Saturday, July 23, 2016

MIRLN --- 26 June – 23 July 2016 (v19.10)

MIRLN --- 26 June - 23 July 2016 (v19.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Lawyers prepare for 'driverless M&A' as smart contract era dawns (Australia Financial Review, 19 June 2016) - The nation's top law firms are braced for disruption as "smart contract" technology threatens thousands of legal jobs and lawyers' role intermediating commercial negotiations and disputes is automated by computers. One of the country's biggest law firms, Allens, sent a report to its clients on Friday afternoon admitting that lawyers' business model of profiting from an absence of trust in companies transacting with each other is under threat from trust being coded into computers via distributed ledger technology, also known as blockchain. "Smart contracts" are an application on the blockchain, referring to computer protocols which verify and execute the terms of a contract, removing the need for humans to monitor compliance and enforcement. "For almost 200 years, our own business has been built on the basis that people need to transact but often lack the trust to rely on a handshake alone," Allens said. "In essence, we help organisations do business in the absence of trust - we design governance structures, we draft and negotiate contracts, and sometimes, if things go pear-shaped, we litigate. So when a new technology comes along that creates trust through computers - distributed ledger technology, also known as blockchain - is it going to be potentially disruptive." Gilbert+Tobin managing partner Danny Gilbert said disruptive change to law firms is inevitable and they will get smaller as lawyers are put out of jobs by automation of their role as a trusted adviser. "Legal services and legal products have been driven by the human mind and the human hand, and we're about to see a fundamental change in that. We have driverless cars, we have robots doing surgery and we will have driverless M&A," he said.

New Mexico top court overturns conviction due to Skype testimony, warns judges about social media (ABA Journal, 23 June 2016) - The New Mexico Supreme Court is warning judges about the perils of social media in an opinion that nonetheless sidesteps whether the trial judge's Facebook posts indicated bias. The New Mexico Supreme Court ruled (PDF) on June 20 that Truett Thomas was entitled to a new trial on a murder charge because the judge improperly allowed Skype testimony of a prosecution witness, the New Mexico Appellate Law Blog and the Santa Fe New Mexican report. The court said the Skype testimony violated Thomas' right to "physical face-to-face confrontation" of the witness, who did not appear because of inconvenience. As a result of the Skype reversal, the court didn't consider whether reversal was required because of the trial judge's Facebook post. The judge had posted on his campaign website that a guilty verdict had been returned and, "Justice was served. Thank you for your prayers." The opinion nonetheless cautioned judges "to avoid both impropriety and its appearance in their use of social media." "While we make no bright-line ban prohibiting judicial use of social media," the opinion said, "we caution that 'friending,' online postings, and other activity can easily be misconstrued and create an appearance of impropriety. Online comments are public comments, and a connection via an online social network is a visible relationship, regardless of the strength of the personal connection." The court said it agreed with an ABA ethics opinion that judicial campaign websites be maintained by campaign committees rather than the candidates. "We clarify that a judge who is a candidate should post no personal messages on the pages of these campaign sites other than a statement regarding qualifications," the court said. The judge should not allow public comments to be posted on the campaign website, the court said, "and should engage in no dialogue, especially regarding any pending matters that could either be interpreted as ex parte communications or give the appearance of impropriety." Judges should also use privacy settings to protect their online presence and should consider any statements posted online to be a public statement, the court said. Concerns raised by social media include the inability to truly delete a posted message, the public perception that friendships exist between people who are not actually acquainted, and the ease with which posts can be widely disseminated.

- and -

Social media endorsements: Undue flattery will get you nowhere (ABA's Peter Geraghty, July 2016) - It goes without saying, but I'll say it again: social media has a way of raising ethical issues that filter into the day-to-day practice of law in ways that may not have been fully anticipated, but at the same time raise familiar themes that the profession has addressed in different nonelectronic contexts over the past 100 years. Take for example the subject of endorsements that lawyers receive either from clients or from other lawyers on their social media websites. What if a lawyer who concentrates his practice in real estate transactions and who never engages in litigation receives an endorsement from a former client lauding his ability as a litigator? Or where a lawyer who has a Social Security disability practice gets an endorsement from another lawyer touting his abilities as an estate planner? Does a lawyer have an obligation to monitor his social media page to ensure that the endorsements he receives are accurate? We at ETHICSearch have produced a variety of columns on social media over the past few years, some of which touch on some of the issues addressed in this month's column. See, e.g., Facebook follies (April 2016), Privacy settings and postings on social media: Etched in plastic or carved in stone? (February 2015), Client reviews: Your thumbs down may come back around (September 2014) and May 2009 entitled, Ringing or stinging endorsements? * * * [ Polley : Excellent and thorough.]

- and -

This week in legal tech: Ethics and technology competence (Robert Ambrogi, 11 July 2016) - I had a call last week from two partners at a 25-lawyer firm. Their secretary arranged the call so I had no idea what it was about. At the appointed hour, they got quickly to the point. "When it comes to technology, we are still in the dark ages," they said. They realized that, to remain competitive, their firm needs to change. But not all their partners are on board. They wanted outside help to better understand the benefits and risks. They are no anomaly. My sense is that a lot of firms are still in the dark ages about technology. As these two partners correctly perceived, that is a competitive risk. What many lawyers fail to perceive, however, is that it is also an ethical risk. The very goal these two partners described - to better understand the benefits and risks of technology - is in fact an ethical duty in a growing number of U.S. states. Four years ago next month, the American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. More specifically, the ABA's House of Delegates voted to amend Comment 8 to Model Rule 1.1, which pertains to competence, to read (emphasis added): * * * This being a model rule, it must be adopted in a state for it to apply there. I've been keeping a tally of the states that have adopted the duty of technology competence. So far, 21 states have done so. No doubt, there will be more to come. But what exactly does it mean for a lawyer to be competent in technology? Unfortunately, we do not yet have a lot of guidance to help us answer that question. But we do have some. One of the most detailed discussions of this issue came in the form of an ethics opinion last year from the State Bar of California. Part of the reason that Formal Opinion No. 2015-193 was so striking was that it dealt with technology competence in the context of e-discovery. Many attorneys still think of e-discovery as an esoteric specialty - an area of practice better left to others to understand. But this ethics opinion makes clear that, in an age when any case can involve electronic evidence, every attorney who steps foot in a courtroom has a basic duty of competence with regard to e-discovery. * * *

Law firms increasingly joining information sharing centers for cyber threat info (LegalTech News, 24 June 2016) - Law firms have different options to gain information on cyber risks. One option that many are currently undertaking is joining a regional consortium or an information sharing center to gain the most up-to-date threat information. It is true, according to Mark Sangster, vice president and industry security strategist at eSentire, that "many law firms still learn about cyber threats from the headlines, when the FBI shows up to report a breach or when illegal use of stolen data is used to front run trades." Also, "firms of all scale are quickly mobilizing mechanisms to detect and block threats." However, he told Legaltech News, "Many of the technologies adopted by resource-strapped firms produce automated reports that report on threats after the fact," when in actuality, "real-time detection and response is mission critical to stay on top of emerging threats." "Heightened cybersecurity awareness at all levels has helped to make cybersecurity a priority. It's impossible to ignore the incredible number of breach cases impacting organizations today," he added. "This year in particular has been a difficult one for the industry, which has seen a significant rise in the number of successful law firm cyberattacks." Moreover, Sangster pointed out that law firms "are recognizing the value in threat sharing organizations. … Actionable intelligence has become integral to every law firm as the number of cyberattacks targeting law firms continues to rise." For instance, he noted how the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently launched the Information Sharing & Analysis Organization (LS-ISAO). It provides real-time alerts, access to analysts, curated intelligence, and crisis notifications. The center says such sharing communities are "recognized as one of the best defenses against cyber threats and attacks." The LS-ISAO launched after officials talked to close to 180 firms that may be interested in joining, Legaltech News reported last year. "Firms are no longer alone in this hostile environment - members are trust-sourcing threat indicators for analysts to research, scrub and anonymize, yielding actionable intelligence for dissemination in real-time," according to a center statement. There are other kinds of organizations that law firms are joining as well, some of which are more broad-based. For instance, the Massachusetts-based Advanced Cyber Security Center (ACSC) is a consortium, founded some five years ago, that brings together business, university and government organizations to address the most advanced cyber threats. It focuses on sharing cyber threat information, engaging in cybersecurity research and development, creating education programs to address the shortfall in cyber talent, and advancing policies that will enhance security. Current members include the Foley Hoag law firm, which also provides the center legal advice. The firm's chair of its privacy and data security practice group, Colin Zick, called the ACSC "unique," given its diverse membership, and such regional assets as major research universities, military resources and businesses. In this way, Foley Hoag can partner with a "broad cross-section of organizations" to improve its knowledge on advanced persistent threats and what may be coming. Other threat sharing organizations are often built around a specific industry or have members from a single state.

- and -

DHS issues final procedures for cybersecurity threat information sharing (Steptoe, 30 June 2016) - On June 15, the Department of Homeland Security, jointly with the Department of Justice, issued its final procedures and final guidelines for cybersecurity threat information sharing, which were required by the Cybersecurity Act of 2015. DHS also released updated guidance for non-federal entities sharing information with the government under the Act. The procedures and guidelines relate to Title I of the Act, entitled the Cybersecurity Information Sharing Act of 2015 (CISA), which provides processes and protections for sharing cybersecurity threat information between government and private sector entities. DHS had issued interim versions of the procedures and guidelines, along with two other guidance documents in February 2016. It was required by CISA to issue the final versions of the procedures and guidelines, and also opted to release updated guidance based on feedback from industry.

Mining sector has faced 17 major cyber-incidents in the past six years (Softpedia, 29 June 2016) - A comprehensive report published yesterday by security firm Trend Micro revealed that threat groups are intensifying their efforts against companies activating in the mining sector. The reasons behind these attacks can be geo-political, but also related to financial gains. Threat groups are targeting these companies to gain insights on state-operated mining firms in order to understand or subvert local politics but also to steal intellectual property and other proprietary information. This information usually reaches the black market or is passed on to local mining corporations in case of state-powered cyber-attacks. Since 2010, cyber-security firms have been called in to investigate 17 incidents involving cyber-attacks on 22 entities activating in the mining sector. The first attack took place in April 2010 and targeted the Rio Tinto Group, BHP Billiton Ltd., and Fortescue Metal Groups. Experts believe the hackers were from Asia and sought information for commercial espionage. The second attack occurred in February 2011, again against BHP Billiton. The company's boss suspected that the main reason behind the cyber-attack was for nation states and competitors to get their hands on market pricing for key commodities. In April 2011, hackers broke into the Australian Federal Parliament email accounts to gain access to email conversations between ministers and executives of Australian mining companies operating in China. Later that year, in October and November, hackers attacked law firms and the Government of Canada's Finance Department and Treasury Board to obtain insight on bids to take over Canadian mining firm Potash Corporation of Saskatchewan. * * * A more in-depth read is available via Trend Micro's Cyber Threats to the Mining Industry 50-page report.

What media companies don't want you to know about ad blockers (Columbia Journalism Review, 29 June 2016) - New York Times CEO Mark Thompson caused a minor stir a couple weeks ago when he gave a speech at an advertising conference declaring that "No one who refuses to contribute to the creation of high quality journalism has the right to consume it." He went on to say that while the Times is "not there yet," the company may soon prevent users with ad blockers from accessing its site. But newspaper executives like Thompson often focus exclusively on the drawbacks of ad blockers, leaving a big part of the story untold. Thompson did not say one word in his keynote address about the significant security benefits of ad blockers, which is ironic, because his paper was one of several news organizations that served its users ransomware - a particularly vicious form of malware that encrypts the contents of your computer and forces you to pay the perpetrators a ransom in bitcoin to unlock it - through its ad networks just a few months ago. Several major news sites - including the Times, the BBC, and AOL - had their ad networks hijacked by criminal hackers who attempted to install ransomware on readers' computers. Advertising networks have served malware onto the computers of unwitting news readers over and over in the past couple years. Ads on Forbes, for example, attacked their readers in January, right after the magazine forced readers to disable ad-blocking software to view its popular annual "30 Under 30" feature. As Engadget reported, "visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information." It wasn't the first time this had happened at Forbes, either. And it's not just in the US. A couple months ago, almost every major news site in the Netherlands served malware through its ads to its users.

Keeper and Ponemon Institute study finds more than 50% of SMBs breached in past year (MarketWired, 30 June 2016) - Keeper Security, Inc., the world's leading password manager and secure digital vault, today announced the results of a North American study analyzing the state of cybersecurity in small and medium-sized businesses (SMBs). Sponsored by Keeper Security and conducted by the Ponemon Institute, the study found that more than 50% of SMBs have been breached in the last 12 months. No business is too small to evade a cyber attack or data breach and businesses across all industries are impacted by this threat. Only 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective. Confidence in SMB cybersecurity posture is so low primarily because personnel, budget and technologies aren't sufficient. Additionally, IT security priority determination is not centralized to one specific function in a company, therefore reducing accountability and resulting in less informed decision making. [ Polley : There's no reason to suspect that law firms don't have the same exposure.]

Evidence from the Wayback machine is admissible (at least in Kansas) (Lawyerist, 1 July 2016) - Although the internet is well-entrenched in every aspect of our lives, the legal profession still struggles with how it is to be used as a source of information, connectedness, and admissible evidence. Heck, states even differ wildly on whether or not you can friend a judge on Facebook. No one is entirely sure what to do about sitting jurors and use of social media. With all of that confusing (and sometimes downright Luddite) thinking about the virtual world, it is gratifying when there are decisions that reflect that a judge understands how the internet works. Recently, the United States District Court for the District of Kansas issued an opinion which held that evidence obtained from the Wayback Machine was admissible. The plaintiff, a trucking company, brought a trademark infringement suit against the defendant, a truck driver job posting website, alleging unauthorized use of the plaintiff's trademark on the defendant's website. To prove the defendant's use of the trademark, the plaintiff intended to introduce at trial screenshots of defendant's website taken from the Wayback Machine, along with authenticating deposition testimony from an employee of the Internet Archive.

Bulgaria got a law requiring open source (Slash-Dot, 4 July 2016) - All software written for the government in Bulgaria is now required to be open-source. The amendments to put such laws in motion were voted in domestic parliament and are now in effect, announced software engineer Bozhidar Bozhanov, who is also an adviser to the Deputy Prime Minister at Council of Ministers of the Republic of Bulgaria. All such software will also be required by law to be developed in a public repository. Bozhanov writes in a blog post: That does not mean that the whole country is moving to Linux and LibreOffice, neither does it mean the government demands Microsoft and Oracle to give the source to their products. Existing solutions are purchased on licensing terms and they remain unaffected (although we strongly encourage the use of open source solutions for that as well). It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it's paid by tax-payers money and they should both be able to see it and benefit from it. As for security -- in the past "security through obscurity" was the main approach, and it didn't quite work -- numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it's too late.

European Union's first cybersecurity law gets green light (Bloomberg, 6 July 2016) - The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Amazon.com Inc. to report attacks. The European Parliament endorsed legislation that will impose security and reporting obligations on service operators in industries such as banking, energy, transport and health and on digital operators like search engines and online marketplaces. The law, voted through on Wednesday in Strasbourg, France, also requires EU national governments to cooperate among themselves in the field of network security. The rules "will help prevent cyberattacks on Europe's important interconnected infrastructures," said Andreas Schwab, a German member of the 28-nation EU Parliament who steered the measures through the assembly. EU governments have already supported the legislation.

Standards body whines that people who want free access to the law probably also want 'free sex' (TechDirt, 7 July 2016) - You would think that "the law" is obviously part of the public domain. It seems particularly crazy to think that any part of the law itself might be covered by copyright, or (worse) locked up behind some sort of paywall where you cannot read it. Carl Malamud has spent many years working to make sure the law is freely accessible... and he's been sued a bunch of times and is still in the middle of many lawsuits, including one from the State of Georgia for publishing its official annotated code (the state claims the annotations are covered by copyright). But there's another area that he's fought over for many years: the idea that standards that are "incorporated by reference" into the law should also be public. The issue is that many lawmakers, when creating regulations will often cite private industry "standards" as part of the regulations. So, things like building codes may cite standards for, say, sheet metal and air conditioning that were put together by the Sheet Metal and Air Conditioning Contractors National Association (SMACNA), and say that buildings need to follow SMACNA's standards. And those standards may be great -- but if you can't actually read the standards, how can you obey the law? At one point SMACNA went after Malamud for publishing its standards. And while they eventually backed down, others are still in court against Malamud -- including the American Society for Testing & Materials (ASTM), whose case against Malamud is set to go to trial in the fall. In the midst of all of this, various standards making bodies, along with the American National Standards Institute (ANSI), have been working overtime to get the American Bar Association to adopt a proposal that limits publication of standards that are incorporated by reference. ANSI has pushed for a solution it prefers called "reasonable availability," in which the standard-makers decide by themselves how best to make the standards "available." ANSI, for example, hosts a bunch of incorporated by reference standards on its website -- but the only way to read them is to install a special kind of DRM (Windows and Mac only) that makes the documents purely read only. You are not allowed to save them. You are not allowed to download them permanently. You are not allowed to print them. And it's not all standards that are incorporated by reference. Why do they do this? Well, most of them sell their standards to professionals who need to buy them, and they don't want to give up on that revenue source (especially once those standards are incorporated by reference because at that point they become mandatory). [ Polley : The pending ABA policy is in Resolution 112, to be taken up by the House of Delegates on August 8 or 9. It's less-than-transparent and pernicious - see bolded language above. If you're in the House, look carefully at this language, and hear out Carl Malamud, who'll be in the audience.]

Appeals court says government email stored on private servers is still subject to FOIA requests (TechDirt, 8 July 2016) - There were indications that Clinton's use of a private email address was an attempt to route around FOIA requests. As her server was being set up, communications from both her staff and the State Department's noted that an account in her name existed already, but would be subject to FOIA requests. This has been a problem elsewhere. Several government officials have conducted an inordinate amount of government business using private email accounts or personal devices in hopes of skirting public records requests. The DC Circuit Court's case deals with a little-known government agency, but an all-too-familiar dodge by public officials. In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. * * *

- and -

Is the DOJ using obsolete software to subvert FOIA requests? (Slash-Dot, 17 July 2016) - "A new lawsuit alleges that the U.S. Department of Justice intentionally conducts inadequate searches of its records using a decades-old computer system when queried by citizens looking for records that should be available to the public," reports The Guardian. Slashdot reader Bruce66423 writes: An MIT PhD student has filed a suit in Federal court alleging that the use of a 21-year-old, IBM green screen controlled search software to search the Department of Justice databases...constitutes a deliberate failure to provide the data that should be being produced. Ryan Shapiro's lawsuit alleges "failure by design," saying that the Justice Department records are inadequately indexed -- and that they fail to search the full text of their records when responding to requests. "When few or no records are returned, Shapiro said, the FBI effectively responds 'sorry, we tried' without making use of the much more sophisticated search tools at the disposal of internal requestors." The FBI has a $425 million software system to handle FOIA requests, but refuses to use it, saying that would be "needlessly duplicative...and wasteful of Bureau resources."

Does the First Amendment protect citizen journalists who film police? (MLPB, 8 July 2016) - Does the First Amendment protect a citizen's right to film police officers while they perform their duties? The Supreme Court hasn't ruled, but some lower courts have. See Gericke v. Weare (1st Circuit) and Glik v. Cunliffe (1st Circuit), Smith v. City of Cumming (11th Circuit), ACLU v. Alvarez (7th Circuit), generally upholding the right of the public to film officers who are in public, discharging their duties, and when the activities are of public interest and the individual filming is not interfering with the officer's activities. In the wake of police shootings in Baton Rouge, LA, and Falcon Heights, MN, and shootings of officers in Dallas, TX, here's a short discussion of the issue from the National Coalition Against Censorship (NCAC). See also this article in the New York Times, reporting that Ruben An has filed a lawsuit against the New York Police Department, claiming that the NYPD violated his rights by interfering with him while he filmed officers interacting with another person in 2014. Police arrested Mr. An; some charges were later dropped, and he was acquitted on the remaining counts.

9th Circuit: It's a federal crime to visit a website after being told not to visit it (Orin Kerr on Volokh, 12 July 2016) - The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani, which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act, the decision is quite troubling. Its reasoning appears to be very broad. If I'm reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they're committing a federal crime of accessing your computer without authorization. I think this decision is wrong, and that it has big implications going forward. Here's a rundown of the case and why it matters. I'll conclude with a thought about a possible way to read the case more narrowly, as well as why I'm not convinced that narrow reading is correct. * * * [ Polley : Orin Kerr is my designated go-to authority on conservative readings of internet-related 4th Amendment jurisprudence; I often don't like what he writes, but it's always compelling.]

- and -

Second Circuit: Warrants cannot be used to compel disclosure of emails stored outside the United States (Orin Kerr on Volokh, 14 July 2016) - The Second Circuit has handed down its long-awaited decision in the Ireland warrant case, In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation. The holding: If a U.S. company stores customer email outside the United States, whether of U.S. or foreign customers, the government cannot use a domestic search warrant to compel the disclosure of the email. If the data is stored outside the United States, the government has to find some other way to compel the email other than a traditional search warrant. This post will cover the reasoning of the opinion, and in another post I'll address its implications and what happens next. * * * [ Polley: see also Microsoft just won a big victory against government surveillance -- why it matters (Dan Solove, 15 July 2016)]

Pokémon Go: Who owns the virtual space around your home? (The Guardian, 13 July 2016) - When a virtual space overlaps a real-world space, then whose space is it, and who controls what is created as a result? The success of augmented-reality game Pokémon Go has forced this question into focus. Since its launch less than a week ago, groups worldwide have struggled with the game's unforeseen ramifications. Washington DC's Holocaust Museum has asked Pokémon Go players to stay away: the museum was designated a Pokéstop, where players can pick up items like Pokéballs and revives, forcing its communications director to point out that playing a game inside a memorial to victims of Nazism is "extremely inappropriate". In the Sydney suburb of Rhodes, a chance confluence of Pokéstops has led to "hundreds" of players milling around a small outdoor area. "The place is in complete chaos with crowds of well over 1,000 per night. There is a massive level of noise after midnight, uncontrollable traffic, excessive rubbish, smokers, drunk people, people who are 'camping' in the site, and even people peddling mobile phone chargers," a resident told Buzzfeed. Boon Sheridan, a Massachusetts man who lives in a converted church, has found his house has been designated a Pokémon Gym, the most important category of locations in the game. For days, people have been loitering outside his house, leaving him concerned it "could easily make this place look like a dealer's house". Ingress, a science fiction-tinged game developed back when the company was still a subsidiary of Google, has been running for six and a half years. In July 2015, the company faced an almost identical controversy, after the German magazine Zeit reported that concentration and death camps including Dachau, Buchenwald and Auschwitz-Birkenau were all set up as in-game "portals". Some were deleted the day after Zeit contacted Google; others remained, including a portal specifically located at the notorious "Arbeit Macht Frei" gates in Auschwitz. * * * [ Polley : Interesting; I watched oblivious Pokemon-Go players bumping into visitors in Stockholm's Kungstradgarden park last week.]

- and -

Pokémon Go players in Bosnia warned to avoid minefields (Mashable, 20 Jul 2016) - Bosnian players of the popular Pokémon Go app have been told to avoid areas still littered with landmines from the war in the 1990s. A charity which deals with demining in the Balkan country, Posavina bez mina, has issued a warning after receiving reports of gamers hunting for Pokémon in risky areas. "Today we received information that some users of the Pokémon Go app in Bosnia were going to places which are a risk for [unexploded] mines, in search of a Pokémon. Citizens are urged not to do so, to respect demarcation signs of dangerous minefields and not to go into unknown areas," the NGO said. About 120,000 mines are still to be found in Bosnia, according to another demining group. As the popularity of Pokémon Go increases around the world, several incidents have been reported, from people falling into a pond to a car crash. Two men were rescued in California after falling off a seaside cliff while playing the game.

- and -

Augmented Reality - Technology & Policy Primer (University of Washington's Tech Policy Lab, October 2015) - This whitepaper is aimed at identifying some of the major legal and policy issues augmented reality (AR) may present as a novel technology, and outlines some conditional recommendations to help address those issues. Our key findings include: (1) AR exists in a variety of configurations, but in general, AR is a mobile or embedded technology that senses, processes, and outputs data in real-time, recognizes and tracks real-world objects, and provides contextual information by supplementing or replacing human senses; (2) AR systems will raise legal and policy issues in roughly two categories: collection and display. Issues tend to include privacy, free speech, and intellectual property as well as novel forms of distraction and discrimination; (3) We recommend that policymakers-broadly defined-engage in diverse stakeholder analysis, threat modeling, and risk assessment processes. We recommend that they pay particular attention to: a) the fact that adversaries succeed when systems fail to anticipate behaviors; and that, b) not all stakeholders experience AR the same way; and (4) Architectural/design decisions-such as whether AR systems are open or closed, whether data is ephemeral or stored, where data is processed, and so on-will each have policy consequences that vary by stakeholder.

HHS: Healthcare groups must report all ransomware attacks (SC Magazine, 14 July 2016) - The Federal Health and Human Services Department (HHS) issued guidelines this week that could require hospitals and doctor offices to notify HHS if they are victimized by a ransomware attack. The HHS guidance has several stipulations for if and when health providers would be required to make a notification. The primary trigger would be if the electronic protected health information (ePHI) is not protected in accordance with HHS regulations or if the ePHI is properly encrypted making it impervious to a criminal enterprise. However, if neither of these thresholds are met then the affected organization would have to notify HHS if a ransomware incident takes place. This differs from the current standard which only required healthcare providers report incidents in which the personal information of more than 500 people was compromised through a data breach. A ransomware attack did not fall under these guidelines. One example provided by HHS states, "if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. Because the PHI on the laptop is not "unsecured PHI", a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification." The HHS guidance stated that entities that comply with HIPAA security rules will be more secure from ransomware and other cyberattacks as they require the implementation of cybersecurity measures, conducting a risk analysis to identify threats and vulnerabilities and taking measures to remediate those risks.

DHS looking to link to the blockchain (ReadWrite, 15 July 2016) - The Department of Homeland Security has stepped up its research and investment into blockchain technologies, as it searches for ways to make the government more secure, accountable, and autonomous. Public interest in the blockchain from the DHS started in December last year, when it called for small business proposals to research the advantages and disadvantages of the emerging technology. Six months later, it awarded the $200,000 grant to Factom. Factom is not the only startup working with the DHS on blockchain; Solarity Solutions, Respect Network and Digital Bazaar have also received funding, according to CoinDesk, to research the blockchain. The DHS also has a Silicon Valley office looking into authentication advantages using the tech pioneered by Bitcoin. Most of the research seems preliminary: separate the fact from fiction, research the technology's capabilities, report back. But in the near future we may see the DHS move from inquiry into active adoption of the blockchain for all sorts of privacy and security interests.

Just as open competitor to Elsevier's SSRN launches, SSRN accused of copyright crackdown (TechDirt, 18 July 2016) - A couple of months ago, we wrote about how publishing giant Elsevier had purchased the open access pre-publisher SSRN. SSRN is basically the place where lots of research that we regularly report on is published. Legal and economics academics quite frequently post their journal articles there. Of course, Elsevier has a well-known reputation for being extreme copyright maximalists in dangerous ways. Having Elsevier take over SSRN concerned a lot of academics, and even led to calls for alternatives, including many asking the famed arXiv to open a social science research operation as well. Indeed, it appears that arXiv was paying attention, because just about a week ago, SocArXiv was announced, and it already has a temporary home hosted by Open Science Framework. And perhaps this came just in time, because just as that happened, Stephen Henderson, a law professor, noted that SSRN took down his paper saying that they didn't think he retained the copyright to it. When I posted a final PDF of an article for which not only do my co-author and I retain the copyright, but for which the contract also includes _explicit_ permission to post on SSRN, I received the typical happy "SSRN Revision Email" saying all was well. Only when I went to take a look, I found there was no longer any PDF to download at all - merely the abstract. So, download counts are gone, and no article. Not the former working version nor the final version. And then in the revision comments, I found this: "It appears that you do not retain copyright to the paper, and the PDF has been removed from public view. Please provide us with the copyright holder's written permission to post. Alternatively, you may replace this version with a working paper or preprint version, if you so desire. Questions and/or written permissions may be emailed to support@ssrn.com, or call 1-877-SSRNHELP (877-777-6435 toll free) or 1-585-442-8170 outside the US." So, not only have they completely changed their model, but - at least to me - they gave no effective notice, and they pull papers without asking. Nobody bothered to _ask_ whether I had permission; they simply took down every version of the article and said nothing. Alas. And when I called customer support and someone called back, I pointed out that some profs have hundreds of articles posted for which SSRN doesn't hold the copyright agreements. "Are you going to take all those down too?," I asked. The answer, in essence, "Those were posted in error." Unbelievable.

Legalist is making it easier for lawyers to find state court records (TechCrunch, 19 July 2016) - Imagine a lawyer with a client who lives in one county and works in another. Or even a lawyer who litigates in multiple states. Both common occurrences, but situations that make it very hard to keep track of legal documents. Essentially, it should be easy to keep track of court records from multiple counties and states - but it's not. In fact, it's pretty awful. Most are hosted online, but each county could have different databases and even different databases providers, making it a huge hassle to constantly search for court records and updates. For example, Ohio has 88 counties, and you have to search each one separately for legal records. It's such a mess that some lawyers have found it easier to have employees just drive from county to county tracking down records in person. Enter Legalist - a startup launching in Y Combinator's Summer '16 batch. Founded by Eva Shang and Christian Haigh, two current Harvard undergrads, the startup is trying to become a Google for state court records. They are doing this by scraping these databases and aggregating the documents into one main searchable database. This takes a while - most counties and states have records going back to 1989. For example, the startup is currently scraping 10 different states - a process that is providing them with 400,000 new documents a day. Besides searchable records, the startup also offers email updates for cases. This means that the site will scrape databases each day for updates to flagged cases and automatically email lawyers with the new documents so they don't have to manually check every day for case updates. So far the site is live for users in Massachusetts, Ohio, and Maryland - with more to come soon. These three states have provided the databases with documents for over 7 million cases and 110,000 different lawyers. 
The service is also free for any licensed attorney registered with their state's bar association. However, the startup plans on charging for additional features in the future. These include an option to see cases sorted by outcome based on a certain judge - this will help lawyers choose the best litigation strategy in a specific case. Another future paid feature is "predicted timeline", which uses their millions of archived cases to provide an estimate on how long a certain case will take. The startup says that lawyers find this feature especially helpful because the first question a client often asks their lawyer is how long the entire legal process will take. For now, the startup is just focused on state and county records. This is because the vast majority of court cases happen on the state level. Out of an approximately 95 million cases filed each year nationwide, only about 1 million happen in federal court. Plus, federal court records are already organized in a central database called PACER. So while Legalist eventually plans on adding federal records to their database, it isn't an immediate need.

After errant Melania tweet, DOJ rethinks social media policy (NextGov, 20 July 2016) - The Justice Department is adjusting its social media policy after a staffer posted a personal message to DOJ's more than 1 million Twitter followers. The gaffe occurred Tuesday, in apparent response to allegations that Melania Trump's speech at the Republican National Convention lifted chunks of a speech delivered by Michelle Obama during the 2008 Democratic National Convention. "CNN is the biggest troll of them all lmao #Petty," DOJ's official account tweeted, posting a link to a CNN news story headlined, "Campaign denies Melania Trump's speech plagiarizes parts of Michelle Obama's." The tweet, since deleted, was posted "erroneously" and "was meant for a personal account," said a DOJ statement provided to Nextgov. The staffer's access to the account has been revoked. This incident prompted DOJ to make "procedural changes to the way we use our social media accounts," the statement said. The department also plans to "provide additional social media training for employees." DOJ didn't respond to multiple requests for more detail about what those procedural changes, or additional training, entail. The General Services Administration's DigitalGov team, which encourages other agencies to use social media in a controlled manner, has outlined several suggestions for safe use, including using two-step verification for access from mobile devices.

WSJ reporter: Homeland Security tried to take my phones at the border (Motherboard, 21 July 2016) - On Thursday, a Wall Street Journal (WSJ) reporter claimed that the Department of Homeland Security demanded access to her mobile phones when she was crossing the border at the Los Angeles airport. The case highlights the powers that border agents purport to have, and how vulnerable sensitive information can be when taken through airports in particular. "I wanted to share a troubling experience I had with the Department of Homeland Security (DHS), in the hopes it may help you protect your private information," Maria Abi-Habib, a WSJ journalist focused on ISIS and Al Qaeda, wrote in a post on Facebook. (Abi-Habib confirmed to Motherboard that the Facebook account was hers, but declined to comment further.) Abi-Habib says she had arrived in town for a wedding, when an immigration officer approached her, and took her aside from the main queue. This by itself was not unusual, Abi-Habib writes: because of her job, she has reportedly been put on a list that allows her to bypass the usual questioning someone with her travel profile may encounter. But things changed quickly, and Abi-Habib was escorted to another part of the airport. "Another customs agent joined her at that point and they grilled me for an hour - asking me about the years I lived in the US, when I moved to Beirut and why, who lives at my in-laws' house in LA and numbers for the groom and bride whose wedding I was attending." The first DHS agent then asked Abi-Habib for her two cell phones, in order "to collect information," Abi-Habib reports the officer as saying. "And that is where I drew the line," Abi-Habib writes. "I told her I had First Amendment rights as a journalist she couldn't violate and I was protected under. I explained I had to protect my government and military sources - over the last month, I have broken two stories that deeply irked the US government, in addition to other stories before I went on maternity leave, including one in Kabul that sparked a Congressional investigation into US military corruption, all stories leaked by American officials speaking to me in confidence." The agent passed over a document, which Abi-Habib later photographed and posted to Facebook, purportedly showing that the agent has the right to seize those devices. Abi-Habib instead said that the border agents would need to contact WSJ's lawyers. After some back and forth, the agent went to see her supervisor, and eventually said Abi-Habib is free to go. Abi-Habib said she reported the incident to a WSJ lawyer, encryption expert and the outlet's in-house security. From those conversations, Abi-Habib says, "My rights as a journalist or US citizen do not apply at the border, as explained above, since legislation was quietly passed in 2013 giving DHS very broad powers (I researched this since the incident). This legislation also circumvents the Fourth Amendment that protects Americans' privacy and prevents searches and seizures without a proper warrant."

NOTED PODCASTS/MOOCS

Steptoe Cyberlaw Podcast: An Interview with Jamie Smith (Steptoe, 24 June 2016; 46 minutes) - With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies. [ Polley : very interesting, with discussion ranging across the Atlantic and describing the DAO "hack".]

RESOURCES

The Future of Transatlantic Data Flows: Privacy Shield or Bust? (Prof Greg Voss, 1 May 2016) - Abstract: This article starts by providing background for the recently announced EU-US Privacy Shield, beginning with the adoption of the European Union's 1995 Data Protection Directive that limited cross border transfers of personal data to countries with "an adequate level of protection" of such data. The resulting "Safe Harbor" negotiated between the EU and the U.S. in order to allow continuing data flows between the two blocs is described, together with the Schrems decision invalidating it, with the consequences for transatlantic data flows being highlighted. The need for a "Safe Harbor 2.0," and details of the same, relabelled as the "Privacy Shield," are provided. Finally, the current legal uncertainty surrounding the Privacy Shield and potential alternatives to it are evoked.

Digital Searches and Seizures: Overview of Proposed Amendments to Rule 41 of the Rules of Criminal Procedure (CRS, 29 June 2016) - With the Rules Enabling Act, Congress granted to the Supreme Court the authority to write federal rules of procedure, including the rules of criminal procedure. After several years of evaluation by the Judicial Conference, the policy-making arm of the federal judiciary, on April 28, 2016, the Supreme Court transmitted to Congress proposed changes to Rule 41 of the Federal Rules of Criminal Procedure. These proposed changes would amend the federal search and seizure rules to permit the government to remotely access electronic devices although the location of the device may be unknown. This issue has become more pressing in recent years with an increasing number of users anonymizing their communications, hindering the government's ability to pinpoint the location of the target, and thus making it difficult to discern the appropriate federal court to apply for a search warrant. In recent years, a tension has arisen between Rule 41 as currently drafted and the Department of Justice's (DOJ's) desired use of the rule for digital searches. This issue arose recently in a 2012 magistrate judge's ruling from the Southern District of Texas, in which the court denied DOJ's application to conduct remote searches of a computer believed to have been part of a fraudulent scheme, because the government could not establish the location of the target, thereby placing it outside the scope of Rule 41 and in violation of the Fourth Amendment particularity requirement. There have been at least two lines of argument against the proposed rule change, one based on the substance of the proposed amendment and the other grounded in the process by which the rule is being changed. 
The substantive arguments pertain to the actual substance of the rule and include, for example, an argument that the new rule would breach the particularity requirement of the Fourth Amendment. The procedural arguments pertain to how this potential authorization should be made law: through the rulemaking process by the courts or through enacted legislation by Congress. While federal law enforcement has been supportive of the proposed change, some advocacy groups have argued that the proposed rule change "would have significant legal and technical implications" and thus "merit[s] open consideration by Congress, rather than a rulemaking proceeding of the Judicial Conference." This report provides a brief overview of the proposed amendment to Rule 41. First, it provides a background on the origin of, and rationale underlying, the proposed amendment and a description of the rule as currently written. Second, it reviews the potential changes made by the proposed amendment and will survey various concerns commenters have raised with the proposal. Lastly, this report addresses efforts being made in Congress to alter, delay, or stop this rule change.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Senators caught rewriting Wikipedia (NewsFactor.com, 9 Feb 2006) -- Online reference compendium Wikipedia has found that employees working in the U.S. Congress have made several changes to political biographies, removing facts considered negative and tweaking language to portray politicians in a better light. Wikipedia began an investigation after a Democratic representative, Marty Meehan, admitted that he had spiffed up his online biography page. It was found that articles on other senators had been changed, sometimes significantly, and that the edits could be traced to computers on Capitol Hill. Although Wikipedia is a collectively run reference, and can be edited by any of its users, those who run the site attempt to police changes to make sure they adhere to fact and not opinion or prejudice. In its investigation, Wikipedia examined the public edit history on the political biography pages in question. Researchers discovered the links to the U.S. Senate and began checking the biographies that had been visited. Half a dozen pages were changed, according to Wikipedia, including those of California Senator Dianne Feinstein, Iowa Senator Tom Harkin, and Minnesota Senator Norm Coleman. Senator Coleman's staff confirmed the changes, noting that they had made several changes, such as a description of the senator in college. Where he had once been described as a "liberal," the staff edited the listing to dub him an "activist." Staff members of Senator Harkin removed a paragraph noting that Harkin had claimed falsely to have been in combat in North Vietnam, a claim he later recanted.

British law goes online (ComputerActive, 20 Dec 2006) -- The British government has made the entirety of the country's law statutes available online. The Statute Law website contains the 'official revised edition' of the UK's primary legislation - that is, any acts passed by parliament. The database includes details of how laws have changed over time, as well as how existing laws will be amended by future legislation that is not yet in force. The content - all 30,000 items - is available for free for private use. In addition to acts of parliament, the website also contains secondary legislation - laws passed directly by the government of the day - that has come into effect since 1991. In addition to national law, the database also contains acts of the Scottish parliament and the Northern Ireland assembly.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (vpolley@knowconnect.com) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, June 25, 2016

MIRLN --- 29 May - 25 June 2016 (v19.09)

MIRLN --- 29 May - 25 June 2016 (v19.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Ethics opinion draws line on when social media is considered advertising (ABA, 20 May 2016) - Whether social media constitutes attorney advertising is an unsettled question for attorneys. A recent ethics opinion provides much-needed guidance on the question. Attorneys can post away on professional networking sites like LinkedIn with certain caveats, according to an ethics opinion of the Association of the Bar of New York Committee on Professional Ethics. Attorneys looking for guidance regarding attorney advertising will find the opinion a useful resource. Whether social media constitutes attorney advertising is a question that has plagued attorneys in recent years. Ethics committees "find themselves straining to force fit the proverbial peg of social media into the round hole of legal ethics - with varying degrees of success," the New York City Bar noted. In addition, "due to the pace of technological change, bar regulators may be reluctant to amend ethics rules to incorporate social media use," the opinion added. This is because of "a legitimate concern that any such rules may become obsolete as social media platforms develop and change." The New York City Bar provided a detailed analysis in an attempt to address these concerns. A lawyer's LinkedIn profile is attorney advertising only if the profile meets five criteria: the lawyer makes the content; the primary purpose is for client retention of the lawyer for pecuniary gain; the content relates to the lawyer's legal services; new clients are the intended audience; and the content does not fall into an exception to the definition of attorney advertising. The New York City Bar noted that, although its opinion focused on LinkedIn, it applies to other social networking sites such as Facebook and Twitter. The New York City Bar emphasized that a LinkedIn profile comprises advertising only if there is "clear evidence that a lawyer's primary purpose is to attract paying clients." 
The opinion allows many types of LinkedIn content, for example, including a list of skills or description of practice areas. Simply displaying recommendations and endorsements is similarly permissible. * * *

- and -

Attorney confidentiality, cybersecurity, and the cloud (Dan Solove, 6 June 2016) - There is a significant degree of confusion and lack of awareness about attorney confidentiality and cybersecurity obligations. This issue is especially acute when it comes to using the cloud to store privileged documents. A common myth is that storing privileged documents in the cloud is a breach of attorney-client confidentiality. In other instances, many attorneys and firms are not paying sufficient attention to their obligation to protect the confidentiality and security of the client data they maintain. The general rules of professional conduct are written broadly, without specifically addressing privacy and cybersecurity issues. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, "a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent." Lawyers must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." The application of this rule to digital technologies has been dealt with by resolutions and commentary. Fairly recently, the ABA published Resolution 109, calling for firms to "develop, implement, and maintain an appropriate cybersecurity program." And a few years ago, the ABA amended Comment 8 to Model Rule 1.1 (requiring "competent representation to a client") to state that "a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." (added language italicized). Is it ethical for attorneys and law firms to store privileged documents in the cloud? After all, they are storing such documents on a third party's computer. This question has been a widespread concern, enough so that several state bar associations have issued guidance. Their consistent conclusion is that it is ethical to store privileged documents in the cloud. For example, according to the Pennsylvania Bar Association Formal Opinion 2011-200: "An attorney may ethically allow client confidential material to be stored in 'the cloud' provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks." According to the Florida Bar Association Opinion 12-3, "Cloud computing is permissible as long as the lawyer adequately addresses the potential risks associated with it." The Massachusetts Bar Association Opinion 12-03 provides that lawyers "may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution" if they undertake "reasonable efforts to ensure that the provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information." * * *

- and -

Another state adopts the duty of technology competence for lawyers (Robert Ambrogi, 17 June 2016) - I have been tracking here the states that have adopted the ethical duty of technology competence for lawyers. I have just learned of one more state that has adopted the duty. That brings the total number of states to 21. The latest state is North Dakota, where the Supreme Court ordered adoption effective March 1, 2016, of an amendment to Rule 1.1 of the North Dakota Rules of Professional Conduct. The amendment to the rule on maintaining competence adds the phrase adopted by the ABA in 2012 in Model Rule 1.1, Comment 8. In North Dakota, the comment is number 5 and reads: "To maintain the requisite knowledge and skill, a lawyer must keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements." The amendment added the italicized phrase, which is identical to the phrase in the Model Rule. (For the full list of states that have adopted the rule, see my earlier post.)

Rethinking the "standard" arbitration clause in cloud agreements (part ii) (LeClair Ryan, 23 May 2016) - Part I of this article included a little bit of history about how it came to be so common that modern technology agreements - including "cloud agreements" - often include a rather ubiquitous, sort of "standard" arbitration clause. The first article in this three-part series also put forth the question of whether some of the common assumptions about arbitration - namely, that arbitration is cheaper, faster and better than a traditional lawsuit - are true. This middle article in the series aims to try to answer that question: Is arbitration truly "cheaper, faster or better?" A close examination of these common assumptions reveals that, while there are indeed some clear advantages to arbitration, some of the claimed advantages may be lost if parties simply agree to a "standard" arbitration clause, without giving the matter any considered thought on the front end of a transaction. This kind of inertia often leads to an arbitration proceeding that looks very much like a traditional lawsuit. The parties who agree to an arbitration provision without giving it any thought will find that arbitration is often just as expensive as a traditional lawsuit, that it may not be any faster, and that a "more rational result" does not necessarily work to every party's advantage.

Born in the VCR era, great courses seeks to evolve (NYT, 27 May 2016) - Decades before TED Talks, so-called massive open online courses and YouTube videos made top educators accessible to the masses, the Great Courses built a loyal audience of lifelong learners by making "the world's greatest professors" available to anyone with a VCR or cassette player. Larry Weinberg, 72, typifies the Great Courses' core customer: A voracious learner, he got hooked on the Great Courses video and audio classes shortly after he retired from Boeing a decade ago. His personal library now includes more than 200 courses, as varied as "Understanding Multivariable Calculus" and "Yoga for a Healthy Mind and Body," all carefully cataloged on bookshelves and computer hard drives. Now the Great Courses program hopes to broaden its demographics with an all-you-can-learn streaming service, Great Courses Plus, which it introduced late last year. With the streaming option, customers are not limited to a single course. For $19.99 a month, or about $180 for an annual subscription, they have unlimited online access to more than 280 of the most recent and popular courses from the company's library of roughly 600 courses on topics including astrophysics and wine tasting. "I'm a big believer that we are the Netflix of learning," said Paul Suijk, chief executive of the Teaching Company of Chantilly, Va., which owns the Great Courses and has $150 million a year in revenue. "Looking at Netflix and where they are going, I think there are many similarities."

Doctors fire back at bad Yelp reviews - and reveal patients' information online (WaPo, 27 May 2016) - Burned by negative reviews, some health providers are casting their patients' privacy aside and sharing intimate details online as they try to rebut criticism. In the course of these arguments -- which have spilled out publicly on ratings sites like Yelp - doctors, dentists, chiropractors and massage therapists, among others, have divulged details of patients' diagnoses, treatments and idiosyncrasies. One Washington state dentist turned the tables on a patient who blamed him for the loss of a molar: "Due to your clenching and grinding habit, this is not the first molar tooth you have lost due to a fractured root," he wrote. "This tooth is no different." And a California dentist scolded a patient who accused him of misdiagnosing her. "I looked very closely at your radiographs and it was obvious that you have cavities and gum disease that your other dentist has overlooked. … You can live in a world of denial and simply believe what you want to hear from your other dentist or make an educated and informed decision." Health professionals are adapting to a harsh reality in which consumers rate them on sites like Yelp, Vitals and RateMDs much as they do restaurants, hotels and spas. The vast majority of reviews are positive. But in trying to respond to negative ones, some providers appear to be violating the Health Insurance Portability and Accountability Act, the federal patient privacy law known as HIPAA . The law forbids them from disclosing any patient health information without permission. Yelp has given ProPublica unprecedented access to its trove of public reviews -- more than 1.7 million in all -- allowing us to search them by keyword. Using a tool developed by the Department of Computer Science and Engineering at the NYU Tandon School of Engineering, we identified more than 3,500 one-star reviews (the lowest) in which patients mention privacy or HIPAA. 
In dozens of instances, responses to complaints about medical care turned into disputes over patient privacy.

Goldman Sachs: 5 practical uses for blockchain - from Airbnb to stock markets (Business Insider, 28 May 2016) - "Is the hype around blockchain justified?" asks Goldman Sachs in a blockbuster 88-page note sent to clients this week. The financial world has been going crazy for blockchain technology for the last year or so, hypothesising how it could rip out huge amounts of costs for big banks and streamline operations. Goldman itself was one of the key hype men, declaring in December that the technology "can change... well everything." The bank has examined the technology's application in 5 markets. We've summed up its thinking below * * *

Get the complete guide to preservation case law 2008-2016 (GC News, 31 May 2016) - Zapproved has published its updated Preservation Case Law Summaries 2008-2016 , the definitive guide to preservation case law with summaries tagged by venue, sanction and topic. Zapproved says courts are analyzing preservation cases for spoliation with a high bar to determine if awarding sanctions is appropriate. The standards set forth in proposed changes to Rule 37(e) require that in order to impose an adverse inference, spoliation must have (i) caused substantial prejudice in the litigation and the result of willfulness or bad faith; or (ii) irreparably deprived a party of any meaningful opportunity to present or defend against the claims in the litigation.

Panama Papers fallout: What if your lawyer gets hacked? (Information Week, 31 May 2016) - Your company has likely spent a lot of time, effort, and money keeping its security systems, policies, and practices up to date. Can the same be said of your law firm? The legal industry isn't exactly known for its technology leadership, which should be of concern, especially from a security perspective. Don't assume that your data is safe, in other words. Be prepared to do your own due diligence. "Law firms retain a lot of sensitive corporate data that would be extremely valuable to hackers or outside parties. In particular, hackers are interested in corporate legal information, intellectual property from their clients, information on directors and officers of corporate clients, settlement terms, and more," said Jacob Olcott, the former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security committee, and current VP at Bitsight Technologies , in an interview. "Since law firms often deal with highly sensitive information, they are a clear target for hackers trying to earn money on the black market. In addition, hacktivists may be interested in the information held by a law firm for political purposes." "Many top law firms have pretty good structural security. However, they drop the ball in two places: They use less sophisticated local counsel and give them sensitive documents, and they don't put sufficient checks on their people," said Jay Edelson, founder and CEO at law firm Edelson PC , in an interview. The actual scope of attacks is difficult to gauge. For example, in its 2015 Annual Security Report, Cisco named the legal industry No. 7 in its list of top 10 company types at risk for Web malware infections. 
According to an American Bar Association (ABA) 2015 Legal Technology Survey Report , 15% of the 880 lawyer respondents said their firms had experienced a security breach, and 23% of them said they didn't know if they had. More than four in ten (42%) said their computers had been affected by a virus, while 23% said they didn't know. The larger the law firm, the greater the increase in breaches. "Law firms represent a critical component of most companies' supply chain[s]," said BitSight's Olcott. "Most companies are focused on managing the cyber risk of their supply chain, and one of the first organizations they start with is their law firm." [ Polley : See also The security vulnerabilities law firm hacks create for corporations (Inside Counsel, 1 June 2016)]

- and -

A brief history of law firm cyberattacks (Law360, 2 June 2016) - The legal industry is the latest gold mine for hackers, whose attacks continue growing in sophistication, frequency and motivation. This, coupled with the fact that so many law firms have branches and associates located around the world, means the entry points for hackers have become even more numerous. Over the past few months alone, major law firms including Cravath Swaine & Moore LLP , Weil Gotshal & Manges LLP , and most recently, Mossack Fonseca, have all fallen victim to simple, easily preventable data breaches. In the case of Mossack Fonseca, more than 2.6 terabytes of data were stolen without the firm detecting any sign of theft, and overall, a whopping 11.5 million sensitive records were confiscated. Most law firms do not have basic cybersecurity controls in place for detecting and mitigating data breaches. The incident at Mossack Fonseca just scratched the surface of demonstrating the lack of cybersecurity resources within the legal sector, as 90 percent of law firms have five or fewer employees dedicated to information security and safeguarding the business' crown jewels. The fact that the law firms entrusted with so much sensitive information have such poor cybersecurity policies, procedures and technologies should be alarming to just about every business, as the quickening pace of breaches could put thousands of businesses at risk. The FBI has reacted by issuing warnings to firms, but overall, the legal industry is - and always has been - lagging. Here's a look at the history of events leading up to the Mossack Fonseca incident: * * * [interesting graphic timeline] * * * According to Vincent I. Polley, former deputy general counsel for Schlumberger Ltd . for 20 years and co-author of a recent book for the American Bar Association on cybersecurity, "A lot of firms have been hacked, and like most entities that are hacked, they don't know that for some period of time. 
Sometimes, it may not be discovered for months and even years." History has a tendency of repeating itself, and given the aforementioned cybersecurity events, law firms must take proactive measures to properly secure the sensitive data. Through actions such as regular employee and third-party contractor training, cybersecurity audits, and investing in data protection technology tools and resources, firms can avoid falling victim to the next data breach - which could happen at any second. [ Polley : I wasn't interviewed for this story.]

Tattoo recognition research threatens free speech and privacy (EFF, 2 June 2016) - Tattoos are inked on our skin, but they often hold much deeper meaning. They may reveal who we are, our passions, ideologies, religious beliefs, and even our social relationships. That's exactly why law enforcement wants to crack the symbolism of our tattoos using automated computer algorithms, an effort that threatens our civil liberties. Right now, government scientists are working with the FBI to develop tattoo recognition technology that police can use to learn as much as possible about people through their tattoos. But an EFF investigation has found that these experiments exploit inmates, with little regard for the research's implications for privacy, free expression, religious freedom, and the right to associate. And so far, researchers have avoided ethical oversight while doing it. The research program is so fraught with problems that EFF believes the only solution is for the government to suspend the project immediately. At a minimum, scientists must stop using any tattoo images obtained coercively from prison and jail inmates and tattoos that contain personal information or religious or political symbolism. EFF has been filing public records requests around the country to reveal how law enforcement agencies are using mobile biometric technology - including facial recognition, digital fingerprinting, and iris scanning - to identify people based on their physical and behavioral characteristics. As part of this investigation, we learned that the National Institute for Standards and Technology (NIST), one of the oldest federal scientific institutions, began an initiative in 2014 to promote and refine automated tattoo recognition technology for the FBI. The FBI's plans for automated tattoo recognition go beyond developing algorithms that can identify people by their tattoos.
The experiments facilitated by NIST also focused on improving technology that can map connections between people with similarly themed tattoos or make inferences about people from their tattoos (e.g. political ideology, religious beliefs). On top of the free speech concerns, the project should raise red flags for religious liberty advocates, since many of the experiments involved sorting people and their tattoos based on Christian iconography. NIST's Tattoo Recognition Technology program also raises serious questions for privacy: 15,000 images of tattoos obtained from arrestees and inmates were handed over to third parties, including private companies, with little restriction on how the images may be used or shared. Many of the images reviewed by EFF contained personally identifying information, including people's names, faces, and birth dates.

Ponemon 2016 Cost of Data Breach study (June 2016) - IBM and Ponemon Institute are pleased to release the 2016 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 383 companies participating in this research increased from $3.79 to $4 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158 in this year's study. In addition to cost data, our global study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. We estimate a 26 percent probability of a material data breach involving 10,000 lost or stolen records.

Will the Constitution protect your next smartphone? (The Atlantic, 3 June 2016) - Will new unlocking methods enjoy the same Fifth Amendment protections that prevent the government from forcing a person to give up their passwords? It all comes down to a distinction that the legal system uses to determine how far Fifth Amendment protections extend. The amendment covers what's in your head (thoughts, memories) but not what you are (fingerprints, DNA). A memorized password is unambiguously protected. But devices secured by biometrics or behavioral traits exist in a grayer area. When Apple introduced its first fingerprint reader-equipped iPhone in 2013, scholars speculated that the Fifth Amendment may not apply to fingerprints. Indeed, just a year later, a Virginia judge ruled that police could force a person to unlock his own iPhone with his fingerprint. And this February, a federal judge in Los Angeles signed a search warrant that compelled a 29-year-old woman to do the same. But these decisions don't necessarily mean the debate over the Fifth Amendment and fingerprint readers is all wrapped up, says Al Gidari, a technology lawyer and the director of privacy at Stanford University's Center for Internet and Society. Gidari disagrees with the judges who signed warrants for fingerprint unlocks. The Supreme Court has determined that the Fifth Amendment applies only to "testimonial communication that is incriminating." Gidari says that even though a fingerprint on its own isn't covered by the Fifth Amendment, the act of unlocking a device with a fingerprint falls into the special protected category. "When you put your fingerprint on the phone, you're actually communicating something," Gidari said. "You're saying, 'Hi, it's me. Please open up.'" [ Polley : Gidari is smart and experienced; his views are welcome counterpoint to others; see immediately below.]

- and -

The Fifth Amendment limits on forced decryption and applying the 'foregone conclusion' doctrine (Orin Kerr in Volokh Conspiracy, 7 June 2016) - The U.S. Court of Appeals for the 3rd Circuit has a case pending on the Fifth Amendment limits of forcing a suspect to enter his password to decrypt a computer. The case provides an opportunity for the 3rd Circuit to correct an error in the 11th Circuit's treatment of the same question, specifically on how to apply the "foregone conclusion" doctrine to an order requiring decryption of a storage device. Given the importance of the issue, I want to explain the issue, show where the 11th Circuit got it wrong, and explain what I think the right analysis should be. I'll start with a short summary of the facts in the pending case as found in the government's brief and the defense brief . The suspect, referred to in the briefs only as "John Doe," is a Philadelphia police officer. (News reports have named him as Francis Rawls , but I'll stick with "John Doe" to be consistent with the briefs.) Doe is believed to have used a peer-to-peer network to download a lot of child pornography from the Internet. Investigators were able to decrypt Doe's Apple computer without Doe's help pursuant to a search warrant. A search of the computer revealed evidence that Doe had accessed more than 20,000 files with child-porn-related file names and then stored the files on two external hard drives that were connected to Doe's computer when the government seized them. This case is about the government's access to the two external hard drives. The government obtained a search warrant to search the two hard drives as well as a supplemental order under the All Writs Act ordering Doe to decrypt them. Doe was then taken to a government computer lab where the drives were connected to a computer, and he was told to enter in the passwords to decrypt his hard drives. 
Doe claimed that he was unable to comply with the order because he did not remember the passwords. * * * [ Polley : pretty interesting reading.]

'Wifi whisperer' siphons your data in the creepiest way possible (Wired, 4 June 2016) - If you're connected to a wireless network, odds are high that little bits of data are trickling out of your device like water from a leaky faucet. "Our phones leak data in a bunch of different ways," says artist Kyle McDonald. "Sometimes it's really insidious or unexpected." Recently at Moogfest, a music and technology festival in Durham, N.C., McDonald with the help of fellow artist Surya Mattu created an installation called WiFi Whisperer that called attention to all that data your phone is giving away for free. As festivalgoers walked past the installation, the artwork grabbed insecure data and displayed it on monitors, while a hidden speaker whispered the stream of data - what networks you've recently connected to and websites you've visited, for example - like a creepy, demon-voiced Big Brother. "It's sort of like looking over someone's shoulder," says McDonald, "except you're doing it without actually looking over their shoulder." The artists built sniffers made from eight Raspberry Pis and wireless antennas, tuned to the different frequencies of open wireless channels. "We know where the data is in the air," McDonald explains. "Normally these packets are getting sent from one device to another, but there's no reason you can't just stand nearby and listen to that same data as though you were the device it was intended for." By partnering with Festify, Moogfest's wireless internet provider, the artists were able to grab even more data - things like the names of networks you were previously connected to, your device's MAC address, the host name of your laptop or phone, the server your http traffic is aiming for, and even text from whatever website you're visiting. "You can see exactly what articles people are looking at," McDonald says. "You can see exactly which comment they've thumbs-up'd." Businesses have actually used this kind of data to build consumer profiles.
In 2012, Nordstrom began tracking the wifi signals emitted from shoppers' phones, to pinpoint their location in the store. Nordstrom argued it was simply the brick and mortar version of what online retailers do with cookies. Consumers didn't agree, and Nordstrom ended its experiment. Analytics companies like Euclid and Nomi use what they claim is anonymous data to figure out exactly where customers go and how many customers leave without buying something. Fairly practical information, you might think. The issue, McDonald says, is that most of us don't even realize we're broadcasting personal information.

This interactive proves just how wrong our world maps really are (FastCoDesign, 6 June 2016) - There are millions of reasons to love The West Wing, especially in a literally insane election year. But for design nerds, these four minutes in which White House Press Secretary C.J. Cregg takes a meeting with the Cartographers for Social Equality might be the highlight of the series. It's probably the only pop culture explanation of how well and truly borked our world maps actually are. Across the board, the Mercator projection of the Earth - which has been our baseline for world maps since the 16th century - skews the actual size of countries so they look bigger (and therefore, more important than they are) when they fall within the middle of the Northern Hemisphere. It's not just bad design, it has real geopolitical implications. For example, in most people's minds, Greenland is a much larger country than Australia. But the reality is that Australia dwarfs Greenland. Likewise, you probably think Africa and North America are roughly the same size, but Africa can swallow all of North America and Greenland with room for all of Western Europe to spare. And so on. Inspired by the aforementioned episode of The West Wing, James Talmage and Damon Maneice created The True Size. The web app lets you drag-and-drop different countries on a world map and see how they shrink or grow on a standard Mercator Projection map. It's a simple tool, but an eye-opening one that can be quickly used to show just how skewed our maps really are.

Google's fair use victory is good for open source (Pam Samuelson, 13 June 2016) - Oracle and Google have been fighting for six years about whether Google infringed copyright by its use of 37 of the 166 packages that constitute the Java API in the Android software platform for smart phones. Last week Google won a jury trial verdict that its reuse of the Java API elements was fair use. Let me first explain the main facts and claims in the lawsuit, and then why Google's fair use victory is a good thing not only for Google, but also for open source developers, for software developers more generally, and for the public. * * * [ Polley : excellent piece.]

Cloaking threat risk assessments under legal privilege (Aird & Berlis, 15 June 2016) - Threat risk assessments against technology-based systems and surrounding environments are increasingly mandated by customers and regulators. Threat risk assessments (TRAs) are typically done either pre-breach event as internal due diligence, or responsive to an event to determine the origins of the event and the scope of the impact. The breadth and penetration level of TRAs vary, but they are inherently intrusive, command significant time and financial resources, and will inevitably result in disclosing areas of possible vulnerabilities. The intent of TRAs is in part to identify those weaknesses, but that goal is often balanced by the concern that having actual knowledge of weaknesses and vulnerabilities exposes businesses to greater liability upon a breach event if the business was unable to implement a solution before the breach event occurs. Rectifying vulnerabilities, which could include simply catching up on ever-changing industry standards, often takes a significant amount of time to complete and that assumes that the business in question has the resources to allocate to such effort (whether or not this is simply the cost of doing business can be discussed another time). That inherently leaves a period of time between when an organization becomes aware of a vulnerability and when the solution is in place. In the United States, many law firms have standing agreements with cyber security experts to undertake TRAs. This is often done with the view that if the law firm engages the cyber security expert to perform the TRA and provide the resulting TRA report to the law firm, the TRA report and findings therein would be protected by a form of legal privilege and harder to use against the client should someone want to discover that TRA report. This approach has been tested in limited cases in the United States, and in certain post-breach incident TRAs, it has had some success. 
(We refer you to an Order issued by the U.S. District Court of Minnesota on October 23, 2015 by a U.S. Magistrate Judge, Jeffrey J. Keyes, in the matter relating to Target and a TRA prepared by Verizon Business Network Services). In Canada, the approach of law firms retaining cyber security experts to undertake the TRAs is less prevalent, but the merits and limitations should be considered.

top

The net neutrality court decision, in plain English (WaPo, 15 June 2016) - You may have heard something Tuesday about a court and net neutrality and something about the Internet. Maybe it didn't make much sense. And that's a good thing! If we all spent our time trying to decipher the Web, we'd never get around to actually using it, or creating awesome new things with it. That said, some debates are so important to the healthy function of the Internet that they're worth learning about in depth, and in the process grasping their implications for free speech, online commerce, educational opportunity and all the reasons that make the Internet worth using in the first place. One of those debates reached a key turning point Tuesday, when a federal appeals court said that the Internet is basically like a giant telephone network and that the companies that provide it, such as Comcast and Verizon, must offer essentially the same protections to Internet users that the government has required of phone companies for decades. [ Polley : This is key - while the "net neutrality" stuff is nice, the fundament of it is the recharacterization of ISPs as "telecom service" providers rather than "information service" providers. That recharacterization enables the FCC to regulate things like net neutrality; but also lots of other things, too.]

Key takeaways from the SEC Morgan Stanley cybersecurity case (D&O Diary, 16 June 2016) - As I noted in a recent post , on June 8, 2016, the SEC, in what one commentator called "the most significant SEC cybersecurity-related action to date," announced that Morgan Stanley Smith Barney LLC had agreed to pay a $1 million penalty to settle charges that as a result of its alleged failure to adopt written policies and procedures reasonably designed to protect customer data, some customer information was hacked and offered for sale online. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC's Office of Internet Enforcement, takes a look at the circumstances at the company that led to this enforcement action and reviews the important lessons that can be learned from what happened. A version of this article originally appeared on CybersecurityDocket. I would like to thank John for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site's readers. Please contact me directly if you would like to submit a guest post. Here is John's guest post. * * *

Blockchain tech tested for Sweden's land registry system (ArsTechnica, 17 June 2016) - Blockchain - the technology that underpins Bitcoin - is to be tested on Sweden's land registry to see if it helps speed up property deals in the country. The Swedish National Land Survey (Lantmäteriet) has announced a trial that could have a significant impact on land deals, which are currently jotted down on paper, requiring several official documents, and the use of physical mail. A proof-of-concept both of the technology itself, and how it would work within the land registry has been developed by the government agency, alongside Swedish blockchain outfit ChromaWay, consulting firm Kairos Future, and telecoms company Telia. They say that the system is faster, more secure, and far less prone to human error than the current method.

Tor torpedoed! Tesco Bank app won't run with privacy tool installed (The Register, 18 June 2016) - UK supermarket giant Tesco's mobile banking app refuses to run on handsets where the Tor app is also installed, it emerged this weekend. Mainframe database admin Marcus Davage revealed the Tesco banking app tells users they must remove the Tor Project's anonymizing Android software to access the supermarket's money services. Davage posted an image of the message, which advises that in order to use the Tesco app, the Tor Project's Orbot Android client has to not only be turned off but removed entirely from the device. The issue appears to be related to security. Tesco's help site notes that the Android app checks for malware and other possible security risks (such as the phone being rooted) upon launching and, in this case, the Tor software triggers an alert.

Fed internal watchdog to study oversight of cybersecurity at banks (Reuters, 20 June 2016) - The Federal Reserve's internal watchdog plans to study how well the central bank is overseeing cybersecurity practices at financial institutions, the U.S. central bank said on Monday. The Office of Inspector General (OIG) at the Fed's Board of Governors plans to release the audit in the fourth quarter, the OIG said in a report on current and upcoming projects. Fed Chair Janet Yellen is due to appear before a U.S. Senate committee on Tuesday and will likely face questions about cybersecurity breaches involving the central bank. Lawmakers are also probing the Fed's own cybersecurity practices after a Reuters report revealed more than 50 cyber breaches at the Fed between 2011 and 2015. "The growing sophistication and volume of cybersecurity threats presents a serious risk to all financial institutions," the OIG said in its report released on Monday. The OIG study due later this year could be the first public report on how well the Fed is holding banks to rules that require them to have effective information security programs. Past studies posted on the Fed's website focused on the central bank's overall cybersecurity practices or on the security of particular information technology systems at the Fed.

Online interactive legal documents would be legal in North Carolina under bill passed by legislature (ABA Journal, 22 June 2016) - North Carolina lawmakers have passed a bill that amends the state's definition of law practice to permit websites that offer interactive legal documents. House Bill 436 (PDF) won unanimous approval last week, ending a long-running dispute with LegalZoom, WRAL reports. The bill was forwarded to Gov. Pat McCrory on Tuesday, according to the legislature's website. The bill says the practice of law does not include websites offering interactive software that generates a legal document based on the consumer's answers to legal questions. The bill adds several restrictions, including these: * * *

Law schools are going online to reach new students (NYT, 22 June 2016) - Law schools, in the face of marked declines in enrollment, revenue and jobs for graduates, are beginning to adopt innovative new ways of delivering legal education. Some law schools are moving away from relying solely on classic settings and instead are blending classroom learning with online instruction, said Michael B. Horn, a founder of the Clayton Christensen Institute, a research institution in San Mateo, Calif., that explores disruptive innovation in education. "Legal education is confronting the most imminent threat in higher education," Mr. Horn said. "Law schools are increasingly out of step with shifts in the legal services market." Law schools that "are able to pioneer online, competency-based programs that focus outside of the traditional J.D. will have a leg up in the struggle to survive," said Mr. Horn, an author of the newly released report, "Disrupting Law School: How Disruptive Innovation Will Revolutionize the Legal World." Mitchell Hamline School of Law, in St. Paul; Washington University School of Law, in St. Louis; and Syracuse University College of Law, in New York, all offer programs that fuse some elements of traditional legal education with technology in new educational vehicles. Harvard Law School also offers an online class on copyright law to its on-campus students and to students who can enroll for the free, not-for-credit course from anywhere in the world. Opportunities to earn a full-fledged law degree online are few, so far. The William Mitchell College of Law began offering a hybrid law degree in January 2015. The school has since merged with Hamline University School of Law. Syracuse's law school adopted a somewhat different approach when it announced in April that it would offer a hybrid law degree once it received approval from New York State and the American Bar Association, which regulates accredited law schools. 
Syracuse is working with 2U Inc., an education technology provider in Landover, Md., that has collaborated with some major universities, including Northwestern and Georgetown. The online degree program would use 2U's platform. The program will be for people whose work or family obligations prevent them from attending a residential law program. It will offer live online classes with Syracuse Law faculty members who will interact with students. The program, which is expected to begin in 18 months, will also include courses on campus and internships with outside employers.

Applying the Fourth Amendment to placing calls from a locked phone to identify its owner (Orin Kerr in Volokh Conspiracy, 22 June 2016) - A story in the Sacramento Bee flags a novel Fourth Amendment issue pending in federal court. Here's the issue: If the police find a locked phone that was left behind at a crime scene, do the police need to get a warrant before trying to identify the phone's owner by calling 911, thereby generating a caller-ID record at 911 that discloses the phone's number and leads to identification of its owner? This question has come up in the "Gone Girl" kidnapping case currently before Judge Troy Nunley in Sacramento. As I understand the facts from the SacBee story, the defendant, Matthew Muller, allegedly attempted a home burglary months after the kidnapping. The homeowner fought back, and Muller fled. In the course of fleeing, Muller left his locked cellphone behind. Cellphones allow emergency calls without unlocking the phone. The police took advantage of this and used the phone to call 911. Placing the call necessarily sent the phone's number to 911, and investigators then obtained the number from 911. The number was registered as a Verizon cellphone number. The police went to Verizon to find out who the registered user was. After serving a warrant on Verizon for this information, the police learned that the phone was registered to Muller's stepfather. That led the police to Muller. Muller has now moved to suppress the evidence that resulted from his identification. The issue being litigated is whether the government could call 911 from the phone without a warrant. Muller says no, because using the phone was a warrantless search. The government says yes, because the phone was abandoned when Muller left it behind. There are a lot of interesting issues here, and I can't do all of them justice in one post. But here's an overview of my thoughts. 
First, I think that calling 911 from another person's phone generally should be deemed a Fourth Amendment search of the phone. It's accessing another person's property to obtain information stored inside it, which I think of as a classic kind of search. Granted, the information from inside the phone (the number) is being retrieved in an unusual way. It's being pushed out and routed to 911 rather than revealed on the screen. And the only information retrieved is the number stored inside. But I think that is still accessing information from inside the device, and that it should still count as a search. That's my view, but there's some authority that points the other way. The best precedents on the other side are probably the recent cases holding that accessing the magstripe of a credit card is not a search. Those cases reasoned in part that there was no search because the information stored inside was disclosed to others in the ordinary course of use. The phone number associated with a phone is also disclosed to others in the ordinary course of use. If you buy the reasoning of the magstripe cases, you might say that getting the number from a phone is not a search for that reason. Because I don't think those cases are persuasive for reasons explained in my earlier posts, I would still say that calling from a phone is ordinarily a search.

- and -

The Fourth Amendment does not protect your home computer (EFF, 23 June 2016) - In a dangerously flawed decision unsealed today, a federal district court in Virginia ruled that a criminal defendant has no "reasonable expectation of privacy" in his personal computer, located inside his home. According to the court, the federal government does not need a warrant to hack into an individual's computer. This decision is the latest in, and perhaps the culmination of, a series of troubling decisions in prosecutions stemming from the FBI's investigation of Playpen - a Tor hidden services site hosting child pornography. The FBI seized the server hosting the site in 2014, but continued to operate the site and serve malware to thousands of visitors that logged into the site. The malware located certain identifying information (e.g., MAC address, operating system, the computer's "Host name"; etc) on the attacked computer and sent that information back to the FBI. There are hundreds of prosecutions, pending across the country, stemming from this investigation. The implications for the decision, if upheld, are staggering: law enforcement would be free to remotely search and seize information from your computer, without a warrant, without probable cause, or without any suspicion at all. To say the least, the decision is bad news for privacy. But it's also incorrect as a matter of law, and we expect there is little chance it would hold up on appeal. (It also was not the central component of the judge's decision, which also diminishes the likelihood that it will become reliable precedent.) [see also Judge says FBI can hack computers without a warrant because computer users get hacked all the time (TechDirt, 24 June 2016)]

NOTED PODCASTS/MOOCS

'State of Surveillance' with Edward Snowden (Vice, 8 June 2016; 27 minute video) - When NSA whistleblower Edward Snowden leaked details of massive government surveillance programs in 2013, he ignited a raging debate over digital privacy and security. That debate came to a head this year, when Apple refused an FBI court order to access the iPhone of alleged San Bernardino Terrorist Syed Farook. Meanwhile, journalists and activists are under increasing attack from foreign agents. To find out the government's real capabilities, and whether any of us can truly protect our sensitive information, VICE founder Shane Smith heads to Moscow to meet the man who started the conversation, Edward Snowden.

RESOURCES

Griffiths on exhaustion and the alteration of copyright works in EU copyright law (MLPB, 6 June 2016) - Jonathan Griffiths, Queen Mary University of London, School of Law, has published Exhaustion and the Alteration of Copyright Works in EU Copyright Law - (C-419/13) Art & Allposters International BV v Stichting Pictoright at ERA Forum 1 (May 2016). Here is the abstract: The Judgment of the Court of Justice in (C-419/13) Art & Allposters International BV v Stichting Pictoright concerned a claim that the transfer of an image from paper poster to artist's canvas infringed copyright in that image. It is argued here that, while the case sheds little light on the potential application of the Usedsoft principle to copyright works more generally, its significance extends well beyond the relatively specialist practices with which the national proceedings were concerned. Following an outline of the Judgment, the article goes on to consider its implications for our understanding of the reproduction, distribution and adaptation rights in EU copyright law.

Manning on Hyperlinks and Copyright Law (MLPB, 9 June 2016) - Colin Manning, Cork Institute of Technology, has published Hyperlinks & Copyright Law. Here is the abstract: Reconciling the desire for wide distribution with the desire for control has proven challenging for the law. Deep linking is a good illustration of how applying print and broadcast era concepts to the challenges of the digital era can result in uncertainty and unintended consequences. In the Svensson decision, the court not only failed to acknowledge the distinction between linking and embedding, but it explicitly permitted embedding of content from other sites. This could have implications for how content is distributed, and may ultimately harm user privacy.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Choicepoint to pay $15 million for data breach (CSO Online, 26 Jan 2006) -- ChoicePoint Inc., the data broker that set off a national debate after disclosing a data breach early in 2005, will pay US$15 million in fines and other penalties for lax security standards, the U.S. Federal Trade Commission (FTC) announced Thursday. ChoicePoint's $10 million fine is the largest civil fine in the FTC's history, the FTC said. Under a settlement with the FTC, the Georgia company will also set up a $5 million fund to aid victims of identity theft that resulted from the data breach, and the company has agreed to implement new security measures and have an independent auditor review its security every other year until 2026, said FTC Chairwoman Deborah Platt Majoras.

- and -

Keeping your enemies close (New York Times, 12 Nov 2006) - If you found yourself running a company suddenly branded one of the most reviled in the country - if, for example, you noticed that visitors to Consumerist.com, a heavily visited consumer Web site, voted yours as the second "worst company in America" and you had just been awarded the 2005 "Lifetime Menace Award" by the human rights group Privacy International - you might feel obliged to take extraordinary steps. You might even want to reach out to your most vocal critics and ask them, "What are we doing wrong?" So it was in early 2005 that Douglas C. Curling, the president of ChoicePoint, a giant data broker that maintains digital dossiers on nearly every adult in the United States, courted two critics whom he had accused just months earlier of starting "yet another inaccurate, misdirected and misleading attack" on his company. Mr. Curling also contacted others who had spent years calling for laws requiring better safeguarding of personal information that ChoicePoint and other data brokers assemble - records such as Social Security numbers, birth dates, driver's license numbers, license plate numbers, spouse names, maiden names, addresses, criminal records, civil judgments and the purchase price of every parcel of property a person has ever owned. "It was sort of like when I talk with my wife when she's not happy with me," Mr. Curling said of his dealings with some of ChoicePoint's harshest critics. "It's not exactly a dialogue I look forward to, but I can't deny it's important." He also could not deny his motivations for engaging in these conversations: in the public's mind, ChoicePoint had come to symbolize the cavalier manner in which corporations handled confidential data about consumers. [Polley in 2006: Long, excellent, thorough, piece on the fall, and rise, of ChoicePoint. Includes useful collateral graphics and timelines. Illuminates the social-engineering dimension of data security.]

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.