. Securus did not "conduct any review of surveillance requests," Wyden wrote in his letter to the FCC. A sheriff in Missouri was charged with illegally tracking people 11 times without court orders using Securus, according to The New York Times. While all four major carriers have now cut off access to Securus, only Verizon has said it will stop selling data to geolocation aggregators who can then turn around and sell that data to someone else. Verizon said 75 companies obtained data from the two companies it sells location data directly to: LocationSmart and Zumigo. Last month, KrebsOnSecurity reported that LocationSmart - which supplies Securus with the location-tracking data - was leaking the real-time location data of customers on every major US carrier through a free demo tool on its website, which was subsequently taken down. "Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said in a statement to the AP.
[see also, AT&T and Sprint to follow Verizon in ending its sale of user location data to third-party brokers (The Verge, 19 June 2018)]

Are free societies at a disadvantage in national cybersecurity (Bruce Schneier, 19 June 2018) - Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post: It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective. I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.) I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high.
As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know. EDITED TO ADD (6/21): Jack Goldsmith also wrote this.

GDPR and browser fingerprinting: How it changes the game for the sneakiest web trackers (EFF, 19 June 2018) - Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking "cookies," browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it's very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques. But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you've ever seen a message asking you to approve a site's cookie use, that's likely based on this earlier Europe-wide law. This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies? The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute "personal data processing" and will be covered by the GDPR.

Should media publish government's child-detention photos? (WaPo, 19 June 2018) - Based on the photographic evidence, living conditions inside government-run detention centers for immigrant children separated from their parents in south Texas look reasonably orderly and clean. But there's a major catch: All of the photographs depicting life inside the facilities have been supplied by the government itself. There's been no independent documentation; federal officials, citing the children's privacy, have barred journalists from taking photographs or video when they've been permitted inside. This has left news organizations with a quandary: Do they publish the handouts supplied by U.S. Customs and Border Protection (CBP) - which has an incentive to make its facilities look as humane and comfortable as possible - or do they reject the photos as essentially propaganda? The New York Times, for one, has taken the latter course. On Monday, it said it would not publish CBP-supplied photos. "We thought it was a bad precedent to accept government handout photos when [photojournalists aren't] allowed in," Dean Baquet, the paper's editor, said in an interview. "It would hurt any future case for access. And given the sensitivity of this story, I don't think we can assure readers that we are seeing a full picture when the government makes the choice of what we see and show. Readers want to know what these places look like, from the view of journalists who are witnesses." One of the government-supplied photos - a shot of children sprawled on thin mattresses under mylar blankets - was featured prominently by many news organizations on Tuesday.

Bad news cut from Michigan State alumni magazine (InsideHigherEd, 21 June 2018) - After a review by Michigan State University interim president John Engler, an upcoming edition of the university's alumni magazine will not include planned long-form essays exploring how the Larry Nassar sexual abuse case has tainted the university, multiple anonymous administration sources told the Detroit Free Press. It will also apparently not include a striking black-and-white cover image of a woman wearing teal lipstick -- teal is the color that Nassar survivors and supporters wear to show solidarity. Sources told the Free Press that Engler saw the planned image, among others, and said, "Get that teal shit out of here." While the magazine issue will address the crisis, sources said, it will showcase positive moves Engler has made since taking over, such as adding more counselors. Several people close to Engler who were not authorized to speak to the media said the effort is part of his push to "pivot toward positive news" in the wake of the scandal.

SEC provides further guidance on when digital assets may be deemed securities (Nixon Peabody, 21 June 2018) - On June 14, 2018, William Hinman, Director of the Securities and Exchange Commission's (SEC's) Division of Corporation Finance, provided important but nonbinding guidance on when a digital asset may be deemed a security in his remarks at the Yahoo Finance All Markets Summit in San Francisco, California. Slowly, the SEC has continued to reveal its views on the approaches taken by some crypto and digital asset industry participants―such as the pioneers of the Simple Agreement for Future Tokens (or SAFT), who have attempted to structure digital asset sales in such a way that the digital asset is not a security. As noted by Director Hinman in his remarks, these are still the "early days" of crypto, but with this latest guidance, the SEC has provided more clarity around securities law-compliant digital asset sales. The following is a summary of certain key takeaways from Director Hinman's remarks and related analysis. * * *

MIT to conduct an environmental scan of open source publishing (MIT, 22 June 2018) - The MIT Press has announced the award of a grant from The Andrew W. Mellon Foundation to conduct a landscape analysis and code audit of all known open source (OS) authoring and publishing platforms. By conducting this environmental scan, the MIT Press will be providing a comprehensive and critical analysis of OS book production and hosting systems to the scholarly publishing community. As noted by Amy Brand, director of the MIT Press, "Open source book production and publishing platforms are a key strategic issue for not-for-profit scholarly publishers, and the widespread utilization of these systems would foster greater institutional and organizational self-determination. The MIT Press has long been a leader in digital publishing. We are very grateful for the generous support from The Mellon Foundation for this project." The grant affords the MIT Press the unique opportunity to provide the university press community and other not-for-profit scholarly publishers with a comprehensive overview of the numerous OS publishing platforms that are currently in use or under development. These systems, which produce and host platforms for scholarly books and journals, have proliferated in the last decade. The forthcoming analysis will highlight the availability, affordances, and current limitations of these systems, and thereby encourage the adoption and continued development of OS publishing technologies. Open infrastructure could prove to be a durable alternative to complex and costly proprietary services. The results of the environmental scan and the accompanying code audit, expected later this year, will be made openly accessible. The final report will inform the MIT Press's roadmap for the publishing platform PubPub currently being codeveloped with the MIT Media Lab.

FirstNet launches, giving police and firefighters a dedicated wireless network and infinite possibilities (WaPo, 25 June 2018) - Though it's not a renowned high-tech hub, Brazos County, Tex., has become the showroom for what technology can do for police officers, paramedics and firefighters nationwide, through the newly created FirstNet wireless network. When Brazos sheriff's deputies entered a standoff with an armed man inside his home, they positioned four cars around the building and streamed live video through FirstNet back to their command center from their phones. When firefighters launched a swiftwater rescue recently, they were able to show it in real time through FirstNet to their supervisors. When a man tried to fraudulently register a stolen car, a patrol lieutenant was able to patch into the government center cameras through FirstNet and watch the crime in progress. "It's given us some incredible communication," said Brazos Sheriff Chris Kirk, "that we've been able to put to good use. It makes us much more efficient." The idea for FirstNet was long in gestation, beginning with the terrorist attacks of Sept. 11, 2001, but has rapidly come to fruition in the year since AT&T won a contract to build it for the federal government. The idea was a dedicated wireless network exclusively for first responders, enabling them to communicate in emergencies on a secure system built to handle massive amounts of data. Former Boston police commissioner Ed Davis witnessed two major problems of emergency communication firsthand. On 9/11, police helicopters flying over the World Trade Center could see the danger of building collapse but could not reach firefighters inside the towers, who were using a different radio system. And after the Boston Marathon bombing, cellular networks were overwhelmed with traffic, and police could not communicate with each other, Davis said. FirstNet addresses both problems. 
The government agency was created after 9/11 to devise the interoperability of first responders, and then to enable video, data and text capabilities in addition to voice. In March 2017, FirstNet accepted AT&T's $40 billion bid to build out the network. The governments of all 50 states and the District of Columbia opted in, and in March of this year, the core network went live. More than 1,000 agencies in 52 states and U.S. territories have signed up, including Boston police and fire and the Texas Department of Public Safety.

Potential clients are confident in law firms' cybersecurity. Should they be? (Legal Tech News, 25 June 2018) - Despite an increasingly malicious cyberthreat environment, most potential law firm clients are confident in the legal industry's ability to protect client data, according to a survey of more than 1,000 small business owners and the U.S. general public conducted by data disposal company Shred-it and market research company Ipsos Public Affairs. Almost half of the respondents, 47 percent, said data protection considerations were "very important" when deciding which law firm to hire, while 36 percent said such considerations were at least "somewhat important." But a majority, 61 percent, expressed little or no concern about providing sensitive information to lawyers, underscoring the widespread trust potential clients have in law firms' ability to protect their data. * * * What's more, overconfidence may already be harming law firms' security preparations, according to ALM Intelligence's "Challenges at the Intersection of Cybersecurity and Legal Services," a survey of 194 law firms and legal departments. While the survey found that most law firms were confident they had adequate cybersecurity protections in place, their cybersecurity programs failed to meet client expectations.

- and -

Legal Tracker LDO Index (ThomsonReuters, July 2018) - The volume of work for legal departments continues to grow, yet the overall legal department budget is not increasing at the same rate. Legal departments are dealing with how to do more with less. To address this challenge, departments are focusing on legal operations. With an operational focus, legal departments are looking at process improvements and technology to deliver on key department initiatives like controlling outside counsel costs and simplifying workflow and manual processes. Sixty-eight percent of organizations say the volume of legal work - defined by the number of legal matters - is increasing. Fifty-four percent of survey respondents report the percentage of work handled in-house is increasing, while 48% of survey respondents report increasing outside counsel spending. Seventy-one percent of organizations report that outside counsel hourly rates are increasing, while only 8% of organizations report decreases. With the increases in volume of work, 35% of legal departments report increasing the total legal department budget in the last 12 months, 25% report a budget decrease, and 40% report flat legal department budgets. When it comes to the budget for technology, 34% report increasing the budget, 52% are flat, and 13% report decreasing the technology budget. We asked legal departments to rank a variety of initiatives from no priority to high priority. The top five priorities among legal departments surveyed are: * * * [Polley: Lots of interesting data here; spotted by MIRLN reader Gordon Housworth]

AT&T collaborates on NSA spying through a web of secretive buildings in the US (TechCrunch, 25 June 2018) - A new report from The Intercept sheds light on the NSA's close relationship with communications provider AT&T. The Intercept identified eight facilities across the U.S. that function as hubs for efforts to collaborate with the intelligence agency. The site first identified one potential hub of this kind in 2017 in lower Manhattan. The report reveals that eight AT&T data facilities in the U.S. are regarded as high-value sites to the NSA for giving the agency direct "backbone" access to raw data that passes through, including emails, web browsing, social media and any other form of unencrypted online activity. The NSA uses the web of eight AT&T hubs for a surveillance operation code-named FAIRVIEW, a program previously reported by The New York Times. The program, first established in 1985, "involves tapping into international telecommunications cables, routers, and switches" and only coordinates directly with AT&T and not the other major U.S. mobile carriers.

How social networks set the limits of what we can say online (Wired, 26 June 2018) - Content moderation is hard. This should be obvious, but it's easily forgotten. It is resource intensive and relentless; it requires making difficult and often untenable distinctions; it is wholly unclear what the standards should be, especially on a global scale; and one failure can incur enough public outrage to overshadow a million quiet successes. We as a society are partly to blame for having put platforms in this situation. We sometimes decry the intrusions of moderators, and sometimes decry their absence. Even so, we have handed to private companies the power to set and enforce the boundaries of appropriate public speech. That is an enormous cultural power to be held by so few, and it is largely wielded behind closed doors, making it difficult for outsiders to inspect or challenge. Platforms frequently, and conspicuously, fail to live up to our expectations. In fact, given the enormity of the undertaking, most platforms' own definition of success includes failing users on a regular basis. The social media companies that have profited most have done so by selling back to us the promises of the web and participatory culture. But those promises have begun to sour. While we cannot hold platforms responsible for the fact that some people want to post pornography, or mislead, or be hateful to others, we are now painfully aware of the ways in which platforms invite, facilitate, amplify, and exacerbate those tendencies. For more than a decade, social media platforms have portrayed themselves as mere conduits, obscuring and disavowing their active role in content moderation. But the platforms are now in a new position of responsibility -- not only to individual users, but to the public more broadly.
As their impact on public life has become more obvious and more complicated, these companies are grappling with how best to be stewards of public culture, a responsibility that was not evident to them -- or us -- at the start. For all of these reasons, we need to rethink how content moderation is done and what we expect of it. And this begins by reforming Section 230 of the Communications Decency Act -- a law that gave Silicon Valley an enormous gift, but asked for nothing in return. * * *

Instagram now lets you 4-way group video chat as you browse (TechCrunch, 26 June 2018) - Instagram's latest assault on Snapchat, FaceTime and Houseparty launches today. TechCrunch scooped back in March that Instagram would launch video calling, and the feature was officially announced at F8 in May. Now it's actually rolling out to everyone on iOS and Android, allowing up to four friends to group video call together through Instagram Direct. With the feed, Stories, messaging, Live, IGTV and now video calling, Instagram is hoping to become a one-stop-shop for its 1 billion users' social needs. This massive expansion in functionality over the past two years is paying off, SimilarWeb told TechCrunch in an email, which estimates that the average U.S. user has gone from spending 29 minutes per day on the app in September 2017 to 55 minutes today. More time spent means more potential ad views and revenue for the Facebook subsidiary that a Bloomberg analyst just valued at $100 billion after it was bought for less than $1 billion in 2012.

8 states impose new rules on Equifax after data breach (NYT, 27 June 2018) - Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that allowed hackers to steal sensitive personal information on more than 147 million people. The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months. If Equifax falls short on any of its new promises, regulators in the states - Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas - will be able to take punitive action. Equifax said that "a good number" of the measures it agreed to in the order had already been completed. Equifax has spent nearly $243 million so far on the fallout from the data breach, including its spending on legal costs, new security tools and credit monitoring services it offered for free after the break-in was revealed in September. The company's chief executive and several other top officials were forced out in the aftermath. Government regulators and law enforcement officials are still looking into Equifax's data safeguards. The company remains under investigation by the Federal Trade Commission, the Consumer Financial Protection Bureau and the Securities and Exchange Commission, among others.

Homeland Security subpoenas Twitter for data breach finder's account (ZDnet, 2 July 2018) - Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month. The pseudonymous data breach finder regularly tweets about leaked data found on exposed and unprotected servers. Last year, he found a trove of almost a million patients' data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations. Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account. Twitter informed him of the subpoena, per its policy on disclosing legal processes to its users. A legal effort to challenge the subpoena by a June 20 deadline was unsuccessful. Attorneys from the Electronic Frontier Foundation provided Flash Gordon legal assistance. ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account. The subpoena did not demand the account's private messages or any other content, which typically requires a court order or a search warrant. It's not known why the subpoena was issued.
Twitter spokesperson Emily Horne said the company does not comment on individual accounts for privacy and security reasons.

Carpenter v. United States: Big data is different (GW Law Review, 2 July 2018) - A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts's opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law. In short, the Court in Carpenter has declared that Big Data is different. Just how different remains to be seen. The question addressed in Carpenter - whether obtaining historic location information from cellular phone service providers constitutes a search under the Fourth Amendment - arose at the confluence of two lines of cases. One addresses location tracking in public spaces, and the other addresses records that have been shared with third parties. Until recently, neither doctrinal thicket looked particularly good for Timothy Carpenter, or for privacy. But the Carpenter decision does not come out of thin air. Starting with the Court's recent GPS-tracking decision in United States v. Jones - and what has been referred to as the Jones "shadow majority" - the Supreme Court has recently appeared to take a different approach to Big Data. Carpenter cements this change. * * * [see also Gorsuch's dissent in 'Carpenter' case has implications for the future of privacy (The Hill, 26 June 2018), and When does a Carpenter search start - and when does it stop? (Orin Kerr on Lawfare, 6 July 2018)] top

It's time for a chemistry lesson. Put on your virtual reality goggles. (NYT, 3 July 2018) - There was a time when biochemists had a lot in common with sculptors. Scientists who had devoted their lives to studying a molecule would build a model, using metal and a forest of rods to hold up the structure of thousands of atoms. "Slow work, but at the end you really know the molecule," said Michael Levitt, who shared the Nobel Prize in Chemistry in 2013. These days simulations on screens have replaced such models, sacrificing some of their tactile value while gaining the ability to show movement. But what if you could enter a virtual reality environment where the molecules lie before you, obeying all the laws of molecular physics as calculated by supercomputers, and move them around in three dimensions? In a new paper in the journal Science Advances, researchers report that they have constructed just such an environment, and that users who manipulate the proteins in VR can perform simple tasks nearly ten times faster in virtual reality than on a screen. The researchers asked users to perform three separate manipulations of molecules and timed how long each took. They had to thread a molecule of methane through a simulated carbon nanotube; unwind a helical molecule and wind it up in the opposite direction; and tie a knot in a simulated protein. They also did the same tasks on computers using a touchscreen or a mouse. Each task resembles research that is current in biology and chemistry. In tallying the time each task took, the researchers found that in VR, threading the nanotube and tying the knot went much quicker. The knot task, in particular, was completed nearly ten times as rapidly. By using 2D screen-based simulations of molecules, said Dr. Glowacki, "we might actually be doing things a lot slower than we could be." Scientists who use VR to get familiar with molecules may be able to gain intuition about their movements more quickly. [Polley: pretty interesting animation videos on the website version of the story.] top

RESOURCES

Tech Competence (Robert Ambrogi) - In 2012, something happened that I called a sea change in the legal profession: The American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. * * * On this page, I track the states that have formally adopted the revised comment to Rule 1.1. The total so far is 31. [Polley: nice interactive map of the states.] top

Grimmelmann on Whether Robot Transmissions Are Speech For First Amendment Purposes (MLPB, 20 June 2018) - James Grimmelmann, Cornell Law School, is publishing Speech in, Speech Out in Robotica: Speech Rights and Artificial Intelligence (Ronald K. L. Collins and David M. Skover, eds., Cambridge University Press 2018). Here is the abstract: This invited short response was published as part of Ronald K.L. Collins and David M. Skover's book Robotica: Speech Rights and Artificial Intelligence (Cambridge University Press 2018). Collins and Skover make a two-step argument about "whether and why First Amendment coverage given to traditional forms of speech should be extended to the data processed and transmitted by robots." First, they assert (based on reader-response literary criticism) that free speech theory can be "intentionless": what matters is a listener's experience of meaning rather than a speaker's intentions. Second, they conclude that therefore utility will become the new First Amendment norm. The premise is right, but the conclusion does not follow. Sometimes robotic transmissions are speech and sometimes they aren't, so the proper question is not "whether and why?" but "when?" Collins and Skover are right that listeners' experiences can substitute for speakers' intentions, and in a technological age this will often be a more principled basis for grounding speech claims. But robotic "speech" can be useful for reasons that are not closely linked to listeners' experiences, and in these cases their proposed "norm of utility" is not really a free speech norm. top

Lola v. Skadden and the Automation of the Legal Profession (Yale Journal of Law & Technology) - Technological innovation has accelerated at an exponential pace in the last few decades, ushering in an era of unprecedented advancements in algorithms and artificial intelligence technologies. Traditionally, the legal field has protected itself from technological disruptions by maintaining a professional monopoly over legal work and limiting the "practice of law" to only those who are licensed. This article analyzes the long-term impact of the Second Circuit's opinion in Lola v. Skadden, Arps, Slate, Meagher & Flom LLP, 620 F. App'x 37 (2d Cir. 2015), on the legal field's existing monopoly over the "practice of law." In Lola, the Second Circuit underscored that "tasks that could otherwise be performed entirely by a machine" could not be said to fall under the "practice of law." By distinguishing between mechanistic tasks and legal tasks, the Second Circuit repudiated the legal field's oft-cited appeals to tradition insisting that tasks fall under the "practice of law" because they have always fallen under the practice of law. The broader implications of this decision are threefold: (1) as machines evolve, they will encroach on and limit the tasks considered to be the "practice of law"; (2) mechanistic tasks removed from the "practice of law" may no longer be regulated by professional rules governing the legal field; and (3) to survive the rise of technology in the legal field, lawyers will need to adapt to a new "practice of law" in which they will act as innovators, purveyors of judgment and wisdom, and guardians of fairness, impartiality, and accountability within the law. The article proceeds by first discussing the procedural history and decision in Lola v. Skadden. It then explains the technological advances that will impact the legal field and the tools used by the legal field to perpetuate its self-regulating monopoly. The article then turns to the socioeconomic implications of technological disruption within the legal field and concludes with a discussion on how lawyers may prepare themselves for, and thrive within, an inevitably automated future. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Patent Office agrees to review infamous JPEG patent (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examined before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it's a long and rather involved process that won't come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and which raises substantial questions about the patentability of the remaining claim in the patent. This is rather good news. top

Administration shutting down economic indicators site (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, EconomicIndicators.gov had even won awards from Forbes as a great resource. top

Saturday, June 16, 2018

MIRLN --- 27 May - 16 June 2018 (v21.08)

MIRLN --- 27 May - 16 June 2018 (v21.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Register now for the upcoming ABA CLE webinar series "Cybersecurity Wake-Up Call: The Business You Save May Be Your Own". This 5-part series starts June 27 (with ethics CLE credit!), followed by other episodes in July, August, September, and October. Each episode parses related parts of the best-selling "ABA Cybersecurity Legal Handbook". For more information, visit ambar.org/cyberwakeup to register. The "colleagues" discount is 15% - use code FACMARK at checkout. Get 20% off if you subscribe to the full series, along with a free e-copy of the handbook.

NEWS

Law firm cybersecurity 'an imperative' as clients make demands clear (Law.com, 21 May 2018) - As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort. Legal software company Aderant this month released its second "Business of Law and Legal Technology" survey, which showed general optimism among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern. Pennsylvania law firms are grappling with the issue - and the cost - along with the rest of the industry. Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers' cybersecurity efforts as an afterthought. Devin Chwastyk, chair of the privacy and data security group at McNees Wallace & Nurick, said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements. "Every RFP now requires us to disclose how we protect confidential information," said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said. Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work. "Cybersecurity as a line item has certainly become a bigger expense for us," Chwastyk said. "That was inevitable regardless of client demands." top

- and -

The law firm cybersecurity audit grows up (Law.com, 29 May 2018) - A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients' sensitive information. But they didn't come to this realization entirely on their own. Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm. * * * But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm. Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. "Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year," says Paul Greenwood, chief information officer at Clifford Chance. Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. "It's more of an engagement than a point-in-time audit," says Robert Kerr, chief information officer at Cooley. "It used to be a check-the-box type of exercise; now it's an interactive exercise where they seek clarifications." And often, these audits will get into the weeds. Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have "gotten more granular, they've gotten more specific in terms of the information they are trying to glean from their business partners, including law firms." The details that clients usually ask from a law firm will vary, but oftentimes will focus around the technical minutiae of their data security. "The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them," says Andrea Markstrom, chief information officer at Blank Rome. This means that, at a minimum, modern law firms need to hold "routine and regular scans of vulnerabilities in their systems," Don adds. But demanding and detailed audits, even yearly, may not be enough in today's cyberthreat world. "The other thing that I think we're seeing more of is these one-off, what I call 'diligence inquiries' around high risk vulnerabilities," Don says, pointing to "Spectre" and "Meltdown" microprocessor vulnerabilities that were disclosed in January 2018 as examples. Such inquiries come "outside the questionnaire process," he explains, and may encompass several questions about the firm's susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they've addressed a particular vulnerability. top

Pentagon cracks down on personal mobile devices (FCW, 23 May 2018) - The Defense Department is cracking down on personal mobile devices inside secure areas of the Pentagon. Under a new policy memo released May 22, DOD personnel, contractors and visitors to the building and supporting facilities in Arlington County, Va., are restricted from having mobile devices in areas designated or accredited for "processing, handling, or discussion of classified information." Personal and unclassified government-issued mobile devices are prohibited in secure spaces but may be used in common areas. Government-issued unclassified devices being used as desktop replacements must have approved "interim mitigations applied until replaced with compliant devices" within 180 days. Mitigations include disabling the camera, microphone and Wi-Fi settings. Government-issued classified mobile devices can continue to operate per previous authorization while exemptions are reviewed. top

Chase Bank sues Landry's for $20M over data breach (Houston Chronicle, 23 May 2018) - Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry's failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach. Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry's properties, including Bubba Gump, McCormick & Schmick's, Rainforest Cafe and Saltgrass restaurants. In response, Landry's hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption. top

This Frida Kahlo digital collection is massive & free (Remezcla, 25 May 2018) - More than six decades after her death, there is still immense interest in Frida Kahlo. And a new retrospective will allow fans to learn more about the Mexican artist right from their homes. Google Arts & Culture has collaborated with 33 museums from seven countries across the world to bring us Faces of Frida, the largest collection of photographs, documents, and artworks associated with Kahlo. The collection promises to give us a multi-faceted look at the queer, feminist, and disabled icon. "It's a true global effort," said Jesús García, Google's Head of Hispanic Communications, according to Forbes. "Frida's name kept coming up as a top contender when we started to think of what artists would be the best to feature in a retrospective. There's so much of her that was not known and could still be explored from an artistic perspective and life experience." Excitingly, the collection gives us a look into items and artworks that have rarely been displayed, including a sketch Kahlo made of New York in 1932 for Mexican actress Dolores del Río. She sketched what she saw from the Barbizon Plaza Hotel. If you've also wanted to visit La Casa Azul, where she lived and worked, but haven't had a chance, Google also has you covered. "This expertly curated online exhibition presents an intimate view of Frida Kahlo's life and loves through her vibrant letters, candid photographs, and unpublished essays," added Kate Haw, director of the Smithsonian Archives of American Art. "Through the story threads of these original records - a total of 54 rare documents drawn from our collections - we gain a deeper understanding of Frida's relationships with historian Florence Arquin, artist Emmy Lou Packard, photographer Nickolas Muray, art collector Chester Dale, and writer John Weatherwax." Enjoy it in its full glory here. top

Four days into GDPR, US publishers are starting to feel the effects (Columbia Journalism Review, 29 May 2018) - For something that has been in the works for more than two years, the EU's General Data Protection Regulation seemed to take at least some people by surprise when it went into effect May 25th - including more than a few publishers. And some warn the long-term effects of the regulations could be severe: Ad exchanges used by many news sites reportedly saw an immediate drop in demand of between 25 and 40 percent, and many believe this could help increase the dominance of platforms like Google and Facebook, since they are better prepared for the data-handling rules and have deeper pockets. When the new rules on how to handle user information went into effect, a number of news sites responded by simply shutting off access to anyone who appeared to be coming from a European address, and for many that continued to be the case right through the Memorial Day weekend. As of Monday, for example, several of the papers belonging to the tronc chain - including the Los Angeles Times and Chicago Tribune - were still showing EU visitors a message saying: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism." Other news sites such as USA Today's responded to the new rules - under which multi-million-dollar fines can be issued for improper use of data - by removing some or all of the ad-related software that harvests information from users and tracks their behavior. According to one web engineer, the US version of the USA Today site was 5.5 megabytes in size and included more than 800 ad-related requests for information involving 188 different domains. The EU version was less than half a megabyte in size and contained no third-party content at all, meaning it not only didn't track as much data but also loaded much faster. top

A trip to the ER with your phone may mean injury lawyer ads for weeks (ArsTechnica, 29 May 2018) - With digital traps in hospitals, there's no need for personal injury lawyers to chase ambulances these days. Law firms are using geofencing in hospital emergency rooms to target advertisements to patients' mobile devices as they seek medical care, according to Philadelphia public radio station WHYY. Geofencing can essentially create a digital perimeter around certain locations and target location-aware devices within the borders of those locations. Patients who unwittingly jump that digital fence may see targeted ads for more than a month, and on multiple devices, the outlet notes. While the reality may seem like a creepy nuisance to some, privacy experts are raising alarms. "Private medical information should not be exploited in this way," Massachusetts Attorney General Maura Healey told WHYY. "Especially when it's gathered secretly without a consumer's knowledge - without knowledge or consent." Last year, Healey's office barred a digital firm from using geofencing in healthcare settings in the state after the firm was hired by a Christian pregnancy counseling and adoption agency to use digital perimeters to target ads to anyone who entered reproductive health facilities, including Planned Parenthood clinics. The goal was to make sure "abortion-minded women" saw certain ads on their mobile devices as they sat in waiting rooms. The ads had text such as "Pregnancy Help" or "You Have Choices," which, if clicked, would direct them to information about abortion alternatives. top

Cybersecurity: Why it matters in M&A transactions (Schonherr, 30 May 2018) - At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated. In light of the global threats that potentially could affect every business ("no one is safe"), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions. A recent regulation of the New York Department of Financial Services ("NYDFS") now specifically addresses cybersecurity risks in M&A transactions. The NYDFS's regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!'s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches. In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: "when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions." Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents. top

New data show substantial gains and evolution in internet use (NTIA, 6 June 2018) - The digital divide is showing signs of giving way as more Americans from all walks of life connect to the Internet. Several historically disadvantaged groups showed significant increases in online adoption, according to initial results from NTIA's most recent survey on Internet use conducted by the U.S. Census Bureau. The survey, which was conducted in November 2017, reveals new contours of Americans' Internet use. In 2017, more households had a mobile data plan than wired broadband service. Additionally, for the first time since NTIA began tracking use of different types of computing devices, tablets were more popular than desktop computers among Americans, and the number of people who used multiple types of devices also increased substantially. The data show that 78 percent of Americans ages 3 and older used the Internet as of November 2017, compared with 75 percent in July 2015, when our previous survey was conducted. This increase of 13.5 million users was driven by increased adoption among low-income families, seniors, African Americans, Hispanics, and other groups that have been less likely to go online. For example, among Americans living in households with family incomes below $25,000 per year, Internet use increased from 57 percent in 2015 to 62 percent in 2017, while households earning $100,000 or more showed no change during this period. While the trend is encouraging, low-income Americans are still significantly less likely to go online (see Figure 1). top

Special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs (Benton, 7 June 2018) - Apparently, special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs and potentially view conversations between associates linked to President Donald Trump. Since as early as April, Mueller's team has been asking witnesses in the Russia probe to turn over phones for agents to examine private conversations on WhatsApp, Confide, Signal and Dust, apparently. Fearing a subpoena, the witnesses have complied with the request and have given over their phones. While it's unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren't previously disclosed to them. [see also, Are any encrypted messaging apps fail-safe? Subjects of Mueller's investigation are about to find out. (WaPo, 8 June 2018)] top

FTC rebuked in LabMD case: What's next for data security? (Wiley Rein, 7 June 2018) - On June 6, the U.S. Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD saga. As Wiley Rein attorneys recently explained in a webinar on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC's authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency, which was found to be so vague as to be unenforceable. The court did not address the key substantive questions: (1) First, in a data breach case, what type of consumer injury gives rise to "unfairness" under Section 5 of the FTC Act, an issue sometimes identified as the "informational injury" question? (2) Second, what type of notice is the FTC required to provide regarding reasonable data security measures? Despite its failure to answer these questions, the decision has implications for those issues and the agency's overall approach to data security. In particular, the Eleventh Circuit's decision was a rebuke to the agency's remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC's cease and desist order "mandates a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished." According to three appeals court judges, "[t]his is a scheme that Congress could not have envisioned." * * * [Polley: good analysis.] top

Blockchain's once-feared 51% attack is now becoming regular (Telegra.ph, 8 June 2018) - Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that's perhaps the crypto equivalent of a bank heist. More surprising, though, may be that so-called 51% attacks are a well-known and dangerous cryptocurrency attack vector. While there have been some instances of such attacks working successfully in the past, they haven't exactly been all that common. They've been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in crypto time) argument? It's too costly and they wouldn't get all that much money out of it. But that doesn't seem to be the case anymore. NYU computer science researcher Joseph Bonneau released research last year featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment. One conclusion he drew? These attacks were likely to increase. And, it turns out he was right. [see also, Bitcoin's price was artificially inflated, fueling skyrocketing value, researchers say (NYT, 13 June 2018)] top

Not just corporate: Law firms too are struggling with GDPR compliance (Law.com, 11 June 2018) - Despite the yearslong build up to the EU's General Data Protection Regulation (GDPR), which came into force on May 25, many organizations are still behind in their compliance efforts. And while much attention has been paid to corporations' compliance shortcomings, a recent Wolters Kluwer survey found that law firms are also lagging in meeting GDPR mandates. Conducted among 74 medium (26-100 staff members) to large (100-plus) law firms, the survey found that only 47 percent of law firms said they were "fully prepared" to meet the GDPR's requirements. While 16 percent said they were "somewhat prepared," more than a third, 37 percent, said they have not prepared specifically for the GDPR at all. Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. "Many of the law firms kind of half expected that there would be a delay, and they wouldn't have had to solve the problem by May 25 , " he said. However, Ader noted that the lack of preparation was also a sign that "law firms just don't have the necessary skills, people, and budget to figure out how to handle GDPR." Indeed, law firms are in a unique situation when it comes to the GDPR, given that many not only have to ensure their own firm's compliance while also managing and directing their clients' GDPR compliance efforts. Such " double duty " is forcing some firms to staff up and overextend their attorneys. Yet even with added staff and hours, firms can find it challenging to meet GDPR demands. London-based Squire Patton Boggs partner Ann LaFrance, for example, told The American Lawyer that hiring cannot keep up with the wide-ranging compliance needs of their clients. "It still isn't enough, and there isn't enough experience out there." 
Still, while firms may have a lot of GDPR preparation to do, 60 percent had already assigned a point person, consultant or team to spearhead GDPR compliance efforts, while 72 percent were investing in cybersecurity. What's more, 43 percent assigned a data protection officer (DPO), though they were not required to under the regulation. GDPR Article 37 mandates a DPO only for public authorities and for controllers or processors whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; a firm processing client and employee data in the ordinary course of legal work generally falls outside those triggers. One area where many firms' GDPR preparations lagged behind is employee training. The survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Seventeen percent did not and had no plans to train at all. [ Polley : Spotted by MIRLN reader Gordon Housworth ] top

On Facebook, a place for civil discussion (NYT, 12 June 2018) - In the run-up to the 2016 election, Russian trolls wielding ads and memes used Facebook as a tool to darken lines of division. More recently, one corner of Facebook has emerged in pursuit of the opposite: civil conversation, even among those who disagree. It has become part of Bethany Grace Howe's morning routine, right alongside her yogurt and cup of tea. The New York Times's Reader Center put out a call early last December inviting readers to apply to join a Facebook group where they could offer feedback on The Times's coverage and talk about how the news affects them. Ms. Howe, 49 - a longtime media scholar, journalist and reader of The Times since she was 13 - was among the first 100 people chosen to join the group. "It was like, O.K., this is too good to be true," she said. And it soon became clear that the group was a lot more than just a place to talk about the Gray Lady. "I joined because I thought I was going to learn a lot about The New York Times from the people who work at The Times," Ms. Howe said. "What's ended up happening is I've learned an amazing amount about this country by talking to the readers of The Times." It has come to mean enough that she is now working to organize a real life meet-up of group members near her in Oregon, where she is a doctoral student of mass media studies examining questions of transgender identity and depictions in media. The Reader Center group is one of four Facebook groups that The Times has created since last spring. There's NYT Australia , where the focus is Australia but the discussion regularly stretches wider, run by the journalists in The Times's Australia bureau. There's Now Read This , an online book club co-managed by The New York Times Book Review and "PBS Newshour" where members discuss a different book every month, guided in part by questions from the two news organizations. 
And there's The New York Times Podcast Club (which I help run), where podcast lovers can talk about what they're listening to and Times employees select a show every week for discussion. These are different from The Times's institutional Facebook page, or pages run by sections like Styles or Science, which you might follow to see their news articles show up in your feed. In these groups, people at The Times - and collaborators - guide discussions and often engage with group members. Administrators must approve people before they can join, and must sign off on individual posts, too. They can also delete comments or remove members if things get nasty or inappropriate. top

Apple will update iOS to block police hacking tool (The Verge, 13 June 2018) - For months, police across the country have been using a device called a GrayKey to unlock dormant iPhones, using an undisclosed technique to sidestep Apple's passcode protection and the disk encryption keyed to it. The devices are currently in use in at least five states and five federal agencies, seen as a breakthrough in collecting evidence from encrypted devices. But according to a new Reuters report, Apple is planning to release a new feature to iOS that would make those devices useless in the majority of cases, potentially sparking a return to the encryption standoff between law enforcement and device manufacturers. Under the new feature, iPhones will cut off all data communication through the Lightning port if they have not been unlocked in the past hour. Once the hour expires, the port can only be used to charge the device. The result will give police an extremely short window of time to deploy GrayKey devices successfully, since a seized phone that sits in an evidence locker for more than an hour before being connected will no longer accept a data connection. According to a Malwarebytes report published in March, GrayKey works by installing some kind of low-level software through the iPhone's Lightning port. After plugging into the GrayKey device briefly, the target iPhone will continue to run the GrayKey software on its own, displaying the device's passcode on-screen between two hours and three days after the software was installed. While politically sensitive, the change will close off an entire class of attacks through the iPhone's Lightning port, including attacks that copy GrayKey's techniques. Apple described the change as a general security update rather than a response to law enforcement specifically. top

Google adds federal data to college searches (Inside Higher Ed, 13 June 2018) - Search for a four-year college on Google, and you'll now be presented with data on admission rates, graduation rates and tuition costs, in addition to the usual link to Wikipedia. Google said the addition of more information to college search results would make it easier for prospective students to choose the right institution for them. Writing in a blog post Tuesday, Jacob Schonberg, product manager for Google, said the process for finding information on colleges is "confusing" and that it is "not always clear what factors to consider and which pieces of information will be most useful for your decision." Schonberg said Google used data from the U.S. Department of Education's College Scorecard and Integrated Postsecondary Education Data System (IPEDS). Though IPEDS is one of the most comprehensive sources of data on four-year colleges, its numbers are often criticized for not being representative of student populations, particularly at open-access colleges, as IPEDS data tend to reflect only first-time, full-time students. In addition to data from IPEDS, Google has introduced new college-search features such as lists of notable alumni and suggestions for "similar colleges." top

How Firefox is using Pocket to try to build a better news feed than Facebook (The Verge, 13 June 2018) - On this week's episode of Converge , Pocket founder and CEO Nate Weiner tells us why he sold his company to Mozilla, and how he's working to build a better version of Facebook's News Feed into the Firefox browser. Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, Weiner believes the company can show people the best of the web - in a personalized way - without building an all-knowing, Facebook-style profile of the user. "We're testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla," Weiner said. "It all happens on the client, inside the browser itself. There is this notion today... I feel like you saw it in the Zuckerberg hearings. It was like, 'Oh, users. They will give us their data in return for a better experience." That's the premise, right? And yes, you could do that. But we don't feel like that is the required premise. There are ways to build these things where you don't have to trade your life profile in order to actually get a good experience." Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy. In a world where trust in social feeds has begun to collapse, Pocket offers a low-key but powerful alternative. And as Mozilla has integrated it deeper into Firefox, Pocket has become a significant source of traffic for some publishers, The Verge included. [ Polley : I love Pocket.] top

Free MOOCs face the music (Inside Higher Ed, 14 June 2018) - Massive open online courses got a little less open with edX's recent announcement that it is introducing support fees for some of its MOOCs. Midway through an innocuous-looking blog post , Anant Agarwal, CEO of edX, said the nonprofit would be "moving away from our current model of offering virtually everything for free." On May 3, edX began testing the introduction of a "modest support fee" that will "enable edX and partners to continue to invest in our global learning platform." Adam Medros, edX COO and president, said in an interview that the support fee was just one option being explored to ensure the long-term sustainability of the MOOC provider. Previously edX users were able to take most of its courses at no cost, an option that edX calls "auditing" a course. Those who want a certificate to show they have completed a course typically pay between $50 and $300. Some options, such as edX's MicroMasters programs , cost over $1,000. Now some users will be asked to pay a support fee, "from $9 up to some portion of the certification cost," said Medros. The price of the support fee "will be aligned to the value and experience" that a course gives to a learner, said Medros, suggesting that the best courses will also be the most expensive. By introducing a support fee, Medros said, there is a possibility that completion rates may go up. "There is a lot of evidence showing that having some 'skin in the game' is beneficial in online learning," said Medros. Medros did not say how many courses the support fee would be applied to, but he said it was edX's intention that "some portion" of its content "will always be free." He said edX had not decided which content will remain free and what proportion of the total catalog it will represent. top

Beware of buying a competitor's name to market your law practice (MyShingle.com, 14 June 2018) - Can lawyers use a competitor's name as a keyword to market their own law practice? Although Google allows law firms to purchase competitors' names as keywords, at least two states - North Carolina and South Carolina - forbid this practice, finding it inherently deceptive. By contrast, Florida and Texas allow lawyers to use keywords to advertise, with the caveat that the ads must be designed so as not to trick consumers into thinking they are going to one firm's website when they are instead led to another. But the bar regulations don't much matter because increasingly, law firms whose names have been appropriated are suing competitors and winning. As the Daily Report Online reports, a Georgia court recently enjoined a Texas marketing firm called ELM from running ads for a law firm that used a rival firm's trade name to draw traffic to the advertising firm's site. Further compounding the confusion, the marketing company used photos of the rival firm's site as background for the ads and included phone numbers to call centers where operators were instructed to use a generic greeting so that callers would believe that they had reached the rival firm's answering service. top

RESOURCES

Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract : The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target's data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CIA monitors YouTube for intelligence (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. "We're looking at YouTube, which carries some unique and honest-to-goodness intelligence," said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees' Association last October. "We're looking at chat rooms and things that didn't exist five years ago, and trying to stay ahead. We have groups looking at what they call 'Citizens Media': people taking pictures with their cell phones and posting them on the Internet." In November 2005, the OSC subsumed the CIA's Foreign Broadcast Information Service, which housed the agency's foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin's remarks on his blog. "I found the speech interesting and thoughtful," he said in an e-mail. "I would not have thought of YouTube as an obvious source of intelligence, but I think it's a good sign that the Open Source Center is looking at it, and at other new media." top

Google, UN unveil project to map movement of refugees (SiliconValley.com, 8 April 2008) - Internet search giant Google Inc. unveiled a new feature Tuesday for its popular mapping programs that shines a spotlight on the movement of refugees around the world. The maps will aid humanitarian operations as well as help inform the public about the millions who have fled their homes because of violence or hardship, according to the office of the U.N. High Commissioner for Refugees, which is working with Google on the project. "All of the things that we do for refugees in the refugee camps around the world will become more visible," U.N. Deputy High Commissioner for Refugees L. Craig Johnstone said at the launch in Geneva. Users can download Google Earth software to see satellite images of refugee hot spots such as Darfur, Iraq and Colombia. Information provided by the U.N. refugee agency explains where the refugees have come from and what problems they face. Google says more than 350 million people have already downloaded Google Earth. The software was launched three years ago and originally intended for highly realistic video games, but its use by rescuers during Hurricane Katrina led the company to reach out to governments and nonprofit organizations. top