Saturday, April 14, 2018

MIRLN --- 25 March – 14 April 2018 (v21.05)

MIRLN --- 25 March - 14 April 2018 (v21.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it's already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about "reasonable" security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Appeals court says it's okay to copyright an entire style of music (TechDirt, 21 March 2018) - We had hoped that the 9th Circuit might bring some sanity back to the music copyright world by overturning the awful "Blurred Lines" ruling that has already created a massive chilling effect among musicians... but no such luck. In a ruling released earlier this morning, the 9th Circuit largely affirmed the lower court ruling that said that Pharrell and Robin Thicke infringed on Marvin Gaye's copyright by writing a song, "Blurred Lines," that was clearly inspired by Gaye's "Got To Give It Up." No one has denied that the songs had similar "feels" but "feeling" is not copyrightable subject matter. The compositions of the two songs were clearly different, and the similarity in feel was, quite obviously, paying homage to the earlier work, rather than "copying" it. For what it's worth, there appears to be at least some hesitation on the part of the majority ruling, recognizing that this ruling could create a huge mess in the music world, so it tries (and mostly fails) to insist that this ruling is on narrow grounds, specific to this case (and much of it on procedural reasons, which is a kind way of suggesting that the lawyers for Pharrell and Thicke fucked up royally). As the court summarizes: * * *

NIST targets APTs with resilience strategies (GCN, 21 March 2018) - From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology's most recent draft publication aims to help organizations address vulnerabilities and create more "defensible and survivable systems." "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems" provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization's mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems. NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source." The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles.

Lawyers have an obligation to stay on Facebook (Kevin O'Keefe, 27 March 2018) - Computer scientist and author Jaron Lanier, in a ballyhooed op-ed in the Guardian, challenges us all to delete Facebook. Lanier was no fan of Facebook before (having already urged people to delete their social media accounts), but after Cambridge Analytica he saw it as the perfect time to challenge everyone to beat the addiction, make a political statement and redefine your social life. The problem for lawyers is that Facebook represents the opportunity to engage the public where they are and on their terms. Like it or not, lawyers have an ethical obligation to make legal services accessible to people - not just to the impoverished, but to middle income individuals and small business people. To do this as a lawyer you not only need to go where the people are, but you need to establish trust by listening, sharing and nurturing relationships. More people spend more time on the Internet on Facebook than any other place. Social media, Facebook included, represents the town square, the coffee shop, the church group and the civic board of today. It's where lawyers establish enough trust and value in people's minds that legal services, at least through a lawyer, remain a viable answer for consumers and small business people. Lawyers jumping off Facebook can do so out of fear (perhaps legitimate) or to make a political statement, but by doing so they are turning on the public they serve. Access to legal services will only decline. [Polley: interesting perspective, which I do not share.]

A cyberattack hobbles Atlanta, and security experts shudder (NYT, 27 March 2018) - The City of Atlanta's 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on. But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi. Atlanta's municipal government has been brought to its knees since Thursday morning by a ransomware attack - one of the most sustained and consequential cyberattacks ever mounted against a major American city. The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. The assault on Atlanta, the core of a metropolitan area of about six million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night. Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands - typically the Bitcoin equivalent of about $50,000 - and for finding and locking up the victims' most valuable data. In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city's network tied in knots. Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days.

- and -

New York City is launching public cybersecurity tools to keep residents from getting hacked (TechCrunch, 29 March 2018) - In a week of harrowing city-level cyber attacks, New York is taking some precautions. While the timing is coincidental, New York City Mayor just announced that the city will introduce the first tools in its suite of cybersecurity offerings to protect residents against malicious online activity, particularly on mobile devices. When it launches this summer, New York residents will be able to download a free app called NYC Secure. The app will alert smartphone users to potential threats on their devices and offer tips for how to stay secure, "such as disconnecting from a malicious Wi-Fi network, navigating away from a compromised website, or uninstalling a malicious app." Because the app will take no active steps on its own, it'll be up to users to heed the advice presented to them. NYC Secure will not collect or transmit any personal identifying information or private data. The city will also beef up security over its public Wi-Fi networks, a notorious target for malicious actors looking to snoop on private information as it passes by unencrypted. The city will implement DNS protection through a service called Quad9, a free public cybersecurity product out of the partnership between Global Cyber Alliance (GCA), IBM and Packet Clearing House.

- and -

How to speed up your internet and protect your privacy with Cloudflare's new DNS service (Gizmodo, 2 April 2018) - Cloudflare has launched its own consumer Domain Name System (DNS) service that not only promises to keep your browsing history safe, but appears significantly faster than any other DNS service available. Cloudflare, known primarily for DDoS mitigation, launched DNS resolver 1.1.1.1 and 1.0.0.1 on Sunday and, at time of writing, analytics show it processing queries at 14.01ms, officially making it the internet's fastest DNS resolver. The other true benefit here is Cloudflare's perspective on handling user data. Prince said the company views user data as a "toxic asset," something it strives to either never collect or delete as quickly as possible. "Just at a policy level, Cloudflare's business has never been advertising or selling consumer data," Prince said. "As we started to talk to various browser manufacturers and others about what we were doing, they would come back and say, 'Well, we don't want you to retain logs for any longer than a week, we don't want you selling any of the data.' And I think they were kind of surprised when we returned back and said, 'Actually, we prefer never to write any personally identifiable information to disk and guarantee that we'll wipe all of the transactional logs and bug tracking logs within 24 hours.'" Prince said Cloudflare will also bring in an external monitor to certify that it is actually taking all of these steps to ensure user privacy. Those using the DNS services set by their ISPs can have their browsing history recorded, sold, and analyzed for advertising purposes. There are several ways to prevent this, but most involve using a VPN or the Tor browser, both of which can impact speed. There's also no guarantee that a VPN service isn't amassing your data itself. (If you're looking for a reliable VPN, however, I'd suggest Private Internet Access or ProtonVPN.)
For non-technical users who've never changed their DNS settings, it may seem like one of those unfamiliar options you'd rather not mess around with. But it's actually quite simple and takes only a few seconds, and, as you've read, the benefits can be significant. Below are instructions on how to change your DNS settings for Windows and Mac, as well as iPhone and Android devices. * * * [Polley: You probably should do this; also install an ad-blocker; use a VPN (vet it first); etc.]

Law firms' guide to selecting a cloud-based vendor (Nat'l Law Review, 28 March 2018) - Selecting vendors can be a frustrating and complicated process, but it doesn't have to be. You've already got enough to think about while considering the differences in functionality across different products and vendors, and factoring in security is like going through the entire decision-making process all over again! With a few key considerations, though, you can vet vendors' security protocols like a pro, leaving you to make a choice that fits your budget and performance needs with the peace of mind that comes with knowing that security is covered. * * * [Polley: workman-like checklist.]

- and -

NJ physician practice fined over $400,000 for data breach caused by vendor (Jackson Lewis, 8 April 2018) - Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs ("Division") announced that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor. In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website ("FTP Site") where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients.

Protecting election registration sites from cyber intrusions (GCN, 28 March 2018) - The Center for Internet Security's newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of the Department of Homeland Security's Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead.

Combatting deep fakes through the right of publicity (Lawfare, 30 March 2018) - Fake news is bad enough already, but something much nastier is just around the corner: As Evelyn Douek explained, the "next frontier" of fake news will feature machine-learning software that can cheaply produce convincing audio or video of almost anyone saying or doing just about anything. These may be "digital avatars" built from generative adversarial networks (GANs), or they may rely on simpler face-swapping technology to create "deep fakes." The effect is the same: fake videos that look frighteningly real. Bobby Chesney and Danielle Citron recently sounded the alarm on Lawfare about the threat to democracy from "deep fakes," lamenting "the limits of technological and legal solutions." They argue that existing law has a limited ability to force online platforms to police such content because "Section 230 of the Communications Decency Act immunizes from (most) liability the entities best situated to minimize damage efficiently: the platforms." But in fact, a loophole built into Section 230 immunity, the intellectual property exception, could be helpful in combating deep fakes and other next-generation fake news. Victims of deep fakes may successfully bring "right of publicity" claims against online platforms, thereby forcing the platforms to systematically police such content. At a minimum, such right-of-publicity claims are likely to generate crucial litigation. * * *

- and -

Realistic docudramas don't violate California publicity rights - deHavilland v. FX (Eric Goldman, 2 April 2018) - Last week, the California Court of Appeal ordered the dismissal of a right of publicity and false-light privacy lawsuit brought by legendary actress Olivia de Havilland against FX Networks over the depiction of her in the television miniseries Feud: Bette and Joan (2017). The opinion is available here. One of Hollywood's staples is the docudrama: a motion picture or television series based on real persons and real-life events. Recent examples include the television series The People v. O.J. Simpson (which won nine Emmy awards), and the movies Hidden Figures (about female mathematicians and engineers at NASA in the 1960s) and Darkest Hour (about Winston Churchill's early days as Prime Minister). Sometimes docudramas are near-journalistic in nature, and sometimes they are heavily fictionalized; but all docudramas are necessarily dramatized to some extent, because it is impossible to depict real life with 100% accuracy. To depict private conversations, for example, a screenwriter must invent dialogue, because no one was there to record what was said, and even the participants to the conversation may remember it differently when interviewed in later years. It is also common for screenwriters to invent fictitious or composite characters to interact with the more well-known historical figures that are the focus of the docudrama. Docudramas have frequently been the source of litigation disputes. When real-life people are upset with how they are depicted in a movie or television series, they often turn to causes of action such as libel, false-light privacy, or the right of publicity to vindicate what they see as the truth. More often than not, these lawsuits fail; but they succeed often enough to avoid Rule 11 sanctions, and the cost of litigating these disputes may have a "chilling effect" on the willingness of Hollywood to take on certain subject material. Hollywood studios frequently pay people for the "rights" to tell their life stories, simply in order to avoid having a suit filed against them for a violation of their rights of privacy or publicity, and the attendant cost of litigation. * * *

Tech thinks it has a fix for the problems it created: Blockchain (NYT, 1 April 2018) - Worried about someone hacking the next election? Bothered by the way Facebook and Equifax coughed up your personal information? The technology industry has an answer called the blockchain - even for the problems the industry helped to create. The first blockchain was created in 2009 as a new kind of database for the virtual currency Bitcoin, where all transactions could be stored without any banks or governments involved. Now, countless entrepreneurs, companies and governments are looking to use similar databases - often independent of Bitcoin - to solve some of the most intractable issues facing society. "People feel the need to move away from something like Facebook and toward something that allows them to have ownership of their own data," said Ryan Shea, a co-founder of Blockstack, a New York company working with blockchain technology. The creator of the World Wide Web, Tim Berners-Lee, has said the blockchain could help reduce the big internet companies' influence and return the web to his original vision. But he has also warned that it could come with some of the same problems as the web. Blockchain allows information to be stored and exchanged by a network of computers without any central authority. In theory, this egalitarian arrangement also makes it harder for data to be altered or hacked. In the first three months of 2018, venture capitalists put half a billion dollars into 75 blockchain projects, more than double what they raised in the last quarter of 2017, according to data from Pitchbook. Most of the projects have not gotten beyond pilot testing, and many are aimed at transforming mundane corporate tasks like financial trading and accounting. But some experiments promise to transform fundamental things, like the way we vote and the way we interact online. [Polley: Quite interesting article (if a bit unstructured), and worth a close read.]

US suspects cellphone spying devices in DC (AP, 3 April 2018) - For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies - which use such eavesdropping equipment themselves - have been silent on the issue until now. In a March 26 letter to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it identified suspected unauthorized cell-site simulators in the nation's capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where. The agency's response, obtained by The Associated Press from Wyden's office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. The Federal Communications Commission, which regulates the nation's airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly. * * * Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers conducted public sweeps that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations. Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil. Every embassy "worth their salt" has a cell tower simulator installed, Turner said. They use them "to track interesting people that come toward their embassies." The Russians' equipment is so powerful it can track targets a mile away, he said.

Anatomy of a cyber attack (NY Law Journal, 4 April 2018) - Cybersecurity is an increasingly important risk vector that impacts every facet of society. Day by day, businesses and even individuals are finding themselves to be targets of cyberattacks and lawyers are certainly no exception. The exponential scale of the problem can be seen in the fact that, according to a recent report, there were more records compromised in 2017 than there are people currently living on earth. While this risk is applicable to all organizations and individuals, lawyers, as safeguards of their client's information, are particularly useful targets for cyber criminals. Lawyers of every stripe and specialty tend to possess large quantities of their clients' sensitive data and in many cases present a more desirable target than the clients themselves because the data of all of their clients is centralized in a single location. Recognizing this threat, the bar has taken steps to ensure that the profession rises to the challenge posed by the pervasive threat of cyber-compromise. The bar's understanding of the lawyer's duty to his or her clients has developed along two parallel paths: the duty of confidentiality and the duty of technological competence as applied in the digital context. In 2017, the American Bar Association proceeded along the first path and released Formal Opinion 477, which dealt with cybersecurity in client communications. This is a fundamental departure from previously established guidance from the ABA, which held that "A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint."
While this specific rule change only affects attorney communications and not the practice of law more generally, it signals a change from the Bar that it is now more willing than ever to begin regulating cybersecurity and the practice of law. Not only has the ABA adopted these changes; in fact, twenty-eight state Bars have adopted language mandating that the duty of competency in representation extends to technological competence as well. [Polley: not much new(s) here, but the New York Law Journal reaches an important audience; more and more visibility (and appreciation) of these kinds of issues.]

Facebook scans the photos and links you send on Messenger, and it reads flagged chats (LA Times, 4 April 2018) - Facebook Inc. scans the links and images that people send each other on Facebook Messenger, and reads chats when they're flagged to moderators, making sure it all abides by the company's rules governing content. If it doesn't pass muster, it gets blocked or taken down. The company confirmed the practice after an interview with Chief Executive Mark Zuckerberg, published this week, raised questions about Messenger's practices and privacy. Zuckerberg told Vox's Ezra Klein a story about receiving a phone call related to ethnic cleansing in Myanmar. Facebook had detected people trying to send sensational messages through the Messenger app, he said. "In that case, our systems detect what's going on," Zuckerberg said. "We stop those messages from going through." Some people reacted with concern on Twitter: Was Facebook reading messages more generally? Facebook has been under scrutiny in recent weeks over how it handles users' private data, and the revelation struck a nerve. Messenger doesn't use the data from the scanned messages for advertising, the company said, but the policy may extend beyond what Messenger users expect.

- and -

What you don't know about how Facebook uses your data (NYT, 11 April 2018) - * * * Facebook meticulously scrutinizes the minutiae of its users' online lives, and its tracking stretches far beyond the company's well-known targeted advertisements. Details that people often readily volunteer - age, employer, relationship status, likes and location - are just the start. Facebook tracks both its users and nonusers on other sites and apps. It collects biometric facial data without users' explicit "opt-in" consent. And the sifting of users can get quite personal. Among many possible target audiences, Facebook offers advertisers 1.5 million people "whose activity on Facebook suggests that they're more likely to engage with/distribute liberal political content" and nearly seven million Facebook users who "prefer high-value goods in Mexico." "Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior," said Peter Eckersley, the chief computer scientist for the Electronic Frontier Foundation, a digital rights nonprofit. "That knowledge turns out to be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people's political views, or other sensitive facts about them?" Facebook uses a number of software tools to do this tracking. When internet users venture to other sites, Facebook can still monitor what they are doing with software like its ubiquitous "Like" and "Share" buttons, and something called Facebook Pixel - invisible code that's dropped onto the other websites that allows that site and Facebook to track users' activity. Ms. Dingell asked Mr. Zuckerberg how many non-Facebook sites used various kinds of Facebook tracking software: "Is the number over 100 million?" He said he'd have to get back to her with an answer. * * *

Is cybersecurity improving? (Lawfare, 5 April 2018) - Is cybersecurity improving overall? By at least some measures the answer is a surprising "yes." This annual report from FireEye gives us at least two reasons to think that trend lines are actually improving: First, as noted by Joe Uchill of Axios Codebook, the identity of who discovers an intrusion is changing drastically. As recently as 2011, 94 percent of intrusions were discovered and reported by outsiders: law enforcement, customers, or other observers. Today, victim companies discover 64 percent of their own breaches, a significant improvement in self-awareness. Second, that improvement has consequences. An intruder's "dwell time" inside a victim's system is less than a quarter of what it was in 2011. It's still too high (median dwell time is 75 days in the U.S., 175 in Europe and more than 490 in Asia), but the fact that it is down is a significant improvement.

Cyberinsurance tackles the wildly unpredictable world of hacks (Wired, 6 April 2018) - In the aftermath of the Equifax data breach last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services estimated that cyberinsurance would cover roughly $125 million of Equifax's losses from the incident. It's uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity, and the challenges of getting it right. In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, according to the Organisation for Economic Co-operation and Development. That's not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than $200 billion annually. But cyberinsurance premiums have grown steadily at a rate of roughly 30 percent every year for the past five years, in an industry unaccustomed to such spikes. With the Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk. "Typically in insurance we use the past as prediction for the future, and in cyber that's very difficult to do because no two incidents are alike," said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.

RSS is undead (TechCrunch, 7 April 2018) - RSS died. Whether you blame Feedburner, or Google Reader, or Digg Reader last month, or any number of other product failures over the years, the humble protocol has managed to keep on trudging along despite all evidence that it is dead, dead, dead. Now, with scandal over Cambridge Analytica, there is a whole new wave of commentators calling for RSS to be resuscitated. Brian Barrett at Wired said a week ago that "… anyone weary of black-box algorithms controlling what you see online at least has a respite, one that's been there all along but has often gone ignored. Tired of Twitter? Facebook fatigued? It's time to head back to RSS." Let's be clear: RSS isn't coming back alive so much as it is officially entering its undead phase. Don't get me wrong, I love RSS. At its core, it is a beautiful manifestation of some of the most visionary principles of the internet, namely transparency and openness. The protocol really is simple and human-readable. It feels like how the internet was originally designed with static, full-text articles in HTML. Perhaps most importantly, it is decentralized, with no power structure trying to stuff other content in front of your face. It's wonderfully idealistic, but the reality of RSS is that it lacks the features required by nearly every actor in the modern content ecosystem, and I would strongly suspect that its return is not forthcoming. [Polley: interesting; I use RSS to find about 20% of the content that goes into MIRLN.]

Using Turnitin to teach students not to plagiarize (InsideHigherEd, 10 April 2018) - By now, most educators know about Turnitin, and many of us have used it to scare our students out of submitting work written by someone else, whether that writer was a friend, an internet entrepreneur or even (in the most obvious cases) Wikipedia. The first time I used it to check for plagiarism, I have to admit that it was purely for the fear factor, as I hadn't learned much about the benefits the resource has to offer. I just looked at the similarity percentages to see how high they were, warning students that they would be penalized if they had plagiarized. It took me a while to understand how Turnitin can also be useful to students if they are taught how to take advantage of it as a tool. * * * Here's how I tell students to use Turnitin to check their papers. First, I set it up on my end so that they can submit multiple times and see their similarity percentages. Students have told me sometimes their other professors won't allow this, which might be to further discourage plagiarism attempts by preventing students from knowing whether they need to make changes, but I feel that this restricts a powerful teachable moment. Next, when students have polished their drafts to a point where they think they're finished, they submit and wait for the percentage. Obviously, a high percentage is less than ideal, but that alone won't provide everything they need to know. Plagiarism is still possible with a low score, so I then have them click "markup document" and the originality tab. A truer originality percentage will show up if they use the filter, located on the right-hand side, to exclude any quotes they have used, as those will obviously come directly from sources. I also tell them to click "exclude bibliography," as titles of sources they have used will also come up highlighted. Any other writing that is too close to a source will be marked in various colors. 
This is a good check to see where they may need to make some tweaks. * * * [Polley: quite interesting.] top

RESOURCES

Starting A Mobile Hotspot Lending Program (Maine.gov, March 2018) - Implementing a Mobile Hotspot Lending Program at your library offers up a world of possibilities for your patrons. Enabling patrons to take the Internet home offers a number of unique benefits such as: * * * By loaning out the Internet, just like a book, your Library can provide its patrons with 24/7 access to Internet. In an increasingly interconnected world, the Internet is vital in day to day life. Offering mobile hotspot devices to your patrons will help meet their information needs in new and exciting ways. top

Borgesius and Steenbruggen on The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression (MLPB, 11 April 2018) - Frederik Zuiderveen Borgesius, University of Amsterdam, Institute for Information Law (IViR), and Wilfred Steenbruggen, Bird & Bird, have published The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression. Here is the abstract: In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This paper discusses the protection of the right to confidentiality of communications in Europe. We look at the right's origins as a fundamental right to assess the rationale for protecting the right. We also analyse how the right is currently protected under the European Convention on Human Rights and under EU law. We show that the right to communications confidentiality protects three values: trust in communication services, privacy, and freedom of expression. The right aims to ensure that individuals and businesses can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. Hence, the right does not merely serve individual privacy interests, but also other interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary to protect trust, privacy and freedom of expression. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Comcast to stop blocking Internet traffic (NBC, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Comcast said it will collaborate with BitTorrent Inc., the company founded by the creator of the popular BitTorrent file-sharing protocol, to come up with better ways to transport large files over the Internet instead of delaying file transfers. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and "Net Neutrality" advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company's core business. Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. top

Abracadabra! Bush makes privacy board vanish (Wired, 4 Feb 2008) - The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate's Homeland Security Committee. "I urge the president to move swiftly to nominate members to the new board to preserve the public's faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism," Lieberman said in a statement. "The White House's failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission," Collins said in a statement. top

Saturday, March 24, 2018

MIRLN --- 4-24 March 2018 (v21.04)

MIRLN --- 4-24 March 2018 (v21.04) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | PODCASTS | LOOKING BACK | NOTES

Let's fix peer review (Ray Truant Laboratory, 14 Feb 2018) - If one explains the current system of peer review to a non-scientist, the response is typically, "that's insane, I thought you guys were supposed to be smart". To recap: When we apply for a grant or want to publish our science, we secretly get the work reviewed by our peers, some of which are competing with us for precious funding, or a bizarre version of fame. Under the veil of anonymity, a reviewer can write anything, including false statements, or incorrect statements to justify a decision. The decision is most often, "do not fund" or "reject", even if the review is based off of inaccuracies, lack of expertise, or even blatant slander. There are no rules, there are no repercussions. There are few integrity guidelines, or oversight, nor rules of ethics in the review process for the most part. It can lead to internet trolling at a level of high art. In funding decisions, these mistakes can be missed by inattentive panels, but were definitely missed in the CIHR reform scheme before panels were re-introduced. We still have a problem of reviewers self-identifying expertise they simply do not have. Scientists have to follow strict rules of ethics when submitting data, including conflicts of interest, research ethics, etc. No such rules are often formally stated in the review process and can vary widely between journals. This system is historic, back to an era when biomedical research was a fraction of the size it is today, and journal Editors were typically active scientists. The community was small. But as science rapidly expanded in the 90s, so did scientific publishing, and soon editors became professional editors, with some never running a lab or research program. Then, came the digital revolution, and journals were no longer being read on paper and the pipeline to publish increased exponentially. What drove the massive expansion of journals? Money. Big money. And like many historic industries, it's thriving, mostly based off free slave labor. * * * [Polley: Quite interesting; flagged for me by a former client. See also Who May Swim in the Ocean of Knowledge? (Carl Malamud, March 2018)] top

Five questions to test your understanding of the ethics of technology (Law Technology Today, 1 March 2018) - More than 28 states now say lawyers have an ethical duty to be competent in technology. Indeed, a State Bar of California ethics opinion recently extended that duty to include competence in e-discovery, CA Formal Opinion No. 2015-193. On top of that, the federal courts have implemented new proportionality rules governing your duty to produce documents. All of this comes as lawyers grapple with thorny ethical issues concerning the use of cloud technology, storing privileged documents with outside vendors, and relying for key tasks on smart but non-human computer algorithms. So what are your ethical duties with using new technology, such as technology assisted review (TAR) in e-discovery? A careful look at five key questions surrounding the ethics of TAR can help you use it in a way that is strategic, reasonable and proportional to the matter. And will save you and your client on review costs. * * * top

- and -

Ethics opinion stresses lawyers' duty of confidentiality when blogging (ABA Journal, 6 March 2018) - Lawyers should be mindful of the duty of confidentiality when they engage in public commentary, including blogging and other online postings, according to an ethics opinion from the ABA Standing Committee on Ethics and Professional Responsibility. Formal Ethics Opinion 480 explains that lawyers communicating about legal topics in public commentary must comply with the ABA Model Rules of Professional Conduct, including Rule 1.6(a), which provides: "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)." This duty of confidentiality is broad and includes all information related to the representation, not just information learned directly from the client. The reach of this rule is much broader than either the attorney-client privilege or the work product doctrine. The opinion explains that this duty of confidentiality applies even if the information about the client's representation is found in a court record or other public record. "The duty of confidentiality extends generally to information related to a representation whatever its source and without regard to the fact that others may be aware of or have access to such knowledge," the opinion reads. "The salient point is that when a lawyer participates in public commentary that includes client information, if the lawyer has not secured the client's informed consent or the disclosure is not otherwise impliedly authorized to carry out the representation, then the lawyer violates Rule 1.6(a)," the opinion continues. [Polley: This is almost entirely "not news". But, it makes the point that even "public" client information shouldn't be blogged about.] top

Hogan Lovells, 4th largest US firm, moves into the cloud (LegalTech, 1 March 2018) - Cloud adoption has been a slow-brewing trend in the legal sector over the last few years, but a recent announcement that Hogan Lovells, the fourth-largest firm in the United States based on the National Law Journal's 2017 rankings, has opted to adopt a cloud-based document management system may indicate that legal is moving more definitively into the cloud. Hogan Lovells recently announced that the firm plans to use cloud-based system NetDocuments as its primary document management system. Prior to the adoption, the firm was using two competing systems, iManage and OpenText, left over from the firm's merger of Washington D.C.-based Hogan & Hartson and U.K. firm Lovells in 2010. top

International law and cyberspace: Evolving views (Lawfare, 4 March 2018) - On Feb. 13, our colleague Robert Chesney flagged the upcoming Cyber Command legal conference titled "Cyberspace Operations in the Gray Zone." The conference-which begins Monday morning and involves heavy interagency and private sector and academia participation-is set to address a number of key international and domestic law issues surrounding cyberspace operations, such as the exploiting of social media in the gray zone, the characterizing of information warfare in cyberspace, the protecting of domestic information systems, the countering of gray zone cyber threats, technology and warfare, and privacy implications of military cyberspace operations. Much of the conference will be geared towards sub-use of force issues and activities that may not clearly be governed by the law of armed conflict, which raises questions about when exactly cyber activities do or do not involve the use of force. The U.S. asserts that extant international law, to include International Humanitarian Law (IHL), applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual. Because members of the military are tasked with following the law, defining the nuances of the applicability of international law in cyberspace should be a central priority. We hope that the following discussions can serve to enrich this week's conference, and further DoD's development of cyber law. This year, a number of excellent pieces of scholarship emerged that could help enhance conference discussions on key elements of international law, namely the principles governing cyber operations outside the context of armed conflict, such as sovereignty and the IHL principles of distinction and proportionality. In his personal capacity, Colonel Gary P. Corn, Staff Judge Advocate of USCYBERCOM, co-authored "Sovereignty in the Age of Cyber" with Robert Taylor, Former Principal Deputy General Counsel of DoD, and posted on SSRN an advance draft of an upcoming chapter titled, "Cyber National Security: Navigating Gray Zone Challenges In and Through Cyberspace." Meanwhile, Commander Peter Pascucci, Chief of Operational Law at USCYBERCOM, authored "Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution." These works add nuance to the applicability of international law principles to cyberspace and vary somewhat from the publicly stated views of prior State Department Legal Advisers, as we'll argue below. top

Companies sharpen cyber due diligence as M&A activity revenue up (Morningstar, 5 March 2018) - Automatic Data Processing Inc. deployed a team of cybersecurity, risk management and financial-crime specialists to WorkMarket before acquiring it in January. The ADP team combed the software maker's technology, practices and internal policies. It also interviewed staff about monitoring for intrusions, training employees and performing other security tasks. The payroll processor also hired a cybersecurity firm to do its own evaluation. Security problems, said ADP's chief security officer Roland Cloutier, could kill any deal. "If we found out data was exfiltrated, we may walk away," he said. "We've looked at a lot of companies and only purchased a few. Security always plays a part." Companies are intensifying due diligence of acquisition targets to avoid costly cybersecurity surprises, particularly when intellectual property, such as software code or customer data drive the deal. Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company's technology operations can threaten transactions. Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger. ADP investigators typically look for troublespots such as signs of an unauthorized presence on the target's network and scant or no evidence that employees have received security training. No significant problems surfaced at WorkMarket, but deep study of a target's cybersecurity helps executives forecast deal costs, Mr. Cloutier said. ADP typically spends two to four months on the process. Problems can arise even years later. FedEx Corp. moved quickly last month to secure a server that exposed data from customer driver's licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014. 
[Polley: directly on point is the recently published ABA book "Guide to Cybersecurity Due Diligence in M&A Transactions", which I highly recommend.] top

Reflecting on the original big idea for MOOCs (InsideHigherEd, 6 March 2018) - Six years ago, inspired by a big idea to democratize higher education, the University of Michigan (U-M) became a founding partner of Coursera. Massive open online courses (MOOCs) were born. While the issuance of MOOC death certificates by skeptics is only rivaled in frequency by those filed by South Park writers for Kenny, MOOCs consistently find ways to survive and indeed thrive in nurturing environments. MOOCs are far from dead. Rather, they appear to hatch derivatives. Sean Gallagher of Northeastern University's Center for the Future of Higher Education and Talent Strategy refers to this as "the new ecology of credentials", a landscape transforming rapidly as we move from the early knowledge economy to the digital, AI, Gig economy. Which leads those of us close to the action to reflect often upon the original big idea for MOOCs. Typically stating a goal to "democratize" is followed by "access to" something. In hindsight, it's clear we hadn't fully considered the potential of what we might be democratizing. What, in fact, are we scaling? Is it content and courses? Curriculum and credentials? Communities and college towns? With today's announcement, we are now much closer to saying "all of the above". MOOCs may have initially provided learners an opportunity to simply peer into the university. Now MOOCs and MOOC derivatives (e.g. Teach-Outs, specializations, MicroMasters, MasterTrack, etc.) are helping universities to expand how they think about engaging with the world. For U-M, this is entirely consistent with top institutional priorities around academic innovation, diversity, equity, and inclusion, and public engagement. We are the global, inclusive, public research university.
The real innovation of the MOOC era is not the unbundling of academic degrees that first captured massive attention, but rather the re-bundling that results from serious academic R&D - the creation of new communities and credentials for all levels. In announcing Michigan's new degrees this morning at the Coursera Partners Conference, Coursera CEO Jeff Maggioncalda contextualized these latest innovations as evidence that, "the future of work and the future of learning are converging." Today U-M announced the intent to design two new fully online master's degree programs and a new online cohort-based pathway to advanced degrees and career advancement called the MasterTrack Certificate. Let's consider this latest re-bundling effort within the broader context. * * * top

- and -

Udacity u-turns on money-back guarantee (InsideHigherEd, 16 March 2018) - It was hailed as a "dream come true" by Udacity's founder and CEO Sebastian Thrun. "We now GUARANTEE a job for anyone who completes a Nanodegree Plus -- or else tuition back. Hope other universities follow," tweeted Thrun in January 2016. Now, it seems, the dream is over. Udacity has quietly scrapped its pledge, nixing the program, which guaranteed a job within six months of graduation or 100 percent of students' money back, at the end of last year. top

Geek Squad's relationship with FBI is cozier than we thought (EFF, 6 March 2018) - After the prosecution of a California doctor revealed the FBI's ties to a Best Buy Geek Squad computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners' Fourth Amendment rights. The documents released to EFF show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency's "Cyber Working Group" at the company's Kentucky repair facility. The memo and a related email show that Geek Squad employees also gave FBI officials a tour of the facility before their meeting and make clear that the law enforcement agency's Louisville Division "has maintained close liaison with the Geek Squad's management in an effort to glean case initiations and to support the division's Computer Intrusion and Cyber Crime programs." Another document records a $500 payment from the FBI to a confidential Geek Squad informant. This appears to be one of the same payments at issue in the prosecution of Mark Rettenmaier, the California doctor who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility. Other documents show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs.
The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI's Louisville field office after finding what they believed was child pornography. top

Large law firms seeing more data breaches (Ride the Lightning, 6 March 2018) - I know many readers have not read the 2017 ABA Legal Technology Survey because it costs money, but it is well worth reviewing the cybersecurity highlights - more than 4,000 respondents were surveyed. 22% of respondents said their firms had experienced a data breach at some point, up from 14 percent last year - that's a big escalation. Significantly, respondents at firms with 500 or more attorneys took the bulk of those hits. Over one third of law firms with 10-99 attorneys reported being compromised in 2017 alone. Some of the key consequences from breaches were downtime, loss of billable hours, destruction or loss of files - and of course having to pay consulting fees for remediating damages from the attacks. As one might expect, reporting stats are much lower. 7% of firms with 500+ attorneys and 3% of firms with 10-49 attorneys reported authorized access to sensitive client data. 25% of firms reported having no security policies, though all firms with 500+ lawyers did have such policies. 66% of BigLaw firms do have an Incident Response Plan. 51% of firms with 100-499 attorneys and 43% of firms with 50-99 attorneys also have an incident response plan. top

- and -

'Confusing as hell': Making sense of cyber insurance (ABA Journal, 9 March 2018) - When it comes to managing a firm's cybersecurity risks, password regimens and encrypted backups are not enough. You need cyber insurance. A Friday morning panel at ABA Techshow entitled "Cyberinsurance: Necessary, Expensive and Confusing as Hell" attempted to demystify the nascent cyber insurance field while underscoring how vital it is to have some sort of insurance policy in place in case of cyberattacks. Panelists Judy Selby, a cyber insurance consultant and lawyer, and Sharon Nelson, president of Sensei Enterprises, laid out the case for the insurance and the challenges of understanding it. No matter how good your cybersecurity infrastructure may be, "it can't stop it all," said Nelson. She argued that cyber insurance is necessary, "because you are managing an enormous risk." Providing background on the relatively new area of cyber insurance, Nelson quoted a PricewaterhouseCoopers report that found one-third of businesses have a cyber insurance policy. Additionally, she noted that policies are being offered by upwards of 60 insurers. At the same time, according to the 2017 ABA Legal Technology Survey, 22 percent of solo and small firms reported a data breach-an increase compared to the previous year, when 14 percent of such firms reported a breach. For many, this can be devastating. According to Nelson, it has been reported that half of all small businesses close within six months after a breach. Cyber insurance varies, but these types of policies can often cover first-party contingencies like legal, forensic, notification, credit monitoring and breach coach costs. It may also cover business interruption incurred by the insured or contingent business interruption, which provides coverage when a third-party service provider that the insured relies on, such as a cloud storage vendor, cannot operate because of a cyber incident.
Policies may also cover data restoration, extortion, denial of service attacks and social engineering attacks. Some policies will cover third-party contingencies like privacy and network liability, public relations, regulatory liability, fines and payment card issuer liability. With growing demand and offerings, the cyber insurance market is still new, or a "soft market" in the terms of the presenters. This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry. "No matter what two policies you're looking at, it's apples and oranges," said Nelson. This includes ubiquitous terms like "cyber incident" or "social engineering," which will be defined by the insurer in their own idiosyncratic way. To this end, both say it is important to read through potential policies with an eye toward detail and definitions. top

For two months, I got my news from print newspapers. Here's what I learned. (NYT, 7 March 2018) - I first got news of the school shooting in Parkland, Fla., via an alert on my watch. Even though I had turned off news notifications months ago, the biggest news still somehow finds a way to slip through. But for much of the next 24 hours after that alert, I heard almost nothing about the shooting. There was a lot I was glad to miss. For instance, I didn't see the false claims - possibly amplified by propaganda bots - that the killer was a leftist, an anarchist, a member of ISIS and perhaps just one of multiple shooters. I missed the Fox News report tying him to Syrian resistance groups even before his name had been released. I also didn't see the claim circulated by many news outlets (including The New York Times) as well as by Senator Bernie Sanders and other liberals on Twitter that the massacre had been the 18th school shooting of the year, which wasn't true. Instead, the day after the shooting, a friendly person I've never met dropped off three newspapers at my front door. That morning, I spent maybe 40 minutes poring over the horror of the shooting and a million other things the newspapers had to tell me. Not only had I spent less time with the story than if I had followed along as it unfolded online, I was better informed, too. Because I had avoided the innocent mistakes - and the more malicious misdirection - that had pervaded the first hours after the shooting, my first experience of the news was an accurate account of the actual events of the day. This has been my life for nearly two months. In January, after the breaking-newsiest year in recent memory, I decided to travel back in time.
I turned off my digital news notifications, unplugged from Twitter and other social networks, and subscribed to home delivery of three print newspapers - The Times, The Wall Street Journal and my local paper, The San Francisco Chronicle - plus a weekly newsmagazine, The Economist. I have spent most days since then getting the news mainly from print, though my self-imposed asceticism allowed for podcasts, email newsletters and long-form nonfiction (books and magazine articles). Basically, I was trying to slow-jam the news - I still wanted to be informed, but was looking to formats that prized depth and accuracy over speed. It has been life changing. Turning off the buzzing breaking-news machine I carry in my pocket was like unshackling myself from a monster who had me on speed dial, always ready to break into my day with half-baked bulletins. Now I am not just less anxious and less addicted to the news, I am more widely informed (though there are some blind spots). And I'm embarrassed about how much free time I have - in two months, I managed to read half a dozen books, took up pottery and (I think) became a more attentive husband and father. * * * [Polley: resonates with me and the idea of saving time is attractive. For me, this story was the tipping point: I've just re-subscribed to New York Times home-delivery, hardcopy. I've been missing too much.] top

The FCC says a space startup launched four tiny satellites into orbit without permission (The Verge, 10 March 2018) - Earlier this year, a space startup from Silicon Valley launched four of its first prototype communications satellites on top of an Indian rocket. Except the FCC says that the company didn't have authorization to send up those spacecraft from the US government, IEEE Spectrum reports. It would seemingly mark the first time a US private company launched un-licensed satellites into orbit - and these rogue spacecraft could pose a danger to other objects in space. The four satellites reportedly belong to a fledgling company called Swarm Technologies, which was started by former Google and NASA JPL engineer Sara Spangelo in 2016. The probes, dubbed SpaceBees 1, 2, 3, and 4, are meant to test out Swarm's idea for a "space-based Internet of Things" network, according to IEEE, and went up as part of a cluster of 31 satellites aboard an Indian Polar Satellite Launch Vehicle (PSLV) rocket on January 12th. At the time of the launch, India's space agency didn't name the operator of the four satellites. top

Can't Washington protect Americans from propaganda on social media? (Poynter, 12 March 2018) - The past two years have taught us that the United States needs a better handle on what social networks are doing to manipulate and prioritize information. If there's one thing that Washington could do, it would be to provide better safeguards to ensure that these powerful tools are not used to mislead the public again. That's part of the message from Martha Minow, longtime Harvard Law School dean and expert on the shifting media and technological landscape. Minow also casts a skeptical eye on the concentration of local media ownership by companies such as Sinclair Broadcasting. We need action now, or independent news as we know it won't be around, she warned in a speech last week at Brown University. Minow cites the Constitution as impetus for Washington "to improve reliable access to material enabling competing views and authentication of messages and sources. The government can protect users against bombardment by computer-generated messages that drown out news and drive citizens away from the exchange needed for democratic self-governance." "Nothing in the Constitution forecloses government action to regulate concentrated economic power, to require disclosure of who is financing communications, and to support news initiatives where there are market failures. The First Amendment forbids Congress from 'abridging' the freedom of speech and freedom of press; it does not forbid strengthening it and amplifying news. "Affirmative government action may be precisely what the First Amendment actually requires now." top

- and -

How researchers learned to use Facebook 'likes' to sway your thinking (NYT, 20 March 2018) - Perhaps at some point in the past few years you've told Facebook that you like, say, Kim Kardashian West. When you hit the thumbs-up button on her page, you probably did it because you wanted to see the reality TV star's posts in your news feed. Maybe you realized that marketers could target advertisements to you based on your interest in her. What you probably missed is that researchers had figured out how to tie your interest in Ms. Kardashian West to certain personality traits, such as how extroverted you are (very), how conscientious (more than most) and how open-minded (only somewhat). And when your fondness for Ms. Kardashian West is combined with other interests you've indicated on Facebook, researchers believe their algorithms can predict the nuances of your political views with better accuracy than your loved ones. As The New York Times reported on Saturday, that is what motivated the consulting firm Cambridge Analytica to collect data from more than 50 million Facebook users, without their consent, to build its own behavioral models to target potential voters in various political campaigns. The company has worked for a political action committee started by John R. Bolton, who served in the George W. Bush administration, as well as for President Trump's presidential campaign in 2016. "We find your voters and move them to action," the company boasts on its website.

ACLU sues TSA over searches of electronic devices (TechCrunch, 12 March 2018) - The American Civil Liberties Union of Northern California has filed a Freedom of Information Act lawsuit against the Transportation Security Administration over its alleged practices of searching the electronic devices of passengers traveling on domestic flights. "The federal government's policies on searching the phones, laptops, and tablets of domestic air passengers remain shrouded in secrecy," ACLU Foundation of Northern California attorney Vasudha Talla said in a blog post. The lawsuit, which is directed toward the TSA field offices in San Francisco and its headquarters in Arlington, Virginia, specifically asks the TSA to hand over records related to its policies, procedures and/or protocols pertaining to the search of electronic devices. This lawsuit comes after a number of reports came in pertaining to the searches of electronic devices of passengers traveling domestically. The ACLU also wants to know what equipment the TSA uses to search, examine and extract any data from passengers' devices, as well as what kind of training TSA officers receive around screening and searching the devices. [see also, US border searches of electronic devices: Recent developments and lawyers' ethical responsibilities (ABA, 13 March 2018) - by Keith Fisher (and, as always, worth reading)]

Historical Supreme Court cases now online (Library of Congress, 13 March 2018) - More than 225 years of Supreme Court decisions acquired by the Library of Congress are now publicly available online - free to access in a page image format for the first time. The Library has made available more than 35,000 cases that were published in the printed bound editions of United States Reports (U.S. Reports). United States Reports is a series of bound case reporters that are the official reports of decisions for the United States Supreme Court dating to the court's first decision in 1791 and to earlier courts that preceded the Supreme Court in the colonial era. The Library's new online collection offers access to individual cases published in volumes 1-542 of the bound edition. This collection of Supreme Court cases is fully searchable. Filters allow users to narrow their searches by date, name of the justice authoring the opinion, subject and by the main legal concepts at issue in each case. PDF versions of individual cases can be viewed and downloaded. The collection is online at loc.gov/collections/united-states-reports/. The digital versions of the U.S. Reports in the new collection were acquired by the Law Library of Congress through a purchase agreement with William S. Hein & Co. Inc. The acquisition is part of the Law Library's transition to a digital future and in support of its efforts to make historical U.S. public domain legal materials freely and easily available to Congress and the world. Users can access this collection from a link on loc.gov and law.gov. More recent editions of the U.S. Reports from 1987 to the present are available online from the U.S. Supreme Court. The U.S. Reports digital collection augments other legal collections made available online during the past year, including the U.S. Code from 1925 to 1988. Other newly digitized collections include the papers of U.S. Presidents James Buchanan, Ulysses S. Grant, Millard Fillmore, Franklin Pierce and James K. Polk; and the papers of Alexander Hamilton, Sigmund Freud and Margaret Bayard Smith. [Polley: Spotted by MIRLN reader Carl Malamud - @carlmalamud]

A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try. (NYT, 15 March 2018) - In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm's operations and trigger an explosion. The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised. Investigators have been tight-lipped about the August attack. They still won't identify the company or the country where it is based and have not identified the culprits. But the attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation. The only thing that prevented an explosion was a mistake in the attackers' computer code, the investigators said. The assault was the most alarming in a string of cyberattacks on petrochemical plants in Saudi Arabia. In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, which is one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical. Within minutes of the attack at Tasnee, the hard drives inside the company's computers were destroyed and their data wiped clean, replaced with an image of Alan Kurdi, the small Syrian child who drowned off the coast of Turkey during his family's attempt to flee that country's civil war. The intent of the January attacks, Tasnee officials and researchers at the security company Symantec believe, was to inflict lasting damage on the petrochemical companies and send a political message. Recovery took months. Energy experts said the August attack could have been an attempt to complicate Crown Prince Mohammed bin Salman's plans to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country's growing youth population. A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon's Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations. All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico - though not triggered by hackers - have killed several employees, injured hundreds and forced evacuations of surrounding communities. What worries investigators and intelligence analysts the most is that the attackers compromised Schneider's Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. The Triconex system was believed to be a "lock and key operation." In other words, the safety controllers could be tweaked or dismantled only with physical contact.

Initial estimates show digital economy accounted for 6.5 percent of GDP in 2016 (NTIA, 15 March 2018) - The Bureau of Economic Analysis released, for the first time, preliminary statistics and an accompanying report exploring the size and growth of the digital economy. Goods and services that are primarily digital accounted for 6.5 percent of the U.S. economy, or $1.2 trillion, in 2016, after a decade of growing faster than the U.S. economy overall, BEA's research shows. These new estimates are supported in part by funding from NTIA. From 2006 to 2016, the digital economy grew at an average annual rate of 5.6 percent, outpacing overall U.S. economic growth of 1.5 percent per year. In 2016, the digital economy supported 5.9 million jobs, or 3.9 percent of total U.S. employment. Digital economy employees earned $114,275 in average annual compensation compared with $66,498 per worker for the total U.S. economy.

Election infrastructure ISAC created to share threats specific to voting systems (CyberScoop, 16 March 2018) - States and localities are getting a new, Department of Homeland Security-backed center to coordinate and share information on election security. The Elections Infrastructure Information Sharing and Analysis Center (ISAC) was announced Thursday, giving the nation's 8,800 state and local jurisdictions a dedicated venue to share information about cyberthreats and vulnerabilities specific to election systems and remote security monitoring capabilities. DHS has tasked the nonprofit Center for Internet Security with establishing and running the ISAC. CIS already runs the Multi-State ISAC, which states have been using to coordinate on election security in lieu of any official. Other ISACs exist for DHS's critical infrastructure sectors, such as the financial services, electricity and aviation industries. DHS designated election systems as a subsector of the country's critical infrastructure in early 2017 when the intelligence community concluded that Russia tried to interfere in the 2016 presidential election. While that designation was initially met with skepticism on the state and local level, officials now say that it has improved election security coordination across levels of government.

Democrats want to subpoena Apple to find out when key administration officials downloaded encrypted messaging apps (The Intercept, 17 March 2018) - On Wednesday, House Democrats on the Intelligence Committee released a memo laying out the steps they would have taken had they been in charge of the Trump-Russia investigation - and steps they may take if and when they gain subpoena power by taking over the House of Representatives in November. Down on Page 20 of the memo is a pair of ideas that could put Congress on a collision course with privacy advocates in Silicon Valley. "Apple: The Committee should seek records reflecting downloaded encrypted messaging apps for certain key individuals," the memo suggests. "The Committee should likewise issue a subpoena to WhatsApp for messages exchanged between key witnesses of interest." The committee said that it would also seek to find out "all messaging applications that Mr. [Jared] Kushner used during the campaign as well as the presidential transition, including but not limited to SMS, iMessage, Whatsapp, Facebook Messenger, Signal, Slack, Instagram, and Snapchat." The committee may also consider adding ProtonMail, the encrypted email service, to that list. One White House staffer, Ryan P. McAvoy, jotted his ProtonMail passwords and his address on a piece of White House stationery and left it at a bus stop near the White House. A source found it there and provided it to The Intercept, which confirmed its authenticity. (McAvoy did not respond to requests for comment.)

Big Four giant PwC announces blockchain auditing service (CCN, 17 March 2018) - PricewaterhouseCoopers LLP, a Big Four accounting firm that has supported various blockchain projects, has announced a blockchain audit service that it claims will encourage people to use the still-new technology, according to The Wall Street Journal. The service will allow companies to offer an outside review of their use of blockchain technology, thereby ensuring they are using it properly and enabling employees to monitor the company's blockchain transactions. PwC recognizes the obstacles to the technology's adoption. These include concerns about compliance within companies and organizations, as well as concerns about risk management and corporate controls. While blockchain is often considered tamper-proof, its adoption presents issues similar to those of deploying any information technology. In recognizing such concerns among its own clients who were starting to use blockchain technology, PwC was motivated to develop its new solution. PwC logs transactions on the blockchain and has developed testing criteria and controls. The service will allow users within a company to view, test and monitor transactions on the blockchain in near real time. One customer is a major stock exchange that needs to verify its blockchain-based payment process. Another customer, a digital wallet provider, is using the product to verify its transaction processing. PwC declined to identify these two customers.

'Netflix for oil' setting stage for $1 trillion battle over data (Bloomberg, 19 March 2018) - A battle for big data is brewing in the oil patch. The service companies that map underground pockets of oil, drill the wells and lift crude from miles below are generating vast new amounts of data they never before realized could be valuable. But their exploration customers are essentially saying hands off to anything coming out of their wells, including the streams of zeros and ones. "There's no doubt to me, we are producing two resources: the oil and gas, and the data," said Philippe Herve, a Schlumberger Ltd. veteran who now helps oil companies use artificial intelligence at SparkCognition. "The oil and gas is very clear: it belongs to the operator. But who owns the data?" Answering that question will mean real money for a global industry climbing out of the worst crude crash in a generation. An industry that only uses about 1 percent of the data it generates, according to Baker Hughes, is trying to harness it to see where to pump more oil faster for less money. Transforming to a digital oil field could add almost $1 trillion to the world's economy by 2025, according to a 2015 study by Oxford Economics and Cisco Consulting Services. To the service companies specifically, owning the data -- enough to fill 20 million file cabinets since 2010 alone -- would mean a whole new revenue stream, perhaps as they sell subscriptions to huge data libraries. "It's like Netflix for oil and gas," said John Gibson, an advisor at Tudor Pickering Holt & Co. who previously ran the oil-services business for Halliburton Co. "Imagine that all data is like a movie that many different people want to watch, but they want to watch it at different times." To the producers, though, owning that data means one less check they'd have to write. And it would ensure competing producers couldn't see their data while stealthily moving into a new field. EOG Resources Inc., dubbed by one of its analysts as the Apple Inc. of the oilfield, is widely considered a leader among explorers for bypassing oilfield service companies to generate its own in-house innovations. "Data is king and one of our most valuable resources," Sandeep Bhakhri, chief information and technology officer at EOG told investors on a conference call last year. "You have to own the data. You cannot outsource its collection, analysis or delivery." [Polley: Fascinating; I was in the business 14 years ago, and am surprised this issue isn't well-settled.]

Results may vary in legal research databases (ABA Journal, March 2018) - When a lawyer searches in a legal database, that single search box is like a lure: Put in your search terms and rely on the excellence of the search algorithms to catch the right fish. At first glance, the various legal research databases seem similar. For instance, they all promote their natural language searching, so when the keywords go into the search box, researchers expect relevant results. The lawyer would also expect the results to be somewhat similar no matter which legal database a lawyer uses. After all, the algorithms are all trying to solve the same problem: translating a specific query into relevant results. The reality is much different. In a comparison of six legal databases (Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel and Westlaw), when researchers entered the identical search in the same jurisdictional database of reported cases, there was hardly any overlap in the top 10 cases returned in the results. Only 7 percent of the cases were in all six databases, and 40 percent of the cases each database returned in the results set were unique to that database. It turns out that when you give six groups of humans the same problem to solve, the results are a testament to the variability of human problem-solving. If your starting point for research is a keyword search, the divergent results in each of these six databases will frame the rest of your research in a very different way.

Former Google legal heads launch Privacy Compliance Hub (Legal Technology, 20 March 2018) - Two former heads of legal at Google have launched a Privacy Compliance Hub, which is designed to take organisations through their data obligations in a step-by-step fashion in order to keep compliance in the hands of the business, not outside consultants or lawyers. Nigel Jones and Karima Noren - who once upon a time were director of legal EMEA and head of emerging markets respectively, but in the past few years have had a fairly entrepreneurial career path (latterly co-founding legal consultancy The Legal Pod) - created the Privacy Compliance Hub in January to aid the process of data compliance and create a culture of privacy compliance within a business, inevitably using GDPR as a hook. Using a team of 'privacy champions' appointed from within the organisation, a compliance programme is followed using a methodology and privacy plan which are supplied within the hub. This takes the privacy champions through what they need to do in a structured, step-by-step fashion, recording each step of the organisation's compliance journey as they go along. The hub provides straightforward guidance and over 30 template documents, which are linked to key steps of the plan. [Polley: super expensive; I'm curious if anybody has seen the product.]

Think cryptocurrency is confusing? Try paying taxes on it (NYT, 21 March 2018) - The room was full of stressed-out cryptocurrency traders. And for once, they weren't nervous about the price of Bitcoin, or the roller coaster swings of the virtual currency markets. No, the subject of this gloomy affair was taxes. Specifically, how - and whether - to pay them. With this year's April 17 tax filing deadline fast approaching, many virtual currency traders are sweating over their tax returns. They're confused by the complicated rules, many of them stemming from guidelines issued by the I.R.S. in 2014, governing the taxation of virtual currencies. They're afraid that the windfall profits created by last year's cryptocurrency boom, which sent currencies like Bitcoin and Ether skyrocketing and created a new class of crypto-millionaires, have left them with huge tax bills. And, of course, they're worried about drawing the eye of the Internal Revenue Service. Taxes have become an increasingly divisive topic among cryptocurrency fans. On Reddit forums devoted to cryptocurrency trading, some users exchange tips for dodging their tax obligations, including a method of hiding their assets by converting them into "privacy coins," such as Monero, which are designed to be opaque and untraceable. They argue about whether the I.R.S. could use the blockchain, the digital ledger that records all Bitcoin transactions, to identify tax evaders in the future. And they ask for tax advice on complex situations, such as fly-by-night cryptocurrency exchanges that vanish suddenly, erasing the records of users' transactions.

What is ProtonMail, the service used by Cambridge Analytica to cover its tracks? (Mashable, 21 March 2018) - Cambridge Analytica - the data analytics firm that came under fire this weekend for maliciously collecting information on 50 million Facebook users - reportedly used a self-destructing, encrypted email service called ProtonMail to cover its tracks, covering up correspondence between the company and third parties, according to an investigation published Wednesday. The firm set emails to self-delete after two hours and urged clients to use the service as well, per footage captured of former CEO Alexander Nix talking to a journalist posing as a would-be client. "I'd like you to set up a ProtonMail account, please," Nix said, "because these are, now it's getting quite sensitive." "We set our ProtonMail emails with a self-destruct timer," he continued. "So you send them, and after they've been read, two hours later they disappear." So how does ProtonMail work? Just like any normal email service. Go to their website, sign up for an account, and you're in. Their free service has some restrictions, though. You only get 500 MB of storage and can only send 150 messages per day. If you upgrade to the Plus plan (for 4.00 € or about $4.91 per month), you get 5 GB of storage, 1,000 sent messages per day, and a slew of other perks. * * * All of this sounds a tad bit shady, no? Which brings us to the next question: How does ProtonMail get away with it? The answer is its email servers, which are based in Switzerland. Yes, it's something the company touts loudly on its website. On its homepage, it says, "ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws." ProtonMail purports to be so secure that no one but you can access your email. They even make it explicit that ProtonMail couldn't read your messages if it wanted to. The company says that since all of the data is stored outside the realm of "intrusive" U.S. laws, only encrypted messages could be handed over. * * * [Polley: see also, Russian court says Telegram must hand over encryption keys to state intelligence service (TechDirt, 21 March 2018); and Kaspersky Lab plans Swiss data center to combat spying allegations - documents (Reuters, 21 March 2018)]

NOTED PODCASTS/MOOCS

Slow Burn: A Podcast About Watergate (Slate) - You think you know the story, or maybe you don't. But Watergate was stranger, wilder, and more exciting than you can imagine. What did it feel like to live through the scandal that brought down a president? Join Leon Neyfakh for an eight-episode podcast miniseries that tells the story of Watergate as it happened, and asks, if we were living through Watergate, would we know it? [Polley: 8 episodes (about 3 hours); fantastic. If you lived thru Watergate, this'll take you back to what it was like as the scandal slowly became clear; instructive for our current times.]

The Accuracy, Fairness, and Limits of Predicting Recidivism (Harvard Berkman video, 6 March 2018; 56 mins) - Algorithms for predicting recidivism are commonly used to assess a criminal defendant's likelihood of committing a crime. Proponents of these systems argue that big data and advanced machine learning make these analyses more accurate and less biased than humans. However, our study shows that the widely used commercial risk assessment software COMPAS is no more accurate or fair than predictions made by people with little or no criminal justice expertise.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Egypt 'to copyright antiquities' (BBC, 25 Dec 2007) - Egypt's MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt's Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. "Commercial use" of ancient monuments like the pyramids or the sphinx would also be controlled, he said. "Even if it is for private use, they must have permission from the Egyptian government," he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas.

Science journal won't publish papers because authors want to put them on Wikipedia (TechDirt, 19 March 2008) - Over the last few months, we've been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we've definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn't allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims.