Friday, April 15, 2016

MIRLN --- 27 March - 16 April 2016 (v19.06)

MIRLN --- 27 March - 16 April 2016 (v19.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Pentagon cut off access to personal email to fight malicious message (NextGov, 23 March 2016) - Pentagon officials last week cut off employee access to private webmail after a malicious, pervasive email campaign was spotted. Employees could not log on to commercial webmail services from the military's network for about 48 hours beginning Thursday night, according to the Defense Department. The Defense Information Systems Agency, which operates the Department of Defense Information Network, severed connections, by direction of U.S. Cyber Command. Defense restored access over the weekend. "The decision to temporarily block commercial webmail services was a result of a recent, widespread phishing effort," agency spokesman Jeffrey Capenos told Nextgov in an email Wednesday.


FBI is pushing back against judge's order to reveal TOR browser exploit (Motherboard, 29 March 2016) - Last month, the FBI was ordered to reveal the full malware code used to hack visitors of a dark web child pornography site. The judge behind that decision, Robert J. Bryan, said it was a "fair question" to ask how exactly the FBI caught the defendant. But the agency is pushing back. On Monday, lawyers for the Department of Justice filed a sealed motion asking the judge to reconsider, and also provided a public declaration from an FBI agent involved in the investigation. In short, the FBI agent says that revealing the exploit used to bypass the protections offered by the Tor Browser is not necessary for the defense and their case. The defense, in previous filings, has said they want to determine whether the network investigative technique (NIT), the FBI's term for a hacking tool, carried out additional functions beyond those authorised in the warrant. "Tsyrklevich claims that he requires access to the government's 'exploit' to determine if the government 'executed additional functions outside the scope of the NIT warrant,'" Special Agent Daniel Alfin writes. He is referring to Vlad Tsyrklevich, a malware expert held by the defense to analyse the NIT. In January, the defense did receive some of the NIT code, but not sections that would ensure that the identifier issued to the suspect's NIT-infection was unique, and the exploit used to break into the computer.


Google and Oracle lawyers who research jurors online must disclose it, judge rules (ABA Journal, 29 March 2016) - A federal judge has asked lawyers for Google and Oracle to voluntarily agree to a ban on Internet research on potential jurors or to disclose the extent of their online searches during jury selection. U.S. District Judge William Alsup offered that choice to lawyers in an order (PDF) on Friday. He ruled in advance of a second trial in May on Oracle's claim that Google used Oracle's copyrighted code in the Android operating system. Alsup said he decided to give lawyers the choice after realizing the reason they wanted more time to review a two-page juror questionnaire was so they could "scrub Facebook, Twitter, LinkedIn, and other Internet sites to extract personal data on the venire." He gave the lawyers until March 31 to decide whether they will agree to a ban. If the lawyers opt to conduct the searches, their juror disclosure "shall not explain away their searches on the ground that the other side will do it, so they have to do it too," Alsup wrote. "Nor may counsel intimate to the venire that the court has allowed such searches and thereby leave the false impression that the judge approves of the intrusion." Alsup said the disclosure should include how the lawyers will research jurors' social media accounts before and during the trial. Potential jurors would be told, however, that Google won't be mining their Internet searches. The lawyers would also have to keep a record of every search and all information viewed. Alsup acknowledged the online searches could turn up information that aids the lawyers in their peremptory challenges and could even lead to a for-cause removal of a potential juror. But Alsup saw potential problems with the searches. First, he wrote, jurors who learn of lawyers' own searches could be tempted to "stray from the court's admonition to refrain from conducting Internet searches on the lawyers and the case." 
Second, Alsup said, lawyers could use their Internet research to make improper personal appeals to particular jurors. "For example," he wrote, "if a search found that a juror's favorite book is To Kill A Mockingbird, it wouldn't be hard for counsel to construct a copyright jury argument (or a line of expert questions) based on an analogy to that work and to play upon the recent death of Harper Lee, all in an effort to ingratiate himself or herself into the heartstrings of that juror. The same could be done with a favorite quote or with any number of other juror attitudes on free trade, innovation, politics or history."


Hackers breach law firms, including Cravath and Weil Gotshal (WSJ, 29 March 2016) - Hackers broke into the computer networks at some of the country's most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter. The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more. It isn't clear what information the hackers stole, if any, but the focus of the investigation is on whether confidential data were taken for the purpose of insider trading, according to a person familiar with the matter. Cravath said the incident, which occurred last summer, involved a "limited breach" of its systems and that the firm is "not aware that any of the information that may have been accessed has been used improperly." The firm said its client confidentiality is sacrosanct and that it is working with law enforcement as well as outside consultants to assess its security. A spokeswoman for Weil Gotshal declined to comment. The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading. The potential vulnerability of law firms is raising concerns among their clients, who are conducting their own assessments of the firms they hire, according to senior lawyers at a number of firms. One of the trickiest questions for law firms is when they are required to publicly disclose a data breach. Forty-seven US states have their own breach-notification laws, forcing law firms and other companies to navigate a patchwork of different rules.


- and -

Cybercriminals target 50 BigLaw firms for phishing attacks seeking corporate deal info (ABA Journal, 30 March 2016) - A would-be securities fraud broker has spotlighted methods used in attempts to penetrate law firm computer systems, by seeking help with his project on a cybercriminal forum, authorities say. A post earlier this year by "Oleras," who lives in the Ukraine, outlined a plan to target nearly 50 BigLaw firms, most of them based in the U.S., in an attempt to get hold of documents that reveal information about pending corporate deals, Crain's Chicago Business (sub. req.) reports. Offering to pay a hacker $100,000 plus half the profits after the first $1 million, the broker outlined a plan to do keyword searches in law firm computer networks for documents likely to contain merger information. But first the hacker would have to get access to the law firm computer networks, and to do that the broker apparently suggested spear-phishing attacks on employees whose names, email addresses and social media account information were provided. In another post, Oleras listed eight attorneys at major firms to target in a different phishing attack. It would purportedly seek to profile the lawyers in a trade magazine article on top mergers and acquisitions practitioners, the Crain's article says.


- and -

Cravath admits breach as law firm hacks go public (American Lawyer, 30 March 2016) - While it's no secret that law firms are often targeted by cybercriminals seeking sensitive client information, it's rare for breaches to become public. But not this week. The Wall Street Journal reported Tuesday that hackers had gained access to the computer networks of law firms working on M&A deals, including Cravath, Swaine & Moore and Weil, Gotshal & Manges. A Weil spokeswoman declined to comment, but Cravath confirmed that the firm identified a "limited breach of its IT systems" in the summer of 2015. Also this week, Crain's Chicago Business reported that dozens of law firms were targeted by a Russian hacker seeking information on M&A deals. The cybercriminal, going by the name of "Oleras," was discovered soliciting help from other hackers to try to gain access to computer systems at 48 firms, nearly all of which are among The Am Law 100. When contacted by The American Lawyer, some firms said they became aware of the incident either in late 2015 or earlier this year. Wachtell, Lipton, Rosen & Katz; Paul, Weiss, Rifkind, Wharton & Garrison; Goodwin Procter; Shearman & Sterling; Pillsbury; and Kaye Scholer, which were all named in the Russian threat report, said they had no reason to believe that any of their information had been compromised. Many other firms declined to comment. Douglas Ellenoff, a founding partner at the 69-lawyer M&A firm Ellenoff Grossman & Schole, said that he found out his firm was on the target list Wednesday after reading the Crain's article. "We were surprised our name was on that particular list," he said, adding that it would have been a nice courtesy if he found out earlier. A partner at another of the targeted firms, who did not want to be identified for fear of inviting other attacks, said his firm sees "many, many phishing attempts." 
Cybersecurity professionals said that what's new about these hacks and attempted attacks is that they've been disclosed, willingly or not. Law firms will go to great lengths to keep attempted and successful hacks secret, because any sign that the data they store isn't secure can result in a "huge loss of customer confidence," said Austin Berglas, former head of the FBI's cyber branch in New York. "I think that the majority of the law firms don't even know that they're compromised," said Berglas, who now leads the cyber investigations and incident response team at K2 Intelligence. He added that law firms are traditionally understaffed in cybersecurity, compared with large corporations and banks. [Polley: emphasis supplied.]


- and -

Law firm data breaches besiege client confidentiality (Legal Tech News, 31 March 2016) - In the wake of recently exposed law firm data breaches among several of the Am Law 100 emerges a larger issue around managing client confidentiality, one of the bedrocks of law firms' responsibilities. In the modern digital world, it is also becoming more of a complex challenge, which is the topic of a recent whitepaper released by Delta-Risk, a cybersecurity consulting company based in Washington, D.C. And nowhere is the concern over client confidentiality perhaps more pronounced than in the industry's vulnerabilities to cyberthreats. Law firms are some of the most attractive targets for cyberattackers, the whitepaper notes, because they handle a variety of sensitive information, from "potential mergers and acquisitions, patent and trade secrets, litigation plans, and generally very specific and confidential information on clients and their dealings." While law firms have kept hush about it, data breaches at law firms actually date back several years: For example, in 2010, California-based law firm Gipson, Hoffman & Pancione was the target of malicious phishing emails from Chinese hackers shortly after filing a software piracy lawsuit against the government and the country's firms. The firm was quickly able to identify the malware and prevent any data infiltration. In 2012, however, Chinese hackers successfully breached Washington D.C. firm Wiley Rein, which represented Solarworld in an antidumping case against the country, as a part of a wider cyberattack effort. Gipson, Hoffman & Pancione and Wiley Rein declined to comment for this article. But that is not unusual, said Joseph Abrenio, vice president of commercial services at Delta-Risk, who is also president of the Midwest Cybersecurity Alliance. He noted that firms are usually hesitant to disclose breaches due to legal, ethical, and as important, branding issues. The number of breaches at law firms, he believes, is higher than what is usually reported.


- and -

GCs are aghast over hacks at top law firms (American Lawyer, 31 March 2016) - A general counsel often has some control over cybersecurity efforts within her corporation. But several cybercrimes reported this week show that now she needs to scrutinize the company's outside law firms as well. Consider these news items, all published in the past five days: * * * Outside counsel and GCs have known since an FBI warning in 2011 that law firms were becoming a major target of hackers because the firms hold a treasure of corporate information, such as upcoming M&As along with copyright and patent data on new creations. "But now we know how severely law firms are being targeted," says attorney Sharon Nelson, who is president of Sensei Enterprises Inc., a digital forensics and information security firm in Fairfax, Virginia. Because everyone is vulnerable to an attack, "the general counsel usually wants to work hand in glove with the hacked law firm," Nelson says. * * * [Polley: This story has a better headline than body. Still, great headline.]


- and -

'Panama Papers' put spotlight on law firm data security (American Lawyer, 4 April 2016) - Experts warned that law firms need to "up their game" on data security after millions of documents showing apparent tax evasion and money laundering by wealthy individuals and companies were leaked from Panama offshore firm Mossack Fonseca. The Panama Papers leak is reportedly the biggest ever data breach and calls into question the ability of law firms to protect clients' data. Benedict Hamilton, Europe, Middle East and Africa managing director of risk consultant Kroll Experts, said that although firms are already taking security measures to protect private data, much more still needs to be done. "I definitely think they need to up their game on data security... I don't think they are doing nearly enough," said Hamilton. "No company can totally protect itself against an employee abusing trust, but there are things you can do that make it harder for people to leak documents." Ropes & Gray privacy and data security partner Rohan Massey said: "The risk we have is incredibly real and we are now as a sector being targeted because of the sensitivity of the information we hold. "As a profession we do need to ensure that our houses are safe and maybe we lag behind because we focus on clients." Philip Lieberman, president of Lieberman Software, said clients should be aware of the risks of law firm data breaches and satisfy themselves that a firm has necessary security measures in place before trusting them with information. "There are some law firms with excellent automated and adaptive cyber defence capabilities, but many are stuck in the dark ages of wigs, candles to read by, and quill pens to write with," he added. [Polley: This was reportedly due to a former employee, and not a hack: see Former-employee curse: How to prevent your company from becoming the next Mossack Fonseca (Business Insights, 11 April 2016)]


- and -

7 lessons from the Panama Papers leak (Dark Reading, 5 April 2016) - Although many people are rejoicing in the Panama Papers outing of illegal and unethical activity by rich and powerful individuals and companies across the globe, information security professionals can also take the opportunity to learn a few lessons. The International Consortium of Investigative Journalists (ICIJ), Monday, published a report based upon a yearlong study into an enormous store of 11.5 million documents -- 2.6 TB of data, mostly emails -- leaked from Panamanian law firm Mossack Fonseca. The leaked data reveals secret information about the offshore holdings of political leaders and crime lords alike, and has exposed illegal practices used to hide wealth, disguise sources of wealth, and evade taxes. A separate report last week revealed that hackers have also been attacking law firms and banks in the United States, and the FBI is investigating to see if the attacks have resulted in insider trading. With that in mind, here are a few things all organizations, and perhaps law firms in particular, should keep in mind. * * * [Polley: perhaps obvious, but still useful.]


Appeals Court: No stingrays without a warrant, explanation to judge (ArsTechnica, 31 March 2016) - On Wednesday, the Maryland Court of Special Appeals published a legal opinion finding that state police must not only obtain a warrant before deploying a cell-site simulator, but are required to also fully explain to the court what exactly the device does and how it is used. In recent years, stingray use has come under increasing scrutiny, with several states including California, Washington, Virginia, Minnesota, and Utah now mandating a warrant be issued for their use. Last year, the Department of Homeland Security and the Department of Justice also imposed new policies that require a warrant for stingray use in most cases. In an e-mail to Ars, American Civil Liberties Union attorney Nathan Wessler called Wednesday's opinion the "first appellate opinion in the country to fully address the question of whether police must disclose their intent to use a cell site simulator to a judge and obtain a probable cause warrant."


Could the election be hacked? (Government Technology, 31 March 2016) - With the surge in data breaches over the past several years, the prevailing wisdom is that no online data is completely safe from hackers. Banks, governments, insurance companies and small businesses globally have lost billions of dollars to cybercrime. Which leads to the big question that's being asked with renewed fervor: Could the 2016 presidential election be disrupted, or somehow manipulated, via unauthorized computer hacking or denial of service attacks? Related situations have come up several times in the past year. Concerns were raised following the Iowa caucuses in February after a new Microsoft vote-tallying app failed in certain parts of the state. The Des Moines Register reported these troubles: "Too many accounts have arisen of inconsistent counts, untrained and overwhelmed volunteers, confused voters, cramped precinct locations, a lack of voter registration forms and other problems." Still, no hacker "foul play" was insinuated. After the hanging chads from the Florida election in November 2000 and the dozens of nationwide contested elections over the past decade, no one wants to wake up to a huge cybermess that involves the word "hacking" on Nov. 9, 2016. Therefore, this election tampering issue has been raised by commentators from both ends of the political spectrum. The Huffington Post mentioned six ways hackers could disrupt an election, including hacking a voting machine, shutting down the voting system or election agencies, and deleting or changing election records. Meanwhile, Fox News proclaimed that "ballot machines are easy targets." Pointing to a report by the Commonwealth Security and Risk Management Directorate for the Virginia Information Technologies Agency, experts recently insisted that old technology could impact election results. 
A 2015 report from the Brennan Center for Justice said that in this year's election, 43 states will use electronic voting machines that are at least 10 years old and reaching the end of their expected lifespan. A member of the U.S. Election Assistance Commission told the report's authors, "We're getting by with Band-Aids." So what efforts are being made to ensure a safe and reliable election count? In 2012, CountingVotes.org looked at election preparedness state-by-state. The answer is that every state has taken specific actions to ensure that public trust and integrity in the voting process is maintained. [Polley: This is one of my greatest fears; there's a lot of money involved, and even more money potentially to be had (or lost) depending on the way governments go. It'd be naive to assume that this isn't under some kind of active consideration, somewhere.]


Reddit hints that US now spying on its customers (CNN, 1 April 2016) - It seems that the federal government has made a demand -- in a controversial secret court -- to spy on Reddit users. Normally, the discussion website Reddit would never be allowed to even acknowledge that it received such a request. But thanks to a legal hack, the company has tipped off its customers. Federal agencies have a tool of mass surveillance called a "National Security Letter." It's a formal request that's usually issued by the FBI to an American company seeking information about customers. The legal demand is approved by a federal judge sitting on the Foreign Intelligence Surveillance Act court -- whose proceedings are kept secret -- and the subject company must stay absolutely silent about it. Ever since ex-NSA contractor Edward Snowden in 2013 revealed the extent of U.S. government surveillance, some technology companies have adopted a legal hack to alert the public when they receive these secret demands for information. It's called a "warrant canary." Here's the logic: Although a company can't say when it has received a National Security Letter, it can say when it has not received one. So, some companies have included special language in public statements saying things like, "We haven't received an NSL yet." The idea is, when an NSL comes around, the language disappears. It's like a canary in a coal mine that dies when exposed to toxic gas. Only a few companies -- mostly high tech ones that have a strong pro-privacy stance -- have adopted this, such as websites Pinterest, Reddit, and Tumblr, software maker Adobe, phone maker Silent Circle, and mobile cybersecurity company Lookout. In Reddit's case, the company previously included this language in its 2014 "transparency report," which documented how many times governments have requested information on Reddit users. "As of January 29, 2015, reddit has never received a National Security Letter," the company wrote then. 
"If we ever receive such a request, we would seek to let the public know it existed." That language disappeared in its next transparency report. Reuters was the first to discover this. Reddit did not respond to requests for comment.
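The canary logic described above, as an added example that is not Reddit's code and not part of the CNN piece: a small monitor that looks for the canary sentence in a transparency report, parses its "As of" date, and treats a stale canary the same as a missing one, since a statement that silently stops being refreshed tells a reader as much as one that disappears. The organisation name "ExampleCo", the two report texts and the 400-day age limit are constructed for the example; the sentence pattern is modelled on the wording quoted in the article.

```python
"""Warrant-canary monitor (added example; not Reddit's code).

A canary is informative only if it is present, worded as expected and
dated recently enough. A statement that stops being refreshed is as
telling as one that disappears, so freshness is checked as well as
presence. The organisation name, report texts and age limit below are
constructed for this example.
"""
import re
from datetime import date, datetime

# Expected canary sentence, modelled on the wording quoted in the article.
CANARY_RE = re.compile(
    r"As of (?P<date>[A-Z][a-z]+ \d{1,2}, \d{4}), (?P<org>\S+) has never "
    r"received a National Security Letter"
)

# Constructed sample reports for a hypothetical organisation "ExampleCo".
REPORT_PRIOR = """Transparency Report (constructed sample)
As of January 29, 2015, ExampleCo has never received a National Security Letter.
If we ever receive such a request, we would seek to let the public know it existed.
"""
REPORT_NEXT = """Transparency Report (constructed sample)
Below we list the government requests for user information received this year.
"""


def parse_canary(text):
    """Return (org, as_of ISO date string) if the canary sentence is present, else None."""
    m = CANARY_RE.search(text)
    if m is None:
        return None
    as_of = datetime.strptime(m.group("date"), "%B %d, %Y").date()
    return m.group("org"), as_of.isoformat()


def check_canary(text, today, max_age_days=400):
    """Classify a report as 'alive', 'stale' or 'missing'.

    today is an ISO date string. max_age_days is the longest gap between the
    canary's "As of" date and today that is still consistent with the
    publisher's normal reporting cadence; beyond it the canary is stale.
    """
    parsed = parse_canary(text)
    if parsed is None:
        return {"status": "missing", "org": None, "as_of": None, "age_days": None}
    org, as_of = parsed
    age = (date.fromisoformat(today) - date.fromisoformat(as_of)).days
    status = "stale" if age > max_age_days else "alive"
    return {"status": status, "org": org, "as_of": as_of, "age_days": age}


def canary_alarm(prior_text, current_text, today, max_age_days=400):
    """True when a canary that existed in the prior report is no longer alive now.

    Both the removed-canary case (the article's scenario) and the
    never-updated case raise the alarm; a report that never carried a
    canary cannot raise one, because there is nothing to compare against.
    """
    had_canary = parse_canary(prior_text) is not None
    now = check_canary(current_text, today, max_age_days)["status"]
    return had_canary and now != "alive"


if __name__ == "__main__":
    for label, text in (("prior", REPORT_PRIOR), ("next", REPORT_NEXT)):
        print(label, check_canary(text, "2016-04-01"))
    print("alarm:", canary_alarm(REPORT_PRIOR, REPORT_NEXT, "2016-04-01"))
```

The age check is the part most monitors skip: a company can satisfy a naive "is the sentence still there" test indefinitely by never touching the page, so the monitor should also fail when the "As of" date falls outside the cadence the publisher has committed to.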


The Internet's lowercase demotion by AP Stylebook upsets the internets (Mashable, 2 April 2016) - The end of an era is coming: As of June 1, Internet will no longer be capitalized. No, there's no law mandating the change, and the Internet will still be a thing, you'll just start to notice a difference in the way the word appears on many websites. The update reflects a shift in the Associated Press Stylebook, the writing bible for many journalists in the U.S. So while a large number of websites that don't use the AP Stylebook as a guide will continue to write the word as they see fit, for many others, readers will need to get used to seeing the word as "internet." The change is being met with gratitude by some, and protest by others. In fact, if you keep scrolling through the responses to AP's tweet on Saturday, the debate about the change is incredibly civil and packed with good points. [Polley: Wired Magazine ran a story advocating for lower-case "internet" back in 2004; wouldn't you know it but the URL for that story is dead: http://www.wired.com/culture/lifestyle/news/2004/08/64596 .]


Publishers dealt another loss in copyright lawsuit (InsideHigherEd, 4 April 2016) - A U.S. district court judge has once again taken a look at three publishers' case against Georgia State University's e-reserve and ruled that, in 41 of 48 cases, no copyright infringement took place. The ruling, a 220-page walk-through that applies the four-part fair-use test to each of the 48 cases, is seen by copyright experts as a complicated decision that won't be of much help to universities in determining fair use, as it relies on revenue data not normally available. Still, observers described it as a win for proponents of fair use and another loss for the publishers. "This ruling, like each ruling in the case, is clearly a disaster for the plaintiff publishers," Kevin Smith, director of the office of copyright and scholarly communication at Duke University, said in a blog post. "Once again it establishes that there is significant space for fair use in higher education, even when that use is not transformative. Nevertheless, it is a difficult victory for libraries, in the sense that the analysis it uses is not one we can replicate; we simply do not have access to the extensive data about revenue, of which [U.S. District Judge Orinda D. Evans] makes such complex use."


Website seeks to make government data easier to sift through (NYT, 4 April 2016) - For years, the federal government, states and some cities have enthusiastically made vast troves of data open to the public. Acres of paper records on demographics, public health, traffic patterns, energy consumption, family incomes and many other topics have been digitized and posted on the web. This abundance of data can be a gold mine for discovery and insights, but finding the nuggets can be arduous, requiring special skills. A project coming out of the M.I.T. Media Lab on Monday seeks to ease that challenge and to make the value of government data available to a wider audience. The project, called Data USA, bills itself as "the most comprehensive visualization of U.S. public data." It is free, and its software code is open source, meaning that developers can build custom applications by adding other data. Cesar A. Hidalgo, an assistant professor of media arts and sciences at the M.I.T. Media Lab who led the development of Data USA, said the website was devised to "transform data into stories." Those stories are typically presented as graphics, charts and written summaries. The media lab worked with the consulting and auditing firm Deloitte, which provided funding and expertise on how people use government data sets in business and for research.


Applying the Fourth Amendment to cell-site simulators (Orin Kerr on Volokh, 4 April 2016) - The widespread use of cellphones gives the government a way to locate criminal suspects using a device known as a cell-site simulator. The Maryland Court of Special Appeals recently handed down the first appellate decision on whether and when use of a cell-site simulator to identify the location of a target's phone is a Fourth Amendment "search." The opinion, in State v. Andrews, rules that government use of a cell-site simulator is always a Fourth Amendment search and that it ordinarily requires a warrant. I think that result is plausible, but I found the court's path to that result rather frustrating. This post explains why. * * *


Wikimedia's free photo database of artworks violates copyright, court rules (The Guardian, 4 April 2016) - Sweden's highest court on Monday found Wikimedia Sweden guilty of violating copyright laws by providing free access to its database of artwork photographs without the artists' consent. Wikimedia, part of the not-for-profit foundation which oversees Wikipedia among other online resources, has a database of royalty-free photographs that can be used by the public, for educational purposes or the tourism industry. The Visual Copyright Society in Sweden (BUS), which represents painters, photographers, illustrators and designers among others, had sued Wikimedia Sweden for making photographs of their artwork displayed in public places available in its database, without their consent. The Supreme Court found in favour of BUS, arguing that while individuals were permitted to photograph artwork on display in public spaces, it was "an entirely different matter" to make the photographs available in a database for free and unlimited use.


- and -

Hyperlinking to unlawfully published copyright images is still legal, says top European judge (PC World, 7 April 2016) - Publishing hyperlinks to photos from, say, Playboy magazine is legal -- even if the website linked to doesn't have permission to publish the images, a top European Union judge has said. That's because hyperlinking to a document does not constitute a fresh publication, according to Melchior Wathelet, advocate general of the Court of Justice of the EU, in a legal opinion issued Thursday. But his opinion, on a case brought by the publisher of Playboy magazine, is only advisory, and it still remains for the CJEU to make a final ruling on the matter. The question of whether hyperlinking constitutes publication is important to copyright and libel law. It was last addressed by the CJEU in 2014, when it found that Swedish media aggregation site Retriever did not need a newspaper's permission to link to stories.


Bitcoin start-up gets an electronic money license in Britain (NYT, 6 April 2016) - The British government has pushed through its first licensing of a virtual currency company, underscoring its desire to make London a hub for the development of financial technology. The Financial Conduct Authority, Britain's top financial regulator, has granted an electronic money license to Circle, a company based in Boston that uses Bitcoin, the virtual currency, to enable consumers to make payments to other consumers using a mobile app, or "social payments" as the company puts it. The regulator helped Circle get the license by putting it in the government's Innovation Hub, which is one of several initiatives Britain has undertaken to encourage experimentation in the financial industry. The license makes it possible for Circle to establish a banking relationship with Barclays, the British bank. It is the first time that a large global bank has agreed to work with a Bitcoin company, though Circle has attracted investments from others.


Using the All Writs Act to route around the Fifth Amendment (TechDirt, 6 April 2016) - USA Today's Brad Heath has dug up another use for the FBI's now-infamous All Writs Act orders: skirting the Fifth Amendment. In a 2015 case currently headed to the Appeals Court, the government is attempting to use All Writs to force a defendant to unlock his devices. The order finding Francis Rawls guilty of contempt contains a footnote pointing to the government's use of an All Writs order to force Rawls to unlock his devices -- and, one would think -- allow the government to dodge a Fifth Amendment rights violation. On July 29, 2015, the Government obtained a search warrant for certain electronic media previously seized by Delaware County and Philadelphia County law enforcement officials. Dkt. No. 1. On August 3, 2015, the Government made an application pursuant to that All Writs Act to require Francis Rawls to assist in the execution of a previously executed search warrant. "Assist in the execution" means forcing Rawls to possibly provide evidence against himself, depending on what's contained in the devices. However, the court didn't see it this way. It considered his unlocking of the devices to be "non-testimonial." While it did grant him a chance to respond to the All Writs application, it ultimately found in favor of the government.

top

Cyber insurance rates could rise 30% in 2016 for large health care, point-of-sale retailers (Canadian Underwriters, 7 April 2016) - The withdrawal by American International Group Inc. from some monoline site pollution markets "will result in increased competition" as other carriers look to pick up the displaced business, losses arising from the explosion last August in the Chinese port of Tianjin could reach $6 billion and some retailers could expect cyber insurance rates to rise 30% this year, Willis Towers Watson plc said in a report announced Thursday. In Marketplace Realities 2016 Spring Update, Willis Towers Watson revealed its predictions on rate changes for several commercial lines this year. All dollar figures are in U.S. currency. "Cyber renewals are seeing primary premiums increases of 5% to 15% for most buyers and 15% to 30% for [point of sale] retailers and large health care companies with no losses - with additional increases on excess layers," stated Willis Towers Watson, formed by the recent merger of commercial brokerage Willis Group plc with Towers Watson & Co.

top

Workplace wearables open up a murky legal hinterland (ReadWrite, 10 April 2016) - As wearables become more common for personal use, they are also increasingly being used by employers in the workplace. This new technology is giving employers new tools to track safety and productivity, and allowing insurers to track employee habits and health indicators. But just as the options for wearable tech proliferate, so do the related legal and privacy issues. Companies are increasingly embracing the habit of tracking any and all data possible to create efficiencies and boost the bottom line. But a recent MarketWatch article explored many of the subsequent legal concerns that are cropping up in this emerging age of workplace wearables. For employers that mandate wearables in the workplace, it's incumbent on them to develop clear rationales and policies explaining why data is being collected and the limits of its use, said Jason Geller. Geller is a partner with U.S. law firm Fisher & Phillips who specializes in representing employers in labour and discrimination cases.

top

How an internet mapping glitch turned a random Kansas farm into a digital hell (Fusion, 10 April 2016) - An hour's drive from Wichita, Kansas, in a little town called Potwin, there is a 360-acre piece of land with a very big problem. The plot has been owned by the Vogelman family for more than a hundred years, though the current owner, Joyce Taylor née Vogelman, 82, now rents it out. The acreage is quiet and remote: a farm, a pasture, an old orchard, two barns, some hog shacks and a two-story house. It's the kind of place you move to if you want to get away from it all. The nearest neighbor is a mile away, and the closest big town has just 13,000 people. It is real, rural America; in fact, it's a two-hour drive from the exact geographical center of the United States. But instead of being a place of respite, the people who live on Joyce Taylor's land find themselves in a technological horror story. For the last decade, Taylor and her renters have been visited by all kinds of mysterious trouble. They've been accused of being identity thieves, spammers, scammers and fraudsters. They've gotten visited by FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children. They've found people scrounging around in their barn. The renters have been doxxed, their names and addresses posted on the internet by vigilantes. Once, someone left a broken toilet in the driveway as a strange, indefinite threat. All in all, the residents of the Taylor property have been treated like criminals for a decade. And until I called them this week, they had no idea why. * * * [Polley: Fascinating story about "internet mapping"]

top

University says government's pretty terrible at sharing cyberthreat information (TechDirt, 11 April 2016) - Multiple government agencies have gone all-in on cybersecurity. CISA was pushed through late last year -- dumped into the back pages of a "must pass" omnibus spending bill. Just like that, the government expanded its surveillance power and cleared its cyberthreat inboxes to make way for all the information non-governmental entities might want to share with it. It promised to share right back -- making this all equitable -- but no one really believed the government would give as much as it would take. Right on cue, a university heavily involved in scientific research says the government really isn't interested in sharing information. Virginia Tech is no stranger to hackers. Randy Marchany, the school's chief information security officer, says he assumes the attackers are already inside the networks. The university's attack space includes power generation networks, campus police databases, research files, student records and retail payment systems, among other sensitive digital operations, he said. Marchany lamented what he says has been a growing trend during the last couple of years of the government restricting information about ongoing hack campaigns - information that could help his staff identify the suspicious activity they already glimpse on systems. "The federal government now has this tendency to try to put a classified label on everything, and so I have to sometimes go to a dark room and have people hand me information that I can only look at," he said.

top

NY high court says parents can legally eavesdrop on kids (Ride the Lightning, 12 April 2016) - On April 5, the New York Court of Appeals, the state's highest court, ruled that a parent who believes their minor child is in danger can legally record an overheard conversation by giving consent on behalf of their child, countering a state wiretapping law that requires the consent of at least one person on the call. The court affirmed a decision of a lower court that a recording made by a child's father, who heard his ex-wife's boyfriend, Anthony Badalamenti, threatening to punch his son in the face, was admissible evidence in the underlying criminal trial against Badalamenti, on the grounds that vicarious consent was given by the father on behalf of his son to be recorded because the father believed his son was in danger. The court applied the vicarious consent doctrine, which recognizes the long-established principle that the law protects the right of a parent or guardian to take actions he or she considers to be in the child's best interests. The court noted that a parent or guardian who acts in bad faith, merely out of curiosity about the child's conversations, cannot give vicarious consent and could be held liable for eavesdropping; whether that is the case is for the court to determine.

top

What happened when I eliminated political dissent from my Facebook feed (Vox, 12 April 2016) - I normally refrain from posting political content on social media, but in the aftermath of the San Bernardino shooting last December I shared a video on Facebook. It was too disturbing not to. Dana Loesch, a conservative radio host, narrates the video, which appeared on the National Rifle Association's news site. She has harsh words for liberals. "These saboteurs share the same fanatical fervor to tear apart the foundations of America as the terrorists who threaten our very survival. And together, they march hand in hand toward the possible, purposeful destruction of us all," says Loesch. The video implied that the "godless left" was responsible for the San Bernardino shooting, piling it on with other purported atrocities Loesch believes liberals are also responsible for: Benghazi, Obamacare, the overall "tearing apart of the foundations of America." She goes on to say that liberals "demonize Christians" and endanger the country with our talk of "racism and xenophobia." The inflammatory nature of her remarks alarmed me. I'm a progressive. I felt personally attacked. But I also felt terrified that this rhetoric existed at all in the light of such a tragedy. I posted the video with the following comment: "As we continue to lose our sense of safety in public places, including schools, it is interesting to note that the NRA and those who profit from the sale of weapons are sponsoring videos such as this one to further promote fear and division among Americans. What a scary, scary video." I assumed my friends would see that the video was propaganda. That they would be horrified, and agree that whatever our beliefs about gun ownership, making remarks like Loesch's about any political group is not acceptable. This is why I was incensed when an old classmate commented that she absolutely loved the video and proceeded to repost it to her page. I didn't respond.
I had a sudden urge to block her from my news feed, to prevent her from commenting on my posts, or even to delete her. But I worried that these feelings made me guilty of the same intolerance I have accused others of in the past. I resolved to not take any action. * * * While we may have always created echo chambers in our social circles, the emergence of the internet has intensified this effect. In his TED talk, Eli Pariser, the author of The Filter Bubble: What the Internet Is Hiding From You and the founder of MoveOn.org, warns that the internet is "increasingly showing us things we want to see and not the things we need to see." [Polley: This is interesting and lengthy - I've here included only part of the posting.]

top

Texas prisons' new rules aim to force social media to close inmate accounts (ArsTechnica, 14 April 2016) - This month the Texas Department of Criminal Justice (TDCJ) updated its offender handbook (PDF) to stipulate that inmates are not allowed to have social media accounts. While blog posts are still permitted, a spokesperson for the TDCJ told Ars that the rule was developed to get social media platforms to comply with the corrections department's takedown requests more readily. Since Texas inmates are not allowed Internet access, this rule applies to social media accounts managed by friends or family. As Fusion explains, "Prisoners write posts, send them to a friend or family member through snail mail, and ask the friend to post them on Facebook." If an inmate is caught having a friend or family member update an account for them, they're charged with a "level three violation," which TDCJ characterizes as the lowest level of violation in the Texas prison system. The Electronic Frontier Foundation (EFF), however, says that level three violations can result in loss of privileges, extra work duty, or confinement to an inmate's cell for up to 45 days. The EFF objects to the new rules in Texas, arguing that "a person does not lose all of their rights to participate in public discourse when they are incarcerated… This policy would not only prohibit the prisoners' exercise of their First Amendment rights, but also prevent the public from exercising their First Amendment rights to gather information about the criminal justice system from those most affected by it." The TDCJ had no response to the EFF's argument. In an e-mail to Ars, TDCJ spokesperson Jason Clark noted that the new rules did not apply to blog posts written by inmates. "The rule is specific to active social media accounts such as Facebook, Twitter, Instagram, etc," he wrote. "Those companies have mechanisms in place that allow us to request that the pages be deactivated.
Private Web pages don't have a mechanism to request they be taken down and we cannot force them to comply." Clark clarified for Ars that the rule was put in place in part to appease social media companies that balked at the idea of taking down a social media account without a rule in place to force their hand in compliance. "Recently when we have asked that accounts be deactivated, increasingly we have found that the social media company would come back and indicate they would not do so because the agency did not have a rule prohibiting offenders from having social media accounts." With a rule in place, however, social media companies are more willing to meet the correctional system's demand.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Changes are expected in voting by 2008 election (New York Times, 8 Dec 2006) -- By the 2008 presidential election, voters around the country are likely to see sweeping changes in how they cast their ballots and how those ballots are counted, including an end to the use of most electronic voting machines without a paper trail, federal voting officials and legislators say. New federal guidelines, along with legislation given a strong chance to pass in Congress next year, will probably combine to make the paperless voting machines obsolete, the officials say. States and counties that bought the machines will have to modify them to hook up printers, at federal expense, while others are planning to scrap the machines and buy new ones. Motivated in part by voting problems during the midterm elections last month, the changes are a result of a growing skepticism among local and state election officials, federal legislators and the scientific community about the reliability and security of the paperless touch-screen machines used by about 30 percent of American voters. The changes also mean that the various forms of vote-counting software used around the country - most of which are protected by their manufacturers for reasons of trade secrecy - will for the first time be inspected by federal authorities, and the code could be made public. There will also be greater federal oversight on how new machines are tested before they arrive at polling stations. "In the next two years I think we'll see the kinds of sweeping changes that people expected to see right after the 2000 election," said Doug Chapin, director of electionline.org, a nonpartisan election group. "The difference now is that we have moved from politics down to policies." Many of the paperless machines were bought in a rush to overhaul the voting system after the disputed presidential election in 2000, which was marred by hanging chads. 
But concerns have been growing that in a close election those machines give election workers no legitimate way to conduct a recount or to check for malfunctions or fraud. Several counties around the country are already considering scrapping their voting systems after problems this year, and last week federal technology experts concluded for the first time that paperless touch-screen machines could not be secured from tampering.

top

MySpace gains top ranking of US web sites (Reuters, 11 July 2006) -- Online teen hangout MySpace.com ranked as the No. 1 U.S. Web site last week, displacing Yahoo's top-rated e-mail gateway and Google Inc.'s search site, Internet tracking firm Hitwise said on Tuesday. News Corp.'s MySpace accounted for 4.46 percent of all U.S. Internet visits for the week ending July 8, pushing it past Yahoo Mail for the first time and outpacing the home pages for Yahoo, Google and Microsoft's MSN Hotmail. Hitwise does not provide figures for the number of unique visitors to a site. MySpace, which dominates social networking on the Web, also gained share in June from other sites that aim to create virtual communities online for sharing music, photos or other interests, Hitwise said. MySpace captured nearly 80 percent of visits to online social networking sites, up from 76 percent in April. A distant second was FaceBook at 7.6 percent. Rupert Murdoch's News Corp bought MySpace for $580 million one year ago as part of a strategy to rapidly build up the media conglomerate's Internet presence.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top

Sunday, March 27, 2016

MIRLN --- 6-26 March 2016 (v19.05)

MIRLN --- 6-26 March 2016 (v19.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Over half of British businesses to suffer cyber attacks by 2018, PwC says (Independent, 25 Feb 2016) - Cybercrime is expected to affect over half of British firms in the next two years, according to PricewaterhouseCoopers. PwC's latest Global Economic Crime Survey 2016 said that cyber attack will become the UK's largest economic crime by 2018. More than half of UK organisations have been the victim of an economic crime, an illegal act committed by an individual or a group to obtain a financial or professional advantage, in the last two years, outstripping countries such as the US and China. A third of UK organisations admitted they have no response plan to protect themselves from an attack. Only 12 per cent of respondents believe that law enforcement authorities have the necessary skills to help. Nearly half of UK respondents say that cybercrime would have no impact on their reputation and almost 60 per cent are not concerned about the potential for theft of intellectual property.

top

How the SEC decides whether to investigate breached entities (Vedder Price, 26 Feb 2016) - In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC's Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities. With respect to responding to cyber intrusion, the SEC's stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security. Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC's goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America's financial system. In other words, the SEC, at least from a priority standpoint, is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a "significant" disclosure issue. Ms. Avakian also pointed out that entities that self-disclose cyber intrusions will be rewarded with cooperation credit.

top

- and -

Businesses are still scared of reporting cyberattacks to the police (ZDnet, 3 March 2016) - Under a third of cyberattacks against businesses are reported to the police, suggesting that organisations are underestimating the threat posed by hackers and cybercrime, a new study has warned. According to Cyber Security: Underpinning the Digital Economy, a report by the Institute of Directors and Barclays bank, companies are keeping quiet about being the victim of a cyberattack, even if their operations were badly affected by such an incident -- as figures suggest was the case for half of respondents. The research suggests that only 28 percent of cyberattacks against businesses were reported to the police, despite many police forces now having dedicated cybercrime divisions. Indeed, the report finds that whilst nine in ten business leaders said that cybersecurity was important, only around half had a formal strategy in place to protect themselves and just a fifth held insurance against an attack.

top

- and -

Investors don't reward candor about cyber risk - but the SEC might (Baker & McKenzie, 10 March 2016) - A study by three Creighton University professors concludes that company disclosures relating to cybersecurity risk are associated with significant declines in the company's share price. Reviewing the response to the SEC's 2011 guidance on disclosure regarding cybersecurity and cyber incidents, they find that few companies have chosen to make risk disclosures prior to the occurrence of a cyber breach and that those that do make disclosures suffer a decline in market price. Meanwhile, an SEC staff member has warned that companies that fail to disclose cyber breaches may face enforcement action. In "SEC Cybersecurity Guidelines: Insights into the Utility of Risk Factor Disclosures for Investors," Edward A. Morse, Vasant Raval and John R. Wingender reviewed how companies have responded to the SEC Division of Corporation Finance's 2011 guidance entitled "Cybersecurity." The 2011 guidance states, in part, that companies "should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky." The Creighton study (which considers pre-incident risk disclosure) reaches the following conclusions * * *

top

DHS publishes interim regulations for cybersecurity information sharing (Steptoe, 27 Feb 2016) - Last month, the Department of Homeland Security published interim policies, procedures, and guidelines required by the Cybersecurity Act of 2015. Title I of the Act, entitled the Cybersecurity Information Sharing Act of 2015 (CISA), calls for processes and protections for sharing cybersecurity threat information between government and private sector entities. The interim regulations consist of (1) guidance to non-federal entities on how to share information; (2) guidance as to how government agencies share information; (3) guidelines for privacy and civil liberties; and (4) policies and procedures for how the government will receive and use threat data shared under the Act.

top

California courts demand total access to email and social media accounts (The Intercept, 29 Feb 2016) - As the FBI and Apple fight a media war over whether the federal government can force the computer company to hack an iPhone, in California a new privacy law is raising questions over how deeply government should be allowed to peer into a convicted criminal's digital life. That new law, the California Electronic Communications Privacy Act (CalECPA), requires law enforcement to obtain a warrant before searching a person's cellphone, laptop, or any digital storage device. At issue is whether the law covers people on probation, parole, and other forms of supervised release who've agreed to what's known as a "Fourth waiver," a condition that allows law enforcement to search their person and property at any time. CalECPA took effect on January 1, 2016. Three days later, San Diego County prosecutors and Superior Court judges began asking defendants who were eligible for probation to sign a form giving "specific consent" to county probation officers "and/or a law enforcement government entity" to collect information that would be otherwise protected under CalECPA. * * * Issues with digital privacy aside, probation conditions are supposed to be narrowly tailored to address a person's crime and what will "reasonably" prevent future criminal acts, said Jeff Thoma, outgoing president of California Attorneys for Criminal Justice. "The whole idea of probation and sentencing is to individualize something," Thoma said. "When you don't do that and are just trying to put all these restrictions, it becomes, 'Oh we might catch this person doing something.'" In late January, the San Diego County public defender's office filed a petition with a state appeals court, arguing that the consent form hadn't gone through the proper vetting process. 
Shortly after the appeal was filed, judges who had been using the form stopped requiring probationers to sign it, and the district attorney's office stopped including it in plea deals offering probation.

top

Time to rethink mandatory password changes (FTC, 2 March 2016) - Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC's longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep abreast of security research and advice affecting their sector, as that advice may change. What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought. When people hear that I conduct research on making passwords more usable and secure, everyone has a story to tell and questions to ask. People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don't!) and ask me how strong they are. But my favorite question about passwords is: "How often should people change their passwords?" My answer usually surprises the audience: "Not as often as you might think." I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren't taken to correct security problems.)
Mandated password changes are a long-standing security practice designed to periodically lock out unauthorized users who have learned users' passwords. While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. Let's take a look at two excellent peer-reviewed papers that address this issue. * * *
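The FTC post's point is that a forced rotation mostly produces a cosmetic change to the old password. A change handler that sees both the old and the new password (it normally does, since the user types both) can at least refuse the obvious cosmetic variants. The following is an added illustration, not code from the FTC or from the papers the post goes on to discuss; the list of "predictable" transformations it checks for (case flips, digits or symbols added at the ends, a bumped counter, leet-speak swaps, one or two character edits) is my assumption about what the post means, not a list taken from the page.

```python
"""Reject password "changes" that are predictable transformations of the old one.

Added example, not from the FTC post or the research it cites. Assumes the
change handler has the old and new password in plaintext at change time,
which is the normal case because the user supplies both.
"""
import re

# Common leet substitutions folded back to letters, so "P@ssw0rd" compares
# equal to "password". The table itself is an assumption for illustration.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def _core(pw: str) -> str:
    """Strip digits/symbols from both ends, then fold case and leet.
    This is the part users tend to keep when they 'change' a password."""
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return stripped.lower().translate(LEET)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) by the plain DP recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def predictable_change(old: str, new: str, max_edits: int = 2):
    """Return a short reason if `new` is a predictable transform of `old`,
    or None if it is not. None does not mean `new` is strong; run the usual
    strength and breach-list checks separately."""
    if old == new:
        return "unchanged"
    if old.lower() == new.lower():
        return "case change only"
    old_core, new_core = _core(old), _core(new)
    if old_core and old_core == new_core:
        return "same core word; only case, affixes or leet substitutions changed"
    if _levenshtein(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of the old password"
    return None


if __name__ == "__main__":
    # Constructed pairs for illustration only.
    for old, new in [("Password1", "Password2"), ("hunter2", "Hunter2!"),
                     ("Tr0ub4dor&3", "troubador&4"), ("P@ssword9x", "P@ssword9y"),
                     ("correct horse battery", "staple margin elephant")]:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new) or 'accepted'}")
```

The check only catches transforms of the previous password; a move from "Summer2015" to "Winter2016" passes it, so dictionary and pattern checks are still needed. And as the post says, none of this helps when the real problem is an undetected compromise: rotation is a response to that evidence, not a substitute for looking for it.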

top

Company tracks Iowa caucusgoers by their cell phones (Schneier, 2 March 2016) - It's not just governments. Companies like Dstillery are too: "We watched each of the caucus locations for each party and we collected mobile device IDs," Dstillery CEO Tom Phillips said. "It's a combination of data from the phone and data from other digital devices." Dstillery found some interesting things about voters. For one, people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa, according to Phillips. There were some pretty unexpected characteristics that came up too. "NASCAR was the one outlier, for Trump and Clinton," Phillips said. "In Clinton's counties, NASCAR way over-indexed." What really happened is that Dstillery gets information from people's phones via ad networks. When you open an app or look at a browser page, there's a very fast auction that happens where different advertisers bid to get to show you an ad. Their bid is based on how valuable they think you are, and to decide that, your phone sends them information about you, including, in many cases, an identifying code (that they've built a profile around) and your location information, down to your latitude and longitude. Yes, for the vast majority of people, ad networks are doing far more information collection about them than the NSA -- but they don't explicitly link it to their names. So on the night of the Iowa caucus, Dstillery flagged all the auctions that took place on phones in latitudes and longitudes near caucus locations. It wound up spotting 16,000 devices on caucus night, as those people had granted location privileges to the apps or devices that served them ads. It captured those mobile IDs and then looked up the characteristics associated with those IDs in order to make observations about the kind of people that went to Republican caucus locations (young parents) versus Democrat caucus locations.
It drilled down farther (e.g., 'people who like NASCAR voted for Trump and Clinton') by looking at which candidate won at a particular caucus location.

top

- and -

FTC issues warning letters to app developers using 'Silverpush' code (FTC, 17 March 2016) - The staff of the Federal Trade Commission has issued warning letters to app developers who have installed a piece of software that can monitor a device's microphone to listen for audio signals that are embedded in television advertisements. Known as Silverpush, the software is designed to monitor consumers' television use through the use of "audio beacons" emitted by TVs, which consumers can't hear but which the software can detect. The letters note that the software would be capable of producing a detailed log of the television content viewed while a user's mobile device was turned on, for the purpose of targeted advertising and analytics. The letters note that Silverpush has stated publicly that its service is not currently in use in the United States, but they encourage app developers to notify consumers that their app could allow third parties to monitor consumers' television viewing habits should the software begin to be used in the United States. "These apps were capable of listening in the background and collecting information about consumers without notifying them," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection. "Companies should tell people what information is collected, how it is collected, and who it's shared with." The warning letters note that the app developers ask users for permission to use the device's microphone, despite the apps not appearing to have a need for that functionality. The letters also note that nowhere do the apps in question provide notice that the app could monitor television-viewing habits, even when the app is not in use. The letters warn the app developers that if their statements or user interface state or imply that the apps in question are not collecting and transmitting television viewing data when in fact they do, the app developers could be in violation of Section 5 of the FTC Act. The FTC provided guidance in a 2013 staff report on best practices for privacy disclosures in mobile apps. The letters were issued to 12 app developers whose apps are available for download in the Google Play store and appear to include the Silverpush code.

Sounds emitted by 3D printers could put intellectual property at risk (3Ders.org, 2 March 2016) - A new study from the University of California, Irvine, has revealed the surprising fact that the sounds emitted by a 3D printer could be enough to compromise valuable intellectual property, allowing cyber attackers to reverse-engineer and re-create 3D printed objects from nothing more than a smartphone audio recording. The research was led by Mohammad Al Faruque, electrical engineer, computer scientist, and director of UCI's Advanced Integrated Cyber-Physical Systems Lab. He and his team demonstrated that the acoustic signals emitted by a 3D printer carry unique information about the precise movements of the nozzle, and that this information can be reverse-engineered to reveal the object's original source code. The acoustic information is in fact so precise that Al Faruque and his team were able to recreate a key-shaped object with nearly 90 percent accuracy using only the 3D printer's audio recordings. If used maliciously, the technique could represent a significant security threat.

- and -

How White Hat hackers stole crypto keys from an offline laptop in another room (Motherboard, 15 Feb 2016) - In recent years, air-gapped computers, which are disconnected from the internet so hackers cannot remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room. "By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall," Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3. "The attack in its current form uses lab equipment that costs about $3000 and, as shown in the photos, is somewhat unwieldy," Tromer told Motherboard in an email. "However, experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified." Although similar research on "listening" to steal crypto keys has been carried out before, this is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC, the authors say.

Federal Circuit recognizes patent agent privilege (Patently-O, 7 March 2016) - In an interesting and important mandamus ruling, the Federal Circuit has ordered the district court to withdraw its order compelling discovery of communications with non-attorney patent agents. The decision here recognizes "patent agent privilege": [W]e find that the unique roles of patent agents, the congressional recognition of their authority to act, the Supreme Court's characterization of their activities as the practice of law, and the current realities of patent litigation counsel in favor of recognizing an independent patent-agent privilege. The court, however, includes the important limitation that the privilege only extends to the extent that communications fall within the patent agent's scope of practice as "authorized by Congress."

Google's Project Fi mobile network is now open to everyone in the US (The Verge, 7 March 2016) - Project Fi is ditching the invite system. Ten months after Google unveiled its own mobile network, which lets consumers pay only for the amount of data they use each month, the company is opening access to everyone inside the United States. "With Project Fi, we deliver fast wireless service with the flexibility to use it where you want (even internationally) and a monthly bill that's simple and easy to understand," wrote Simon Arscott, Fi's product manager, in a blog post. "Today, we're excited to be exiting our invitation-only mode and opening up Project Fi so that people across the U.S. can now sign up for service without having to wait in line for an invite." For the next month, Google is discounting the Nexus 5X down to $199 as an inexpensive way to get started with Fi, which only works with Nexus smartphones. Project Fi connects to the cellular networks of both T-Mobile and Sprint, switching between the two to offer customers the best possible coverage. Google is also pushing Wi-Fi and public hotspots in a big way with Fi; over 50 percent of current customers connect to public hotspots using Fi's "Wi-Fi Assistant" on a weekly basis. As for cellular data, Google's Project Fi subscribers are impressively lean in their usage, averaging 1.6GB of data each month.

Maryland court suppresses evidence gathered by warrantless Stingray use (TechDirt, 9 March 2016) - The Maryland Special Appeals Court isn't buying government lawyers' arguments that warrantless deployment of Stingray devices has no 4th Amendment implications. The government had argued that "everyone knows" phones generate location data when turned on and this information is "shared with the rest of the world" (but most importantly with law enforcement). The court has yet to release its written opinion, but it did issue a one-page order upholding the lower court's suppression of evidence related to law enforcement's use of a Stingray. This ruling is especially important in Maryland, where Baltimore police have used the devices hundreds of times a year without seeking warrants or notifying judges and defendants about the origins of evidence. As has been noted here, the Baltimore police use pen register orders to deploy Stingrays, allowing it to obscure the usage of the devices as well as to avail itself of lower evidentiary demands. This won't be the case going forward.

Legal industry was heavily targeted with cyber threats in January (Bloomberg, 9 March 2016) - The legal industry reported more "cyber threats" in January than nearly any other sector, according to one estimate. The estimate is taken from a report by the IT security company TruShield, and was published last week. Only the retail industry, followed by the financial industry, were targeted more than the legal industry in January, the report found. It is consistent with other months for the legal industry to be in the top three most targeted, the report said. The majority of the threats in January, which include spamming, phishing, malware and scanning, originated in the U.S., followed by China and then South Korea. The report noted, however, that 60 to 70 percent of the malicious traffic from South Korea actually originates in China. Eran Kahana, a cyber security lawyer at the Maslon Law Firm in Minneapolis, said his own advice to law firms is that they gather their attorneys who deal in litigation, in cybersecurity and in privacy law and come up with a plan for handling cyber threats. Kahana added that they must remember that the firm is no different from any other business and that it is open to the threat of cyber-attacks. The report called it a surprise that the legal industry did not face any significant incidents, despite the high number of threats. Laura Jehl, co-chair of Sheppard Mullin's data security group in Washington, D.C., who reviewed the report, said the lack of significant events, such as a data breach, in the legal industry is likely because law firms are investing in network security. "I don't think they're necessarily safe," said Jehl, about law firms. "I think there's an element of luck, but I would hope there's been good training and preparation." [Polley: I think it's due to a lack of publicity.]

- and -

FBI alert warns of criminals seeking access to law firm networks (Bloomberg, 11 March 2016) - Earlier this month, the FBI's cyber division issued an alert that it has information that hackers are specifically targeting international law firms as part of an insider trading scheme. "In a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms," the alert from March 3rd stated. The FBI alert - 160304-001 - didn't share any other information, such as the name of the forum where it saw this post, or exactly when it was posted. But it did say that it believed the criminal behind the post is interested in obtaining sensitive information for insider trading purposes. The alert, which was sent to some law firms, did not appear to be posted online. "This goes well beyond hacking to obtain personal data and credit card numbers," Michael Overly, a partner at Foley & Lardner who focuses on cyber security issues, wrote in an email, adding that the alert highlights the growing sophistication of hackers. "In all honesty, I believe many law firms, particularly small and mid-size firms, are behind the curve when it comes to addressing information security," Overly added. "That is certainly changing as clients are now routinely sending security due diligence questionnaires to their counsel to assess the security preparedness of their firms." In March 2015, the New York Times reported on an internal Citigroup report that found "digital security at many law firms, despite improvements, generally remains below the standards for other industries." Overly predicted that firms with poor security will lose clients and those with better security will gain a competitive advantage. Laura Jehl, a Sheppard Mullin Richter & Hampton partner who works on cyber security, said the alert was "disturbing," but "not really surprising." "We've known for a while that law firms are a frequent target of hackers because they hold significant amounts of non-public information," Jehl wrote in an email. "The FBI warning is a clear reminder to firms that they need to protect their networks and be alert to increasingly sophisticated phishing and other schemes."

- and -

Help wanted: Insider trader seeks hacker to access law-firm networks (ABA Journal, 14 March 2016) - An FBI alert issued earlier this month warns law firms about an online ad seeking a hacker to access the networks of international law firms. The ad, posted to a cyber criminal forum, listed search terms that could contribute to an insider-trading scheme, Bloomberg Big Law Business reports. The FBI alert was sent to some law firms. Bloomberg Big Law Business spoke with cyber security lawyers for their take on the alert. Michael Overly, a partner at Foley & Lardner, told the publication the alert shows how hackers are growing increasingly sophisticated. "In all honesty, I believe many law firms, particularly small and mid-size firms are behind the curve when it comes to addressing information security," Overly said. "That is certainly changing as clients are now routinely sending security due diligence questionnaires to their counsel to assess the security preparedness of their firms." Pillsbury partner Brian Finch agreed that cyber security is an increasing focus. He said many international law firms have been upgrading their security networks, particularly law firms serving large financial institutions that are demanding better security. "It's also becoming an ethics requirement among the state bars," Finch told Bloomberg Big Law Business. "They're increasingly focused on it and I think that will drive attention to the issue."

- and -

Cybersecurity experts offer stern warnings, tips for security in mass-surveillance era (ABA Journal, 19 March 2016) - FaceTime is actually a pretty secure way to communicate. The FBI can access the camera on your laptop without you knowing about it. And lawyers should think twice before storing their confidential files on Dropbox. Those were just some of the tips and warnings given out by a panel consisting of cybersecurity heavyweights during a Friday evening plenary session at ABA Techshow. The panel, entitled "Can They Hear Me Now? Practicing Law in an Age of Mass Surveillance," was moderated by Above the Law's managing editor David Lat and consisted of digital rights attorney Marcia Hofmann, American Civil Liberties Union technologist Chris Soghoian and ACLU attorney Ben Wizner. The plenary session expanded on some of the themes Electronic Frontier Foundation executive director Cindy Cohn talked about during her Friday afternoon keynote address, particularly mass surveillance and the need for greater awareness of cybersecurity. Panelists focused on providing practical tips for attorneys on how best to safeguard their confidential information when everyone seems to be trying to steal it. * * *

- and -

Amid hacking threats, law firms turn to cyber insurance (American Lawyer, 21 March 2016) - With news of crippling cyber attacks against big companies making regular headlines, more and more law firms are buying cyber insurance to cover the cost of a data breach. According to insurance brokerage Aon, more than 60 out of the 250 medium and large law firms that it services have purchased cyber insurance within the last two years. Marsh said that close to 40 percent of its roughly 100 large law firm clients have purchased the insurance, up from 20 percent two years ago. The policies that law firms typically carry, such as lawyers' professional liability insurance, general liability insurance and property insurance, do not always provide coverage when employee rather than client data is compromised, or when the firm must hire a forensic team to determine what data was lost and how. They also most likely won't cover the cost of notifying regulators or engaging a public relations firm. Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman & Krause, identified another factor that is pushing firms to buy cyber insurance. "Their clients are compelling the action," Garrie said. "They're requiring the law firms to have cyber insurance as a matter of business."

Federal Circuit: No new card game patents unless you also invent a new deck (Patently-O, 10 March 2016) - Ray and Amanda Smith's patent application claims a new method of playing Blackjack. The new approach offers the ability to bet on the occurrence of "natural 0" hands as well as other potential side bets. Claim 1 in particular requires a deck of "physical playing cards" that are shuffled and then dealt according to a defined pattern. Bets are then taken with the potential of more dealing and eventually all wagers are resolved. In reviewing the application, Examiner Layno (Games art unit 3711) rejected the card game claims as ineligible under Section 101, noting that the claim is "an attempt to claim a new set of rules for playing a card game [and thus] qualifies as an abstract idea." The Patent Trial & Appeal Board affirmed that ruling, holding that "independent claim 1 is directed to a set of rules for conducting a wagering game which . . . constitutes a patent-ineligible abstract idea." The particular physical steps such as shuffling and dealing are conventional elements of card-gambling and therefore (according to the Board) insufficient to transform the claimed abstract idea into a patent eligible invention. On appeal, the Federal Circuit has affirmed, agreeing that the method of playing cards is an unpatentable abstract idea. The court held that a wagering game is roughly identical to the fundamental economic practices that the Supreme Court held to be abstract ideas in Alice and Bilski.

Microsoft: We store disk encryption keys, but we've never given them to cops (Motherboard, 11 March 2016) - Microsoft says it has never helped police investigators unlock its customers' encrypted computers, despite the fact that the company often holds the key to get their data. If you store important stuff on your computer, it's great to have the option to lock it up and encrypt your data so that no one can access it if you ever lose your laptop or it gets stolen. But what happens if, one day, you forget your own password to decrypt it? To give customers a way to get their data back in this situation, Microsoft has been automatically uploading a recovery key to the cloud for Windows computers since 2013. In light of the ongoing battle between Apple and the FBI over encryption, surveillance experts and technologists have criticized Microsoft for this feature because it doesn't give users a choice (other than deleting the key afterwards), and it gives the government the option to request that key from Microsoft if it ever needs it to get into a suspect's Windows computer. It's unclear if the US government, or any government, ever asked Microsoft for that, but a company spokesperson told Motherboard that Microsoft has never turned over customers' keys. "We haven't provided a customer encryption key to law enforcement," a Microsoft spokesperson told me in an email. [Polley: Parse their language carefully - it's not credible that MS hasn't assisted law enforcement, and if they had they'd likely be under disclosure restrictions. I'd bet that the quote means that MS has given plaintext to law enforcement, but not the keys themselves. Turning over enough plaintext, of course, facilitates key discernment; might be equivalent to key delivery.]

TP-Link blocks open source router firmware to comply with new FCC rule (Ars Technica, 11 March 2016) - Networking hardware vendor TP-Link says it will prevent the loading of open source firmware on routers it sells in the United States in order to comply with new Federal Communications Commission requirements. The FCC wants to limit interference with other devices by preventing user modifications that cause radios to operate outside their licensed RF (radio frequency) parameters. The FCC says it doesn't intend to ban the use of third-party firmware such as DD-WRT and OpenWRT; in theory, router makers can still allow loading of open source firmware as long as they also deploy controls that prevent devices from operating outside their allowed frequencies, types of modulation, power levels, and so on. But open source users feared that hardware makers would lock third-party firmware out entirely, since that would be the easiest way to comply with the FCC requirements. The decision by TP-Link, described by the company in its FAQ, shows that those fears were justified. TP-Link's FAQ acknowledges that the company is "limiting the functionality of its routers." "The FCC requires all manufacturers to prevent user[s] from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.)," TP-Link says. TP-Link says that it distributes devices with country-specific firmware and that "devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power." TP-Link says the change will go into effect for routers produced on and after June 2, 2016, a date set by the FCC in guidance issued in November.

Should all research papers be free? (NYT, 12 March 2016) - Drawing comparisons to Edward Snowden, a graduate student from Kazakhstan named Alexandra Elbakyan is believed to be hiding out in Russia after illegally leaking millions of documents. While she didn't reveal state secrets, she took a stand for the public's right to know by providing free online access to just about every scientific paper ever published, on topics ranging from acoustics to zymology. Her protest against scholarly journals' paywalls has earned her rock-star status among advocates for open access, and has shined a light on how scientific findings that could inform personal and public policy decisions on matters as consequential as health care, economics and the environment are often prohibitively expensive to read and impossible to aggregate and data-mine. "Realistically only scientists at really big, well-funded universities in the developed world have full access to published research," said Michael Eisen, a professor of genetics, genomics and development at the University of California, Berkeley, and a longtime champion of open access. "The current system slows science by slowing communication of work, slows it by limiting the number of people who can access information and quashes the ability to do the kind of data analysis" that is possible when articles aren't "sitting on various siloed databases." Journal publishers collectively earned $10 billion last year, much of it from research libraries, which pay annual subscription fees ranging from $2,000 to $35,000 per title if they don't buy subscriptions of bundled titles, which cost millions. The largest companies, like Elsevier, Taylor & Francis, Springer and Wiley, typically have profit margins of over 30 percent, which they say is justified because they are curators of research, selecting only the most worthy papers for publication. Moreover, they orchestrate the vetting, editing and archiving of articles. That is the argument Elsevier made, supported by a raft of industry amicus briefs, when it filed suit against Ms. Elbakyan, resulting in an injunction last fall against her file-sharing website, Sci-Hub. But since a federal court order isn't enforceable in Russia (Ms. Elbakyan won't confirm where she is exactly), much less on the Internet, Sci-Hub continues to deliver hundreds of thousands of journal articles per day to a total of 10 million visitors.

- and -

Handful of biologists went rogue and published directly to Internet (Amy Harmon in NYT, 15 March 2016) - On Feb. 29, Carol Greider of Johns Hopkins University became the third Nobel Prize laureate biologist in a month to do something long considered taboo among biomedical researchers: She posted a report of her recent discoveries to a publicly accessible website, bioRxiv, before submitting it to a scholarly journal to review for "official" publication. It was a small act of information age defiance, and perhaps also a bit of a throwback, somewhat analogous to Stephen King's self-publishing of an e-book in 2000 or Radiohead's 2007 release of a download-only record without a label. To commemorate it, she tweeted the website's confirmation under the hashtag #ASAPbio, a newly coined rallying cry of a cadre of biologists who say they want to speed science by making a key change in the way it is published. Such postings are known as "preprints" to signify their early-stage status, and the 2,048 deposited on three-year-old bioRxiv over the last year represent a barely detectable fraction of the million or so research papers published annually in traditional biomedical journals. But after several dozen biologists vowed to rally around preprints at an "ASAPbio" meeting last month, the site has had a small surge, and not just from scientists whose august stature protects them from risk. On Twitter, preprint insurgents are celebrating one another's postings and jockeying for revolutionary credibility. * * *

VPN provider's no-logging claims tested in FBI case (Slashdot, 12 March 2016) - An anonymous reader writes from an article published on TorrentFreak: [A] criminal complaint details the FBI's suspicions that 25-year-old Preston McWaters had conveyed "false or misleading information regarding an explosive device." The FBI started digging and in February 2016 two search warrants against Twitter and Facebook required them to turn over information on several accounts. Both did and the criminal complaint makes it clear that the FBI believes that McWaters was behind the accounts and the threats. With McWaters apparently leaving incriminating evidence all over the place (including CCTV at Walmart where he allegedly purchased a pre-paid Tracfone after arriving in his own car), the FBI turned to IP address evidence available elsewhere. "During the course of the investigation, subpoenas and search warrants have been directed to various companies in an attempt to identify the internet protocol (IP) address from where the email messages are being sent," the complaint reads. "All the responses from [email provider] 1&1, Facebook, Twitter, and Tracfone have been traced by IP address back to a company named London Trust Media [doing business as] PrivateInternetAccess.com. A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States," the FBI's complaint reads. "However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden." [Polley: This is one of the VPN services I use.]

White House requires agencies to share custom code with open-source community (SC Magazine, 14 March 2016) - The White House has released for public comment a draft of its Source Code Policy, which establishes rules for sharing customized software between federal agencies, in the hopes of improving government access to applications and reducing development costs. As part of this policy, the Obama Administration will also launch a pilot program that will require federal agencies to release at least 20 percent of third-party-developed custom coding as open source software, making it fully accessible to external developers within the open-source community. "Through this policy and pilot program, we can save taxpayer dollars by avoiding duplicative customer software purchases and promote innovation and collaboration across federal agencies," said Tony Scott, U.S. CIO, in an online blog post last week.

Crowdfunded 'Star Trek' fan film violates Klingon language copyright, says lawsuit by major studios (ABA Journal, 14 March 2016) - Boldly going where no lawsuit has gone before, two movie studios are contending that a crowdfunded Star Trek fan film has violated copyright law by, among many other things, using the Klingon language. But the original complaint by Paramount Pictures Corp. and CBS Studios Inc. wasn't detailed enough, Axanar Productions Inc. contended in a motion to dismiss the federal suit. So on Friday the plaintiffs filed an amended complaint against Axanar and lead producer Alec Peters. Among other allegations, it says the filmmakers infringed on Star Trek copyrights by depicting characters with the "Vulcan appearance," including pointed ears, wearing gold uniform shirts and, most interesting from a legal standpoint, speaking the Klingon language, says the Hollywood Reporter's THR, Esq. blog. Can a language, in fact, be copyrighted? That question has not yet been answered, the article says. As the lawsuit notes, "Klingonese or Klingon, the native language of Qo'NoS, was first spoken in Star Trek-The Motion Picture in 1979. It was used in several works moving forward, including Star Trek III The Search for Spock." An earlier Geek post provides more details about the case, which was filed in federal district court in the Central District of California.

Judge says Chipotle social media rules violated labor law, orders rehiring of worker fired for tweet (ABA Journal, 16 March 2016) - Fired last year for criticizing Chipotle wages in a tweet, a server at one of the chain's suburban Philadelphia restaurants must now be rehired and get back pay, an administrative law judge ruled Monday. Social media rules at Chipotle that banned such critical comments violated the National Labor Relations Act, found the judge, who also is requiring the company to post signs acknowledging its error. The Associated Press and the Philadelphia Inquirer have stories. Plaintiff James Kennedy, who is now working for an airline in a union job at Philadelphia International Airport, told the Inquirer he is very happy with his new position, which he got about a month after being fired by Chipotle. He also said he would be happy to accept food vouchers from Chipotle for some of the damages he is due.

Are ad blockers needed to stay safe online? (MIT Technology Review, 16 March 2016) - Last weekend some of the world's largest websites exposed millions of people to malicious software that encrypts data and demands money for its safe return. The incident adds weight to an argument made by some security experts that using software to block online ads is necessary to stay safe online. Security company Malwarebytes reports that MSN, the New York Times, BBC, and AOL were among those that served up the ransomware, as such software is known. It happened because those sites, like many, use third-party companies to display advertising. Criminals have a strong incentive to sneak malicious ads into ad networks because their reach is huge. This is far from the first time this has happened; Yahoo, Forbes, and the Economist have all been caught out in the same way in the past. And some research suggests the problem is growing. Because of this, some security experts say that apart from the ethical and business questions of whether it's okay to block online ads that support free content, you should do so just to stay safe. That was the conclusion of a study of the malicious ads problem led by the University of California, Santa Barbara, that singled out a popular ad blocker called Adblock Plus as the most effective defense against bad ads. Edward Snowden, the federal contractor who leaked information about NSA surveillance, also recommends ad blockers for safety reasons. The way some popular ad blockers are trying to make themselves more acceptable to publishers and the ad industry could undermine their protective effect, though. Adblock Plus, for example, will let ads through if they meet certain criteria, such as not showing moving imagery. The company behind the ad blocker even charges companies including Amazon and Google to include their ads in that scheme. Adblock Plus's criteria for "acceptable ads" don't include mention of security, and it and other companies that offer ad blockers are unlikely to have the resources to screen out malicious ads.

San Francisco legislators dodging public records requests with self-destructing text messages (Techdirt, 17 March 2016) - Cory Weinberg of The Information reports San Francisco legislators [warning: paywalled link] are using one of those infamous tools o' terrorism -- messaging service Telegram -- to dodge open records requests. [Link to a non-paywalled story covering the same thing]: In an interview, a San Francisco government staff member said they were encouraged to use the app by colleagues in City Hall who described it as a way to skirt the city's public records laws. "That is exactly what it's being used for," the staff member said. "It's caught on." April Veneracion, a top aide to Supervisor Jane Kim and a Telegram user, said one reason officials use the app is because it "self destructs." She also praised the app's chat room feature that "allows us to be in touch with each other almost instantaneously." Yes, messaging apps are great for instant communications. Self-destructing messages, however, are antithetical to public records laws. Also: possibly illegal.

EU Court of Justice advocate general says open WiFi operators shouldn't be liable for infringement (Techdirt, 17 March 2016) - Back in 2010, there was a troubling ruling in Germany, saying that people who ran open WiFi access points needed to secure them, or they could be held liable for people using those connections to download infringing content. This seemed to contradict the European Ecommerce Directive that gives safe harbors to internet service providers (similar to our DMCA safe harbors in the US). In the fall of 2014, we noted that the EU Court of Justice was taking up that case, and now that court's Advocate General has recommended that the court allow open WiFi, saying that, yes, those who operate WiFi access points can be considered ISPs under the law, and are thus protected from liability. * * *

Face-tracking software lets you make anyone say anything in real time (Mashable, 20 March 2016) - You know how they say, "Show me pictures or video, or it didn't happen"? Well, the days when you could trust what you see on video in real time are officially coming to an end thanks to a new kind of face tracking. A team from Stanford, the Max Planck Institute for Informatics and the University of Erlangen-Nuremberg has produced a video demonstrating how its software, called Face2Face, in combination with a common webcam, can make any person on video appear to say anything a source actor wants them to say. In addition to perfectly capturing the real-time talking motions of the actor and placing them seamlessly on the video subject, the software also accounts for real-time facial expressions, including distinct movements such as eyebrow raises. To show off the system, the team used YouTube videos of U.S. President George W. Bush, Russian President Vladimir Putin and Republican presidential candidate Donald Trump. In each case, the facial masking is flawless, effectively turning the video subject into the actor's puppet. It might be fun to mix this up with something like "Say it with Trump," but for now the software is still in the research phase. "Unfortunately, the software is currently not publicly available - it's just a research project," team member Matthias Niessner told Mashable. "However, we are thinking about commercializing it given that we are getting so many requests." We knew this kind of stuff was possible in the special effects editing room, but the ability to do it in real time - without those nagging "uncanny valley" artifacts - could change how we interpret video documentation forever. [Polley: Watch the demo; unless they cheated, this is game-changing stuff.]

Siri and iAd restricted by Apple 'policy czars' to limit customer data collection (MacRumors, 21 March 2016) - Reuters has published a new report outlining how a team of "policy czars" has impacted Apple's data collection policy and restricted Siri and iAd in the process: Unlike Google, Amazon and Facebook, Apple is loath to use customer data to deliver targeted advertising or personalized recommendations. Indeed, any collection of Apple customer data requires sign-off from a committee of three "privacy czars" and a top executive, according to four former employees who worked on a variety of products that went through privacy vetting. The three "policy czars" are Jane Horvath, a lawyer who served as global policy counsel at Google; Guy Tribble, a member of the original Macintosh team and the vice president of software technology, who spends a significant amount of time on privacy; and Erik Neuenschwander, who reviews lines of engineers' code to confirm that they're following policy.

Lexmark: Can patent rights overwhelm traditional notions of title? (Patently-O, 22 March 2016) - I see the dispute between Impression and Lexmark as more of a property law issue than one focusing on patent law. Of course, the Federal Circuit sees it differently. In its en banc opinion, the Federal Circuit reaffirmed (1) that a seller can use its patent rights to block both downstream resale and downstream reuse of a product (here used printer ink cartridges) and (2) that sales of a product abroad presumptively do not exhaust the US patent rights associated with that product, even when the US patent holder expressly authorizes those foreign sales. Both of these holdings turn on the fact that the goods in question are covered by patent rights. For unpatented goods, these covenants and restrictions generally do not bind subsequent bona fide purchasers. Impression raises the following questions in its newly filed petition for writ of certiorari: 1. Whether a "conditional sale" that transfers title to the patented item while specifying post-sale restrictions on the article's use or resale avoids application of the patent exhaustion doctrine and therefore permits the enforcement of such post-sale restrictions through the patent law's infringement remedy. 2. Whether, in light of this Court's holding in Kirtsaeng v. John Wiley & Sons, Inc., 133 S. Ct. 1351, 1363 (2013), that the common law doctrine barring restraints on alienation that is the basis of exhaustion doctrine "makes no geographical distinctions," a sale of a patented article-authorized by the U.S. patentee-that takes place outside of the United States exhausts the U.S. patent rights in that article. I see the Federal Circuit's decision as dangerous in the way that it undercuts the notion of ownership and transfer-of-title. Restrictions on use and resale of goods have traditionally been unenforceable against downstream owners as a mechanism for facilitating a robust market economy. Impression Products, Inc. v. Lexmark Int'l, Inc. (Supreme Court 2016)

RESOURCES

Electronic Signature Laws Around the World: Download eBook (General Counsel News, 17 March 2016) - Electronic signatures are in use across the globe, reports eSignLive in a new ebook the company has made available for complimentary downloading. The widespread adoption of e-signatures has been supported by electronic signature laws around the world, including the Americas, Europe, Middle East, Africa and Asia-Pacific. Many of these are based on a model law enacted by the United Nations Commission on International Trade Law - Model Law on Electronic Signatures (2001). Today there are more than 75 countries that recognize the legal validity of e-signatures. This eBook provides an introduction to electronic signature laws around the world, including * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

New security glitch found in Diebold system (InsideBayArea.com, 10 May 2006) -- Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. "This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. "In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat." This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines.

- and -

MD House approves paper ballots (Washington Post, 10 March 2006) -- The Maryland House of Delegates unanimously passed legislation yesterday to ditch the state's touch-screen voting machines for the coming election in favor of a system that uses paper ballots. The 137 to 0 vote in the House and the endorsement of the plan this week by Republican Gov. Robert L. Ehrlich Jr. represents a stunning turnaround for a state that was on the leading edge of touch-screen voting in 2001, and it reflects a national shift toward machines that provide a paper record. The touch-screen system, for which Maryland has committed more than $90 million, would be put aside for one year while the state spends at least $13 million to lease optical scan machines. "It's critically important for voters to know their vote was cast and that it will be counted correctly," said Del. Obie Patterson (D-Prince George's). The fate of the plan in the Senate is less certain, and Ehrlich has not set aside money in his budget to lease the new machines. Senate President Thomas V. Mike Miller Jr. (D-Calvert) yesterday defended the record of the state's touch-screen machines and said that changing systems six months before an election would cause headaches for local administrators and lead to long lines and late returns.

AND NOW SEE:

Why hasn't Internet voting caught on? This expert has a nefarious theory (WaPo, 24 March 2016)

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.