Saturday, February 18, 2017

MIRLN --- 29 Jan - 18 Feb 2017 (v20.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Secure messaging for lawyers

Be careful choosing a VPN

How feds can use encrypted apps without breaking the law

'Paranoid' Republicans flock to app that wipes conversations

House members: EPA officials may be using Signal to "spread their goals covertly"

Some of the New York Times' best stories aren't in the Times - they're on Twitter

NIST's draft update to cybersecurity framework focuses on third-party vendors and the cost-effectiveness of cybersecurity programs

Some surprises in the new New York cybersecurity regulations

When you're under cyberattack, silence isn't golden

Google must turn over foreign-stored emails pursuant to a warrant, court rules

Google figured out how to turn pixelated images into high-res ones

The Met makes 375,000 public domain images available

Your smart TV may have been spying on you

Facebook, Oculus, Zenimax, and nonliteral copying of code

Russia's apparent meddling in U.S. election is not an act of war, cyber expert says

Someone paid random internet users to lobby for Betsy DeVos's confirmation

NACD publishes five cybersecurity principles every board director needs to know

Boards focus on cyber-risk regularly, but only 1 in 7 have deep security knowledge

Can you hold copyright in federal law?

Linux pioneer Munich poised to ditch open source and return to Windows

Want to help fight legal battles? There's a crowdfunding site for that.

A US-born NASA scientist was detained at the border until he unlocked his phone

Diehard coders just rescued NASA's earth science data

Woman's insurance canceled over Facebook pictures

Secure messaging for lawyers (Lawyerist.com, 23 Jan 2017) - After you have thought through your threat model and secured your accounts and devices, you are ready to delve into communicating privately and securely with your clients and others. If you guessed this means setting up encrypted email, you are wrong. Love it or hate it, email makes the world go round, and it's probably the main way you communicate with your clients, opposing counsel, experts, and many other people in your personal and professional life. Let's take a look at how email works, and gain a better understanding of how private these communications are. * * * [Polley: This is excellent and thorough; I use most of these processes.]

- and -

Be careful choosing a VPN (Lawyerist, 31 Jan 2017) - Using a reputable VPN (virtual private network) to protect yourself when you use public Wi-Fi is basic computer security. It's either that or stay off of public Wi-Fi entirely and use your phone as a personal hotspot. This is where the security experts point out that there is a third option. Yes, a third option. If you are careful only to use websites and services that are properly configured to use HTTPS/SSL, you should be safe. That includes your email server. If you understand how to do that, feel free. For most regular users (and I put most lawyers in this category), it is safer to rely on a VPN or personal hotspot to protect you when you are connecting to the unencrypted half of the internet. Here is the catch. If you rely on a VPN or personal hotspot, that effectively means sending all your information through one service. Therefore, you have to be able to trust your VPN provider. And, this should go without saying: not all VPN providers are trustworthy. In fact, a lot of VPN providers contain viruses and malware. So how do you know which VPN you can trust? For starters, avoid free VPN providers. There are notable exceptions like rolling your own OpenVPN install, but that's for advanced users only. In general, free VPNs aren't really free. They make money by inserting one thing or another into your information, or else they harvest your information. Neither is good if security, privacy, and confidentiality are part of your reason for using a VPN in the first place. * * * [Polley: I use Cloak, VPNsecure, Private Internet Access, and Opera-Developer. See also Beware: Most mobile VPNs aren't as safe as they seem (Wired, 8 Feb 2017)]

- and -

How feds can use encrypted apps without breaking the law (NextGov, 3 Feb 2017) - "Download Signal," a career federal employee and longtime source for information told me last month. "We can talk on that. It's not a good time right now. A lot of us are nervous." I received similar messages from federal technologists I regularly engage with and another source who handles federal oversight matters. The use of encryption technologies to communicate with peers is undoubtedly safer than using traditional communications, but there are caveats for federal employees. Open records laws dictate how federal employees conduct official business, and those who opt to use encrypted apps need to be aware of the sometimes murky legal ground they're entering that puts their devices and privacy at risk. Politico reports some in government are using encrypted communications to actively dissent, while others, including some who spoke to Nextgov on condition of anonymity, explained they wanted safe, simple and legal means to communicate with peers without possible consequence or retaliation. * * * Encrypted communications are relatively new as a technology, but for federal employees, they still fall under the Freedom of Information Act and other open-records laws, said Alex Howard, deputy director of the Sunlight Foundation. "The key issue here is not the condition of encryption; the key thing to consider is whether official government business is being conducted or not," Howard told Nextgov. Federal guidance released by the National Archives Records Administration in July 2015 updated the government's policies regarding newer forms of communications such as Google Chat and Slack. The guidance states "agencies must capture and manage these records in compliance with federal records management laws, regulations and policies." Further, it doesn't matter whether employees are using official government-issued devices or their own. NARA's guidance covers all federal employees, contractors, volunteers and external experts "when they conduct agency business using personal electronic messaging accounts or devices," whether or not agencies formally allow employees to use personal accounts or devices to conduct government business. Both the Environmental Protection Agency and the Internal Revenue Service have come under scrutiny for improperly retaining instant messages. Encrypted messages should be treated by federal employees in the same fashion, Howard said, and not doing so flies in the face of sunshine laws.

- and -

'Paranoid' Republicans flock to app that wipes conversations (Naked Security, 13 Feb 2017) - A little-known messaging app that automatically erases all conversations has reportedly taken off among "paranoid" US politicians, including members of the Trump administration. The claim emerged from news gossip site Axios, which quoted an unnamed Republican who explained the simple appeal of Confide, an app for professionals launched three years ago by a New York-based startup of the same name: "For folks that are on the inside in this city, it provides some cover." Lending credibility to the story is a 2015 report that Australian prime minister Malcolm Turnbull has taken to using the same app. Confide uses a proprietary version of the end-to-end encryption used by bigger rivals such as Signal, Telegram, WhatsApp, Facebook Messenger, as well as a growing list of others. Why might politicos be drawn to Confide rather than better-known names? One attraction is the app's promise that everything sent between contacts will "disappear without a trace when you're done," an off-the-record mode of communication that fits the low-trust zeitgeist. Other apps such as Snapchat have similar features, but struggle to stop bypasses such as taking screenshots. Confide counters this by hiding messages until the receiver moves or "wands" their finger or cursor over each line of text. After messages are read once, they disappear, or after 10 minutes if they aren't, and messages can't be forwarded or saved. Perhaps its biggest draw could simply be that Confide has reached a critical threshold of users in this unusual community: the more DC insiders who use it, the more who want to use it. There should be sectors where "disappearing" messaging and email won't work, such as the financial sector and government, because of the need for an audit trail. And yet, despite the recent Clinton email server fracas, there are no fixed rules that government officials and politicians can't communicate privately, as long as they use official servers for the day job.

- and -

House members: EPA officials may be using Signal to "spread their goals covertly" (ArsTechnica, 15 Feb 2017) - Two Republican members of Congress sent a formal letter Tuesday to the Environmental Protection Agency's Office of the Inspector General, expressing concern that "approximately a dozen career EPA officials" are using the encrypted messaging app Signal to covertly plan strategy and may be running afoul of the Freedom of Information Act. The congressmen note that the EPA has previously examined employee use of text messages to conduct government business and found that only a minuscule fraction of those messages was retained under FOIA. "Not only does this demonstrate the vast issues presented with using text messages to conduct official business, but raises additional concerns about using messaging applications to conduct official business, which make it virtually impossible for the EPA to preserve and retain the records created in this manner to abide by federal record-keeping requirements," they concluded.

Some of the New York Times' best stories aren't in the Times - they're on Twitter (ReCode, 26 Jan 2017) - New York Times reporter Maggie Haberman had a great story yesterday: On Saturday, Donald Trump, operating on less than four hours' sleep, flew into a rage because of a National Park tweet that a fellow Times reporter had retweeted. Trump's anger led to White House press secretary Sean Spicer's preposterous crowd size statement. "Trump's worst impulse control is when he's tired or overstretched, or in an uncertain situation. All three took place Saturday," Haberman wrote, and followed that up with insight into Trumpland's inner circle. It's must-read stuff. But you couldn't read it in the New York Times on Wednesday. Instead, Haberman published it as a 9-part tweetstorm. Here's the opener: * * *

NIST's draft update to cybersecurity framework focuses on third-party vendors and the cost-effectiveness of cybersecurity programs (Nat'l Law Review, 1 Feb 2017) - On January 10, 2017, the National Institute of Standards and Technology ("NIST") released a proposed update to its popular cybersecurity blueprint for organizations and businesses, known as the Framework for Improving Critical Infrastructure Cybersecurity (the "Framework"). The updated Framework, titled "Draft Version 1.1," includes, among other things, new provisions for assessing the cybersecurity risk posed by third-party vendors and the addition of a new section on measuring the cost effectiveness of cybersecurity programs. The proposed changes are NIST's first attempt to update the Framework since it was issued in February 2014 pursuant to President Obama's February 2013 Executive Order 13636, "Improving Critical Infrastructure Cybersecurity." Based on feedback from users, responses to its official request for information, and workshop comments, NIST has identified certain areas of the Framework that needed refining, clarification, or enhancement. Draft Version 1.1 is the result of that effort.

Some surprises in the new New York cybersecurity regulations (Veracode, 2 Feb 2017) - In the US, there exist no meaningful national cybersecurity rules, but, as a practical matter, that is likely to change this year. But it's not coming from Congress. The catalyst is new rules slated to start in March from the New York State Department of Financial Services. In financial areas, that New York department is typically mimicked by a wide range of other state regulators, along with federal regulators. Hence, de facto national rules. The rules themselves (you can peruse the full guidelines here) are not especially controversial, primarily being security best practices. The rules insist on regular penetration testing and vulnerability assessments. They also establish strict encryption guidelines and require written access-control policies. Notably, however, the way they approach application security is somewhat novel, and the regulations do contain some language that might cause confusion. * * *

- and -

When you're under cyberattack, silence isn't golden (American Banker, 3 Feb 2017) - With cyberattacks growing in complexity and size, the last thing a financial institution needs is to be its own enemy. Yet, in my capacity helping large banks deal with information security risk, I have observed financial institution leaders make decisions that exposed their organization to greater cyber risk. I have also seen breached institutions make errors that could further harm the company and its brand. Critical mistakes made following an attack will not only hurt a bank's reputation in the eyes of its customers, but could also breed disillusionment with employees and impair their trust in an organization's leaders. Here are four principles to avoid making an already dangerous threat environment worse. * * *

Google must turn over foreign-stored emails pursuant to a warrant, court rules (Orin Kerr, 3 Feb 2017) - A federal magistrate judge handed down an opinion this afternoon, In re Search Warrant No. 16-960-M-01 to Google, ordering Google to comply with a search warrant to produce foreign-stored emails. The magistrate judge disagrees with the U.S. Court of Appeals for the 2nd Circuit's Microsoft Ireland warrant case, recently denied rehearing by an evenly divided court. Although the new decision is only a single opinion by a single magistrate judge, the decision shows that the Justice Department is asking judges outside the Second Circuit to reject the Second Circuit's ruling - and that at least one judge has agreed. [see also Court denies U.S. government appeal in Microsoft overseas email case (Computerworld, 24 Jan 2017)]

Google figured out how to turn pixelated images into high-res ones (Mashable, 7 Feb 2017) - You see it all the time in movies and TV shows: A security camera records footage of an intruder, but the image is too blurry or pixelated to make out who it is. Some nerdy-looking "hacker" then clacks at his keyboard and -- boom -- seconds later, the pixelated image turns into a crisp one revealing the person's face in glorious detail. "Oh, come on!" we all say while rolling our eyes. Well, you might have to break that habit because Google has figured out a way to turn movie magic into reality (sort of). According to ArsTechnica, researchers at Google's deep learning research project, Google Brain, have created software that attempts to "sharpen" images made up of 8 x 8 pixels. Of course, Google Brain's software can't actually enhance the original block of pixels. Instead, what it's doing is using machine learning to try to guess what the original image might be if it had been downsized to 64 pixels. [Polley: like a reverse hash look-up?]

- and -

The Met makes 375,000 public domain images available (Fortune, 7 Feb 2017) - The Metropolitan Museum of Art announced Tuesday that more than 375,000 of the Museum's "public-domain artworks" are now available for unrestricted use. "We have been working toward the goal of sharing our images with the public for a number of years," said Thomas P. Campbell, director and CEO of the Met, in a statement. "Our comprehensive and diverse museum collection spans 5,000 years of world culture and our core mission is to be open and accessible for all who wish to study and enjoy the works of art in our care." The image collection covers photographs, paintings, and sculptures, among other works. Images now available for both scholarly and commercial purposes include Emanuel Leutze's famous painting Washington Crossing the Delaware; photographs by Walker Evans, Alfred Stieglitz, and Dorothea Lange; and even some Vincent van Gogh paintings. The Met has teamed up with Creative Commons, Wikimedia, Artstor, Digital Public Library of America, Art Resource, and Pinterest to host and maximize the reach of their enormous collection. There is also a public GitHub repository of the images.

Your smart TV may have been spying on you (Mashable, 7 Feb 2017) - Electronics company Vizio doesn't want its customers to believe it ran a giant spying operation, but the company's surrender to a recent lawsuit suggests otherwise. Vizio agreed to pay $2.2 million on Monday to settle a lawsuit brought against them by the New Jersey government and the Federal Trade Commission. In doing so, they agreed to stop fighting the charge that the company "installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers' knowledge or consent." Vizio and "an affiliated company" built their smart TVs to spy on whatever their customers were watching, starting in February 2014, according to the complaint filed. They did this with a pixel-reading technology that matched pixels on customer TVs to pixels of whatever show was in their database - live shows, shows recorded for future watching, movies, whatever. By taking this data and matching it to data about their customers, the complaint alleges that Vizio took information about customers' "sex, age, income, marital status, household size, education level" and more of those who watched particular shows, and sold that information to advertisers. That type of demographic information is incredibly valuable to advertisers. Advertisers already know the demographic they're after. This information tells them when their potential customers will be relaxed, sitting on a couch, and ready to be pitched on a product. Vizio still contends that its "program never paired viewing data with personally identifiable information such as name or contact information, and the commission did not allege or contend otherwise."

Facebook, Oculus, Zenimax, and nonliteral copying of code (IPWatchdog, 7 Feb 2017) - Just last week, Facebook was spanked with a $500 million court judgement for non-literal infringement of software copyright. Even for Facebook, that's a lot of money. Though less than the $4 billion that plaintiff ZeniMax had been asking for, it's a large chunk of the $2 billion that Facebook paid for Oculus in 2014. The case was ZeniMax v. Oculus, and the jury decided that Facebook had infringed on the copyright of ZeniMax's software source code. According to the jury, Oculus co-founder Palmer Luckey and CTO John Carmack violated a nondisclosure agreement (NDA) with ZeniMax when they all had worked together to develop the Oculus Rift, the virtual reality headset that caught the attention of Facebook. I've been seeing some articles about the case from software engineers who are confused about the verdict, especially a Facebook rant by John Carmack. My consulting company specializes in software copyright infringement, my software company has created tools and procedures for determining whether software copyright occurred, and I wrote the primary textbook in the field of software forensics. In fact, I was the expert for Facebook in the famous case made into the movie The Social Network. I was able to show that Mark Zuckerberg didn't copy Facebook code from the Winklevoss twins at Harvard. My consulting company wasn't involved in this new case, so I cannot speak to the behind-the-scenes details, but I do think it's important to understand nonliteral copyright infringement in case you're thinking of taking some of your employer's code with you to your next company. * * *

Russia's apparent meddling in U.S. election is not an act of war, cyber expert says (WaPo, 7 Feb 2017) - Russia's hacks of the Democratic National Committee and its election meddling were alarming, but not an act of war, said a leading scholar of international law in cyber operations. "I'm no friend of the Russians," said Michael Schmitt, chairman of the U.S. Naval War College's International Law Department and director of a project that analyzes how international law applies to cyber operations - especially in peacetime. But Moscow's hacking and dumping of Democratic emails to WikiLeaks "is not an initiation of armed conflict. It's not a violation of the U.N. Charter's prohibition on the use of force. It's not a situation that would allow the U.S. to respond in self-defense militarily." Schmitt spoke in an interview with The Washington Post coinciding with the release of the Tallinn Manual 2.0, an updated reference for lawyers around the world on how international law applies to cyberspace. Schmitt, who is also a law professor at the University of Exeter in Britain, led the legal team that compiled the manual. Sen. John McCain (R-Ariz.), the chairman of the Armed Services Committee, has said he believes Russia's interference in the 2016 presidential election amounted to an act of war. Nonetheless, Schmitt said, Russia's apparent attempt to influence the outcome of the election by its release of emails through WikiLeaks probably violates the international law barring intervention in a state's internal affairs. And that would give the United States grounds to undertake "countermeasures" that would otherwise be unlawful, he said.

- and -

Someone paid random internet users to lobby for Betsy DeVos's confirmation (Vox, 7 Feb 2017) - Someone out there really wants President Donald Trump's polarizing nominee for secretary of education, Betsy DeVos, to get the job - so much so that they've been paying random internet users to write notes supporting her contentious confirmation. Users on paid task sites like InstaGC and Swagbucks, which reward users for shopping at certain websites or completing small tasks and surveys online, as well as on the 'freemium'-based mobile fashion game Covet Fashion, have been reporting a task that links to SupportDeVos.com. The website contains a contact form to get in touch with members of Congress - but only to send notes of support for DeVos's confirmation. Users who fill out and send the support form earn points or actual cash, but there is no option to send a note of dissent. Spokespersons for InstaGC as well as the company that runs Covet Fashion each confirmed that the ads recently appeared on their sites and have since been removed. The ads attempted to convince users they were paid for by the American Federation for Children, an organization funded and previously chaired by DeVos. But they weren't. Spokespersons for DeVos and AFC confirmed to Vox that neither she nor the AFC had purchased the ads. Spokespersons for InstaGC and Covet Fashion each confirmed to Vox that the ads were paid for by advertisers using third-party vendors.

NACD publishes five cybersecurity principles every board director needs to know (Security Intelligence, 8 Feb 2017) - In January 2017, the National Association of Corporate Directors (NACD) released an updated edition of its "Director's Handbook on Cyber-Risk Oversight." In light of increasing pressures from regulators and ongoing cyberattacks, board directors have a key role to play to ensure proper oversight of cyber risks for their organizations. The 2017 edition improves on the 2014 version by clarifying several points for board directors to help them understand the strategic importance of cyber risks and the complexity of threats. It also includes several appendices that both chief information security officers (CISOs) and directors will find useful when preparing for mergers and acquisitions (M&A). The appendices also contain information about metrics and dashboards, and the relationship between boards and CISOs. * * *

- and -

Boards focus on cyber-risk regularly, but only 1 in 7 have deep security knowledge (Bitdefender, 13 Feb 2017) - Nearly 90 percent of directors at public companies say their board discusses cyber-risk regularly, yet only 14 percent of boards have in-depth knowledge of cyber-risks, according to a survey by the National Association of Corporate Directors (NACD), cited by Internal Auditor. Almost 60 percent of respondents reported that they find it challenging to oversee cyber risk. For 51 percent of publicly listed companies, cyber-risk oversight falls on the audit committee, but 96 percent of directors surveyed say the full board takes on the big picture risks that could impact their company's strategic direction. The most common board cyber-risk oversight practices are reviewing the company's approach to protecting its most critical assets (77 percent) and reviewing the technical infrastructure used to protect those assets (74 percent). In case of a breach, NACD recommends directors and management focus on the following areas of concern: * * *

Can you hold copyright in federal law? (Volokh Conspiracy, David Post, 8 Feb 2017) - The U.S. District Court for the District of Columbia decided last week (Am. Soc. for Testing Materials v. Public.Resource.org) that standards-setting organizations whose work product is "incorporated by reference" into federal law do not lose copyright protection for their works (and can, therefore, prohibit others from copying or distributing their standards, or charge for access to them). Standards, the court observed, "are typically developed by standards developing organizations ("SDOs"), like Plaintiffs, who work to develop 'voluntary consensus standards,'" such as the ones at issue in the case. One of the plaintiffs (ASTM), for instance, has "developed over 12,000 standards that are used in a wide range of fields, including consumer products, iron and steel products, rubber, paints, plastics, textiles, medical services and devices, electronics, construction, energy, water, and petroleum products, and are the combined efforts of over 23,000 technical members, representing producers, users, consumers, government, and academia." Pursuant to 5 U.S.C. § 552, federal agencies may incorporate such voluntary consensus standards - as well as, for example, state regulations, government-authored documents, and product service manuals - into federal regulations by reference. Applicable regulations provide that a "publication is eligible for incorporation by reference" if it is "published data, criteria, standards, specifications, techniques, illustrations, or similar material," and it must be "reasonably available to the class of persons affected thereby" before it can be deemed to have been incorporated into the law. * * * Unfortunately, I think Judge Chutkan got the copyright analysis correct on this one; there is simply no provision in the Copyright Act that can be read to strip protection for works that become, after their creation, incorporated into the law.
It is a very unfortunate state of affairs. Almost 10 years ago, in response to a similar copyright claim (by the state of Oregon, no less) asserting copyright in the text of its laws, I wrote that "it is completely outrageous that in 2008 [!!] we do not have a complete and authoritative compendium of all of the laws of the 50 States, and the federal government, available at no cost on the Internet." It was true then, and it is true now; the idea that one has to purchase a copy of relevant regulatory requirements that you are required, by law, to comply with is outrageous - and the fact that one can consult a hard copy of the regulations at the Office of the Federal Register in Washington does not make it less so. But I have to say that Chutkan is probably correct that this is something that Congress, and not the courts, should deal with. [see also Federal court basically says it's okay to copyright parts of our laws (TechDirt, 3 Feb 2017)]

Linux pioneer Munich poised to ditch open source and return to Windows (TechRepublic, 10 Feb 2017) - Politicians at open-source champion Munich will next week vote on whether to abandon Linux and return to Windows by 2021. The city authority, which made headlines for ditching Windows, will discuss proposals to replace the Linux-based OS used across the council with a Windows 10-based client. If the city leaders back the proposition it would be a notable U-turn by the council, which spent years migrating about 15,000 staff from Windows to LiMux, a custom version of the Ubuntu desktop OS, and only completed the move in 2013. * * * At the time Munich began the move to LiMux in 2004 it was one of the largest organizations to reject Windows, and Microsoft took the city's leaving so seriously that then CEO Steve Ballmer flew to Munich to meet the mayor. More recently, Microsoft last year moved its German company headquarters to Munich. [Polley: Munich's experiment dates back to 2004, when these stories were running: Indian president calls for open source in defense (CNET, 7 July 2004); France lends support to new open-source license (InfoWorld, 9 July 2004)]

Want to help fight legal battles? There's a crowdfunding site for that. (WaPo, 11 Feb 2017) - When online crowdfunding sites like Kickstarter and GoFundMe debuted, people hoping to invent and sell a better bottle opener, those in need of help with medical bills and all sorts of personal would-be fundraisers talked about the concept in grand, world-changing ways. This, they said, was a disruptive, potentially transformative financial development. A new website aims to mash up that kind of popular Internet fundraising with legal work, hoping to turn legal cases into publicly funded - and backed - social causes. CrowdJustice.org went live with its first U.S. fundraising appeals in recent weeks with a tagline meant to promote equal access to the courts, regardless of one's economic standing: "The law should be available to everyone." The site's founder, a British transplant, says CrowdJustice is a politically neutral portal where people and organizations pursuing litigation can solicit and win public help with the costs. So far, CrowdJustice has helped fund an assortment of cases, including a lawsuit fighting a multistory car park in Berkhamsted, England, and one trying to quash Brexit. But, just weeks after the site opened to U.S. causes, CrowdJustice, or at least its marketing plan, appears to set it on a collision course with one of the Trump administration's signature policies: the travel ban. * * * [Polley: NOTE TO READERS - Amazon Prime members now have unlimited access to Washington Post online; free for the first six months, and $4/month thereafter. So, I'm adding MIRLN links to WaPo articles even though they're possibly behind a paywall; only WaPo and the New York Times are so-treated here. Sorry WSJ.]

A US-born NASA scientist was detained at the border until he unlocked his phone (The Verge, 12 Feb 2017) - Two weeks ago, Sidd Bikkannavar flew back into the United States after spending a few weeks abroad in South America. An employee of NASA's Jet Propulsion Laboratory (JPL), Bikkannavar had been on a personal trip, pursuing his hobby of racing solar-powered cars. He had recently joined a Chilean team, and spent the last weeks of January at a race in Patagonia. Bikkannavar is a seasoned international traveller - but his return home to the US this time around was anything but routine. Bikkannavar left for South America on January 15th, under the Obama Administration. He flew back from Santiago, Chile to the George Bush Intercontinental Airport in Houston, Texas on Monday, January 30th, just over a week into the Trump Administration. Bikkannavar says he was detained by US Customs and Border Patrol and pressured to give the CBP agents his phone and access PIN. Since the phone was issued by NASA, it may have contained sensitive material that wasn't supposed to be shared. Bikkannavar's phone was returned to him after it was searched by CBP, but he doesn't know exactly what information officials might have taken from the device. [Polley: see also The Danger of U.S. Customs Searches for Returning Lawyers (ABA's GP/Solo magazine, May/June 2013); and How to legally cross a US (or other) border without surrendering your data and passwords (Cory Doctorow on BoingBoing, 12 Feb 2017); and Can federal agents detain citizens at border checkpoints until they disclose their smartphone passcodes? (Orin Kerr, 13 Feb 2017). This is a fraught issue for lawyers. If you've heard of any lawyers having related problems, please email me; or, use Signal to my cellphone or Wickr to vpolley]

Diehard coders just rescued NASA's earth science data (Wired, 13 Feb 2017) - On Saturday morning, the white stone buildings on UC Berkeley's campus radiated with unfiltered sunshine. The sky was blue, the campanile was chiming. But instead of enjoying the beautiful day, 200 adults had willingly sardined themselves into a fluorescent-lit room in the bowels of Doe Library to rescue federal climate data. Like similar groups across the country - in more than 20 cities - they believe that the Trump administration might want to disappear this data down a memory hole. So these hackers, scientists, and students are collecting it to save it outside government servers. But now they're going even further. Groups like DataRefuge and the Environmental Data and Governance Initiative, which organized the Berkeley hackathon to collect data from NASA's earth sciences programs and the Department of Energy, are doing more than archiving. Diehard coders are building robust systems to monitor ongoing changes to government websites. And they're keeping track of what's been removed - to learn exactly when the pruning began. * * *

Woman's insurance canceled over Facebook pictures (Chicago ABC, 14 Feb 2017) - Do you put pictures of your kids, pets, or adventures on social media? If you do, be careful, as you never know who is watching. Melina Efthimiadis, along with her husband, wanted to add personal umbrella liability insurance to their Nationwide homeowner's policy. She says they have been low-risk clients, so she didn't think it would be a problem. In the application process for Nationwide, Melina says they had to write down the number of dogs they owned and their breeds, which are Shih Tzu/Yorkie, a Hound and Hound/Lab mix. Melina says they waited for approval, but instead got a cancellation letter from Nationwide. She says the reason was, "We were being cancelled because we had an ineligible dog breed that we failed to disclose." Nationwide claimed Melina had a potentially dangerous Rottweiler mix, a breed Nationwide considers ineligible. Melina says she was told by Nationwide how they made that decision. "They sent us the pictures that they had taken off of my Facebook page of my dog Zeus, who is a lab/hound mix." Melina called Nationwide to tell them they were wrong about Zeus' breed. "They said that I would have to have a letter written by my veterinarian," she said. That's not a problem for Melina, as she actually is a veterinarian. "Really, this is not something that can be proven just by looking at pictures," she added. After confirming Zeus was not an ineligible breed, Nationwide rescinded the cancellation.

RESOURCES

The Right Tools: Europe's Intermediary Liability Laws and the 2016 General Data Protection Regulation (Daphne Keller, Stanford Law School; SSRN; 8 Feb 2017) - Abstract: The so-called "Right to Be Forgotten" established by the Court of Justice of the European Union in 2014 is about to change. The EU's General Data Protection Regulation, which goes into effect in 2018, introduces new notice-and-takedown rules for online information targeted by "Right to Be Forgotten" erasure requests. The new rules are ripe for abuse. They give private Internet platforms powerful incentives to remove user-generated content - whether or not that content, or the intermediaries' processing of the content, violates any law. This threat to online expression and information could be reduced through procedural checks and balances in the OSPs' removal operations and before regulators and courts. This article details the problematic GDPR provisions, examines the convergence of European Data Protection and Intermediary Liability Law, and proposes ways that the EU's own Intermediary Liability laws can restore balanced protections for privacy and information rights under the new law.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Under-The-Rug Oversight (New York Times Editorial, 29 Dec 2006) -- The wondrously named Privacy and Civil Liberties Oversight Board held its first public hearing the other day on the National Security Agency's illegal eavesdropping program. If you expected it to discover any truths about the secret program, you can forget it. The board spent its time explaining why it was more important to work from within the administration than to challenge it. Thus wags the tail of a watchdog with neither bark nor bite. The board was created two years ago by the White House and the Republican Congress as a pale substitute for the independent monitor recommended by the Sept. 11 commission. Its members (four Republicans and one lone Democrat) serve at the pleasure of the administration. It has a paltry budget and no subpoena power, and any requests for documents can be vetoed by the attorney general. It's so low on the totem pole that it didn't even get a formal briefing on the administration's eavesdropping on American citizens until October - almost a year after the warrantless surveillance program had been uncloaked for the nation by the news media. Hardly complaining, the oversight panel offered a parody of a hearing that laid bare its own toothlessness. Members studiously ducked the question of whether they condoned President Bush's concoction of an inherent power to eavesdrop beyond court oversight. One spoke of the priority to "provide advice confidentially" to the White House, another even more vaguely of the "conservative tradition of checks and balances." A frustrated witness informed the board it was "all bark and no bite." But in truth, there's no bark either. The board's initial report to Congress in March will first be vetted by administration factotums. Right now, the panel is best suited to polishing up the handles on the White House doors. But its members make the point that the board is no more than Congress created it to be. 
All the more reason to repair the damage as Americans wonder precisely how many liberties they have already sacrificed. A bill to remake the board as an independent entity with subpoena power and a credible claim to oversight has been submitted by Representatives Carolyn Maloney, Democrat of New York, and Christopher Shays, Republican of Connecticut. It deserves a full and open review - which is more than the American public has been getting from its toothless watchdog.

Online Nordic banking theft stirs talk of Russian hacker (New York Times, 25 Jan 2007) -- Word has started spreading in Sweden about the discovery last week of a $1 million online banking theft traced to a Russian hacker who goes by the sobriquet "the Corpse." The case opens a window into the dark world of Russian programming and underlines risks in online banking. Nordea Bank, the Scandinavian financial services company involved, emphasized that only customers whose computers were not protected by antivirus programs had become victims. The Swedish police said the virus was distributed with spam e-mail and programmed to infiltrate home computers of customers at several European and American banks. Police officers have arrested Swedish nationals and foreigners who withdrew cash from Nordea branches after making online transfers. The Corpse's identity is unknown to computer virus specialists. The virus in question, a so-called Trojan horse program, surreptitiously logged keystrokes while banking customers entered their passwords. The police identified the program as a variant of the Haxdoor Trojan. The Corpse is thought to be the author of the original Haxdoor program and several iterations, under names including A311 Death and Nuclear Grabber. Those are offered for sale on a Russian Web site at prices ranging from several hundred dollars to several thousand dollars, depending on the version. Thieves using the program in Sweden defrauded 250 customers of Nordea's online banking service over a period of 15 months. The bank has compensated its clients. The case has drawn new attention to the bizarre world of Russian hacking. Russia's weak laws and a strong tradition of scientific education have combined to create a flourishing culture of computer hacking, specialists in the programming industry say. The prevalence of pornography and fraud on the Russian Internet has contributed to the country's image as a digital Wild West of spammers and hackers. 
And foiling Western banking security resonates with Russian programmers, technology specialists say. Russian hackers are driven by "curiosity, greed or the desire to prove they are clever," said Denis Kalinin, chief executive of Rambler, a successful Russian search engine company. This latest version of the Haxdoor Trojan program was activated when a customer typed the bank's address into a browser. The rogue software then recorded keystrokes to capture passwords. Later, money was transferred to newly opened accounts and cash was withdrawn at bank branches. The Corpse's site carries a disclaimer in rough English that the programs are to be used "exclusively in the educational purposes." Questions mailed to the site were not answered on Wednesday.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, January 28, 2017

MIRLN --- 8-28 Jan 2017 (v20.02)

MIRLN --- 8-28 Jan 2017 (v20.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | RESOURCES | LOOKING BACK | NOTES

Dems, civil libertarians blast fines for live-streaming on House floor (The Hill, 4 Jan 2017) - Civil libertarians are blasting new rules from House Republicans that would impose fines on lawmakers who take pictures or live-stream video on the House floor. The fines are intended to prevent a repeat of protests like the sit-in by House Democrats last year calling for gun control legislation after the mass shooting in an Orlando, Fla., nightclub. Democrats broadcast their sit-in on social media, including Periscope and Twitter, after GOP leadership cut the camera feed that was being aired by C-SPAN. Michael Macleod-Ball, a First Amendment attorney for the American Civil Liberties Union, called the new fines an overreaction. "Ultimately what harm was done?" Macleod-Ball said of Democrats broadcasting their sit-in, noting that the House floor is constantly being televised. "I just don't see that there's a huge justification for imposing this penalty," he added. "Adding the penalty is just one further step in the wrong direction. The original rule would have had some chilling effect, the rule with the penalty has a further chilling effect, and because of that we don't think it's a good idea." Before the fines, there were already existing rules against recording on the House floor, but lawmakers rarely faced any consequences for violating it before Tuesday. The new fines are part of a rules package that was opposed by the entire Democratic caucus and just three Republicans. It imposes a $500 fine on lawmakers for their first offense and a $2,500 fine for every subsequent violation. The money would be taken out of a member's salary.

FTC goes after D-Link for shoddy security in routers, cameras (Computer World, 5 Jan 2017) - The U.S. Federal Trade Commission is cracking down on D-Link for selling wireless routers and internet cameras that can easily be hacked, the regulator said Thursday. Thousands of consumers are at risk, the FTC said in a complaint filed against the Taiwanese manufacturer, charging D-Link with repeatedly failing to take reasonable measures to secure the products. The action comes as hackers have been hijacking poorly secured internet-connected products to launch massive cyberattacks that can force websites offline. Recently, a notorious malware known as Mirai has been found infecting routers, cameras, and DVRs built with weak default passwords. In D-Link's case, the company said its products are "easy to secure" and offer "advanced network security." But in reality, the devices contained preventable security flaws open to easy exploitation, the FTC alleged. Among those flaws were guessable login credentials embedded in D-Link camera software, using the word "guest" for both the username and password. D-Link also failed to patch vulnerabilities in the product software, including a command injection flaw that would have given hackers remote control over a device. "We can't say whether we will take action against similar companies," an FTC spokesman said on Thursday.

A few states now actually help you figure out if you've been hacked (Wired, 6 Jan 2017) - Thousands of US companies were hacked last year, and each time people's private data was taken. Was yours? You may not know because it's hard to keep track, much less do anything about it when there are so many incidents all the time. But if the data collected on breaches in the US were available to you, it would be a lot easier to check whether you've interacted with compromised businesses and institutions. That data exists. In fact, nearly every US state (47 to be exact) requires companies to disclose when a breach affects their citizens, and most track this data internally. That data is usually a public records request away from you, the consumer, who could actually use it to inform your digital habits. But, recently a small group of states have decided to make breach information freely available to the public. This week, Massachusetts joined them. Massachusetts joins California, Indiana, and Washington in making this data public. The US Department of Health and Human Services has also collected and publicly posted information about patient data breaches since 2009. The HHS data collection is often referred to colloquially as the "Wall of Shame." For Massachusetts, the decision is a way to increase transparency.

A lawyer rewrote Instagram's terms of use 'in plain English' so kids would know their privacy rights (WaPo, 8 Jan 2017) - Members of "Generation Z" can spend up to nine hours a day sharing photos on Instagram, consuming "content" on YouTube and talking to friends on Snapchat. But how much do these teens understand what they've agreed to give up when they start an account with those sites? Probably very little, according to a report released last week - and dense terms and conditions that are "impenetrable and largely ignored" are partly to blame. "'Terms and conditions' is one of the first things you agree to when you come upon a site," Jenny Afia, a privacy lawyer and partner at Schillings law firm in London, told The Washington Post. "But of course no one reads them. I mean, most adults don't read them." Afia was a member of a "Growing Up Digital" task force group convened by the Children's Commissioner for England to study Internet use among teens and the concerns children might face as they grow up in the digital age. The group found more than a third of Internet users are younger than 18, with 12- to 15-year-olds spending more than 20 hours a week online. Most of those children have no idea what their privacy rights are, despite all of them agreeing to terms and conditions before starting their social media accounts, Afia said. The task force, which included experts from the public and private sector, worked for a year and released its report Wednesday. * * * The group ran Instagram's terms and conditions through a readability study and found that it registered at a postgraduate reading level, Afia said. She was tasked with rewriting the company's terms and conditions "in plain English." It took her several hours, she said. "It was doable," Afia said. "But it was quite taxing and definitely time-consuming." The simplified terms of service fit on a single page. * * *

George Washington University Law School launches the Cybersecurity Law Initiative (Lawfare, Orin Kerr, 9 Jan 2017) - I'm pleased to announce the launch of the Cybersecurity Law Initiative, of which I am the director, at George Washington University Law School. For years, GW Law has had strong faculty expertise and curricular offerings in cybersecurity law. We decided to bring that together with a formal initiative that includes affiliated scholars from elsewhere in the university. In the near term, the initiative will include a lecture series that is open to the public on topics of cybersecurity law and technology. It likely will host conferences in the field as well. In the long term, we may end up expanding to include research papers or perhaps a more formal educational component (possibly making cybersecurity law one of the specialty fields offered in GW's LLM program). For more details - including information about full scholarships available to study cybersecurity law at GW - see the website for the initiative: www.law.gwu.edu/cybersecurity. I'll announce future events for the initiative on the home page and on my Twitter feed. If there's a particularly interesting event, I may also flag it here on the blog.

Lessons for legal: Inside the cybertheft faced by two large firms (American Lawyer, 10 Jan 2017) - The fact that three Chinese nationals profited off of insider-trading information illicitly obtained through the hacking of two U.S.-based law firms is one of few known certainties in yet another successful instance of law firm cyberattacks. While the indictment from U.S. Attorney Preet Bharara of the Southern District of New York did not name the law firms infiltrated, The American Lawyer noted that based on the details in the indictment of the breached firms' involvement in specific mergers and acquisitions (M&A) deals, it can be surmised that the firms are Cravath, Swaine & Moore and Weil, Gotshal & Manges. * * * In the case of the M&A hacks outlined in the indictment, once inside the law firms' servers, cyberattackers planted malware in the network, and extracted sensitive M&A data to their possession - sometimes in large tranches. The indictment notes, for example, that "more than 40 gigabytes of data" was taken from one law firm "over the course of at least eight days." Such theft was possible, Rasmussen explained, because it is not uncommon to see law firms unequipped to notice such large data transfer activity in their network. "Network monitoring is a mostly proactive security control that retains a lot of data and requires a large amount of human capital to digest, triage and analyze," he said, adding that this may be too much of a cost for legal to shoulder. "Many law firms still must consider the cost benefit of enlarging their internal resources to throw at a potential problem, instead of a known problem, as some firms feel they are not at risk. Current client needs often trump security needs," he added.
Supporting his point, Novitex and the Association of Legal Administrators (ALA) recently conducted a survey of over 800 law firms and legal administration professionals worldwide and found that reducing cybersecurity risk came in a distant fourth among top concerns behind increasing net profits, attracting new clients, and bolstering revenues. * * * "A law firm is not going to keep an advanced attacker from getting in the network," Abrenio added. "Therefore, the goal should be to limit what an attacker can do once they get inside the network."
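
The item above makes the defensive point that a 40-gigabyte transfer spread over eight days went unnoticed for want of network monitoring. The following is an added example, not code from the article or from any firm it names, showing how little is needed to surface that pattern from per-host flow summaries: each host is baselined on its own median daily egress to external addresses, and both single-day spikes and an eight-day rolling total are checked. The CSV layout, the hostnames (dms-01, mail-01, ws-117), the addresses (all from documentation ranges), the dates and the thresholds are constructed for the demonstration.

```python
"""Spotting large outbound transfers from per-host flow summaries.

Added example, not the article's or any law firm's own code. Input is a
constructed NetFlow-style daily summary: one line per flow with date,
source host, destination IP and bytes sent. Hosts are baselined on their
own median daily egress to external addresses; days exceeding a multiple
of that baseline, and rolling windows crossing an absolute total, are
reported.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import date, timedelta

GIB = 1024 ** 3
MIB = 1024 ** 2

# RFC 1918 ranges are treated as internal; anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_sample_log() -> str:
    """Constructed 21-day flow summary for three hypothetical hosts.

    'dms-01' normally sends ~150 MiB/day to a cloud backup address; on the
    last eight days it also sends 5 GiB/day to an unfamiliar address, about
    40 GiB in total. The other hosts stay flat.
    """
    lines = ["date,src_host,dst_ip,bytes"]
    start = date(2016, 3, 1)  # constructed date range
    for day in range(21):
        d = (start + timedelta(days=day)).isoformat()
        lines.append(f"{d},dms-01,203.0.113.10,{150 * MIB}")  # routine cloud backup
        lines.append(f"{d},dms-01,10.0.0.25,{20 * GIB}")       # internal sync, not egress
        lines.append(f"{d},mail-01,198.51.100.7,{400 * MIB}")
        lines.append(f"{d},ws-117,203.0.113.10,{30 * MIB}")
        if day >= 13:  # eight consecutive days of bulk transfer
            lines.append(f"{d},dms-01,192.0.2.44,{5 * GIB}")
    return "\n".join(lines)


def parse_flow_log(text: str) -> list:
    records = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        d, host, dst, nbytes = line.split(",")
        records.append({"date": date.fromisoformat(d), "host": host, "dst": dst, "bytes": int(nbytes)})
    return records


def daily_egress(records: list) -> dict:
    """Sum bytes per host per day, counting only flows to external addresses."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_external(r["dst"]):
            totals[r["host"]][r["date"]] += r["bytes"]
    return {h: dict(days) for h, days in totals.items()}


def baseline(days: dict) -> float:
    """Median daily egress: robust as long as anomalous days are a minority."""
    return statistics.median(list(days.values()))


def flag_spike_days(egress: dict, multiplier: float = 10.0) -> list:
    """Days where a host's egress exceeds `multiplier` times its own median."""
    alerts = []
    for host, days in egress.items():
        base = baseline(days)
        for d in sorted(days):
            if days[d] > multiplier * base:
                alerts.append((host, d, days[d], base))
    return alerts


def flag_window_totals(egress: dict, window_days: int = 8, threshold_bytes: int = 10 * GIB) -> list:
    """Hosts whose worst rolling `window_days` total crosses an absolute threshold.

    This catches slow, steady exfiltration that never produces one dramatic day.
    """
    alerts = []
    for host, days in egress.items():
        dates = sorted(days)
        worst, worst_start = 0, None
        for first in dates:
            last = first + timedelta(days=window_days - 1)
            total = sum(b for d, b in days.items() if first <= d <= last)
            if total > worst:
                worst, worst_start = total, first
        if worst > threshold_bytes:
            alerts.append((host, worst_start, worst))
    return alerts


def analyse(text: str) -> dict:
    egress = daily_egress(parse_flow_log(text))
    return {"spikes": flag_spike_days(egress), "windows": flag_window_totals(egress)}


if __name__ == "__main__":
    result = analyse(build_sample_log())
    for host, d, nbytes, base in result["spikes"]:
        print(f"SPIKE  {host} {d}: {nbytes / GIB:.1f} GiB (median {base / MIB:.0f} MiB/day)")
    for host, start, total in result["windows"]:
        print(f"WINDOW {host} from {start}: {total / GIB:.1f} GiB over 8 days")
```

The per-host median matters more than the multiplier: a firm-wide daily total would hide 5 GiB among ordinary traffic, while a host that normally sends 150 MiB a day stands out immediately. The rolling window is the complement, for a transfer throttled low enough to stay under any single-day rule.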

You've probably never heard of this creepy genealogy site. But it knows a lot about you. (WaPo, 12 Jan 2017) - Early Tuesday morning, Anna Brittain got a text from her sister: Did she know about Familytreenow.com? The relatively unknown site, which presents itself as a free genealogy resource, seemed to know an awful lot about her. "The site listed my 3- and 5-year-olds as 'possible associates,' " Brittain, a 30-year-old young-adult fiction writer in Birmingham, Ala., told The Washington Post on Tuesday. Her sister, a social worker who works at a child advocacy center, found the site while doing a regular Internet footprint checkup on herself. "Given the danger level of my sister's occupation," Brittain added, the depth of information available on the genealogy site "scared me to death." There are many "people search" sites and data brokers out there, like Spokeo, or Intelius, that also know a lot about you. This is not news, at least for the Internet-literate. And the information on FamilyTreeNow comes largely from the public records and other legally accessible sources that those other data brokers use. What makes FamilyTreeNow stand out on the creepy scale, though, is how easy the site makes it for anyone to access that information all at once, and free.

FBI withdrew national security letter after Cloudflare lawsuit (ZDnet, 12 Jan 2017) - Cloudflare received a national security letter (NSL) from the United States Federal Bureau of Investigation (FBI) back in February 2013, its transparency report for 2016 has shown, with the company only now able to report the event after being placed under a gag order. The FBI had been seeking the names, addresses, length of service, electronic communications transactional records, transaction and activity logs, and all email header information linked with a certain Cloudflare account, although not the content of those emails. Once served with the NSL, Cloudflare, with the help of the Electronic Frontier Foundation (EFF), filed a lawsuit under seal, successfully getting the FBI to rescind the NSL in July 2013 and withdraw its request for customer information. Consequently, no customer information was ever provided by Cloudflare under the NSL, but the company was required to fulfil the non-disclosure obligations that have now been lifted. "For nearly four years, Cloudflare has pursued its legal rights to be transparent about this request despite the threat of criminal liability. As explained above, the FBI recently removed that gag order, so we are now able to share the redacted text of NSL-12-358696," Cloudflare said in a blog post. The redacted NSL does not show whose account was requested by the FBI, or which FBI agent was involved in making the request.

New checklist from ABA Cybersecurity Legal Task Force aims to make vendor partnerships safer (ABA, 13 Jan 2017) - Imagine this: Your bar association is excited to partner with a new vendor. Its products or services are exactly what's needed to keep the bar's operations running smoothly or to help your members in their practice. The introduction is a big splash, everyone is happy … and then the vendor calls. There's been a data breach. It involves your data. And the truth is, it could just as easily be you having to make that difficult phone call because something on your end has put the vendor at risk. The ABA Cybersecurity Legal Task Force recently released its Vendor Contracting Project: Cybersecurity Checklist to help avoid this and other nightmare scenarios that could occur anytime you - or your members and/or their law firms - do business with an outside partner. Here are just a few of the questions that the checklist indicates are critically important when considering any such partnership: * * *

Ethics panel says ok for judge to tweet - within limits (Bob Ambrogi, 13 Jan 2017) - A judicial ethics panel of the Massachusetts court system has determined that a judge may ethically maintain a Twitter account, but only within certain boundaries, and that a judge must be particularly cautious about selecting accounts to follow on Twitter. The opinion from the Massachusetts Committee on Judicial Ethics does not identify the judge, but says that the judge maintains an active Twitter account and requested the committee's advice concerning the judge's continuing use of Twitter. I was able to find only one Massachusetts state judge who maintains an active Twitter account, Superior Court Judge Shannon Frison. Her Twitter activity matches some of that described by the committee, such as "posts intended to reveal the existence of racism and implicit bias in the courts." Judge Frison is president of the Massachusetts Black Judges Conference. The committee's opinion said that a judge's obligations with regard to Twitter are, broadly speaking, no different than they would be when using any form of social media, although different types of social media pose distinct issues. The committee has previously issued opinions approving judges' use of LinkedIn and Facebook, but as here, also within boundaries. * * *

Obama's cyber legacy: He did (almost) everything right and it still turned out wrong (NextGov, 17 Jan 2017) - The Obama administration made an unprecedented all-fronts effort to secure cyberspace. So, why are we less secure? For eight years, cyberspace proved the Obama administration's most unpredictable adversary, always twisting in new directions and delivering body blows where least expected. The administration took the cyber threat seriously from day one, launching reviews, promulgating policy, raising defenses and punishing cyberspace's most dangerous actors. That included imposing sanctions against Russia and North Korea and indicting government-linked hackers from China and Iran. But, in the end, cyberspace won. President Barack Obama will leave office this week following an election in which digital breaches ordered by Russian President Vladimir Putin helped undermine the losing candidate Hillary Clinton, sowed doubts about the winner Donald Trump's legitimacy and damaged faith in the nation's democratic institutions. When the history of the Obama administration's cyber policy is written, that fact will likely loom larger than anything else, numerous cyber experts and former officials told Nextgov, overshadowing years of hard work to prepare the government and the nation for an age of digital insecurity. It will also likely overshadow the dozens of instances in which Obama officials got the big cyber questions, more or less, right. "He set himself up with all the tools, but he blew this," said Paul Rosenzweig, a deputy assistant secretary at the Department of Homeland Security during the Bush administration. [ Polley : excellent summary.]

Does litigation database belong to law firm or clients? Suit against ex-partners raises the issue (ABA Journal, 19 Jan 2017) - A Boston law firm and six former partners are battling in court over rights to databases for the firm's asbestos and toxic tort cases. The Governo Law Firm and name partner David Governo contend in a lawsuit that the partners took proprietary databases that cost hundreds of thousands of dollars to build, report the Boston Globe and the Boston Business Journal. The former partners, who opened a firm called CMBG3 Law on Dec. 1, claim database information belongs to the firm's clients, who were billed for work associated with the databases. According to the Boston Globe, the suit is "being carefully watched by the city's legal community, which anticipates it may establish case law on the legal and ethical parameters for leaving a law firm in the digital age." In a Jan. 11 decision, Judge Kenneth Salinger of Boston Superior Court refused to issue an injunction for the return of database material. Salinger said both sides presented evidence on whether the database belongs to the firm or its clients, but he was unable to decide the issue on the current record.

Deutsche Bank to ban texts and messaging apps (InfoSecurity, 19 Jan 2017) - German banking giant Deutsche Bank is banning the use of any mobile phone-based messaging which can't be monitored by the lender, in a bid to improve compliance efforts. The new policy was communicated to employees in a memo last Friday, signed by chief operating officer Kim Hammonds and chief regulatory officer, Sylvie Matherat. "We fully understand that the deactivation will change your day-to-day work and we regret any inconvenience this may cause. However, this step is necessary to ensure Deutsche Bank continues to comply with regulatory and legal requirements," it noted, according to reports. The move will effectively ban the use of SMS messages and any third party apps including WhatsApp, Google Talk and Apple's iMessage. It will apparently apply not only to corporate-owned devices but also personal handsets used by staff in the workplace - although it's not clear how the latter will be enforced. The move comes in apparent response to Deutsche Bank's poor record on regulatory compliance, which has cost the lending giant close to $14 billion in fines since 2008, according to Bloomberg data. Some of these fines may have been levied in the past as a result of the bank's failure to produce accurate communications records when asked, it is believed.

Corporate legal counsel fret over cybersecurity (Dark Reading, 20 Jan 2017) - A majority of in-house legal counsels at US corporations view data breaches and cross-border data privacy regulations as among their biggest e-discovery related legal risks. BDO Consulting, a company that provides financial, business, and technology advisory services, recently surveyed over 100 senior legal executives at organizations ranging in size from $100 million to over $5 billion. Seventy-four percent, or nearly three in four of the respondents, pointed to data breaches as one of their top data-related risks, while 68% say the legal department in their organization was more engaged with cybersecurity compared to 12 months ago as a result of such concerns. "E-discovery systems collect, store and process highly sensitive information that is a potential goldmine for hackers," said Shahryar Shaghaghi, head of BDO International's cybersecurity and technology advisory Services practice in the report. "These systems and the data they contain require strong risk management oversight as well as proper cybersecurity defenses and protocols." In situations where third-party service providers manage the data for enterprises, more than one quarter of the survey respondents (27%) say they are unaware of the risk posed to their organization by third parties.

Hackers downloaded US government climate data and stored it on European servers as Trump was being inaugurated (Quartz, 21 Jan 2017) - As Donald Trump was sworn into office as the new president of the US on Jan. 20, a group of around 60 programmers and scientists were gathered in the Department of Information Studies building at the University of California-Los Angeles, harvesting government data. A spreadsheet detailed their targets: Webpages dedicated to the Department of Energy's solar power initiative, Energy Information Administration data sets that compared fossil fuels to renewable energy sources, and fuel cell research from the National Renewable Energy Laboratory, to name a few out of hundreds. Many of the programmers who showed up at UCLA for the event had day jobs as IT consultants or data managers at startups; others were undergrad computer science majors. The scientists in attendance, including ecologists, lab managers, and oceanographers, came from universities all over Southern California. A motley crew of data enthusiasts who assemble for projects like this is becoming something of a trend at universities across the country: Volunteer "data rescue" events in Toronto, Philadelphia, Chicago, Indianapolis, and Michigan over the last few weeks have managed to scrape hundreds of thousands of pages off of EPA.gov, NASA.gov, DOE.gov, and whitehouse.gov, uploading them to the Internet Archive. Another is planned for early February at New York University. Hackers, librarians, scientists, and archivists had been working around the clock, at these events and in the days between, to download as much federal climate and environment data off government websites as possible before Trump took office. But suddenly, at exactly noon on Friday as Trump was sworn in, and just as the UCLA event kicked off, some of their fears began to come true: The climate change-related pages on whitehouse.gov disappeared.
It's typical of incoming administrations to take down some of their predecessor's pages, but scrubbing all mentions of climate change is a clear indication of the Trump administration's position on climate science.

Three states propose DMCA-countering 'right to repair' laws (SlashDot, 23 Jan 2017) - Automakers are using the Digital Millennium Copyright Act to shut down tools used by car mechanics -- but three states are trying to stop them. An anonymous reader quotes iFixit.org: In 2014, Ford sued Autel for making a tool that diagnoses car trouble and tells you what part fixes it. Autel decrypted a list of Ford car parts, which wound up in their diagnostic tool. Ford claimed that the parts list was protected under copyright (even though data isn't creative work) -- and cracking the encryption violated the DMCA. The case is still making its way through the courts. But this much is clear: Ford didn't like Autel's competing tool, and they don't mind wielding the DMCA to shut the company down... Thankfully, voters are stepping up to protect American jobs. Just last week, at the behest of constituents, three states -- Nebraska, Minnesota, and New York -- introduced Right to Repair legislation (more states will follow). These 'Fair Repair' laws would require manufacturers to provide service information and sell repair parts to owners and independent repair shops. Activist groups like the EFF and Repair.org want to "ensure that repair people aren't marked as criminals under the DMCA," according to the site, arguing that we're heading towards a future with many more gadgets to fix. "But we'll have to fix copyright law first."

NIST issues two important publications (Ride the Lightning, 24 Jan 2017) - It is important to take a look at the National Institute of Standards and Technology (NIST) Special Publication 800-160, Systems Security Engineering (issued in November 2016), and its draft update to the Framework for Improving Critical Infrastructure Cybersecurity, issued January 10, 2017. Special Publication 800-160 is directed mostly at engineers, but the C-suite folks need to read it too. One of the main goals of the publication is to push for building security into Internet of Things devices the way that safety features are built into automobiles. NIST is also trying to spur the public and private sectors to address immediately the proliferation of new risks associated with IoT. In addition, NIST 800-160 seems to be a response to the Federal Trade Commission's recent statements on whether complying with NIST standards demonstrates "reasonable security." NIST 800-160 expressly provides a framework for how an organization may show "adequate security," which focuses on the adequacy of the procedures and documentation used to arrive at the ultimate cybersecurity decisions. It focuses heavily on the documentation of "better security practices" as opposed to "perfect security practices." The draft update to the Framework for Improving Critical Infrastructure Cybersecurity provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. The updated framework aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks.

Lawsuit challenging PACER fees certified as class action (Bob Ambrogi, 25 Jan 2017) - A federal lawsuit challenging as excessive the fees charged by PACER, the federal courts' electronic records system, has been certified as a class action. Yesterday, U.S. District Judge Ellen Segal Huvelle in the District of Columbia approved the class of "[a]ll individuals and entities who have paid fees for the use of PACER within the past six years, excluding class counsel and agencies of the federal government." The lawsuit, National Veterans Legal Services Program v. U.S., claims that PACER's fee schedule is higher than necessary to cover the costs of operating PACER and therefore violates the E-Government Act of 2002, which allows the federal judiciary to charge fees for PACER that are reasonable and "only to the extent necessary." Plaintiffs assert that the judiciary is charging far more than necessary in PACER fees, and that the fees it collects are going to purposes other than PACER, such as courtroom technology, websites for jurors, and bankruptcy notification systems. Judge Huvelle found that the lawsuit meets the requirements for class certification under the Federal Rules of Civil Procedure. In December, Judge Huvelle denied the government's motion to dismiss the suit. Judge Huvelle's memorandum granting class certification is below. (If you have trouble with the PDF viewer, here is a direct link to the PDF.)

RESOURCES

When the mother of invention is a machine, who gets credit? (Singularity Hub, 3 Nov 2016) - What do the Oral-B CrossAction toothbrush, about a thousand musical compositions and even a few recent food recipes all have in common? They were invented by computers, but you won't find a nonhuman credited with any of these creations on U.S. patents. One patent attorney would like to see that changed. Ryan Abbott is petitioning to address what he sees as more than a quirk in current laws but a fundamental flaw in policy that could have wide-ranging implications in areas of patent jurisprudence, economics and beyond if his proposals are adopted. "I argue that we ought to acknowledge a computer as an inventor because it would incentivize the development of creative computers and result in more innovations for society," says Abbott, a professor of law and health sciences at the University of Surrey's School of Law and adjunct assistant professor of medicine at the David Geffen School of Medicine at UCLA. He is also a licensed and board certified physician and registered patent attorney with the U.S. Patent and Trademark Office (USPTO). In a paper recently published in the Boston College Law Review, Abbott offers a framework for revamping how the USPTO approaches nonhuman inventors. The current regulations are outdated and don't recognize that computers are already producing patentable inventions, Abbott says in an interview with Singularity Hub. Abbott notes in the paper, "I Think, Therefore I Invent: Creative Computers and the Future of Patent Law," that early versions of AI, dating back to the 1990s, were independently creating all sorts of things, such as new super-strong materials and devices that search the internet for messages from terrorists. * * * Abbott's solution is to assign patents to the computer's owner, which generally refers to software ownership. He sees other options - such as the developer or user of the AI - as more problematic.
For instance, allowing a computer's user to own a patent might compel owners to tighten restrictions or access to their software. * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Where real money meets virtual reality, the jury is still out (Washington Post, 26 Dec 2006) -- Veronica Brown is a hot fashion designer, making a living off the virtual lingerie and formalwear she sells inside the online fantasy world Second Life. She expects to have earned about $60,000 this year from people who buy her digital garments to outfit their animated self-images in this fast-growing virtual community. But Brown got an unnerving reminder last month of how tenuous her livelihood is when a rogue software program that copies animated objects appeared in Second Life. Scared that their handiwork could be cloned and sold by others, Brown and her fellow shopkeepers launched a general strike and briefly closed the electronic storefronts where they peddle digital furniture, automobiles, hairdos and other virtual wares. As virtual worlds proliferate across the Web, software designers and lawyers are straining to define property rights in this emerging digital realm. The debate over these rights extends far beyond the early computer games that pioneered virtual reality into the new frontiers of commerce. "Courts are trying to figure out how to apply laws from real life, which we've grown accustomed to, to the new world," said Greg Lastowka, a professor at Rutgers School of Law at Camden in New Jersey. "The law is struggling to keep up." U.S. courts have heard several cases involving virtual-world property rights but have yet to set a clear precedent clarifying whether people own the electronic goods they make, buy or accumulate in Second Life and other online landscapes. Also unclear is whether people have any claim when their real-life property is depicted online, for instance in Microsoft's new three-dimensional renderings of actual real estate. The debate is assuming greater urgency as commerce gains pace in virtual reality.

Sweden to set up embassy in Second Life (The Local, 26 Jan 2007) -- Sweden is to become the first country to establish diplomatic representation in the virtual reality world of Second Life, officials said on Friday. "We are planning to establish a Swedish embassy in Second Life primarily as an information portal for Sweden," Swedish Institute (SI) director Olle Wästberg told AFP. The embassy would not provide passports or visas but would instruct visitors how to obtain such documents in the real world and act as a link to web-based information about the Scandinavian country. "Second Life allows us to inform people about Sweden and broaden the opportunity for contact with Sweden easily and cheaply," Wästberg said. The Swedish Institute is an agency of the Swedish foreign ministry tasked with informing the world about Sweden. The ministry fully backed the initiative, he added.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.