Saturday, May 13, 2017

MIRLN --- 23 April - 13 May 2017 (v20.07)

MIRLN --- 23 April - 13 May 2017 (v20.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | RESOURCES | LOOKING BACK | NOTES

The emerging need for cybersecurity diligence in M&A (Skadden, 19 April 2017) - Cybercrime has emerged as one of the foremost threats a company faces. As a result of a few keystrokes, a company may find its customers' data sold on the dark web, its intellectual property in the hands of a competitor or its operations paralyzed by ransomware. It should come as little surprise, then, that cybersecurity has become a key risk factor in mergers and acquisitions. A 2016 survey by West Monroe Partners and Mergermarket found that 77 percent of top-level corporate executives and private equity partners reported that the importance of cybersecurity at M&A targets had increased significantly in recent years. Given this trend, executives and directors contemplating acquisitions should consider the following cyber-related issues when conducting due diligence. * * * [Polley: The ABA's Business Law Section is about to publish "A Guide to Cybersecurity Due Diligence in M&A Transactions" (240pp); Skadden's Stuart Levi is one of the contributing authors.]

Torching the modern-day library of Alexandria; "Somewhere at Google there is a database containing 25 million books and nobody is allowed to read them." (The Atlantic, 20 April 2017) - You were going to get one-click access to the full text of nearly every book that's ever been published. Books still in print you'd have to pay for, but everything else-a collection slated to grow larger than the holdings at the Library of Congress, Harvard, the University of Michigan, at any of the great national libraries of Europe-would have been available for free at terminals that were going to be placed in every local library that wanted one. At the terminal you were going to be able to search tens of millions of books and read every page of any book you found. You'd be able to highlight passages and make annotations and share them; for the first time, you'd be able to pinpoint an idea somewhere inside the vastness of the printed record, and send somebody straight to it with a link. Books would become as instantly available, searchable, copy-pasteable-as alive in the digital world-as web pages. It was to be the realization of a long-held dream. "The universal library has been talked about for millennia," Richard Ovenden, the head of Oxford's Bodleian Libraries, has said. "It was possible to think in the Renaissance that you might be able to amass the whole of published knowledge in a single room or a single institution." In the spring of 2011, it seemed we'd amassed it in a terminal small enough to fit on a desk. "This is a watershed event and can serve as a catalyst for the reinvention of education, research, and intellectual life," one eager observer wrote at the time. On March 22 of that year, however, the legal agreement that would have unlocked a century's worth of books and peppered the country with access terminals to a universal library was rejected under Rule 23(e)(2) of the Federal Rules of Civil Procedure by the U.S. District Court for the Southern District of New York. When the library at Alexandria burned it was said to be an "international catastrophe." When the most significant humanities project of our time was dismantled in court, the scholars, archivists, and librarians who'd had a hand in its undoing breathed a sigh of relief, for they believed, at the time, that they had narrowly averted disaster. * * * [Polley: fairly long piece; interesting, fun to read, and well-written.]

FBI allays some critics with first use of new mass-hacking warrant (ArsTechnica, 24 April 2017) - Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the "Internet of Things" so that bad guys can't corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar "Brickerbot malware," so-named because it bricks IoT devices. And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos. On April 5, Deborah M. Smith, chief magistrate judge of the US District Court in Alaska, greenlighted this first use of a controversial court order. Critics have since likened it to a license for mass hacking. The FBI sought the 30-day warrant to liberate victims through a new procedural rule change that took effect in December amid worries among privacy advocates that the update would open a new door for government abuse. But the first use of the amendments to Rule 41 of the Federal Rules of Criminal Procedure has assuaged fears, at least for the moment, because the feds used their power to kill a botnet. The Electronic Frontier Foundation, for example, commended the feds for asking a judge to review exactly what data the FBI would and would not touch in victimized devices, which were located across the country. It was a "positive step" toward accountability and transparency in FBI computer break-ins, EFF staff attorney Andrew Crocker said. This wasn't the first time the government has gained permission from a federal court to jump in and clean infected computers worldwide. To dismantle Gameover Zeus, once considered the most damaging botnet, the US obtained civil and criminal court orders in federal court in Pittsburgh "authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers," as well as "to collect dialing, routing, addressing and signaling ("DRAS") information from the infected computers," Justice Department officials said at the time in 2014.

Analyzing cyber insurance policies (Bruce Schneier, 26 April 2017) - There's a really interesting new paper [from the RAND Corporation] analyzing over 100 different cyber insurance policies. From the abstract: In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant's security posture; and the rate schedules which define the algorithms used to compute premiums. Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, the security posture of third-party service and supply chain providers is notoriously difficult to assess properly (despite numerous breaches occurring from such compromise). In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm's asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.

- and -

Victimized by ransomware, law firm sues insurer for $700K in lost billings (ABA Journal, 2 May 2017) - A Rhode Island law firm has filed a lawsuit against its insurer over coverage for a ransomware attack that locked down the firm's computer files for three months. Moses Afonso Ryan, a 10-lawyer law firm in Providence, says it paid $25,000 in ransom, but the amount is far less than its lost billings, the Providence Journal reports. A review of records for the same three months last year shows the firm had more than $700,000 in billings during the time period, according to the suit. The suit (PDF) was originally filed in state court and removed to federal court. It claims that Sentinel Insurance Co. is responsible for the loss under policy coverage for lost income. In its answer (PDF) to the complaint, Sentinel denies an unjustified refusal to provide coverage under the law firm's business owner's policy. The policy form "speaks for itself," the answer says. Sentinel says it has paid the law firm the policy maximum of $20,000 for losses caused by computer viruses, which are covered under a computers and media endorsement. The insurer says it has no legal obligation to cover other ransomware losses. The policy coverage for lost business income applies only when there is physical loss or damage to property at the business premises, according to Sentinel.

'Need to know' security: New standard of care, new competitive advantage (InsideCounsel, 27 April 2017) - The Association of Corporate Counsel (ACC) recently released their "Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information," which specify baseline security measures that legal departments may require of outside counsel and set expectations with respect to their data security practices. This comes just as the New York State Department of Financial Services (NYS DFS) cybersecurity requirements went into effect on March 1 this year. Law firms need to pay attention to both developments. The ACC guidelines will set client expectations of law firms while the DFS regulations mandate requirements for financial institutions operating in New York which extend to their service providers, including law firms. Most of the world's notable brands have a presence in New York, so it's hard to imagine many firms not being subject to compliance. Together, the ACC recommendations and the NYS DFS regulations create an impactful story for the legal services industry: They establish an effective standard of care with regard to the handling of client data. When it comes to the protection of client data by law firms, we are already seeing the definitions of this standard being tested in the class action suit against Chicago law firm Johnson & Bell. Many of the information protection security controls proposed by the ACC and contained within the NYS DFS cybersecurity regulation already are considered best practices for both physical and electronic assets. Many already may be in place at most law firms. However, much remains to implement. Firms located in some regions have not traditionally been as concerned about physical access inside their offices; they will need to adjust, taking steps such as securing certain areas. Most firms provide remote desktop access, yet many still have not implemented two-factor authentication; they will need to do so. However, the most significant change-and one which will require most firms to take immediate action-impacts the standard of care for protecting non-public, electronic information. In short, the old standard of care that allowed firms to operate 'optimistic' or open environments inside their firewall is dead. The former standard which consisted of locking-down a firm's perimeter via a firewall and allowing anyone inside the firewall (i.e. everyone working at the firm) full access to non-public client information is no longer acceptable. The new standard, clearly established by both the ACC guidelines and the NYS DFS regulations, is 'need-to-know' access.

Data breach lawsuit survives motion to dismiss (Bracewell, 28 April 2017) - In an April 13, 2017 decision in Walters v. Kimpton Hotel, a California federal judge rejected the bid of hotel chain Kimpton Hotel and Restaurant Group, LLC to dismiss a proposed class action arising from a data breach last year. Judge Vince Chhabria found that the named plaintiff sufficiently alleged imminent harm to establish standing notwithstanding the absence of allegations that his personal information had been misused. * * * Judge Chhabria found that a plaintiff does not need to "actually suffer the misuse of his data or an unauthorized charge before he has an injury for standing purposes," and that Walters' allegations of imminent harm were sufficient to confer standing to survive Kimpton's motion to dismiss. Judge Chhabria adopted the standing approach applied by the Sixth and Seventh Circuits in Galaria v. Nationwide Mut. Ins. Co. and Lewert v. P.F. Chang's China Bistro. In Galaria, the Sixth Circuit held that allegations of a continuing, increased risk of fraud and identity theft were more than just speculative allegations of injury, emphasizing that there is "no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals." Similarly, in P.F. Chang's, the Seventh Circuit explained that "it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers' identities." Additionally, Walters' allegations of purchasing credit-monitoring services and other out-of-pocket expenses were actual damages sufficient to allow claims of breach of implied contract, negligence, and a violation of California's unfair competition law to survive. The breach of implied contract claim was based on allegations that Kimpton's privacy policy, which states that the company is committed to protecting customer personal data, created an enforceable promise to customers in that it was a voluntary duty and constituted valid consideration.

New tools allow voice patterns to be cloned to produce realistic but fake sounds of anyone saying anything (TechDirt, 2 May 2017) - Fake images, often produced using sophisticated software like Photoshop or the GIMP, were around long before so-called "fake news" became an issue. They are part and parcel of the Internet's fast-moving creative culture, and a trap for anyone that passes on striking images without checking their provenance or plausibility. Until now, this kind of artful manipulation has been limited to the visual sphere. But a new generation of tools will soon allow entire voice patterns to be cloned from relatively small samples with increasing fidelity such that it can be hard to spot they are fake. For example, in November last year, the Verge wrote about Adobe's Project VoCo: "When recording voiceovers, dialog, and narration, people would often like to change or insert a word or a few words due to either a mistake they made or simply because they would like to change part of the narrative," reads an official Adobe statement. "We have developed a technology called Project VoCo in which you can simply type in the word or words that you would like to change or insert into the voiceover. The algorithm does the rest and makes it sound like the original speaker said those words." Since then, things have moved on apace. Last week, the Economist wrote about the French company CandyVoice: Utter 160 or so French or English phrases into a phone app developed by CandyVoice, a new Parisian company, and the app's software will reassemble tiny slices of those sounds to enunciate, in a plausible simulacrum of your own dulcet tones, whatever typed words it is subsequently fed. In effect, the app has cloned your voice. The Montreal company Lyrebird has a page full of fascinating demos of its own voice cloning technology, which requires even less in the way of samples. * * *

Court upholds enforceability of open source licenses (O'Melveny & Myers, 3 May 2017) - The District Court for the Northern District of California recently issued an opinion that is being hailed as a victory for open source software. In this case, the court denied a motion to dismiss a lawsuit alleging violation of an open source software license, paving the way for further action enforcing the conditions of the GNU General Public License ("GPL"). * * * Hancom moved to dismiss Artifex's complaint on several grounds. The District Court denied Hancom's motion to dismiss on each ground. A few aspects of the decision are of particular interest to the open source community. For example, Hancom argued that Artifex could not plead breach of contract for violation of GPL and could not request specific performance of the terms of GPL. Hancom also argued that copyright damages were not available because the GPL grants royalty-free rights. As part of its motion to dismiss, Hancom argued that using open source code offered under open source licensing terms does not form a contract. Whether open source licenses can be contracts in addition to conditional licenses has been an unsettled area of law. In the seminal case on enforcement of open source licenses in the United States, Jacobsen v. Katzer, the Federal Circuit Court of Appeals held that open source violations could be brought as copyright claims, but did not foreclose the possibility of bringing contract claims as well. In Artifex, the District Court ruled that Artifex's breach of contract claim could proceed, finding that the GPL, by its express terms, requires that third parties agree to the GPL's obligations if they distribute the open-source-licensed software. * * * Here, in denying a motion to dismiss, the District Court only holds that the claims may proceed on the theories enunciated by Artifex, not necessarily that they will ultimately succeed. Still, the case represents a significant step forward for open source plaintiffs. Many open source compliance claims have been brought as copyright infringement claims, and Jacobsen affirmed this approach. Generally, copyright claims may afford plaintiffs more damages and stronger remedies than contract claims. However, contract claims may help a plaintiff pursue a violator's worldwide conduct in a way that jurisdictional limits on copyright claims might not allow. Breach of contract claims may also be able to address reputational harm and other indirect non-economic benefits that a plaintiff might derive from enforcing open source license conditions. A breach of contract claim might also, in certain instances, allow for specific performance of open source obligations.

Hundreds of privacy-invading apps are using ultrasonic sounds to track you (ZDnet, 3 May 2017) - A new privacy-busting technique that tracks consumers through the use of ultrasonic tones may have once sounded like the stuff of science fiction novels, but today it's reality. These near-silent tones can't be picked up by the human ear, but there are apps in your phone that are always listening for them. This technology is called ultrasonic cross-device tracking, and it works by emitting high-frequency tones in advertisements and billboards, web pages, and across brick-and-mortar retail outlets or sports stadiums. Apps with access to your phone's microphone can pick up these tones and build up a profile about what you've seen, where, and in some cases even the websites you've visited. In the past year, researchers found 234 Android apps that include the ability to listen for ultrasonic tones "without the user's knowledge," one paper said. The researchers note that some apps use the beacons to display location-specific advertising content on users' phones, like tickets and vouchers for festivals. Several stores in two unnamed European cities have already installed these ultrasonic beacons. Worst of all, the researchers say that this ultrasonic tracking technology can de-anonymize users of bitcoin, which is designed to be used without the need for a name. A similar technique can be used for those who are browsing the web using the Tor anonymity network, which prevents eavesdroppers from monitoring your web traffic and browsing history.
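The listening side of the technique, as an added example that is not from the ZDNet piece or the research it cites: an app that wants to pick up beacons does not need a full spectrum analysis of every buffer; it can run a Goertzel filter for a handful of candidate carrier frequencies and compare each one against empty neighbouring bins in the same band. Everything specific here is constructed for the example: the 44.1 kHz sample rate, the three beacon carriers at 18, 18.5 and 19.5 kHz, the 20 dB detection margin, and the synthetic "capture" of speech-band tones plus a faint beacon plus noise.

```python
import math
import random

SAMPLE_RATE = 44_100  # Hz; assumed capture rate (Nyquist limit 22.05 kHz)
# Assumed beacon carriers: inaudible to most adults, well inside a phone mic's range.
BEACON_FREQS = {"beacon_a": 18_000.0, "beacon_b": 18_500.0, "beacon_c": 19_500.0}
# Empty "guard" bins in the same band (17-20 kHz, 250 Hz apart, clear of any carrier)
# give the noise reference that the beacon bins are compared against.
GUARD_FREQS = [17_000.0 + 250.0 * i for i in range(13)
               if min(abs(17_000.0 + 250.0 * i - f) for f in BEACON_FREQS.values()) > 100.0]
THRESHOLD_DB = 20.0  # a beacon bin must beat the median guard bin by this margin


def goertzel_power(samples, freq, sample_rate=SAMPLE_RATE):
    """Power |X(k)|^2 at the DFT bin nearest `freq`, via the Goertzel recurrence.

    O(n) per frequency, so continuously scanning a few carriers costs far less
    than an FFT of every buffer, which is why beacon SDKs can afford to listen
    all the time."""
    n = len(samples)
    k = round(n * freq / sample_rate)            # nearest bin index
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0                                # s[i-1], s[i-2]
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_beacons(samples, sample_rate=SAMPLE_RATE, threshold_db=THRESHOLD_DB):
    """Names of the beacon carriers present in `samples`.

    The reference level is the median power of the guard bins, so a loud room
    raises the bar instead of producing false positives; the small floor keeps
    log10 defined on a buffer of pure silence."""
    guard = sorted(goertzel_power(samples, f, sample_rate) for f in GUARD_FREQS)
    reference = max(guard[len(guard) // 2], 1e-12)
    found = []
    for name, freq in sorted(BEACON_FREQS.items()):
        power = goertzel_power(samples, freq, sample_rate)
        if 10.0 * math.log10(max(power, 1e-12) / reference) >= threshold_db:
            found.append(name)
    return found


def make_sample_capture(beacons=("beacon_a",), seconds=0.1, seed=1):
    """Constructed 100 ms 'microphone' buffer: three speech-band tones, a beacon
    about 24 dB quieter for each name in `beacons`, and a little Gaussian noise.
    All tone frequencies fall on exact 10 Hz bins for a 4410-sample buffer, so
    the audible content does not leak into the ultrasonic bins."""
    rng = random.Random(seed)
    n = int(SAMPLE_RATE * seconds)
    audible = [(440.0, 0.3), (1_000.0, 0.3), (3_000.0, 0.2)]
    carriers = [(BEACON_FREQS[b], 0.02) for b in beacons]
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = sum(a * math.sin(2.0 * math.pi * f * t) for f, a in audible + carriers)
        out.append(x + rng.gauss(0.0, 0.005))
    return out


if __name__ == "__main__":
    print(detect_beacons(make_sample_capture()))              # ['beacon_a']
    print(detect_beacons(make_sample_capture(beacons=())))    # []
```

Run against real audio, the same loop would read 100 ms PCM frames from the microphone and call `detect_beacons` on each; the margin in decibels, not absolute power, is what makes the check survive changes in microphone gain and room volume.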

How hackers get past the defenses of large law firms (Ride The Lightning, 3 May 2017) - Law 360 (sub.req.) published an article about how cybercriminals get past the defenses of large law firms. One point of reference was to the scheming of Oleras, a cybercriminal seeking help in the Dark Web to hack into some of the biggest American law firms - in return for major monies. His vision was a scheme to spear-phish high-powered lawyers. A group Oleras was working with suggested the bait would be a phishing e-mail with a purported award announcement from a well-known British publication called Business Worldwide, and it would say that the lawyer was being honored for deal making achievements. High-powered lawyers are not known for modest egos - and that was their edge. To figure out who to phish, they looked at the social media accounts and online profiles of lawyers at the targeted firms, searching for those who seemed to list every award and honor. We can't know how the scheme fared, but Oleras pronounced himself happy with the results in online postings. The article talks about the Legal Services Information Sharing and Analysis Organization (LS-ISAO), which now has more than 100 law firm members, many of them large firms. It likens itself to a "Neighborhood Watch" - the motto being "If you see something, say something." We've certainly heard that line before. This 16-page article, full of real-life stories and helpful tips, should be mandatory reading for lawyers. If you can't think like the enemy, you can't effectively fight the enemy.

- and -

Hackers face $8.9 million fine for law firm breaches (Dark Reading, 9 May 2017) - Three Chinese stock traders were ordered to pay $8.9 million in fines and penalties for hacking into two law firms and stealing information on upcoming mergers and acquisitions and then leveraging the information to trade stocks. A federal court in New York ordered Iat Hong, Bo Zheng, and Hung Chin to pay fines, as well as Hong's mother Sou Cheng Lai who held a bank account where the proceeds from the stock sales were kept, according to a copy of the judgment posted by SC Media. The three hackers installed malware on the law firms' computer networks, enabling them to view emails on mergers and acquisitions in which the firms were involved. With the information, the attackers purchased stock in at least three public companies prior to their merger announcements, according to the Securities and Exchange Commission (SEC), which filed the lawsuit against the hackers. The hackers shelled out roughly $7.5 million within a month's time to buy shares in Altera prior to its 2015 acquisition by Intel. The defendants also snapped up shares in Borderfree before its 2015 buyout by Pitney Bowes, and also acquired shares in InterMune before its 2014 merger deal with Roche, according to the SEC. With these transactions, the trio racked up nearly $3 million in illegal profits, the SEC stated.

ABA expresses concern about border searches of lawyer laptops and other electronic devices (ABA Journal, 5 May 2017) - ABA President Linda Klein is expressing serious concern about standards that permit searches of lawyer laptops and other electronic devices at the border in the absence of reasonable suspicion. In a May 5 letter (PDF) to the Department of Homeland Security, Klein seeks policies and procedures to ensure the confidentiality of privileged or confidential client material on the devices. A summary is here. The letter says the ABA supports the critical role played by customs and immigration officers in protecting national security. "But just as border security is fundamental to national security," Klein writes, "so too is the principle of client confidentiality fundamental to the American legal system." The letter urges DHS to clarify directives governing border searches of electronic devices by U.S. Customs and Border Protection and by Immigration and Customs Enforcement. Current policies do call for special handling of privileged and confidential legal materials in border searches, but the ABA is concerned that the provisions are not sufficiently clear or comprehensive, Klein writes. Klein says the directives should state that privileged or confidential client information on lawyers' electronic devices should not be read, duplicated, seized or shared absent a subpoena based on reasonable suspicion or a warrant supported by probable cause. [see also ACLU says demanding US citizens unlock phones at the border is unconstitutional (The Verge, 4 May 2017)]

Taser/Axon separating defense lawyers from body camera footage with license agreements (TechDirt, 8 May 2017) - Taser Inc.'s quiet takeover of evidence generation and storage -- through extensive body camera offerings -- was put on public display when the company rebranded as Axon. The company was willing to give away cameras in exchange for something far more lucrative: software licensing and footage access fees in perpetuity. Axon even nailed down a choice URL: Evidence.com. This is the portal to law enforcement body camera footage stored in Axon's cloud -- the real moneymaker for Axon. The cameras are just the gateway drug. But much of what's stored at Evidence.com could be considered public records. Much of what's stored there could also be subject to discovery by defense attorneys during criminal proceedings. But no one asked defense attorneys if this arrangement worked for them. It was enough that it worked for cops. Defense attorney Rick Horowitz has a problem with contractual agreements he's being asked to sign when attempting to gain access to records regarding his client. Instead of handing out files, prosecutors are handing out URLs. To obtain the records he needs, Horowitz is forced to use Axon's portal… and sign agreements with Axon before he's allowed to access anything: * * *

Vendors approve of NIST password draft (CSO Online, 9 May 2017) - A recently released draft of the National Institute of Standards and Technology's (NIST's) digital identity guidelines has met with approval by vendors. The draft guidelines revise password security recommendations and alter many of the standards and best practices security professionals use when forming policies for their companies. The new framework recommends, among other things, [to] remove periodic password change requirements. There have been multiple studies that have shown requiring frequent password changes to actually be counterproductive to good password security, said Mike Wilson, founder of PasswordPing. NIST said this guideline was suggested because passwords should be changed when a user wants to change it or if there is indication of breach. * * *
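The shift the article describes, as an added example that is not from the CSO piece, from NIST or from PasswordPing: a legacy verifier policy (composition rules, 8 to 16 characters, forced change every 90 days) beside one that follows the SP 800-63B draft, which requires at least 8 characters, accepts long passphrases, imposes no composition rules, rejects values found on a blocklist of compromised or commonly used passwords or containing context-specific words such as the username or service name, and forces a change only at the user's request or on evidence of compromise. The 16-character legacy cap and 90-day age, the blocklist contents, the 256-character ceiling and the compromise event labels are all constructed for the example.

```python
import unicodedata

# Constructed stand-in for a breached/common-password corpus (stored casefolded).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty123", "letmein", "summer2017"}
MIN_LEN = 8              # 800-63B: at least 8 characters
MAX_LEN = 256            # 800-63B: accept at least 64; 256 is an assumed cap
LEGACY_MAX_LEN = 16      # assumed: typical legacy cap that blocks passphrases
LEGACY_MAX_AGE_DAYS = 90 # assumed: typical legacy expiry


def legacy_accepts(pw):
    """Legacy composition policy: 8-16 characters with an upper-case letter, a
    lower-case letter, a digit and a symbol. 'P@ssw0rd' sails through; a
    28-character passphrase is refused for being too long and having no digit."""
    if not MIN_LEN <= len(pw) <= LEGACY_MAX_LEN:
        return False
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def nist_check(pw, username="", service="", blocklist=BLOCKLIST):
    """800-63B-style acceptance check. Returns (accepted, reason).

    NFKC normalisation before counting and comparing stops full-width or
    composed variants of a blocklisted word from slipping past the list;
    casefolding makes the blocklist lookup case-insensitive."""
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(norm) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    key = norm.casefold()
    if key in blocklist:
        return False, "appears on the compromised/common-password blocklist"
    for ctx in (username, service):
        if ctx and ctx.casefold() in key:
            return False, f"contains context-specific word {ctx!r}"
    return True, "accepted"  # no composition rules and no expiry clock started


def change_required(policy, age_days, compromise_events=(), user_requested=False):
    """Whether the verifier should force a new password under `policy`
    ('legacy' or 'nist'). Both react to a user request or to compromise
    evidence; only the legacy policy reacts to age alone. `compromise_events`
    are constructed labels such as 'breach_corpus_match' that a breach feed or
    the verifier's own credential-stuffing detection might emit."""
    if user_requested:
        return True, "user requested a change"
    if compromise_events:
        return True, "compromise indicated: " + ", ".join(compromise_events)
    if policy == "legacy" and age_days >= LEGACY_MAX_AGE_DAYS:
        return True, f"older than {LEGACY_MAX_AGE_DAYS} days"
    return False, "no change needed"


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "ｐａｓｓｗｏｒｄ"):
        print(f"{pw!r}: legacy={legacy_accepts(pw)} nist={nist_check(pw)}")
    print(change_required("legacy", age_days=132))
    print(change_required("nist", age_days=132))
    print(change_required("nist", age_days=132, compromise_events=["breach_corpus_match"]))
```

The two policies disagree in both directions: the legacy rules accept 'P@ssw0rd', which every breach corpus contains, and reject a long passphrase, while the 800-63B rules do the opposite; and a 132-day-old password is a reason to rotate only under the legacy policy, whereas a blocklist hit or a credential-stuffing alert triggers rotation under either.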

RESOURCES

"Securing Communication of Protected Client Information" (ABA Formal Opinion 477, 11 May 2017) - A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. [Polley: Thorough and interesting (cites the ABA Cybersecurity Handbook; a second edition of the Handbook will be published this summer). However, this opinion falls into the trap of making assumptions/recommendations based on current technology, and thus risks obsolescence - e.g., it suggests changing passwords periodically, which has been called into question by experts - see the NIST story immediately above.]

LOOKING BACK - MIRLN TEN YEARS AGO.

(note: link-rot has affected about 50% of these original URLs)

German police barred from secretly searching computers over Internet (SiliconValley.com, 5 Feb 2007) -- Police cannot secretly search suspects' computer hard drives over the Internet, a German court ruled Monday. The decision of the Federal Court of Justice in Karlsruhe bars police from using software to search through remote hard drives unless parliament passes a law explicitly allowing the technique. Police, however, still will be allowed to seize evidence from PCs when conducting searches in person. Arguing that stealth searches were indispensable to investigating criminals and terrorists, Interior Minister Wolfgang Schaeuble, the country's top security official responsible for police, called on the government to seek swift changes in the law. "It is indispensable for criminal investigators to be able to carry out online searches secretly and with a corresponding order from a judge," he said in a statement. The decision came in response to a request by the Federal Prosecutor's Office, which had sought to use Trojan horse programs to investigate a possible terrorist group. Prosecutors argued the legal reasoning used to allow telephone surveillance and other electronic eavesdropping techniques should be applicable to gathering evidence over the Internet.

SEC publishes rule requiring internet posting of proxy materials (Duane Morris client alert, 28 August 2007) - The SEC recently published final regulations on Shareholder Choice Regarding Proxy Materials. The amendments to the proxy rules under the Securities Exchange Act of 1934 ("Amendments") require issuers and other soliciting persons to post proxy materials on a publicly accessible Internet web site and to provide notice to shareholders of the availability of those materials. Issuers and other soliciting persons must follow a notice and access model, which allows two options to issuers to provide proxy materials to shareholders: (1) the "notice only" option and (2) the "full set delivery" paper option. If the issuer chooses to post its proxy materials on the Internet web site, under the "notice only" option, shareholders may elect to receive these proxy materials in paper copy format.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd, http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, April 22, 2017

MIRLN --- 2-22 April 2017 (v20.06)

MIRLN --- 2-22 April 2017 (v20.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

UK barrister fined after 'confidential' information leaked in home computer update (LegalTechNews, 27 March 2017) - A recent decision and fine against a barrister by the U.K.'s Information Commissioner regarding confidential information provides some important lessons for both U.S. and U.K. attorneys. The confidential information belonged to as many as 250 individuals, "including vulnerable adults and children," and was "uploaded to the internet when the barrister's husband updated software on the couple's home computer," according to a statement from the Information Commissioner's Office (ICO), which is the data protection authority in the U.K. The lawyer, described as a "senior barrister" who specializes in family law, was fined £1,000 by the ICO. In addition, Kim Roberts, counsel at King & Spalding's U.K. office, said the ICO's action shows the office "will intervene to fine organizations and individuals and will exemplify cases where careless practices fail to protect personal data, particularly where that data is sensitive in nature." It is noteworthy, too, that the lawyer was self-employed. "Even as in this case, where the lawyer was a self-employed barrister rather than working in a corporate environment, he or she must follow practices which protect the personal data of clients in carrying out their work," Roberts cautioned. "In this case, insufficient care was taken when using a home computer which failed to protect the data concerned. The barrister, although self-employed, was subject to the guidelines that had been set down by the governing professional body and which were not fully followed." [ Polley : Odd reporting; it seems that the lawyer's spouse updated software on the lawyer's computer, which caused the compromise.]

First Amendment institute sues government over records related to border device searches (TechDirt, 31 March 2017) - Columbia University's Knight First Amendment Institute wants to know why device searches at the border have skyrocketed since the beginning of this year. As was reported earlier this month, the number of devices searched in February 2017 equals the total searched in all of 2015. Even last year's jump from 5,000 to 25,000 searches looks minuscule in comparison. Border device searches are on track to more than double last year's numbers. The Knight First Amendment Institute filed FOIA requests with the DHS, ICE, and CBP for "statistical, policy, and assessment records" related to the steep increase in device searches. It's also looking for any legal interpretations the agencies might have on hand that explain their take on the Supreme Court's Riley decision, which instituted a warrant requirement for cell phone searches. It asked for expedited handling given the significant public interest in all things immigration and border-related, which has climbed along with the device searches thanks to several presidential directives, some of which are being challenged in court. As the lawsuit [PDF] notes, the public definitely should be apprised of the policies and procedures governing border device searches. If there's been an increase in searches, the public should be made aware of why this is happening, as well as their rights and remedies when it comes to entering or leaving the United States. The suit also points out that several recent reports suggest devices have been taken by government agents by force, or "consent" obtained through threats of further detention and/or violence.

Microsoft closing down CodePlex, tells devs to move to GitHub (ArsTechnica, 31 March 2017) - Microsoft announced Friday that CodePlex, the company's open source project-hosting service, will be closed down. Started in 2006, the service offered an alternative to SourceForge. It was based initially on Microsoft's Team Foundation Server source control and later added options to use Subversion, Mercurial, and Git. At the time, there weren't a tremendous number of good options for hosting projects. SourceForge was the big one, but it always seemed light on feature development and heavy on advertising. CodePlex on the Web was much more attractive and less cluttered. The use of TFS for source control meant it also had strong integration in Visual Studio. But these days, GitHub is the default choice for most open source projects. This applies to Microsoft, too; the company is using GitHub to host projects such as .NET and its Chakra JavaScript engine. Activity on CodePlex has declined, with fewer than 350 projects seeing code commits over the last 30 days. Accordingly, Microsoft has decided to stop running the service. From today, new projects can no longer be created. In October, all projects will be set to read-only. On December 15, CodePlex will be shut down completely, and the website will be replaced with a static archive. Projects and sources will still be browsable online, but the source control system will no longer be operational. GitHub is the preferred new home for CodePlex projects, and there's a straightforward import process that will copy CodePlex-hosted source and documentation to GitHub. Microsoft is also building a tool to migrate issues, though that's not ready yet. Projects can also be migrated to services such as Bitbucket. This will be appealing to those using Mercurial source control with CodePlex, as Bitbucket supports Mercurial in addition to the more common Git.

Indiana: Ban on broadcasting trials doesn't bar live-tweeting (Volokh/WaPo, 3 April 2017) - So an Indiana judicial ethics commission opined in an opinion that was posted on Westlaw: Rule 2.17 of the Code of Judicial Conduct requires judges to prohibit the broadcast of court proceedings except under a narrow set of exceptions. … The Commission's view is that microblogging, tweeting, or electronically relaying a written message does not constitute broadcasting under Rule 2.17, unless the transmitted message contains video or audio of court proceedings or a link to videotaped court testimony. I leave to others the question of whether outright broadcasting of trials should be allowed, but I thought this interpretation of what counts as "broadcast[ing]" in the Twitter age was interesting (and, I think, correct).

- and -

Texas Supreme Court is skeptical about Wikipedia as a dictionary (Eric Goldman on TechDirt, 12 April 2017) - This is an interesting opinion from the Texas Supreme Court on citing Wikipedia as a dictionary. The underlying case involves an article in D Magazine titled "The Park Cities Welfare Queen." The article purports to show that the plaintiff, Rosenthal, "has figured out how to get food stamps while living in the lap of luxury." After publication, evidence emerged that the plaintiff had not committed welfare fraud. She sued the magazine for defamation. The appeals court denied the magazine's anti-SLAPP motion in part because it held the term "Welfare Queen," as informed by the Wikipedia entry, could be defamatory. The Texas Supreme Court affirms the anti-SLAPP denial, but it also criticizes the appeals court for not sufficiently examining the entire article's gist. Along the way, the court opines on the credibility and validity of Wikipedia as a dictionary. TL;DR = the Supreme Court says don't treat Wikipedia like a dictionary.

Encryption policy and freedom of the press (Schneier, 4 April 2017) - Interesting law journal article: "Encryption and the Press Clause," by D. Victoria Barantetsky. Abstract: Almost twenty years ago, a hostile debate over whether government could regulate encryption -- later named the Crypto Wars -- seized the country. At the center of this debate stirred one simple question: is encryption protected speech? This issue touched all branches of government, percolating from Congress, to the President, and eventually to the federal courts. In a waterfall of cases, several United States Courts of Appeals appeared to reach a consensus that encryption was protected speech under the First Amendment, and with that the Crypto Wars appeared to be over, until now. Nearly twenty years later, the Crypto Wars have returned. Following recent mass shootings, law enforcement has once again questioned the legal protection for encryption and tried to implement "backdoor" techniques to access messages sent over encrypted channels. In the case Apple v. FBI, the agency tried to compel Apple to grant access to the iPhone of a San Bernardino shooter. The case was never decided, but the legal arguments briefed before the court were essentially the same as they were two decades prior. Apple and amici supporting the company argued that encryption was protected speech. While these arguments remain convincing, circumstances have changed in ways that should be reflected in the legal doctrines that lawyers use. Unlike twenty years ago, today surveillance is ubiquitous, and the need for encryption is no longer felt by a seldom few. Encryption has become necessary for even the most basic exchange of information given that most Americans share "nearly every aspect of their lives -- from the mundane to the intimate" over the Internet, as stated in a recent Supreme Court opinion. Given these developments, lawyers might consider a new justification under the Press Clause. In addition to the many doctrinal concerns that exist with protection under the Speech Clause, the Press Clause is normatively and descriptively more accurate at protecting encryption as a tool for secure communication without fear of government surveillance. This Article outlines that framework by examining the historical and theoretical transformation of the Press Clause since its inception.

Susman Godfrey is sanctioned for wrong line spacing in brief (ABA Journal, 4 April 2017) - A federal judge in Manhattan has fined Susman Godfrey $1,048.09 for wrong spacing in a brief that allowed the law firm to cram more words into its argument on behalf of Amazon Web Services Inc. U.S. District Judge Victor Marrero said the law firm used 24-point spacing, rather than double spacing, allowing it to exceed the court's 25-page limit, Law360 (sub. req.) reports. According to Marrero, the court's individual rules of practice require all memoranda to be "double-spaced and in 12-point font with 1-inch margins."

New insurance covers cyber risks for the wealthy (Cyberscoop, 5 April 2017) - Some of the wealthiest Americans can now expand their home insurance packages to include expert advice and technology to protect them against cyberattacks, as well as a variety of complimentary or reimbursable services if they do get hacked. AIG said this week it would be offering a "Family CyberEdge" product to existing customers of its Private Client Group, as an add-on to the home insurance packages it already sells. The Private Client Group caters to families with a net worth of more than $1 million and includes 40 percent of the individuals on the Forbes 400 list of the richest Americans. The Family CyberEdge package includes a wide range of "risk mitigation services," including an audit of personal mobile devices, home networks, wireless access points and social media, banking and other secure online accounts. There is training and advice for family members about online security, and continuous monitoring that assesses the security for, and tracks the availability of, personal information online. Advice provided by fraud and ID theft experts from the identity and data defense specialist CyberScout, and threat intelligence from K2 Intelligence - an investigative, compliance and cyberdefense services firm - round out the preventive end of the package.

Programmer faces federal charges for creating software used by hackers (ABA Journal, 5 April 2017) - An Arkansas programmer who created software that is popular with hackers is facing federal charges of conspiracy, and aiding and abetting computer intrusions. Taylor Huddleston created a remote administration tool called NanoCore that has been linked to computer hacks in at least 10 countries, the Daily Beast reports. The case raises a novel question, according to the article: When is a programmer criminally responsible for the actions of their users? Huddleston, a high school dropout, developed the program in hopes that it could lift him out of poverty and get him out of a run-down trailer where he lived on his mother's property. His hope, he said, was that his $25 program could be used by IT administrators, parents keeping track of their children's online activity, and others who didn't have a lot of money to spend on remote-access capability. He eventually bought a $60,000 home with proceeds from NanoCore and an anti-piracy program he created called Net Seal. Prosecutors pointed out that Huddleston announced and supported NanoCore on HackForums.net. They raided his home in December, arrested him in February, and are seeking forfeiture of his home in Hot Springs, Arkansas. "It would soon become clear," the Daily Beast reports, that HackForums "was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums. Instead, many of Huddleston's new customers had purely illicit uses for a slick remote-access tool. In short order, Huddleston found himself routinely admonishing people not to use his software for crime." Huddleston eventually removed his product's capability to steal passwords and log keystrokes, and he would log in and disable the software when he discovered a buyer was using it for hacking. Unhappy hackers eventually distributed pirated versions of Huddleston's software online.

Canadian Mounties own up: Yes, we own 10 IMSI-catchers (The Register, 5 April 2017) - The Royal Canadian Mounted Police has 'fessed up to a long-held suspicion that it uses Stingray-style equipment to track mobile phones. At the same time, in an interview with public broadcaster CBC, Chief Superintendent Jeff Adam says IMSI (international mobile subscriber identity)-catchers that CBC News believes it spotted in Ottawa didn't belong to any government agency - sparking concerns about who might have been snooping on government or commercial communications in the capital. The RCMP says its use of IMSI-catchers is limited: it deployed the fake base stations 24 times in 2015 and 19 times in 2016, said Adam - whose remit includes technical investigation services - in the hour-long interview. CBC News kicked off a furore when it reported evidence of IMSI-catchers in the vicinity of government buildings in Ottawa. Security minister Ralph Goodale has referred the matter to the Mounties and the Canadian Security Intelligence Service for investigation. Adam told CBC that "It's a security risk when it is used in proximity to government and/or any other commercial enterprises." Without specifying his concerns in detail, Adam warned that those deploying IMSI-catchers could be attempting more than surveillance: "There is equipment out there that is not limited in its capturing of communications between devices."

Unpaywall scours the web for free versions of scientific papers (TechCrunch, 5 April 2017) - The science publishing world is a complex one, but the pendulum is currently swinging away from the paywalled mega-journals of the last decade to a more open model - but it can still be hard to find a full copy of an article you need on short notice. Unpaywall is a browser plug-in that identifies the paper you're looking for, then checks whether it's available for free anywhere on the web. Install the plug-in in Firefox or Chrome, and when you arrive at a page summarizing or showing part of an article, a little lock icon appears telling you whether you can get it somewhere else for free. For instance, on this paper the icon is grey (it's still only available behind the paywall), but here (also at Nature), it's green. Clicking it brings me to a PDF version hosted at Arxiv. * * *

- and -

European Commission may join Gates Foundation and Wellcome Trust in becoming an open access publisher (TechDirt, 6 April 2017) - Open access isn't a new idea -- the term was first defined back in 2002, and arguably the first examples go back even further to the founding of arXiv.org in 1991 (pdf). And yet progress towards making all academic knowledge freely available has been frustratingly slow, largely because hugely-profitable publishers have been fighting it every inch of the way. In response to that intransigence, academics have come up with a variety of approaches, including boycotts, mass cancellation of subscriptions, new kinds of overlay journals and simply making everything available with or without permission. Here's another interesting move to open up publishing, reported by the journal Science: One of Europe's biggest science spenders could soon branch out into publishing. The European Commission, which spends more than €10 billion annually on research, may follow two other big league funders, the Wellcome Trust and the Bill & Melinda Gates Foundation, and set up a "publishing platform" for the scientists it funds, in an attempt to accelerate the transition to open-access publishing in Europe. It was quite surprising to see the Wellcome Trust start its own rapid-publishing unit, called Wellcome Open Research, a move that seems to have encouraged the Bill & Melinda Gates Foundation to follow suit with the similar Gates Open Research platform, due to start publishing later this year. For the EU's main executive body to do the same is even more extraordinary. It's true that there has been no official announcement about the European Commission's publishing move, but the Science article suggests that it is likely: * * *

- and -

Institute announces new open access policy for all MIT authors (MIT News, 6 April 2017) - Thanks to the efforts of Cara Manning PhD '16, the MIT Libraries, and many others across the Institute, MIT is launching a new way for authors of scholarly articles to legally hold onto rights to reuse and post their articles, and for others to more easily build on that work. As of this month, all MIT authors, including students, postdocs, and staff, can opt in to an open access license. * * * "We'd long heard from MIT authors who were not faculty that they'd like a policy so they would be more assured of their rights to share their work. But there was no clear path to extend the policy to those authors," says Ellen Finnie, head of scholarly communications and collections strategy at the MIT Libraries. "The faculty adopted the policy in 2009 as a faculty policy, and they were not positioned to create a blanket policy for other groups at MIT. There were governance questions about who could create a policy that would apply by default for graduate students." After Manning and Finnie met in 2015, Finnie and attorney Jay Wilcoxson from the Office of General Counsel came up with the idea for an opt-in license - a voluntary agreement that an individual MIT author can sign and that applies to scholarly articles written while at MIT. "We thought that an optional license would offer the power of an open access policy for authors not covered by the faculty policy. It's exciting to see the license now available to all MIT authors," says Finnie. The opt-in language mirrors that of the faculty policy and was vetted across campus by groups including the Office of General Counsel, Faculty Policy Committee, Committee on Intellectual Property, and Graduate Student Council, which has long supported making student work more accessible to the public. The license can be used by authors who are employed by, have an academic instructional staff or academic research staff (e.g., postdoc) appointment from, or are registered as a student at MIT, and applies to articles written while at the Institute.

- and -

Tearing down science's citation paywall, one link at a time (Wired, 7 April 2017) - To scientists, citations are currency. No, you can't use them to put gas in your car or food on your table. But surviving in academia means publishing papers people want to read and, more to the point, cite in their own research. Citations establish credibility, and determine the impact of a given paper, researcher, and institution. Simply put, they fundamentally shape what people believe. The problem with this lies in determining who's citing whom. Over the last few decades, only researchers with subscriptions to two proprietary databases, Web of Science and Scopus, have been able to track citation records and measure the influence of a given article or scientific idea. This isn't just a problem for scientists trying to get their resumes noticed; a citation trail tells the general public how it knows what it knows, each link a breadcrumb back to a foundational idea about how the world works. On Thursday, a coalition of open data advocates, universities, and 29 journal publishers announced the Initiative for Open Citations with a commitment to make citation data easily available to anyone at no cost. "This is the first time we have something at this scale open to the public with no copyright restrictions," says Dario Taraborelli, head of research at the Wikimedia Foundation, a founding member of the initiative. "Our long-term vision is to create a clearinghouse of data that can be used by anyone, not just scientists, and not just institutions that can afford licenses."

FBI, DHS disagree on when to tell victims they've been hacked (Cyberscoop, 6 April 2017) - Competing interests exist between two of the predominant federal agencies tasked with stopping hackers from attacking the U.S., officials say, and that dynamic shapes how and when the government notifies Americans if they've been breached. The Homeland Security Department and FBI follow distinctly different missions, and this extends into cyberspace, according to John Felker, director of the National Cybersecurity and Communications Integration Center. NCCIC is DHS's around-the-clock office for incident awareness and response. Occasionally, DHS's efforts to rapidly deploy software updates and immediately notify a victim when a cybersecurity incident occurs clash with the FBI's work to fully investigate and ultimately prosecute cybercriminals, Felker said Thursday. "There's always going to be some tension between our mission space at DHS, which is asset response, threat mitigation - stop the bleeding, if you will - and law enforcement's threat response, which is to catch a bad guy and make a successful prosecution," Felker said during McAfee's Security through Innovation conference hosted by CyberScoop and FedScoop. "It's not easy and it's case-by-case. The challenge we have is to keep a relationship that is open and honest and transparent between us." "Even in the last couple weeks we've had a few knock-down, drag-outs about cases that are going on, but it is what it is," Felker said. "We'll work through it." Ongoing negotiations effectively determine when DHS will rapidly reach out to a victim or, on the other hand, whether the FBI will be afforded a grace period to collect evidence and gain new insight.

New Tenn. law: No breach notice needed if data encrypted (Bloomberg, 6 April 2017) - Companies don't need to notify Tennessee citizens of personal data breaches if the information was encrypted, under a new law that took effect April 4 and clarifies confusion created by a 2016 amendment. The measure reinstates language in the state's data breach notice law to remove any doubt that companies do not need to give notice of an encrypted data breach, unless the encryption key is also breached. It took effect with Gov. Bill Haslam's (R) signature. Tennessee adopted a breach notification law in 2005 that specifically exempted companies from providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the exemption. The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies about whether they could still avoid providing notice if the data were encrypted.

Company boards lack deep security knowledge - survey (BizCommunity, 7 April 2017) - According to a recent National Association of Corporate Directors (NACD) survey, although almost 90% of directors at public companies claim their board discusses cyber risk regularly, only 14% have deep knowledge of the topic. Lutz Blaeser, MD of Intact Software Distribution, says that 60% of respondents said they find overseeing cyber risk a challenge. "Just over half of publicly listed companies reported that cyber risk oversight falls on the audit committee, and 96% of directors that took the survey said the full board takes on the big picture risks that could impact their organisation's strategic direction." The survey, says Blaeser, also highlighted that the most common board cyber-risk oversight practices are reviewing the organisation's approach to protecting its most critical assets, followed by reviewing the technical infrastructure used to protect those assets.

Roku TVs can now detect what you're watching on cable to see if it's available on Netflix (The Verge, 11 April 2017) - Televisions with Roku's software preinstalled can now automatically detect what you're watching via cable, satellite, or an antenna. The new feature, coming to Roku TVs as part of the latest operating system update, is called "More Ways to Watch" and is designed to show you whenever a show or movie you've got on can also be streamed using popular services like Netflix, Hulu, and Amazon Video. This could allow you to watch an in-progress episode from the beginning, find other episodes of a series, or view recommendations for similar content. Roku uses Automatic Content Recognition (ACR) technology to recognize what's currently being viewed in your living room. Somewhat creepy, yet also helpful! Not that the creepy side is stopping other companies from doing the same thing. Roku is at least being careful about how it's all being implemented. More Ways to Watch requires customers to opt in once the feature is rolled out or whenever they perform an initial out-of-box setup on a Roku TV. Only Roku TVs are doing this right now; your streaming set-top box isn't (yet) detecting what you're watching.

Uber reportedly tracked Lyft drivers using a secret software program named 'Hell' (TechCrunch, 12 April 2017) - Another day, another revelation of an ethically questionable business practice by Uber. This time The Information reports that Uber secretly tracked Lyft drivers using an internal software program it dubbed Hell. Hell not only let Uber see how many Lyft drivers were available for rides and what their prices were, but also figure out which ones were double-dipping by driving for Uber, too. This meant Uber had data that made it easier to offer those drivers incentives to switch over to Uber exclusively. The software was called Hell in reference to "God View," its tool for tracking the location of customers (God View, also called "Heaven," was infamously abused by Uber employees to stalk journalists, celebrities and ex-girlfriends). Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft's system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider. Then Uber executives realized that Lyft had assigned a numerical user ID to each of its drivers. This bonanza allowed them to start long-term tracking of Lyft drivers and deduce who also drove for Uber. Once Uber knew when and where they tended to log onto Lyft, the company was able to offer drivers incentives - including financial bonuses - created to convince them to use only Uber.

Inmates built computers hidden in ceiling, connected them to prison network (ArsTechnica, 12 April 2017) - Inmates at a medium-security Ohio prison secretly assembled two functioning computers, hid them in the ceiling, and connected them to the Marion Correctional Institution's network. The hard drives were loaded with pornography, a Windows proxy server, VPN, VOIP and anti-virus software, the Tor browser, password hacking and e-mail spamming tools, and the open source packet analyzer Wireshark. That's according to a new report (PDF) from the Ohio Office of the Inspector General, which concluded that the geeky inmates obtained the parts from an onsite computer skills and electronics recycling program. The agency's IT department, according to the report, initially was alerted to a connected device, using a contractor's stolen credentials, that had "exceeded a daily Internet usage threshold." The computers were operational for about four months. After a three-week search, they were discovered above a training room closet in an area off limits to unsupervised inmates. Ultimately, the authorities traced cable from a networking switch to find the devices that were assembled with discarded computers from an Ohio aircraft parts company and an Ohio school district. A forensic analysis of the hard drives found that they were loaded with "malicious" software and that inmates used the computers to apply for credit cards, research tax-refund fraud, search inmate records, and obtain prison access passes for restricted areas. "Additionally, articles about making home-made drugs, plastics, explosives, and credit cards were discovered," according to the report.

How The New York Times decides which stories to link to (and which ones to match) (Poynter, 17 April 2017) - Even though The New York Times has a staff of more than 1,000 journalists that produce roughly 230 articles per day - the equivalent of a daily Harry Potter book - there are some stories they just can't get. Controversial (but worthy) opinion pieces, harrowing first-person accounts and profiles of reclusive celebrities all exist beyond the walled garden of nytimes.com. In years past, The Times might've ignored these stories, rolled them into a longer article or tried to match them. Now, they just link out. Along with colleague Michelle Dozois, Times Senior Digital Strategist Anna Dubenko publishes a twice-weekly roundup of stories under a made-to-share headline that signals temporary relief from the unending torrent of news from the capital: "15 great stories that have nothing to do with politics," reads one. "Take a break from politics with these 12 stories." "Sick of politics? Try these great reads." The curation strategy might seem contradictory for a newspaper whose business depends on attracting readers and holding them on The Times' owned-and-operated platforms. Why link out when you could flood the masses with Times journalism? But the articles are part of a plan to create habitual users of The New York Times who will return to the newspaper for news they actually want to consume - regardless of who made it. "It might sound a bit ambitious or crazy to say, but it's sort of my dream to really compete with what I think is a broken News Feed," Dubenko said. "...The idea behind curation at The Times is: What if your really smart, funny, charming friend - me - gave you recommendations of what to read without all of the craziness that you might get in your News Feed?" The latest of these efforts is "Right and Left: Partisan Writing You Shouldn't Miss," a twice-weekly roundup of political writing from both sides of the ideological spectrum. With the debut of hyperpartisan news sites and the rise of filter bubbles on social media, many centrist news organizations have launched initiatives aimed at dispelling the political myopia that afflicts us all. BuzzFeed has "Outside Your Bubble," a feature that exposes its audience to viewpoints outside their personal ideologies. The Guardian has "Burst Your Bubble," a weekly guide to the right-wing media commentariat. But where The New York Times roundup differs from its competition is that Dubenko is interested in both the left- and the right-wing. And she's trying to find writers who are actually interested in convincing readers who may not agree with them. * * * [ Polley : very interesting]

top

Another trick to try to get mainstream media articles deindexed by Google (Volokh/WaPo, 18 April 2017) - I've been blogging over the past several months about people using various tactics to try to get Google to "deindex" Web pages - remove them from Google indexes, so that Google users won't see them in search results. If you send Google a court order finding the material on some pages to be defamatory, Google will consider deindexing those pages, on the theory that the court order is fairly reliable evidence that the pages are indeed inaccurate and libelous. But the consequence is that people have been using various stratagems to deindex material even when there's little reason for such confidence. Here's another twist, which some people have used to try to deindex mainstream news articles (though without any success, to my knowledge, because Google seems skeptical of these particular requests) - they (a) sue the people quoted in the articles, (b) get stipulations from the people recanting their allegations, (c) get court orders based on those recantations and then (d) try to use those court orders to deindex an entire article. Now, if a media organization gets such a recantation from one of the sources they quote, the editors would reasonably ask: Was the source lying then, or is he lying now? If the editors are persuaded that the recantation is accurate, they might well publish a correction, or revise or even take down the original article. But if they think that the original report was accurate, and the recantation was coerced using a lawsuit, they might stand by their story. When a plaintiff sues the source, though, gets a stipulation and submits the order to Google with a deindexing request, the plaintiff is trying to short-circuit the news organization's review of the matter. Instead, the plaintiff wants to just get the original story hidden, with no independent evaluation of whether the story was and continues to be correct. Consider, for example, Ball v. Saurman. A Ventura County Star article had quoted Sandee Saurman as sharply criticizing J. Kiely Ball's hearing aid company. Ball sued Saurman, who eventually agreed to a stipulation in which she stated that her original allegations were false. A court then issued an injunction, which was submitted to Google for deindexing of the newspaper article. If the Court of Appeal decision were upheld, Google would have had to deindex the Ventura County Star article even though neither the Star nor Google had an opportunity to independently examine Saurman's recantation. * * *

top

New apps from MIT fill your waiting moments with learning opportunities (TechCrunch, 18 April 2017) - MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has come up with a way to fill those few seconds of waiting everyone experiences while their social media apps load, or their phone connects to WiFi. It may not seem like much, but filling these gaps can [have] a significant aggregate effect, given how much time we spend on our devices. To fill this time with productive learning opportunities, CSAIL came up with WaitSuite, a collection of apps that work on desktop or mobile, offering up educational micro-moments where you can brush up on second language vocab skills and more in the time between everything else. MIT's work here isn't unprecedented: They cite apps like Duolingo that already offer up short-term learning opportunities tied to devices like smartphones that we have with us everywhere. WaitSuite targets even more fleeting moments, like while you're waiting for your phone or computer to connect to a WiFi network, or while you're waiting for someone to text you back. WaitSuite also covers the time spent fetching emails, waiting for an elevator to arrive, and waiting for various kinds of content to load on your phone. The system is simple, and basically presents you with a vocabulary word to translate, with a simple text entry field. This could be repurposed to learn specific lingo for various fields of study and work, or for SAT prep and more, but language learning was an easy target because of the flash card-like experience. The system also automatically detects if your device is looking for a WiFi connection, or if your phone can detect Bluetooth iBeacons that indicate you're near an elevator, and the automatic nature is key - users don't have to think about what app to open, it's presented instantly, letting them direct their full attention to that learning task for the few seconds they typically have to wait during these activities. 
A side benefit of the apps was that users still paid attention to their original task: When they fill these moments with things like browsing social media, they tend to get lost in that secondary activity, but with these quick learning moments, they return their attention more fully to what they were doing in the first place.

top

Who controls the blockchain? (HBR, 19 April 2017) - Blockchain networks tend to support principles, like open access and permissionless use, that should be familiar to proponents of the early internet. To protect this vision from political pressure and regulatory interference, blockchain networks rely on a decentralized infrastructure that can't be controlled by any one person or group. Unlike political regulation, blockchain governance is not emergent from the community. Rather, it is ex ante, encoded in the protocols and processes as an integral part of the original network architecture. To be a part of a community supporting a blockchain is to accept the rules of the network as they were originally established. In a blockchain transaction, you don't have to trust your counterpart to perform their obligations or properly record transactional data, since these processes are standardized and automated, but you do have to trust that the code and the network will function as you expect. And just how immutable are blockchain ledger entries if the network becomes politicized? As it turns out, not very. * * * [ Polley : First time I've seen a blockchain article in Harvard Business Review.]

top

RESOURCES

Fair Use, Notice Failure, and the Limits of Copyright as Property (BU Law Review) - Abstract: If we start with the assumption that copyright law creates a system of property rights, to what extent does this system give adequate notice to third parties regarding the scope of such rights, particularly given the prominent role played by the fair use doctrine? This essay argues that, although the fair use doctrine may provide adequate notice to sophisticated third parties, it fails to provide adequate notice to less sophisticated parties. Specifically, the fair use doctrine imposes nearly insuperable informational burdens upon the general public regarding the scope of the property entitlement and the corresponding duty to avoid infringement. Moreover, these burdens have only increased with changes in technology that enable more, and more varied, uses of copyrighted works. The traditional response to uncertainty in fair use has been to suggest ways of curing the notice failure by providing clearer rules about what is and is not permitted. This essay suggests, however, that these efforts to reinforce the property framework feel increasingly strained and fail to reflect how copyright law is actually experienced by the general public. Indeed, the extent of the notice failure is such that it may be time to stop treating copyright like a property right, at least for certain classes of users. The essay ends by suggesting a number of alternative frameworks that would seek to regulate public behavior regarding copyrighted works without imposing the unrealistic informational burdens required by a system of property rights.

top

Encryption Workarounds (Bruce Schneier & Orin Kerr, Georgetown Law Journal) - Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target's data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.
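Of the six workarounds, "guess the key" is the one whose probabilistic character is easiest to make concrete: it only works when the key is derived from something guessable, and whether it succeeds depends on the attacker's guess budget relative to where the passphrase sits in the candidate list. The following is an added example, not from the Schneier and Kerr essay, using a toy scheme assumed for the demonstration (PBKDF2-derived key, HMAC-based keystream, HMAC tag so a guess can be verified); no real product's format is being modelled, and the wordlist and budget are constructed.

```python
"""Added example: the "guess the key" workaround against a passphrase-derived key.

Toy construction assumed for the demo (not any real product's format):
    key        = PBKDF2-HMAC-SHA256(passphrase, salt)
    keystream  = HMAC(key, counter) blocks
    ciphertext = plaintext XOR keystream, with tag = HMAC(key, ciphertext)
The tag is what lets an attacker verify each guess offline.
"""
import hashlib
import hmac

ITERATIONS = 20_000  # kept low so the demo runs quickly; real deployments use far more


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> 32-byte key. Entropy of the output is bounded by the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: concatenated HMAC(key, counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes):
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, "sha256").digest()
    return ct, tag


def decrypt(key: bytes, ct: bytes, tag: bytes):
    """Return plaintext, or None if the tag does not verify under this key."""
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def guess_the_key(salt: bytes, ct: bytes, tag: bytes, wordlist, budget: int):
    """Dictionary attack within a guess budget.

    Returns (passphrase, plaintext, guesses_used) on success, None if the
    budget runs out first: the same ciphertext is recoverable or not depending
    only on budget and wordlist, which is the 'probabilistic' point.
    """
    for i, candidate in enumerate(wordlist, 1):
        if i > budget:
            return None
        pt = decrypt(derive_key(candidate, salt), ct, tag)
        if pt is not None:
            return candidate, pt, i
    return None


if __name__ == "__main__":
    # Constructed demo values.
    salt = b"fixed-salt-for-demo"
    ct, tag = encrypt(derive_key("hunter2", salt), b"meet at dawn")
    wordlist = ["password", "letmein", "qwerty", "hunter2", "dragon"]
    print("budget 3:", guess_the_key(salt, ct, tag, wordlist, budget=3))
    print("budget 5:", guess_the_key(salt, ct, tag, wordlist, budget=5))
```

The same attack against a key that is random rather than passphrase-derived has no wordlist to walk and reduces to enumerating 2^256 values, which is why the essay's "guess the key" category is really a statement about key provenance: the workaround's probability of success is a property of how the key was made, not of the cipher.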

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Public access group defies copyright to post Smithsonian images online (Canada.com, 18 May 2007) -- Grabbing pictures of iconic Smithsonian Institution artifacts just got a whole lot easier. Before, if you wanted to get a picture of the Wright Brothers' plane, you could go to the Smithsonian Images website and pay for a print or high-resolution image after clicking through several warnings about copyrights and other restrictions - and only if you were a student, teacher or pledging not to use it to make money. Now, you can just go to the free photo-sharing website flickr.com. A nonprofit group is challenging the copyrights and restrictions on images being sold by the Smithsonian. But instead of going to court, the group downloaded all 6,288 photos online and posted them Wednesday night on the free Internet site. "I don't care if they sell the photos, but then once they sell it, they can't say you can't reuse this photo," said Carl Malamud, co-founder of the group Public.Resource.Org, which advocates for posting more government information online. "You're not allowed to chill debate by telling people they can't use something because it's under copyright when that's not true." Most images the Smithsonian is selling, including photos of artifacts and historic figures, are not protected by copyright, Malamud said. But the Smithsonian site carries copyright notices and other warnings that would discourage most people from using historic images that should be publicly available, he said.

top

State Department launches first blog (US Department of State, 25 Sept 2007) - Welcome to the State Department's first-ever blog, Dipnote. As a communicator for the Department, I have the opportunity to do my fair share of talking on a daily basis. With the launch of Dipnote, we are hoping to start a dialogue with the public. More than ever, world events affect our daily lives-what we see and hear, what we do, and how we work. I hope Dipnote will provide you with a window into the work of the people responsible for our foreign policy, and will give you a chance to be active participants in a community focused on some of the great issues of our world today… [ Polley (in 2017): ironic that the link has rotted.]

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top