Saturday, June 16, 2018

MIRLN --- 27 May - 16 June 2018 (v21.08)

MIRLN --- 27 May - 16 June 2018 (v21.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENTS | NEWS | RESOURCES | LOOKING BACK | NOTES

ANNOUNCEMENTS

Register now for the upcoming ABA CLE webinar series "Cybersecurity Wake-Up Call: The Business You Save May Be Your Own". This 5-part series starts June 27 (with ethics CLE credit!), followed by other episodes in July, August, September, and October. Each episode parses related parts of the best-selling "ABA Cybersecurity Legal Handbook". For more information, and to register, visit ambar.org/cyberwakeup. The "colleagues" discount is 15% - use code FACMARK at checkout. Get 20% off if you subscribe to the full series, along with a free e-copy of the handbook.

NEWS

Law firm cybersecurity 'an imperative' as clients make demands clear (Law.com, 21 May 2018) - As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort. Legal software company Aderant this month released its second "Business of Law and Legal Technology" survey, which showed general optimism among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern. Pennsylvania law firms are grappling with the issue - and the cost - along with the rest of the industry. Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers' cybersecurity efforts as an afterthought. Devin Chwastyk, chair of the privacy and data security group at McNees Wallace & Nurick, said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements. "Every RFP now requires us to disclose how we protect confidential information," said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said. Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work. "Cybersecurity as a line item has certainly become a bigger expense for us," Chwastyk said. "That was inevitable regardless of client demands."

- and -

The law firm cybersecurity audit grows up (Law.com, 29 May 2018) - A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients' sensitive information. But they didn't come to this realization entirely on their own. Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm. * * * But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm. Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. "Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year," says Paul Greenwood, chief information officer at Clifford Chance. Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. "It's more of an engagement than a point-in-time audit," says Robert Kerr, chief information officer at Cooley. "It used to be a check-the-box type of exercise; now it's an interactive exercise where they seek clarifications." And often, these audits will get into the weeds. Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have "gotten more granular, they've gotten more specific in terms of the information they are trying to glean from their business partners, including law firms." The details that clients ask from a law firm will vary, but often focus on the technical minutiae of their data security. "The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them," says Andrea Markstrom, chief information officer at Blank Rome. This means that, at a minimum, modern law firms need to conduct "routine and regular scans of vulnerabilities in their systems," Don adds. But demanding and detailed audits, even yearly, may not be enough in today's cyberthreat world. "The other thing that I think we're seeing more of is these one-off, what I call 'diligence inquiries' around high risk vulnerabilities," Don says, pointing to the "Spectre" and "Meltdown" microprocessor vulnerabilities that were disclosed in January 2018 as examples. Such inquiries come "outside the questionnaire process," he explains, and may encompass several questions about the firm's susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they've addressed a particular vulnerability.
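A certification that a particular vulnerability "has been addressed" is only as good as the evidence behind it. For the Spectre/Meltdown inquiries described above, Linux kernels since 4.15 publish per-issue mitigation status under /sys/devices/system/cpu/vulnerabilities, one file per issue, each containing a single line such as "Not affected", "Mitigation: PTI" or "Vulnerable". The following is an added example written for this issue of MIRLN, not code from any of the firms or vendors quoted: it classifies those status lines, runs the check against the live sysfs directory when present, and otherwise against a constructed sample so it can be exercised offline. The list of issues treated as "required" is an assumption chosen for illustration; a real diligence response would use the list the client actually asked about.

```python
"""Collect and grade Linux CPU-vulnerability mitigation status for a diligence response.

Added example, not from the article. Reads /sys/devices/system/cpu/vulnerabilities
(present on Linux >= 4.15); falls back to a constructed sample when that directory
is absent so the logic can be run anywhere.
"""
import os
from typing import Dict, List, Tuple

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample, modelled on real kernel status strings (assumption: this is
# what an un-patched early-2018 host might report, not a capture from any real system).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "spec_store_bypass": "Vulnerable",
    "l1tf": "Not affected",
}

# Issues a hypothetical client inquiry asked us to certify (illustrative choice).
REQUIRED = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status_line: str) -> str:
    """Map one sysfs status line to 'not_affected', 'mitigated', 'vulnerable' or 'unknown'.

    The kernel prefixes partial or failed mitigations with 'Vulnerable:' (for example
    'Vulnerable: Minimal generic ASM retpoline'), so the prefix, not the presence of a
    mitigation name, decides the grade.
    """
    s = status_line.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(path: str = VULN_DIR) -> Dict[str, str]:
    """Return {issue: status_line} from the live sysfs directory, or {} if unavailable."""
    if not os.path.isdir(path):
        return {}
    result = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "r", encoding="utf-8") as fh:
            result[name] = fh.read().strip()
    return result


def grade(statuses: Dict[str, str], required=REQUIRED) -> Tuple[bool, List[str]]:
    """Decide whether every required issue is mitigated or not applicable.

    Returns (ok, findings). Anything not 'mitigated'/'not_affected', and any required
    issue the kernel does not report at all, is a finding: absence of a file is not
    evidence of absence of the bug (the kernel may simply predate its disclosure).
    """
    findings = []
    for issue in required:
        if issue not in statuses:
            findings.append(f"{issue}: no status reported by this kernel")
            continue
        verdict = classify(statuses[issue])
        if verdict not in ("mitigated", "not_affected"):
            findings.append(f"{issue}: {verdict} ({statuses[issue]})")
    return (not findings), findings


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample"
    ok, findings = grade(live or SAMPLE_STATUS)
    print(f"[{source}] certifiable: {ok}")
    for f in findings:
        print("  finding:", f)
```

The useful property for an audit response is that the script treats a missing status file as a finding rather than a pass, which is the mistake a quick `grep Mitigation` check makes on a kernel too old to know about the issue in question.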

Pentagon cracks down on personal mobile devices (FCW, 23 May 2018) - The Defense Department is cracking down on personal mobile devices inside secure areas of the Pentagon. Under a new policy memo released May 22, DOD personnel, contractors and visitors to the building and supporting facilities in Arlington County, Va., are restricted from having mobile devices in areas designated or accredited for "processing, handling, or discussion of classified information." Personal and unclassified government-issued mobile devices are prohibited in secure spaces but may be used in common areas. Government-issued unclassified devices being used as desktop replacements must have approved "interim mitigations applied until replaced with compliant devices" within 180 days. Mitigations include disabling the camera, microphone and Wi-Fi settings. Government-issued classified mobile devices can continue to operate per previous authorization while exemptions are reviewed.

Chase Bank sues Landry's for $20M over data breach (Houston Chronicle, 23 May 2018) - Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry's failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach. Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry's properties, including Bubba Gump, McCormick & Schmick's, Rainforest Cafe and Saltgrass restaurants. In response, Landry's hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption.

This Frida Kahlo digital collection is massive & free (Remezcla, 25 May 2018) - More than six decades after her death, there is still immense interest in Frida Kahlo. And a new retrospective will allow fans to learn more about the Mexican artist right from their homes. Google Arts & Culture has collaborated with 33 museums from seven countries across the world to bring us Faces of Frida, the largest collection of photographs, documents, and artworks associated with Kahlo. The collection promises to give us a multi-faceted look at the queer, feminist, and disabled icon. "It's a true global effort," said Jesús García, Google's Head of Hispanic Communications, according to Forbes. "Frida's name kept coming up as a top contender when we started to think of what artists would be the best to feature in a retrospective. There's so much of her that was not known and could still be explored from an artistic perspective and life experience." Excitingly, the collection gives us a look into items and artworks that have rarely been displayed, including a sketch Kahlo made of New York in 1932 for Mexican actress Dolores del Río. She sketched what she saw from the Barbizon Plaza Hotel. If you've also wanted to visit La Casa Azul, where she lived and worked, but haven't had a chance, Google also has you covered. "This expertly curated online exhibition presents an intimate view of Frida Kahlo's life and loves through her vibrant letters, candid photographs, and unpublished essays," added Kate Haw, director of the Smithsonian Archives of American Art. "Through the story threads of these original records - a total of 54 rare documents drawn from our collections - we gain a deeper understanding of Frida's relationships with historian Florence Arquin, artist Emmy Lou Packard, photographer Nickolas Muray, art collector Chester Dale, and writer John Weatherwax." Enjoy it in its full glory here.

Four days into GDPR, US publishers are starting to feel the effects (Columbia Journalism Review, 29 May 2018) - For something that has been in the works for more than two years, the EU's General Data Protection Regulation seemed to take at least some people by surprise when it went into effect May 25 - including more than a few publishers. And some warn the long-term effects of the regulations could be severe: Ad exchanges used by many news sites reportedly saw an immediate drop in demand of between 25 and 40 percent, and many believe this could help increase the dominance of platforms like Google and Facebook, since they are better prepared for the data-handling rules and have deeper pockets. When the new rules on how to handle user information went into effect, a number of news sites responded by simply shutting off access to anyone who appeared to be coming from a European address, and for many that continued to be the case right through the Memorial Day weekend. As of Monday, for example, several of the papers belonging to the tronc chain - including the Los Angeles Times and Chicago Tribune - were still showing EU visitors a message saying: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism." Other news sites such as USA Today's responded to the new rules - under which multi-million-dollar fines can be issued for improper use of data - by removing some or all of the ad-related software that harvests information from users and tracks their behavior. According to one web engineer, the US version of the USA Today site was 5.5 megabytes in size and included more than 800 ad-related requests for information involving 188 different domains. The EU version was less than half a megabyte in size and contained no third-party content at all, meaning it not only didn't track as much data but also loaded much faster.

A trip to the ER with your phone may mean injury lawyer ads for weeks (ArsTechnica, 29 May 2018) - With digital traps in hospitals, there's no need for personal injury lawyers to chase ambulances these days. Law firms are using geofencing in hospital emergency rooms to target advertisements to patients' mobile devices as they seek medical care, according to Philadelphia public radio station WHYY. Geofencing can essentially create a digital perimeter around certain locations and target location-aware devices within the borders of those locations. Patients who unwittingly jump that digital fence may see targeted ads for more than a month, and on multiple devices, the outlet notes. While the reality may seem like a creepy nuisance to some, privacy experts are raising alarms. "Private medical information should not be exploited in this way," Massachusetts Attorney General Maura Healey told WHYY. "Especially when it's gathered secretly without a consumer's knowledge - without knowledge or consent." Last year, Healey's office barred a digital firm from using geofencing in healthcare settings in the state after the firm was hired by a Christian pregnancy counseling and adoption agency to use digital perimeters to target ads to anyone who entered reproductive health facilities, including Planned Parenthood clinics. The goal was to make sure "abortion-minded women" saw certain ads on their mobile devices as they sat in waiting rooms. The ads had text such as "Pregnancy Help" or "You Have Choices," which, if clicked, would direct them to information about abortion alternatives.

Cybersecurity: Why it matters in M&A transactions (Schonherr, 30 May 2018) - At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated. In light of the global threats that potentially could affect every business ("no one is safe"), public regulators have started adopting regulations on cybersecurity (e.g. the Austrian Financial Market Authority published guidelines for IT security in financial institutions). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions. A recent regulation of the New York Department of Financial Services ("NYDFS") now specifically addresses cybersecurity risks in M&A transactions. The NYDFS's regulation was issued in the context of the 2014 large-scale data breach of Yahoo! and Yahoo!'s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price, among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches. In its FAQ, the NYDFS now has clarified the importance of cybersecurity also in M&A transactions: "when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions." Now, the NYDFS regulation underlines that cybersecurity has become an issue to be also considered in M&A processes, namely in the due diligence and in the transaction documents.

New data show substantial gains and evolution in internet use (NTIA, 6 June 2018) - The digital divide is showing signs of giving way as more Americans from all walks of life connect to the Internet. Several historically disadvantaged groups showed significant increases in online adoption, according to initial results from NTIA's most recent survey on Internet use conducted by the U.S. Census Bureau. The survey, which was conducted in November 2017, reveals new contours of Americans' Internet use. In 2017, more households had a mobile data plan than wired broadband service. Additionally, for the first time since NTIA began tracking use of different types of computing devices, tablets were more popular than desktop computers among Americans, and the number of people who used multiple types of devices also increased substantially. The data show that 78 percent of Americans ages 3 and older used the Internet as of November 2017, compared with 75 percent in July 2015, when our previous survey was conducted. This increase of 13.5 million users was driven by increased adoption among low-income families, seniors, African Americans, Hispanics, and other groups that have been less likely to go online. For example, among Americans living in households with family incomes below $25,000 per year, Internet use increased from 57 percent in 2015 to 62 percent in 2017, while households earning $100,000 or more showed no change during this period. While the trend is encouraging, low-income Americans are still significantly less likely to go online (see Figure 1).

Special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs (Benton, 7 June 2018) - Apparently, special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs and potentially view conversations between associates linked to President Donald Trump. Since as early as April, Mueller's team has been asking witnesses in the Russia probe to turn over phones for agents to examine private conversations on WhatsApp, Confide, Signal and Dust, apparently. Fearing a subpoena, the witnesses have complied with the request and have given over their phones. While it's unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren't previously disclosed to them. [see also, Are any encrypted messaging apps fail-safe? Subjects of Mueller's investigation are about to find out. (WaPo, 8 June 2018)]

FTC rebuked in LabMD case: What's next for data security? (Wiley Rein, 7 June 2018) - On June 6, the U.S. Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD case. As Wiley Rein attorneys recently explained in a webinar on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC's authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency, which was found to be so vague as to be unenforceable. The court did not address the key substantive questions: (1) in a data breach case, what type of consumer injury gives rise to "unfairness" under Section 5 of the FTC Act, an issue sometimes identified as the "informational injury" question? (2) What type of notice is the FTC required to provide regarding reasonable data security measures? Despite its failure to answer these questions, the decision has implications for those issues and the agency's overall approach to data security. In particular, the Eleventh Circuit's decision was a rebuke to the agency's remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC's cease and desist order "mandates a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished." According to the three-judge panel, "[t]his is a scheme that Congress could not have envisioned." * * * [Polley: good analysis.]

Blockchain's once-feared 51% attack is now becoming regular (Telegra.ph, 8 June 2018) - Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that's perhaps the crypto equivalent of a bank heist. More surprising, though, may be that so-called 51% attacks are a well-known and dangerous cryptocurrency attack vector. While there have been some instances of such attacks working successfully in the past, they haven't exactly been all that common. They've been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in crypto time) argument? It's too costly and they wouldn't get all that much money out of it. But that doesn't seem to be the case anymore. NYU computer science researcher Joseph Bonneau released research last year featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment. One conclusion he drew? These attacks were likely to increase. And, it turns out he was right. [see also, Bitcoin's price was artificially inflated, fueling skyrocketing value, researchers say (NYT, 13 June 2018)]
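Why "51%" is the threshold, and why a smaller share of hashrate is still dangerous for a merchant who accepts a payment after few confirmations, follows from the race analysis in the original Bitcoin whitepaper (Nakamoto, 2008, section 11). An attacker with fraction q of the network hashrate pays a merchant on the public chain, then mines a private fork that omits that payment; if the fork ever overtakes the public chain, the payment is "rearranged" away. Below is an added worked example written for this issue of MIRLN (not code from the article, from Bonneau's paper, or from any of the projects named) that carries that estimate through: the catch-up probability is a gambler's-ruin term (q/p)^deficit, which is 1 whenever q >= p, i.e. at or above 50% of hashrate, independent of how many confirmations the merchant waits for. The rental-cost side of Bonneau's argument is not modelled here.

```python
"""Double-spend success probability versus attacker hashrate share.

Added example, not from the article. Implements the estimate in section 11 of the
Bitcoin whitepaper: honest miners find z blocks while the attacker, with hashrate
share q (honest share p = 1 - q), mines a private fork; the attacker wins if the
fork ever pulls ahead of the public chain.
"""
import math


def catch_up_probability(q: float, deficit: int) -> float:
    """Probability that a fork `deficit` blocks behind ever catches up.

    Gambler's ruin with per-block win probability q: (q/p)^deficit when q < p,
    and certain (1.0) when the attacker holds at least half the hashrate or is
    already level with the public chain.
    """
    p = 1.0 - q
    if deficit <= 0 or q >= p:
        return 1.0
    return (q / p) ** deficit


def double_spend_probability(q: float, z: int) -> float:
    """Nakamoto's estimate of double-spend success after the merchant sees z confirmations.

    The attacker's progress while honest miners produce z blocks is Poisson with
    mean z*q/p; sum over k attacker blocks the chance of *not* catching up from a
    deficit of z-k, and subtract from 1. Cases k > z (already ahead) count as wins.
    """
    p = 1.0 - q
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= p:
        return 1.0  # majority hashrate: the private fork wins with certainty
    lam = z * (q / p)
    lose = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        lose += poisson * (1.0 - catch_up_probability(q, z - k))
    return 1.0 - lose


def minimum_confirmations(q: float, max_risk: float, cap: int = 1000) -> int:
    """Smallest z such that the double-spend probability is below max_risk.

    Returns -1 when no number of confirmations up to `cap` suffices, which is what
    happens for q >= 0.5: the merchant cannot buy safety with waiting.
    """
    for z in range(cap + 1):
        if double_spend_probability(q, z) < max_risk:
            return z
    return -1


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45, 0.51):
        row = "  ".join(f"z={z}:{double_spend_probability(q, z):.4f}" for z in (0, 1, 2, 6, 10))
        print(f"q={q:.2f}  {row}  conf needed for <0.1%: {minimum_confirmations(q, 0.001)}")
```

For the table above the numbers reproduce the whitepaper's: at q = 0.1 six confirmations push the risk below 0.1%, at q = 0.3 it takes about 24, and at q = 0.51 `minimum_confirmations` returns -1 because every entry is 1.0. That last column is the operational meaning of the article's point about smaller networks: once rentable hashrate exceeds the coin's own, confirmation counts stop being a defence and exchanges can only respond by raising them on coins where the attacker is merely large, not dominant.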

Not just corporate: Law firms too are struggling with GDPR compliance (Law.com, 11 June 2018) - Despite the yearslong build up to the EU's General Data Protection Regulation (GDPR), which came into force on May 25, many organizations are still behind in their compliance efforts. And while much attention has been paid to corporations' compliance shortcomings, a recent Wolters Kluwer survey found that law firms are also lagging in meeting GDPR mandates. Conducted among 74 medium (26-100 staff members) to large (100-plus) law firms, the survey found that only 47 percent of law firms said they were "fully prepared" to meet the GDPR's requirements. While 16 percent said they were "somewhat prepared," more than a third, 37 percent, said they have not prepared specifically for the GDPR at all. Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. "Many of the law firms kind of half expected that there would be a delay, and they wouldn't have had to solve the problem by May 25," he said. However, Ader noted that the lack of preparation was also a sign that "law firms just don't have the necessary skills, people, and budget to figure out how to handle GDPR." Indeed, law firms are in a unique situation when it comes to the GDPR, given that many not only have to ensure their own firm's compliance while also managing and directing their clients' GDPR compliance efforts. Such "double duty" is forcing some firms to staff up and overextend their attorneys. Yet even with added staff and hours, firms can find it challenging to meet GDPR demands. London-based Squire Patton Boggs partner Ann LaFrance, for example, told The American Lawyer that hiring cannot keep up with the wide-ranging compliance needs of their clients. "It still isn't enough, and there isn't enough experience out there." Still, while firms may have a lot of GDPR preparation to do, 60 percent had already assigned a point person, consultant or team to spearhead GDPR compliance efforts, while 72 percent were investing in cybersecurity. What's more, 43 percent assigned a data protection officer (DPO), though they were not required to under the regulation. Such a mandate only applies to companies classified as "data controllers" who determine the purposes for, and the means of, processing EU personal data. One area where many firms' GDPR preparations lagged behind is with employee training. The survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Seventeen percent did not and had no plans to train at all. [Polley: Spotted by MIRLN reader Gordon Housworth]

On Facebook, a place for civil discussion (NYT, 12 June 2018) - In the run-up to the 2016 election, Russian trolls wielding ads and memes used Facebook as a tool to darken lines of division. More recently, one corner of Facebook has emerged in pursuit of the opposite: civil conversation, even among those who disagree. It has become part of Bethany Grace Howe's morning routine, right alongside her yogurt and cup of tea. The New York Times's Reader Center put out a call early last December inviting readers to apply to join a Facebook group where they could offer feedback on The Times's coverage and talk about how the news affects them. Ms. Howe, 49 - a longtime media scholar, journalist and reader of The Times since she was 13 - was among the first 100 people chosen to join the group. "It was like, O.K., this is too good to be true," she said. And it soon became clear that the group was a lot more than just a place to talk about the Gray Lady. "I joined because I thought I was going to learn a lot about The New York Times from the people who work at The Times," Ms. Howe said. "What's ended up happening is I've learned an amazing amount about this country by talking to the readers of The Times." It has come to mean enough that she is now working to organize a real life meet-up of group members near her in Oregon, where she is a doctoral student of mass media studies examining questions of transgender identity and depictions in media. The Reader Center group is one of four Facebook groups that The Times has created since last spring. There's NYT Australia, where the focus is Australia but the discussion regularly stretches wider, run by the journalists in The Times's Australia bureau. There's Now Read This, an online book club co-managed by The New York Times Book Review and "PBS Newshour" where members discuss a different book every month, guided in part by questions from the two news organizations. And there's The New York Times Podcast Club (which I help run), where podcast lovers can talk about what they're listening to and Times employees select a show every week for discussion. These are different from The Times's institutional Facebook page, or pages run by sections like Styles or Science, which you might follow to see their news articles show up in your feed. In these groups, people at The Times - and collaborators - guide discussions and often engage with group members. Administrators must approve people before they can join, and must sign off on individual posts, too. They can also delete comments or remove members if things get nasty or inappropriate.

Apple will update iOS to block police hacking tool (The Verge, 13 June 2018) - For months, police across the country have been using a device called a GrayKey to unlock dormant iPhones, using an undisclosed technique to sidestep Apple's default disk encryption. The devices are currently in use in at least five states and five federal agencies, seen as a breakthrough in collecting evidence from encrypted devices. But according to a new Reuters report, Apple is planning to release a new feature to iOS that would make those devices useless in the majority of cases, potentially sparking a return to the encryption standoff between law enforcement and device manufacturers. Under the new feature, iPhones will cut off all data communication through the USB port if they have not been unlocked in the past hour. Once the hour expires, the USB port can only be used to charge the device. The result will give police an extremely short window of time to deploy GrayKey devices successfully. According to a Malwarebytes report published in March, GrayKey works by installing some kind of low-level software through the iPhone's Lightning port. After plugging into the GrayKey device briefly, the target iPhone will continue to run the GrayKey software on its own, displaying the device's passcode on-screen between two hours and three days after the software was installed. While politically sensitive, the change will close off an entire class of attacks through the iPhone's Lightning port, including attacks that copy GrayKey's techniques. Apple described the change as a general security update rather than a response to law enforcement specifically.

Google adds federal data to college searches (Inside Higher Ed, 13 June 2018) - Search for a four-year college on Google, and you'll now be presented with data on admission rates, graduation rates and tuition costs, in addition to the usual link to Wikipedia. Google said the addition of more information to college search results would make it easier for prospective students to choose the right institution for them. Writing in a blog post Tuesday, Jacob Schonberg, product manager for Google, said the process for finding information on colleges is "confusing" and that it is "not always clear what factors to consider and which pieces of information will be most useful for your decision." Schonberg said Google used data from the U.S. Department of Education's College Scorecard and Integrated Postsecondary Education Data System (IPEDS). Though IPEDS is one of the most comprehensive sources of data on four-year colleges, its numbers are often criticized for not being representative of student populations, particularly at open-access colleges, as IPEDS data tend to reflect only first-time, full-time students. In addition to data from IPEDS, Google has introduced new college-search features such as lists of notable alumni and suggestions for "similar colleges."

How Firefox is using Pocket to try to build a better news feed than Facebook (The Verge, 13 June 2018) - On this week's episode of Converge, Pocket founder and CEO Nate Weiner tells us why he sold his company to Mozilla, and how he's working to build a better version of Facebook's News Feed into the Firefox browser. Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, Weiner believes the company can show people the best of the web - in a personalized way - without building an all-knowing, Facebook-style profile of the user. "We're testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla," Weiner said. "It all happens on the client, inside the browser itself. There is this notion today... I feel like you saw it in the Zuckerberg hearings. It was like, 'Oh, users. They will give us their data in return for a better experience.' That's the premise, right? And yes, you could do that. But we don't feel like that is the required premise. There are ways to build these things where you don't have to trade your life profile in order to actually get a good experience." Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy. In a world where trust in social feeds has begun to collapse, Pocket offers a low-key but powerful alternative. And as Mozilla has integrated it deeper into Firefox, Pocket has become a significant source of traffic for some publishers, The Verge included. [Polley: I love Pocket.]

Free MOOCs face the music (Inside Higher Ed, 14 June 2018) - Massive open online courses got a little less open with edX's recent announcement that it is introducing support fees for some of its MOOCs. Midway through an innocuous-looking blog post, Anant Agarwal, CEO of edX, said the nonprofit would be "moving away from our current model of offering virtually everything for free." On May 3, edX began testing the introduction of a "modest support fee" that will "enable edX and partners to continue to invest in our global learning platform." Adam Medros, edX COO and president, said in an interview that the support fee was just one option being explored to ensure the long-term sustainability of the MOOC provider. Previously edX users were able to take most of its courses at no cost, an option that edX calls "auditing" a course. Those who want a certificate to show they have completed a course typically pay between $50 and $300. Some options, such as edX's MicroMasters programs, cost over $1,000. Now some users will be asked to pay a support fee, "from $9 up to some portion of the certification cost," said Medros. The price of the support fee "will be aligned to the value and experience" that a course gives to a learner, said Medros, suggesting that the best courses will also be the most expensive. By introducing a support fee, Medros said, there is a possibility that completion rates may go up. "There is a lot of evidence showing that having some 'skin in the game' is beneficial in online learning," said Medros. Medros did not say how many courses the support fee would be applied to, but he said it was edX's intention that "some portion" of its content "will always be free." He said edX had not decided which content will remain free and what proportion of the total catalog it will represent.

Beware of buying a competitor's name to market your law practice (MyShingle.com, 14 June 2018) - Can lawyers use a competitor's name as a keyword to market their own law practice? Although Google allows law firms to purchase competitors' names as keywords, at least two states - North Carolina and South Carolina - forbid this practice, finding it inherently deceptive. By contrast, Florida and Texas allow lawyers to use keywords to advertise, with the caveat that the ads must be designed so as not to trick consumers into thinking they are going to one firm's website when they are instead led to another. But the bar regulations don't much matter because, increasingly, law firms whose names have been appropriated are suing competitors and winning. As the Daily Report Online reports, a Georgia court recently enjoined a Texas marketing firm called ELM from running ads for a law firm that used a rival firm's trade name to draw traffic to the advertising firm's site. Further compounding the confusion, the marketing company used photos of the rival firm's site as background for the ads and included phone numbers to call centers where operators were instructed to use a generic greeting so that callers would believe that they had reached the rival firm's answering service.

RESOURCES

Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target's data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

CIA monitors YouTube for intelligence (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. "We're looking at YouTube, which carries some unique and honest-to-goodness intelligence," said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees' Association last October. "We're looking at chat rooms and things that didn't exist five years ago, and trying to stay ahead. We have groups looking at what they call 'Citizens Media': people taking pictures with their cell phones and posting them on the Internet." In November 2005, the OSC subsumed the CIA's Foreign Broadcast Information Service, which housed the agency's foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin's remarks on his blog. "I found the speech interesting and thoughtful," he said in an e-mail. "I would not have thought of YouTube as an obvious source of intelligence, but I think it's a good sign that the Open Source Center is looking at it, and at other new media."

Google, UN unveil project to map movement of refugees (SiliconValley.com, 8 April 2008) - Internet search giant Google Inc. unveiled a new feature Tuesday for its popular mapping programs that shines a spotlight on the movement of refugees around the world. The maps will aid humanitarian operations as well as help inform the public about the millions who have fled their homes because of violence or hardship, according to the office of the U.N. High Commissioner for Refugees, which is working with Google on the project. "All of the things that we do for refugees in the refugee camps around the world will become more visible," U.N. Deputy High Commissioner for Refugees L. Craig Johnstone said at the launch in Geneva. Users can download Google Earth software to see satellite images of refugee hot spots such as Darfur, Iraq and Colombia. Information provided by the U.N. refugee agency explains where the refugees have come from and what problems they face. Google says more than 350 million people have already downloaded Google Earth. The software was launched three years ago and originally intended for highly realistic video games, but its use by rescuers during Hurricane Katrina led the company to reach out to governments and nonprofit organizations.

Saturday, May 26, 2018

MIRLN --- 6-26 May 2018 (v21.07)

MIRLN --- 6-26 May 2018 (v21.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENTS

Take a look at the new ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals (2nd Edition). Published in November, it's already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about "reasonable" security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. Learn more here: ambar.org/cyber

NEWS

Working group releases draft protocol on cybersecurity in international arbitration (NY City Bar, 16 April 2018) - Stating that "[i]nternational arbitration in the digital landscape warrants consideration of what constitutes reasonable cybersecurity measures to protect the information exchanged during the process," a Working Group on Cybersecurity has released a Draft Cybersecurity Protocol for International Arbitration. The Working Group, consisting of the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association, presented the Draft Protocol at the ICCA Congress in Sydney, Australia, on April 15, local time. "International arbitration is not uniquely vulnerable to cyber breaches, but the stakes are often quite high," said Mark Morril, an independent arbitrator who represents the New York City Bar Association along with independent arbitrator Stephanie Cohen and Lea Haber Kuck of Skadden Arps Slate Meagher & Flom LLP. "Like any sector that involves high value data, international transmissions and multiple actors, it will require strong security going forward." * * * Ms. Cohen noted that the Protocol purposefully avoids specific cybersecurity recommendations. She said, "We considered but unanimously rejected the 'one size fits all approach.' The Protocol guides parties and arbitrators through a risk-based approach to determine reasonable cybersecurity measures that fit each individual matter." [Polley: see also, TDM Call for Papers: Special Issue on Cybersecurity in International Arbitration (TDM 18 May 2018); spotted by MIRLN reader Phil Ray - @philray66]

Corporate America takes action as awareness of risk to key assets grows (Kilpatrick Townsend, 24 April 2018) - Continuing to respond to the ever-increasing targeted attacks on organizations' most vital confidential information - their "knowledge assets" - Kilpatrick Townsend & Stockton and the Ponemon Institute released today their findings from The Second Annual Study on the Cybersecurity Risk to Knowledge Assets. The first study, Cybersecurity Risk to Knowledge Assets, was released in July 2016.

Washington utility boosts security after Bitcoin mining moratorium (GT Magazine, 3 May 2018) - Bitcoin belligerence is on the rise, according to Chelan County PUD staff reports, prompting a boost in employee safety and security measures that include bulletproof panels and security cameras at PUD headquarters. The reported bad behavior stems from two cryptocurrency-related groups - unauthorized miners whose power has been disconnected and high-density load service applicants denied because of the current moratorium. "PUD employees in the field and those in the office who are handling issues related to high-density load service have encountered an increasing number of upset customers and potential customers," said PUD spokeswoman Kimberlee Craig. "In some cases people can get agitated and argumentative. Our goal always is to provide excellent customer service, as well as to keep customers, the public and employees safe, especially when emotions may be running high." None of the incidents have escalated to the point of calling law enforcement, she said. "The volume of requests and the sense of urgency by applicants has changed the dynamics of the interaction by staff with the cryptocurrency customers," she said. As a result, staff is taking some proactive steps, which PUD Security Director Rich Hyatt outlined for commissioners on Monday. The increase in tension follows steps taken to put the brakes on blockchain operations that use specialized computer equipment and require a large amount of electricity, running continuously, which can put a strain on the system. The PUD commissioners in March declared an emergency moratorium on new high-density load hookups to give staff time to develop a plan for dealing with the demand for electricity from digital currency miners. The demand spiked when Bitcoin values topped $19,000 last fall. It's now down to about $7,000, but still up from $500 in 2013. 
Staff also reported concerns about unauthorized bitcoin operators overloading the system, creating fire hazards and damaging power grid infrastructure. [Polley: Remember 15 years ago or so when some employees were punished for unauthorized use of computer power (via screensavers like SETI@home) to solve computer problems for others (like folding proteins)? Some of these bitcoin apps sound like that, on steroids. See also, Cryptojacking campaign exploits Drupal bug, over 400 websites attacked (Threat Post, 7 May 2018)]

The role of norms in internet security: Reputation and its limits (Lawfare, 8 May 2018) - Who maintains the security and stability of the internet - and how do they do it? It's a simple question, but a difficult one to answer. Internet security, writ large, comprises a diverse set of social and technical tools and an equally diverse set of industry norms around mitigating and remediating abusive behavior. Those tools are developed and used by what I term operational security communities - groups of individuals, largely unaffiliated with governments, that do the day-to-day work of maintaining the security and stability of the internet. What these communities actually do, and the scope and nature of the challenges that they face, is often poorly understood, even among sophisticated state actors. But one of the key mechanisms on which operational security communities rely is a surprisingly familiar one: reputation. * * * [Polley: Interesting. I've been involved with some international norms-development activities in the cyber-warfare arena, and the process is glacial.]

Law firm data is catnip for hackers (Security Boulevard, 8 May 2018) - Dig into a law firm, and you'll find secrets. Sometimes these secrets are mundane, like who's getting divorced, or who's getting cut out of the will. Sometimes, however, these secrets can shake nations and economies. Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm - which may well be the least safe place to hide them. Law firms may be extremely discreet when protecting their clients' identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who've heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was: (1) running a version of WordPress that was 2 years out of date; (2) running a version of Drupal that was three years out of date; (3) running its web server on the same network as its mail server; (4) running its web server without a firewall; (5) running an out-of-date plugin known as "Revolution Slider," which contained a file upload vulnerability that had been documented since 2014. This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What's more troubling, however, is that Mossack Fonseca wasn't a standout among law firms. Many if not most law firms have an equally bad security posture. [See ANNOUNCEMENTS, above.]

Important Fourth Circuit ruling on cell phone border searches (Orin Kerr on Volokh Conspiracy, 9 May 2018) - The Fourth Circuit handed down a significant ruling today in United States v. Kolsuz on how the Fourth Amendment applies to searches of cell phones seized at the border. Although the court ultimately affirmed the conviction based on the good-faith exception, the court also introduced a new and significant limit on border searches. Judge Pamela Harris penned the majority opinion, and Judge Wilkinson added a concurrence. There's a lot going on in the opinion, and it merits a close read, but I'll try to offer some highlights and commentary here. * * * [Polley: Orin Kerr is THE expert on this area of the law in the US; his article is thorough, and interesting. See also, Fourth Circuit rules that suspicionless forensic searches of electronic devices at the border are unconstitutional (EFF, 9 May 2018)]

- and -

Eleventh Circuit creates circuit split on cell phone border searches (Orin Kerr on Volokh Conspiracy, 23 May 2018) - The Eleventh Circuit has handed down an important new ruling on cell phone searches at the border, United States v. Touset. In an opinion by Judge William Pryor, the court disagrees with the Fourth Circuit and Ninth Circuit caselaw requiring suspicion to conduct a forensic search at the border. The basic issue in these cases is this: When the government seizes a computer or cell phone at the border, and they want to search it using forensic equipment, do they need some sort of suspicion that evidence or contraband is on the device? Or does the traditional border search exception (which ordinarily permits searches of property crossing the border without suspicion) apply? Regular readers of this blog have heard a lot about this question over the years. Just two weeks ago, I posted on the Fourth Circuit's May 9th ruling in United States v. Kolsuz, by Judge Pamela Harris, which required some kind of suspicion to conduct such a search. And I've blogged extensively about the Ninth Circuit's en banc ruling from 2013 in United States v. Cotterman, authored by Judge Margaret McKeown, which required reasonable suspicion for forensic searches at the border. The new Eleventh Circuit decision disagrees with Kolsuz and Cotterman, arguing that no suspicion should be required for a forensic border search. * * *

SEC not looking to file many cybersecurity cases, official says (BNA, 9 May 2018) - The SEC isn't planning to make cybersecurity cases part of the "bread and butter" of its enforcement activity, despite its multimillion-dollar penalty against the former Yahoo! Inc. in a first-of-its-kind case in the space, a senior Securities and Exchange Commission official said May 9. The remarks by SEC Cyber Unit Chief Robert Cohen at an enforcement conference in New York came after Yahoo successor Altaba Inc. reached a $35 million settlement with the agency in April to resolve claims that it delayed telling investors about a massive data breach. Cohen didn't rule out more SEC cases like the one against Yahoo. But, he said, the commission looks to bring cybersecurity cases in which the "facts are particularly bad and when the conduct really violates the statute very clearly." Insider trading, market manipulation, and accounting fraud are the kinds of matters that will continue to populate a majority of the SEC's case roster, Cohen said. "We're not looking to bring dozens and dozens of cybersecurity cases every year," he said at the conference organized by the Practising Law Institute. The agency in February issued new guidance on how to inform investors about cyber threats and breaches. The document stressed that companies should have procedures to notify company leaders and shareholders about cyberattacks. The SEC, however, doesn't seek to "second-guess good-faith, reasonable decisions" on cybersecurity disclosure, Cohen said, echoing similar comments from other SEC officials.

Alexa and Siri can hear this hidden command. You can't. (NYT, 10 May 2018) - Many people have grown accustomed to talking to their smart devices, asking them to read a text, play a song or set an alarm. But someone else might be secretly talking to them, too. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online - simply with music playing over the radio. A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website. This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon's Echo speaker might hear an instruction to add something to your shopping list.

IBM bans all removable storage, for all staff, everywhere (The Register, 10 May 2018) - IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g.,: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around. But the advisory also admitted that the move may be "disruptive for some." She's not wrong: The Register understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches. Indeed, IBM offers advice on how to install Linux on its own POWER 9 servers using a USB key.

The Santa Clara Principles on transparency and accountability in content moderation (Benton Foundation, 10 May 2018) - The Santa Clara Principles offer guidance to internet platforms on how to provide users with meaningful due process when their posts are taken down or their accounts are suspended, and to help ensure that the enforcement of company content guidelines is fair, unbiased, and respectful of users' free expression rights. The three principles urge companies to: (a) Publish the numbers of posts removed and accounts permanently or temporarily suspended due to violations of their content guidelines; (b) Provide clear notice to all users about what types of content are prohibited, and clear notice to each affected user about the reason for the removal of their content or the suspension of their account; and (c) Enable users to engage in a meaningful and timely appeals process for any content removals or account suspensions.

Industry insight: Collaboration tools might be the next great security risk (PC Magazine, 14 May 2018) - Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it's a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company's most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private information outside of your organization. In other words, even if they're being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network. Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif.-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sort of attacks that could happen via collaboration services and how businesses can protect themselves.

20 years of the Laws of Cyberspace (Harvard, 16 May 2018) - It's been two decades since Harvard Law School Professor Lawrence Lessig published "The Laws Of Cyberspace," which, in the words of Professor Jonathan Zittrain, "imposed some structure over the creative chaos of what maybe was a field that we'd call cyberlaw." Lessig's groundbreaking paper describes four types of constraints that together regulate behavior - law, social norms, the market, and architecture - and argues that due to its special architecture, cyberspace is different from "real" space and thus subject to new possibilities for control by governments and other centers of power. "The world we are entering is not a world where freedom is assured," Lessig wrote in 1998, but instead, "has the potential to be the most fully, and extensively, regulated space in our history." On April 16, the Berkman Klein Center for Internet & Society hosted a special event commemorating the 20th anniversary of the publication of "The Laws of Cyberspace," with Lessig, Harvard Law School Professors Ruth Okediji and Jonathan Zittrain, and Dr. Laura DeNardis of American University. The panelists reflected on the paper, and where the field of cyberlaw has taken us over the last two decades, and they considered how some of the concerns raised in 1998 might apply today.

Do attorneys need mandatory technology CLEs? N.C. Bar says yes (Bloomberg, 21 May 2018) - Lawyers need technological expertise, whether to protect a client's sensitive information, apply a data analytics tool during discovery, or simply to be adept at using a word processing program. But though lawyers are ethically bound to understand the technology they use to practice, only one state requires continuing legal education on technology. A new proposal would make North Carolina the second. The North Carolina State Bar later this year will ask the state's high court to approve an amendment that would require attorneys to complete a one-hour class devoted to technology training, as part of their 12-hour annual CLE requirements. North Carolina would join Florida in requiring technology CLE credits. The Florida Supreme Court in 2016 amended the rules regulating the state bar to require that lawyers obtain three hours of technology CLE credits every three years, of the 33-hour total. The new CLE requirement is a step towards encouraging attorneys to stay current with technological advancements, academics told Bloomberg Law. "The change sends an important message: that lawyers need to understand how technology is affecting the delivery of legal services," Andrew M. Perlman, dean of Suffolk University School of Law in Boston, told Bloomberg Law. Perlman is also chair of the American Bar Association's Center for Innovation.

Play-Doh smell trademarked (Lowering the Bar, 21 May 2018) - Bad news for those of you who currently emit a sweet, slightly musky, vanilla fragrance, with slight overtones of cherry, combined with the smell of a salted, wheat-based dough. You need to stop doing that immediately, because that particular smell has just been trademarked by the Hasbro Corporation. Hasbro announced on Friday that the trademark it claimed for the "iconic" Play-Doh scent had been officially recognized by the U.S. Patent and Trademark Office. That makes it one of only about a dozen scent trademarks that the PTO has recognized to date, including Verizon's "flowery musk" store scent, the bubble-gum smell of Grendene jelly sandals, and the scent of strawberries with which Lactona toothbrushes are "impregnated." Why so few trademarks, when there are so many smells? Well, it isn't easy to trademark a smell, and the concept itself is a little controversial. The main problem seems to be the requirement that a trademarked feature be "nonfunctional," designed to keep trademarks from limiting competition too much and probably also to keep them from overlapping with patents. This, ironically, means that the smell of a perfume cannot be trademarked, because the PTO considers that to be its function. It is possible to patent a scent molecule, as we have discussed here before. See "'Pretty Sure Stank Is Patented,' Lawyer Claims - But It's Complicated," Lowering the Bar (Oct. 18, 2017). But that too is rare.

The Wayback Machine is deleting evidence of malware sold to stalkers (Motherboard, 22 May 2018) - The Internet Archive's goal, according to its website, is "universal access to all knowledge." As part of that mission, the non-profit runs the Wayback Machine, an online tool that anyone can use to digitally preserve a snapshot of a website. It provides an important public service, in that if a company tries to quietly change its policy, or perhaps a government tries to scrub a position from its website, the Wayback Machine can provide robust proof of the switch. But the Internet Archive has been purging its banks of content related to a company which marketed powerful malware for abusive partners to spy on their spouses. The news highlights the broader issue of the fragility of online archives, including those preserving information in the public interest. "Journalists and human rights defenders often rely on archiving services such as the Wayback Machine as tools to preserve evidence that might be key to demand accountability," Claudio Guarnieri, a technologist at human rights charity Amnesty International, told Motherboard in an online chat. The company in question is FlexiSpy, a Thailand-based firm which offers desktop and mobile malware. The spyware can intercept phone calls, remotely turn on a device's microphone and camera, steal emails and social media messages, as well as track a target's GPS location. Previously, pages from FlexiSpy's website saved to the Wayback Machine showed a customer survey, with over 50 percent of respondents saying they were interested in a spy phone product because they believe their partner may be cheating. That particular graphic was mentioned in a recent New York Times piece on the consumer spyware market. In another example, a Wayback Machine archive of FlexiSpy's homepage showed one of the company's catchphrases: "Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won't."
Now, those pages are no longer on the Wayback Machine. Instead, when trying to view seemingly any page from FlexiSpy's domain on the archiving service, the page reads "This URL has been excluded from the Wayback Machine." (After Motherboard published a series of articles about the consumer spyware market, FlexiSpy purged its own website of content relating to illegal spying on spouses.)

Privacy Policy (Writers HQ, 23 May 2018) - "Wow has anyone ever read one of these? We have to have one of these dealios to explain how we comply with the GDPR (General Data Protection Regulation), the DPA (Data Protection Act) and the PECR (Privacy and Electronic Communications Regulations) because God knows there's not enough actual interesting things in the world to read, you need to read 1,000 words of legalese nonsense that makes literally not one bit of difference to anyone, ever. Also we don't really know what these things are. We're just two under-heighted writers who thought we'd have a laugh and get other people writing with us. The best bit about the GDPR is that all this has to be "concise, transparent, intelligible and easily accessible" so hold on to your hats, motherf*&^ers, this is going to be the shortest, clearest and best freakin' privacy policy you ever did see. So. Here we go… * * * [Polley: Hilarious. And possibly compliant.]

Take a look at your Twitter timeline 10 years ago (TechCrunch, 25 May 2018) - Here's a fun thing for a Friday: go back and see what your Twitter timeline looked like 10 years ago. Twitter has pretty powerful search settings, but Andy Baio - of Kickstarter fame and more - did the heavy lifting for us all by sharing a link that lets you look at your timeline exactly a decade ago, assuming you followed the same people. Try it here. (The search will work even if you didn't have an account 10 years ago.) top

Thanks to Google, you can now view Frida Kahlo's artwork from the comfort of your home (Mashable, 25 May 2018) - There's nothing quite like going to a museum to view a retrospective of a renowned artist. But for those who cannot do so, Google's offered up a neat solution. The Arts & Culture arm of the tech company has worked with museums and collections around the world to create an online exhibit dedicated to the life and art of Frida Kahlo. The exhibition is called "Faces of Frida," and features Kahlo's paintings, snippets of her diary, reimagined works, and editorial pieces exploring hidden meaning behind her paintings and her relationship to folk art. According to Forbes, there are 800 items in total, and the exhibit is a joint effort between 33 museums spanning 7 countries. top

RESOURCES

Encryption Workarounds (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract : The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target's data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Google begins blurring faces in street view (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant's all-seeing digital camera eye. The technology uses a computer algorithm to scour Google's image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy-both legal requirements and social norms-is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren't eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver's perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris. top

FBI's net surveillance proposal raises privacy, legal concerns (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any "illegal activity." "That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law." Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year. 
(I say "probably illegal" because their exchange didn't offer much in the way of details.) "I think there's a substantial problem with what Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside." top

Saturday, May 05, 2018

MIRLN --- 15 April - 5 May 2018 (v21.06)

MIRLN --- 15 April - 5 May 2018 (v21.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



ANNOUNCEMENTS

Join me in Washington, D.C. on May 9-10 at the ABA's Internet of Things National Institute. Conference keynotes include US Sen. Mark Warner and Rep. Jerry McNerney (who introduced the Securing IoT Act), Rep. Robin Kelly (Ranking Member of the Subcommittee on Information Technology), Commerce Department GC Peter Davidson, and former FTC Commissioner Terrell McSweeny. DC Bar ABA members get a discount with DCBAR2018iot. Learn more here: ambar.org/iot2018

NEWS

Oil and gas cybersecurity projects went 'to the bottom of the pile' in energy slump (Houston Chronicle, 12 April 2018) - Oil companies put cybersecurity initiatives on hold while crude prices languished at multi-year lows in 2015 and 2016, falling behind in hardening their systems while state-sponsored hacking groups only got more proficient at probing U.S. energy networks, security experts say. As oil companies cut thousands of jobs and pared back drilling operations in the downturn, cybersecurity teams faced funding shortfalls for projects to secure computer networks that run rigs, pipelines and other oil field assets, increasing pressure for a field already challenged by finite resources and competing priorities. In an oil bust, "projects, capabilities and needs that aren't exactly on top of mind go to the bottom of the pile," said Paul Brager Jr., a cybersecurity professional at Houston oil field services firm Baker Hughes, a GE company. But among federal agencies and security professionals called in to respond to online attacks, there's no longer any doubt foreign adversaries in Russia, Iran and North Korea have planned and executed attacks to plant themselves in U.S. critical infrastructure, which includes pipelines, refineries and petrochemical plants. top

Facebook and Cambridge Analytica (Bruce Schneier, 15 April 2018) - In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed. But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit. Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism." And as creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it. There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver's license numbers. You certainly didn't give it permission to collect any of that information. Equifax is one of those thousands of data brokers, most of them you've never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it. Surveillance capitalism takes this one step further. 
Companies like Facebook and Google offer you free services in exchange for your data. Google's surveillance isn't in the news, but it's startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones. That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more. Surveillance capitalism drives much of the internet. It's behind most of the "free" services, and many of the paid ones as well. Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it's really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you. * * * [ Polley : Good perspective.] top

OLPC's $100 laptop was going to change the world - then it all went wrong (The Verge, 16 April 2018) - It was supposed to be the laptop that saved the world. In late 2005, tech visionary and MIT Media Lab founder Nicholas Negroponte pulled the cloth cover off a small green computer with a bright yellow crank. The device was the first working prototype for Negroponte's new nonprofit One Laptop Per Child, dubbed "the green machine" or simply "the $100 laptop." And it was like nothing that Negroponte's audience - at either his panel at a UN-sponsored tech summit in Tunis, or around the globe - had ever seen. After UN Secretary-General Kofi Annan offered a glowing introduction, Negroponte explained exactly why. The $100 laptop would have all the features of an ordinary computer but require so little electricity that a child could power it with a hand crank. It would be rugged enough for children to use anywhere, instead of being limited to schools. Mesh networking would let one laptop extend a single internet connection to many others. A Linux-based operating system would give kids total access to the computer - OLPC had reportedly turned down an offer of free Mac OS X licenses from Steve Jobs. And as its name suggested, the laptop would cost only $100, at a time when its competitors cost $1,000 or more. Then, Negroponte and Annan rose for a photo-op with two OLPC laptops, and reporters urged them to demonstrate the machines' distinctive cranks. Annan's crank handle fell off almost immediately. As he quietly reattached it, Negroponte managed half a turn before hitting the flat surface of the table. He awkwardly raised the laptop a few inches, trying to make space for a full rotation. "Maybe afterwards…" he trailed off, before sitting back down to field questions from the crowd. 
The moment was brief, but it perfectly foreshadowed how critics would see One Laptop Per Child a few years later: as a flashy, clever, and idealistic project that shattered at its first brush with reality. If you remember the OLPC at all, you probably remember the hand crank. It was OLPC's most striking technological innovation - and it was pure vaporware. Designers dropped the feature almost immediately after Negroponte's announcement, because the winding process put stress on the laptop's body and demanded energy that kids in very poor areas couldn't spare. * * * top

Virtual annual meetings: updated "best practices" (CorporateCounsel.net, 16 April 2018) - Like it did back in 2012, Broadridge recently convened a group of 17 different stakeholders to look at the state of virtual annual meetings - both "virtual only" and hybrid. The end product is this set of "Principles & Best Practices for Virtual Annual Meetings." Like before, the report's conclusions are not that profound - but can be useful to help guide those considering virtual meetings (and it includes a useful appendix that summarizes each state's laws governing electronic participation in shareholder meetings). top

Cybersecurity standards for private companies: Taking notes from the SEC's public company guidance (Nixon Peabody, 18 April 2018) - The Securities and Exchange Commission ("SEC") recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its "Commission Statement and Guidance on Public Company Cybersecurity Disclosures" (the "2018 Guidance"). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said a statement released by SEC Chairman Jay Clayton. "Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion." To support this effort, the SEC has created a cybersecurity website with helpful alerts and bulletins, compliance toolkits, and educational resources. In addition, the SEC's Cyber Unit is charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure. While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks - all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC's website states, "a responsibility of every market participant." To that end, the following are some key takeaways for private companies from the 2018 Guidance: * * * top

- and -

Cybersecurity: NIST's new framework (Version 1.1) (CorporateCounsel.net, 20 April 2018) - Recently, NIST released an updated cybersecurity framework. This popular framework is entitled "Version 1.1" rather than the "2.0" that some have been calling it (including us) when the proposal was released last year. Here's an excerpt from this Wachtell Lipton memo: The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST's original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version's five core cybersecurity functions - Identify, Protect, Detect, Respond, and Recover - and tiered implementation system. Instead of a "one-size-fits-all" approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company. Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. In terms of other specific changes, Version 1.1 provides new guidance on how to use the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things. top

- and -

New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection (SC Media, 23 April 2018) - The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls to low impact Bulk Electronic Systems (BES), mandate security controls for mobile devices and develop modifications to critical infrastructure protection (CIP) reliability standards. Work on the new standard began in October 2017 when FERC asked NERC to clarify electronic access controls, adopt mandatory requirements for transient electronic devices and to require the creation of a response policy in case of a system threat. The genesis of this request comes from a group of bipartisan bills that were advanced out of the House Energy and Commerce subcommittee to improve the government's response to cybersecurity attacks on the electric grid, particularly against less critical facilities. "CIP-003-7 pushes forward on FERC's concern that even the less critical assets covered by these standards (referred to as low impact facilities) present risks to the bulk electric system that need to be addressed," said Daniel Skees, a partner at the law firm Morgan Lewis. Skees represents electric utilities before FERC. FERC officially approved the new CIP reliability standard CIP-003-7 (Cyber Security - Security Management Controls), which was submitted by the North American Electric Reliability Corporation (NERC). With the standard accepted, NERC is tasked with implementing it.
FERC noted that the new rules developed by NERC improve upon the prior CIP reliability standards by clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; adopting mandatory security controls for transient electronic devices such as thumb drives, laptop computers, and other portable devices used frequently with low impact BES Cyber Systems; and adding the requirement that responsible entities have in place a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. top

- and -

BSA releases international cybersecurity framework to promote strong and consistent cybersecurity governance (BSA, 25 April 2018) - The Software Alliance released an International Cybersecurity Policy Framework to serve as a tool both for policymakers considering foundational cybersecurity legislation and for those examining gaps and shortfalls in existing policies. top

- and -

DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain (CSO, 30 April 2018) - The US Department of Defense issued new guidance on how it might penalize business partners that do not adequately adhere to new security rules codified in NIST SP 800-171. NIST has prescribed a set of 110 security requirements that are derived from a larger standard called NIST SP 800-53 that governs cybersecurity standards for government systems. December 31, 2017 was the designated deadline for implementing the controls as part of DFARS 252.204-7012 to protect confidential unclassified information (CUI). To facilitate gradual adoption, DoD allowed businesses to specify a future date for implementing security controls through the Plan of Actions & Milestones (POAM) artifact. Many organizations have resorted to "POAM'ing" requirements in a checkbox exercise and generated System Security Plans that are very light and do not adequately describe the security posture of the vendor. The new DOD guidance for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls. The new guidance also provides specific information on the downsides of not implementing the new security controls. The "Assessing the State of a Contractor's Internal Information System in a Procurement Action" document outlines the specific conditions during the request for proposals (RFP), source selection and subsequent contract award that will be looked at by government officials in relation to NIST SP 800-171 compliance. top

Facebook moves 1.5bn users out of reach of new European privacy law (The Guardian, 19 April 2018) - Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the "spirit" of the legislation globally. In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. It means that those users will now be on a site governed by US law rather than Irish law. The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. Earlier this month, when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. "We're still nailing down details on this, but it should directionally be, in spirit, the whole thing," he said. A week later, during his hearings in front of the US Congress, Zuckerberg was again asked if he would promise that GDPR's protections would apply to all Facebook users. His answer was affirmative - but only referred to GDPR "controls", rather than "protections". Worldwide, Facebook has rolled out a suite of tools to let users exercise their rights under GDPR, such as downloading and deleting data, and the company's new consent-gathering controls are similarly universal. top

- and -

Survey reveals that many companies are behind schedule to achieve Global Data Protection Regulation compliance (McDermott Will & Emery, 20 April 2018) - A major survey sponsored by international law firm McDermott Will & Emery and carried out by the Ponemon Institute has revealed that many companies are behind schedule to achieve Global Data Protection Regulation (GDPR) compliance by the looming May deadline. The survey results show that 40% of companies only expect to achieve compliance with the regulation after May 25th when the Regulation comes into effect. The McDermott-Ponemon study surveyed companies across the US and Europe on their understanding of the impact of GDPR and their readiness for it. Key findings of this important benchmark survey are: * * * [Polley: thorough report, as usual. I was surprised how un-ready so many organizations are - it's almost laughable. Reminds me of how long organizations were running without full compliance with the DPD, dating from 1995.] top

- and -

Here's why you're getting all those terms of service update emails (Mashable, 25 April 2018) - Get the feeling you're suddenly being bombarded with emails from companies about updated terms of service policies? You are. And there's a good reason: the European Union's forthcoming efforts to protect our personal data. And though the law is based in the EU, the GDPR has a worldwide impact because any global online company that collects data from someone living in the EU will be held accountable. While the specific updates made to each terms of service policy will be individual to every company, the law expands the definition of what information is considered personal data. This means companies will likely be adjusting their privacy policies to inform users that less basic information such as IP addresses, location data, web browsing cookies, and other details are also defined as personal data. Though the new internet regulations don't go into effect until May 25, 2018, companies like Facebook, Instagram, Google, and more, are starting to prepare by updating their terms of services and privacy policies now. top

Federal judge adopts CFTC position that cryptocurrencies are commodities (ABA's Business Law Today, 20 April 2018) - A New York federal judge held that virtual currencies are commodities that can be regulated by the Commodity Futures Trading Commission ("CFTC"), enjoining the defendants, an individual and affiliated entity, from trading cryptocurrencies on their own or others' behalf or soliciting funds from others, and ordering an expedited accounting. CFTC v. McDonnell, No. 18-cv-0361, Dkt. 29 (E.D.N.Y. filed Jan 18, 2018). While the CFTC announced its position that cryptocurrencies are commodities in 2015, this case marks the first time a court has weighed in on whether cryptocurrencies are commodities. Having answered that question in the affirmative, the court went on to hold that the CFTC has jurisdictional authority over defendants' alleged cryptocurrency fraud under 7 U.S.C. § 9(1), which permits the CFTC to regulate fraud and manipulation in underlying commodity spot markets. top

- and -

Goldman Sachs to open a bitcoin trading operation (NYT, 2 May 2018) - Most big banks have tried to stay far away from the scandal-tainted virtual currency Bitcoin. But Goldman Sachs, perhaps the most storied name in finance, is bucking the risks and moving ahead with plans to set up what appears to be the first Bitcoin trading operation at a Wall Street bank. In a step that is likely to lend legitimacy to virtual currencies - and create new concerns for Goldman - the bank is about to begin using its own money to trade with clients in a variety of contracts linked to the price of Bitcoin. While Goldman will not initially be buying and selling actual Bitcoins, a team at the bank is looking at going in that direction if it can get regulatory approval and figure out how to deal with the additional risks associated with holding the virtual currency. * * * Over the last two years a growing number of hedge funds and other large investors around the world have expressed an interest in virtual currencies. Tech companies like Square have begun offering Bitcoin services to their customers, and the commodity exchanges in Chicago started allowing customers to trade Bitcoin futures contracts in December. But until now, regulated financial institutions have steered clear of Bitcoin, with some going so far as to shut down the accounts of customers who traded Bitcoin. Jamie Dimon, the chief executive of JPMorgan Chase, famously called it a fraud, and many other bank chief executives have said Bitcoin is nothing more than a speculative bubble. top

Abbott issues software patches for more cardiac devices (Gov Info Security, 20 April 2018) - Abbott Laboratories has issued software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients. The products were previously sold by device maker St. Jude Medical, which Abbott acquired last year. More than 382,000 of these affected devices are distributed in the U.S., including 350,000 devices that are currently implanted in patients, according to the Food and Drug Administration and Abbott. The remainder of the devices are in inventories and will be updated "in-box," an Abbott spokeswoman says. The device problems were also the subject of previous warnings by the FDA and the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, which both issued new advisories on April 17 about the availability of the Abbott software patches. The impacted devices include certain families of Abbott implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, which are devices that provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms, the FDA notes in its alert. Last August, Abbott also issued software updates to address similar cybersecurity vulnerabilities in certain implantable cardiac pacemaker devices (see "A FDA First: Cyber Recall for Implantable Devices"). top

Newly disclosed documents on the Five Eyes Alliance and what they tell us about intelligence-sharing agreements (Lawfare, 23 April 2018) - The United States is party to a number of international intelligence sharing arrangements-one of the most prominent being the so-called "Five Eyes" alliance. Born from spying arrangements forged during World War II, the Five Eyes alliance facilitates the sharing of signals intelligence among the U.S., the U.K., Australia, Canada and New Zealand. The Five Eyes countries agree to exchange by default all signals intelligence they gather, as well as methods and techniques related to signals intelligence operations. When the Five Eyes first agreed to this exchange of intelligence-before the first transatlantic telephone cable was laid-they could hardly have anticipated the technological advances that awaited them. Yet, we remain in the dark about the current legal framework governing intelligence sharing among the Five Eyes, including the types of information that the U.S. government accesses and the rules that govern U.S. intelligence agencies' access to and dissemination of Americans' private communications and data. In July 2017, Privacy International and Yale Law School's Media Freedom & Information Access Clinic filed a lawsuit against the National Security Agency, the Office of the Director of National Intelligence, the State Department, and the National Archives and Records Administration seeking access to records related to the Five Eyes alliance under the Freedom of Information Act. Over the past few months, we have begun to receive limited disclosure from the NSA and the State Department. While we have not seen the text of the current agreement-as well as other records that would shed important light on how the agreement operates-the disclosures to date give us insight into the nature and scope of U.S. intelligence sharing agreements. Below, we summarize a few of these disclosures and talk through their implications. 
In particular, we highlight how, taken together, they suggest that the U.S. government takes an inconsistent approach to legal classification and therefore publication of these types of agreements. We also take a closer look at one agreement-the 1961 General Security Agreement between the Government of the United States and the Government of the United Kingdom-which further illuminates our understanding of the privatization of intelligence activities and provides us with a rare glimpse of the "third party rule," an obstacle to oversight and accountability of intelligence sharing. top

US regulator fines Altaba $35 million over 2014 Yahoo email hack (Reuters, 24 April 2018) - U.S. regulators fined Altaba Inc, the company formerly known as Yahoo! Inc, $35 million on Tuesday to settle charges that it kept its massive 2014 cyber security breach a secret from investors for more than two years. The Securities and Exchange Commission's case marks the first time it has gone after a company for failing to disclose a cyber security breach. Steven Peikin, co-director of the SEC's enforcement division, said cyber breaches were a priority for the agency and that he hoped companies facing similar issues would take note. top

How hackers could cause chaos on America's roads and railways (Pew Trusts, 24 April 2018) - When hackers struck the Colorado Department of Transportation in a ransomware attack in February and again eight days later, they disrupted the agency's operations for weeks. State officials had to shut down 2,000 computers, and transportation employees were forced to use pen and paper or their personal devices instead of their work computers. Staffers whose computers were infected didn't have access to their files or data, unless it was stored on the internet, and the attack affected the payroll system and vendor contracts. It could have been a lot worse: The Colorado hacks didn't affect traffic signals, cameras or electronic message boards, and state information technology officials, who refused to pay the ransom, said the system had been 95 percent restored as of last week. Transportation systems are ripe targets for cybercriminals, according to cybersecurity experts, and many state and local government officials are only now waking up to the threat and realizing they need to beef up their defenses. In February, Maryland Department of Transportation Secretary Pete Rahn told a meeting of the American Association of State Highway and Transportation Officials that security breaches are a big concern for his agency, which oversees public transit, highways, tolls, a port, an airport and the motor vehicle administration. If hackers get into the network, he said, "they can play with our trains, traffic signals, variable message boards. We've never had to think about these things before." * * * top

Top federal IT contractors leave emails vulnerable to phishing, spoofing (Global Cyber Alliance press release, 25 April 2018) - Only one of the largest federal contractors has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the top 50 information technology (IT) contractors to the United States government , GCA found that only one contractor is using email-validation security - the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol - at its highest level. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the 2017 Symantec ISTR report , 1 in 131 emails contained malware, the highest rate in 5 years. Late last year, the Department of Homeland Security mandated that all federal agencies implement DMARC . Security experts praised DHS and Senator Ron Wyden, who called for agencies to implement DMARC , for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors' failure to follow suit could make them more enticing to threat actors looking for new ways to access government information. top
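What "at its highest level" means in practice is a DMARC record whose policy is p=reject, applied to 100% of mail and inherited by subdomains; a p=none record only asks receivers for reports and blocks nothing. The checker below is an added example, not code from MIRLN or from GCA's research, and it uses that reading of "highest level" as its own assumption rather than GCA's published criteria. It parses the text of a _dmarc TXT record (the sample records are constructed, not real contractor records) and classifies the policy strength, so an organization can audit its own domains the way the GCA study did.

```python
"""Classify a DMARC TXT record by the strength of its published policy.

Added example (not part of the MIRLN digest or the GCA study). Input is the
text of a _dmarc.<domain> TXT record as returned by DNS; no network access is
needed. Tag names p, sp and pct are the standard DMARC tags (RFC 7489).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DmarcAssessment:
    policy: str            # p= value ("none" when the record is invalid)
    subdomain_policy: str  # sp= value; defaults to the p= value
    pct: int               # share of messages the policy applies to (default 100)
    level: str             # "strongest", "partial", "monitor-only" or "invalid"


POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the policy level a receiving mail server would actually enforce."""
    tags = parse_dmarc(record)
    # Anything that is not a DMARC1 record with a p= tag gives receivers nothing
    # to enforce; a missing or SPF-only record is the common failure in the wild.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment("none", "none", 0, "invalid")
    policy = tags["p"].lower()
    if policy not in POLICY_RANK:
        return DmarcAssessment(policy, policy, 0, "invalid")
    # Subdomains inherit p= unless sp= overrides it; an sp=none next to p=reject
    # leaves every subdomain open to direct spoofing.
    sub = tags.get("sp", policy).lower()
    if sub not in POLICY_RANK:
        sub = policy
    # pct= lets a domain phase the policy in; only 100 means full enforcement.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))
    if policy == "none":
        level = "monitor-only"
    elif policy == "reject" and sub == "reject" and pct == 100:
        level = "strongest"
    else:
        level = "partial"
    return DmarcAssessment(policy, sub, pct, level)


# Constructed sample records for illustration (not real contractor domains).
SAMPLE_RECORDS = {
    "full-reject": "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid",
    "half-rollout": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.invalid",
    "open-subdomains": "v=DMARC1; p=reject; sp=none",
    "spf-not-dmarc": "v=spf1 -all",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:16} -> {assess_dmarc(rec).level}")
```

The "partial" bucket is worth watching: p=reject with pct=50 or with sp=none looks enforced at a glance but still lets half the spoofed mail through or leaves subdomains unprotected, which is why a simple "is p=reject present" check overstates coverage.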

Building on sand isn't stable: Correcting a misunderstanding of the National Academies report on encryption (Lawfare's Susan Landau, 25 April 2018) - The encryption debate is messy. In any debate that involves technology-encryption, security systems and policy, law enforcement, and national security access-the incomparable complexities and tradeoffs make choices complicated. That's why getting the facts absolutely right matters. To that end, I'm offering a small, but significant, correction to a post Alan Rozenshtein wrote on Lawfare on March 29. Rozenshtein argued that in opposing an exceptional-access mandate-the ability for law enforcement to access an encrypted communication or locked device with a warrant-the computer-security community had deluded itself into thinking that such systems couldn't be built securely. As evidence of this, Rozenshtein pointed to the recent National Academies study on the tradeoffs involved in government access to encrypted content. (Note: I served on the study committee.) He wrote that the report made an important point that many missed: "High-level experts in the information-security community itself are trying to build secure third-party-access systems." But this is not what the report said. The Academies report does discuss approaches to "building ... secure systems" that provide exceptional access-but these are initial approaches only. The report states as much in writing that computer scientists have "begun to explore" this area of research. The presentations to the Academies committee were brief descriptions of ideas by three smart computer scientists, not detailed architectures of how such systems would work. There's a huge difference between a sketch of an idea and an actual implementation-Leonardo da Vinci's drawings for a flying machine as opposed to the Wright brothers' plane at Kitty Hawk. The presentations that the Academies saw are more akin to sketches than a system architecture. 
None of the three presentations involved anything more than the thoughts of a single individual. The study did not hear presentations about engineering teams "trying to build secure third-party-access systems"-there is no such effort at present. (This does not include key-recovery solutions such as those provided in Apple's FileVault or Microsoft's BitLocker ; these solve a different problem from the "going dark" issue.) An exceptional-access system is not merely a complex mathematical design for a cryptosystem; it is a systems design for a complex engineering task. * * * [ Polley : pretty interesting post, and Landau is quite expert in this field.] top

- and -

Encryption policy and its international impacts: A framework for understanding extraterritorial ripple effects (Lawfare, 2 May 2018) - Encryption technologies play a complicated role in today's connected, mobile, data-driven world. My colleagues, Herbert Burkert and Urs Gasser, and I have written a paper offering a conceptual framework that can help policy-makers better understand and anticipate the international ramifications of domestic encryption policies. There is no doubt that encryption has enabled our digital economy, securing online commerce, financial transactions, connected devices, and more. At the same time, examples abound of concerns from law enforcement and intelligence agencies that encryption technologies are making it harder to address crime and terrorism. The 2016 battle between Apple and the FBI over the availability of essentially unbreakable encryption on consumer devices like the iPhone is perhaps the most public, but far from the only, example of the complex challenges that encryption poses for legislators, law enforcement agencies, national security agencies, and other policymakers. In response to these technological and legal challenges, decisionmakers and leaders of all kinds-legislators, regulators, intelligence and law enforcement agencies, and companies-are increasingly faced with difficult decisions that ultimately have both direct and indirect impacts on the effectiveness and availability of encryption tools. For example, legislators might mandate the inclusion of so-called "backdoors" in consumer devices, regulators might only allow the government to purchase technologies that meet minimum levels of security, intelligence agencies might attempt to influence encryption technical standards in ways that are beneficial to intelligence gathering, and companies might make encryption a default in their products. Collectively, choices like these effectively define a country's encryption "policy." 
It is not one law or a regulation, but instead the cumulative impact of each (sometimes conflicting) decision that affects the availability and effectiveness of encryption technologies. The challenge for such decisionmakers is that although the domestic impacts of such individual decisions are often intended and predictable, the international implications are often both unintentional and poorly understood. The purpose of this paper is to help policymakers better anticipate the numerous global ramifications, including those that can undermine the intent of the original policy. top

Equifax data breach cost hits $242 million (SC Magazine, 26 April 2018) - The massive data breach that compromised the data of 147.9 million Equifax customers last year has cost the company more than $242 million in related expenses, but luckily for the company, much of this cost has been covered by its cybersecurity insurance. Equifax noted the expenditures in its first-quarter financial report . The total tally for the breach since it became public in September has been $242.7 million, with $78.7 million in pre-tax expenses being spent during the first quarter, ended March 30. This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security, and the costs of development and launch of Lock and Alert. Another $28.9 million was spent during the quarter on legal and investigative fees and $4.1 million on product liability costs, including the expected costs of fulfillment of TrustedID Premier and support of consumers using TrustedID Premier. In the financial filing, Equifax said it carries $125 million in cybersecurity insurance, with a $7.5 million deductible, and has so far received $60 million in payments from its carrier, of which $10 million was received during the first quarter. top

25 years ago today, the web opened up and the world changed (Fast Company, 30 April 2018) - On April 30, 1993, CERN-the European Organization for Nuclear Research-announced that it was putting a piece of software developed by one of its researchers, Tim Berners-Lee, into the public domain. That software was a "global computer networked information system" called the World Wide Web, and CERN's decision meant that anyone, anywhere, could run a website and do anything with it. In an era when online services were still dominated by proprietary, for-profit walled gardens such as AOL and CompuServe, that was a radical idea. top

Facebook says it will let users remove data from outside sites (Axios, 1 May 2018) - Facebook said Tuesday that in the coming months it would let users see and wipe the data fed into its ad targeting system by outside websites and applications. Why it matters : Facebook is grappling with a data privacy reckoning after the Cambridge Analytica scandal focused a spotlight on its relations with external developers. What they're saying : "This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward," said Erin Egan, who the company recently said would focus full-time on her role as Chief Privacy Officer. If a user deletes this information, it will no longer be associated with their account - although Facebook says it will continue to give outside parties broad analytics reports. Facebook founder and chief executive Mark Zuckerberg called the new control a "Clear History" option, similar to what web browsers offer, and said in a post that when users take advantage of it, "Facebook won't be as good while it relearns your preferences." [ see also Facebook's Zuckerberg unveils privacy tool 'clear history' (CNET, 1 May 2018)] top

Under the Foreign Sovereign Immunities Act, where do hacking torts happen? (Lawfare, 1 May 2018) - The Democratic National Committee's lawsuit against the Russian Federation will run aground, as Ingrid Wuerth notes , unless the DNC can find a way around Russia's immunity in American courts. In that respect, the suit raises a question on which precedent remains thin: whether allegations of state-sponsored hacking can fit through the Foreign Sovereign Immunities Act exception for cases that involve "personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state." That provision, the noncommercial tort exception, was written primarily to address traffic accidents, as the Supreme Court noted in Argentine Republic v. Amerada Hess . Very few plaintiffs have attempted to invoke it in challenges to nation-state spying, and the case most squarely on point-the D.C. Circuit's 2017 decision in Doe v. Federal Democratic Republic of Ethiopia -suggests that the DNC will face an uphill battle. But as I recently argued in a case comment for the Harvard Law Review, and as this post summarizes, there are reasons for the Southern District of New York to think carefully before following Doe . top

- and -

The digital vigilantes who hack back (The New Yorker, 7 May 2018) - American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law? [ Polley : worth a close read; very interesting.] top

Data breach that revealed client file sparks legal malpractice action (New Jersey Law Journal, 1 May 2018) - A matrimonial attorney and her firm are facing a malpractice suit in state Superior Court in Morris County, New Jersey , after litigation over a divorce was disrupted by a data breach . top

Pirate radio stations explode on YouTube (NYT, 3 May 2018) - Luke Pritchard and Jonny Laxton were 13 when they met at a boarding school in Crowthorne, England, in 2011. They bonded over a shared love of underground music and in 2014 started a YouTube channel, College Music , to promote the artists they liked. At first, the channel grew slowly. Then, in the spring of 2016, Mr. Pritchard discovered 24/7 live-streaming, a feature that allows YouTube's users to broadcast a single video continuously. College Music had 794 subscribers in April 2015, a year before Mr. Pritchard and Mr. Laxton started streaming. A month after they began, they had more than 18,440. In April 2016, they had 98,110 subscribers and as of last month, with three active live streams, they have more than triple that amount, with 334,000. They make about $5,000 a month from the streams. The boys stumbled upon a new strategy, one that, in the past two years, has helped a certain kind of YouTube channel achieve widespread popularity. Hundreds of independently run channels have begun to stream music nonstop, with videos that combine playlists with hundreds of songs and short, looped animations, often taken from anime films without copyright permission. * * * The channels occupy a precarious space between YouTube's algorithm and its copyright policing, drawing comparisons to the unlicensed pirate radio stations of the 20th century , recreated in the digital sphere. Many of the channels blink in and out of existence within a week, but their presence has become a compelling part of the site's musical ecosystem. And while competitors like Spotify are gaining, YouTube still dominates the streaming world, according to a report from the International Federation of the Phonographic Industry. top

RESOURCES

A fantastic chart on the admissibility of electronic evidence (RideTheLightning, 24 April 2018) - Thanks to my friend Craig Ball for a "Christmas in April" gift of a splendid post on the admissibility of electronic evidence and a related chart shared with him by U.S. District Judge Paul Grimm and Kevin Brady, who is Of Counsel to Redgrave LLP. The chart is beautifully designed and easy to use. It covers authentication, relevance, hearsay exceptions and the Best Evidence rule. top

Distributed Stock Ledgers and Delaware Law (ABA's The Business Lawyer, April 2018) - Effective August 1, 2017, the Delaware General Corporation Law (the "DGCL") now authorizes Delaware corporations to use blockchain technology to maintain stock ledgers and communicate with stockholders. Consistent with the DGCL's status as an enabling act that facilitates private ordering, the blockchain amendments are permissive. In the near term, they create a foundation for a technology ecosystem by removing any uncertainty about the validity of shares that have been issued or are maintained using blockchain technology. Over a longer time horizon, the amendments foreshadow a more flexible, dynamic, and digital future in which distributed ledger technology and smart contracts play major roles. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The internet's 100 oldest dot-com domains (PC World, 21 Dec 2008) - The Internet's been around in some form for decades. It wasn't until the mid-80s, though, that the Web as we know it started coming together -- and those precious dot-com domains started getting snatched up. As we finish out the tech-centric year of 2008, we thought we'd take a look back at the Internet's oldest commercial Web sites -- the ones registered back when chatting about "the Net" was as socially acceptable as wearing Jedi garb into a crowded nightclub. So grab your light sabers, dear friends -- we're boarding the Millennium Falcon and heading back to a virtual galaxy far, far away. [ Polley in 2008: Schlumberger was number 75 on May 20, 1987.] top

AT&T mulls watching you surf (New York Times, 14 August 2008) - AT&T is "carefully considering" monitoring the Web-surfing activities of customers who use its Internet service, the company said in a letter in response to an inquiry from the House Committee on Energy and Commerce. While the company said it hadn't tested such a system for monitoring display advertising viewing habits or committed to a particular technology, it expressed much more interest in the approach than the other big Internet providers who also responded to the committee's letter. AT&T did however promise that if it does decide to start tracking its customers online, it will "do so the right way." In particular, the advertising system will require customers to affirmatively agree to have their surfing monitored. This sort of "opt-in" approach is preferred by privacy experts to the "opt-out" method, practiced by most ad targeting companies today, which records the behavior of anyone who doesn't explicitly ask not to be tracked. top