MIRLN --- 24 Nov - 14 Dec 2013 (v16.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | PODCASTS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES
- Fear of juror Googling didn't justify order to remove pages from lawyer website, appeals court says
- Digital disappointment: why are the telcos MIA in the NSA debate?
- The long arm of the national security-communications industry complex
- The NSA is tracking cell phone movements, generating 5 billion records a day
- New documents show how the NSA infers relationships based on mobile location data
- The foreign policy essay: Cheng Li and Ryan McElveen on "NSA revelations have irreparably hurt US corporations in China"
- Ryan Lizza's flawed account of surveillance law
- They had the beat
- Creative Commons next generation licenses - Welcome version 4.0!
- Fearful of sanctions, some companies don't discard documents
- US agrees to pay $50m after 'piracy' of software
- It's illegal for offline retailers to collect email addresses
- Is LinkedIn's endorsement feature ethical for lawyers?
- ABA makes the Model Rules available as a mobile app
- URL shortening in legal briefs, and now legal opinions
- Astroturfing bust spotlights online review troubles
- UK social media users get legal advice from on high on avoiding contempt of court
- Booz Allen says cyber attacks are the "new normal" for financial services industry
- Senator wants cybersecurity answers from automakers
- How the Bitcoin protocol actually works
- FBI surveillance malware in bomb threat case tests constitutional limits
- Woman's 140K tapes of TV news to be digitized, by Bay Area nonprofit
- Google catches French govt spoofing its domain certificates
- Coursera releases iPhone app for MOOCs
- Financial regulators issue final guidance on social media
- Firms will need cyber "badge" to win some British govt business
Fear of juror Googling didn't justify order to remove pages from lawyer website, appeals court says (ABA Journal, 4 Nov 2013) - A judge violated a lawyer's First Amendment rights when he ordered the lawyer to take down references to asbestos wins on her website during a 2011 trial on similar issues, a California appeals court has ruled. The Second District Court of Appeal ruled on behalf of lawyer Simona Farrise last week, the Recorder reports. The order was a prior restraint on speech that violated the U.S. and California constitutions, according to the decision (PDF) by the California Second District Court of Appeal. The trial judge, Thomas Anderle of Santa Barbara County, had ordered Farrise to remove two pages from her website touting victories in asbestos cases against Ford Motor Co., one of the automaker defendants in the suit being tried before Anderle. The plaintiffs, Richard and Christie Steiner, had claimed asbestos exposure from Richard's Steiner's work on automobiles contributed to his lung cancer. One Web page subject to the order touted a $1.6 million verdict against Ford and others. The write-up asserted that "at least one jury managed to successfully navigate defendants' courtroom confusion and find these companies at fault." The other Web page, also ordered removed, described a $4.35 million verdict against Ford. Volkswagen Group of America had sought removal of the Web pages, citing the possibility that a juror would find it, and Ford Motor Co. joined in the motion. Anderle granted the request, though he also told jurors they could not Google the lawyers and could not conduct independent research. Jury instructions, coupled with the possibility of contempt for those who disobey, is the proper way to handle the issue, the appeals court said.
Digital disappointment: why are the telcos MIA in the NSA debate? (Kevin Bankston, 21 Nov 2013) - Last Wednesday, I spent my morning in a hearing room on Capitol Hill talking about how I'd spent my summer: helping to build a broad coalition of privacy and free speech advocates, tech investors and trade associations, and Internet companies large and small, to press for greater transparency around the National Security Agency's surveillance programs. The hearing was my last public appearance as the Center for Democracy & Technology's Free Expression Director, before starting this week in my new role as the Policy Director of New America Foundation's Open Technology Institute (OTI). Also sitting at the witness table was a representative from Google, who like me was there in support of the Surveillance Transparency Act of 2013. That bill would allow companies and require the government to publish basic statistics about how the NSA is using its national security surveillance authorities to access information about Internet and telecommunications service providers' customers. Also in the hearing room, at least in spirit, was everyone else in our coalition: think tanks like OTI; nonprofit advocacy organizations from across the political spectrum, from the ACLU to Americans for Tax Reform; Internet giants like Apple, Facebook, Microsoft, and Twitter; and newer Internet players like Tumblr and Dropbox. This broad and unprecedented alliance, united to demand more transparency and accountability around the NSA's access to our personal data, stood behind me as I delivered my testimony. But do you know who didn't have my back? Who hasn't stepped up to support surveillance transparency, much less surveillance reform? Who, despite-or because of-being as deeply involved as anyone can be in the NSA's dragnet, has had nothing to say other than "no comment"? The telcos. In the current debate over NSA spying, the telecommunications companies (telcos) that provide all of us with our telephone and Internet service, the giant corporations like AT&T and Verizon that own the phone lines and cell towers and fiber optic cables and Internet exchange points that carry all of our data-and that the NSA is tapping into-are nowhere to be seen. The telcos' failure to work with the privacy community to protect their users against government overreach, in contrast with the Internet companies who've joined our coalition, is especially disappointing considering that they are the ones who should be helping the most.
- and -
The long arm of the national security-communications industry complex (editorial by former FCC Commissioner Michael Copps, 22 Nov 2013) - This is a story about more than just the national security implications of government surveillance, but it begins there. The New York Times reported in a front page story earlier this month that the Central Intelligence Agency is paying AT&T in excess of $10 million annually for information from the company's telephone records, including the international calls of U.S. citizens. The article pointed out that this work "is conducted under a voluntary contract, not under subpoenas or court orders compelling the company to participate, according to officials." The story adds yet another chapter to the still-unfolding revelations about National Security Agency surveillance. Every week seems to bring new reports about the close and almost seamless ties that bind the several intelligence agencies to the huge telecom and broadband companies that bestride our nation's communications infrastructure. When I became a Member of the Federal Communications Commission (FCC) in 2001, I assumed I would be privy to at least a credible amount of information about what the companies under FCC oversight were doing behind the scenes. My expectations went unfulfilled. Did I expect the nation's most sensitive intelligence information to be shared with me? No, I did not. But would it have been helpful for me to know more about how the industry executives who visited me on a whole range of non-national security communications industry issues were at the same time working hand-in-glove with the White House and these secretive agencies on a far more intimate and confidential basis than I was? Yes, absolutely. Maybe I'm a slow learner, or maybe I just wasn't supposed to know, but it finally dawned on me that the CEOs and top management who came calling on me at the FCC were far better informed and connected than I was -- because their companies were the ones running these sensitive monitoring and surveillance operations in behalf of the national security agencies. It was, very often, their workers and their technologies that drove the process. * * *
- and -
The NSA is tracking cell phone movements, generating 5 billion records a day (GigaOM, 4 Dec 2013) - Documents leaked by former NSA contractor Edward Snowden show that the National Security Agency is gathering a massive amount of data about the location of millions of cell phones all over the world. The news, which contradicts the agency's claims that it had only experimented with tracking but then abandoned the efforts, is likely to fuel the ongoing scandal over the U.S. government's surveillance of phone and internet activity. According to the documents, reported on Wednesday by the Washington Post, the NSA has been harvesting the location of cell phones by using interception equipment plugged into key nodes of phone carriers' networks. As the Post explains, the system relies on U.S. companies to collect the information at cell towers and other relevant locations to obtain nearly 5 billion records a day about cell phone whereabouts. For privacy advocates, the new revelations could prove especially troubling since cell phone location patterns can be deeply revealing and, unlike voice or internet data, it's not possible to disguise movements through encryption or private networks. As an ACLU technologist told the Post (which has graphics of how the system works), the only practical recourse to avoid the collection is to unplug from the networks and "live in a cave." [ Polley : Blistering report in The Atlantic about the skein of lies and misrepresentations from the Administration about these collection programs: Exactly What the State Says to Deceive You About Surveillance (The Atlantic, 11 Dec 2013); the story precisely flags the disingenuous language I decried in MILRN 16.09 , back in June when all this began to break. Then, I wrote: "Color me skeptical on this disclaimer. Also, parse their language very closely - when they say they "aren't collecting XXX-type of information under this program", they are NOT saying they don't collect it under some other program. These kinds of "lawyer tricks" are unbecoming and thwart serious debate." ]
- and -
New documents show how the NSA infers relationships based on mobile location data (Washington Post, 10 Dec 2013) - Everyone who carries a cellphone generates a trail of electronic breadcrumbs that records everywhere they go. Those breadcrumbs reveal a wealth of information about who we are, where we live, who our friends are and much more. And as we reported last week, the National Security Agency is collecting location information in bulk - 5 billion records per day worldwide - and using sophisticated algorithms to assist with U.S. intelligence-gathering operations. How do they do it? And what can they learn from location data? The latest documents show the extent of the location-tracking program we first reported last week. Read on to learn more about what the documents show. The NSA doesn't just have the technical capabilities to collect location-based data in bulk. A 24-page NSA white paper shows that the agency has a powerful suite of algorithms, or data sorting tools, that allow it to learn a great deal about how people live their lives. Those tools allow the agency to perform analytics on a global scale, examining data collected about potentially everyone's movements in order to flag new surveillance targets. For example, one NSA program, code-named Fast Follower, was developed to allow the NSA to identify who might have been assigned to tail American case officers at stations overseas. By correlating an officer's cellphone signals to those of foreign nationals in the same city, the NSA is able to figure out whether anyone is moving in tandem with the U.S. officer.
- and -
The foreign policy essay: Cheng Li and Ryan McElveen on "NSA revelations have irreparably hurt US corporations in China" (Lawfare, 8 Dec 2013) - Lawfare readers have followed and discussed the Snowden revelations with a mixture of dread and excitement. Our focus, understandably, is on the impact of the leaks on the intelligence community and on U.S. national security policy. The seemingly endless disclosures and associated news stories, along with the many declassified documents from the ODNI, have sparked discussions on technological change, government accountability and oversight, FISA reform, and other important issues. For many Americans, however, the bigger problem is the leaks' impact on the U.S. economy and on American businesses-many of whom do business overseas. European allies may eventually shrug off their frustrations with the NSA, but my Brookings colleagues Cheng Li and Ryan McElveen argue that China is far less likely to do so. The revelations are leading to a policy shift that may hinder U.S. technology firms in China for years or even decades. Cheng Li is director of research and a senior fellow at the John L. Thornton China Center in the Foreign Policy program at Brookings, and is a director of the National Committee on U.S.-China Relations. Ryan McElveen is a research assistant at the Thornton Center.
Ryan Lizza's flawed account of surveillance law (Lawfare, Tim Edgar, 13 Dec 2013) - Ryan Lizza's piece in this week's New Yorker , "State of Deception," is essential reading for those interested in surveillance and civil liberties. It is a gripping account of the history of the NSA telephone and Internet surveillance programs put in place after September 11. It traces these programs from their inception amid broad claims of wartime power during the first Bush Administration, explains the effort to put them under the FISA court in the second Bush Administration, and concludes with President Obama's decision to ratify them and the fallout from the Snowden revelations. Unfortunately, the piece is marred by Lizza's flawed description of surveillance law. He oversimplifies, and therefore distorts, the legal issues in a way that fits his narrative of Senator Wyden as the hero of his story. Perhaps the most important problem is that Lizza doesn't understand the issue with FISA prior to September 11 that led to these programs. He explains that while the NSA "was legally vacuuming up just about any foreign communications it wanted," it needed FISA court permission "when it targeted one side of a call or e-mail that involved someone in the United States . . . ." This is simply wrong. The NSA has been permitted for decades to collect international communications, including those with one end in the United States, as long as its target is foreign. The problem is that FISA distinguishes between collection that occurs over the air and collection that occurs from a wire, and between collection that occurs inside and outside the country. * * * [ Polley : Worth reading; now I'll turn to reading Lizza's piece.]
They had the beat (MLPB, 25 Nov 2013) - Jose Bellido, University of London, has published Popular Music and Copyright Law in the Sixties at 40 Journal of Law and Society 570 (2013). Here is the abstract: "Copyright and its relationship with popular music is one of the most disputed issues amongst music and copyright scholars. While some have accused copyright of being blind (or deaf) to the particularities of popular music, others have defended its significance within the industry. This article contributes to this debate by tracing the networks of connections between lawyers, musicians, and clerks that emerged in a formative period in British pop music (the Sixties). It considers how their collaborative efforts and strategies to present evidence in copyright infringement trials were articulated in an attempt to influence music copyright infringement tests in Britain. By highlighting the concrete geographical and temporal contexts from which these networks emerged and their particular contingencies, the article also casts a new light on the impact of the legal profession on copyright, showing a practice-oriented and historically situated way of observing differences between French and British copyright systems."
Creative Commons next generation licenses - Welcome version 4.0! (Creative Commons, 25 Nov 2013) - We proudly introduce our 4.0 licenses, now available for adoption worldwide. The 4.0 licenses - more than two years in the making - are the most global, legally robust licenses produced by CC to date. We have incorporated dozens of improvements that make sharing and reusing CC-licensed materials easier and more dependable than ever before. The 4.0 licenses are extremely well-suited for use by governments and publishers of public sector information and other data, especially for those in the European Union. This is due to the expansion in license scope, which now covers sui generis database rights that exist there and in a handful of other countries. Among other exciting new features are improved readability and organization, common-sense attribution, and a new mechanism that allows those who violate the license inadvertently to regain their rights automatically if the violation is corrected in a timely manner. You can find highlights of the most significant improvements on our website , track the course of the public discussion and evolution of the license drafts on the 4.0 wiki page , and view a recap of the central policy decisions made over the course of the versioning process.
Fearful of sanctions, some companies don't discard documents (ABA Journal, 27 Nov 2013) - Fearful of adverse consequences if they inadvertently discard electronic documents that are deemed to be relevant in litigation, some of the biggest companies in the U.S. are simply saving all documents, including email sent via employees' electronic devices. A minority of federal courts say companies can be sanctioned even if they discard documents without intending to. All allow sanctions, which can mean the loss of a big case, when documents are intentionally destroyed. So companies including Exxon Mobil Corp. and Microsoft Corp. are asking the federal Judicial Conference to recommend a new rule that would provide uniform standards for document retention and allow sanctions only when documents are destroyed willfully or in bad faith.
US agrees to pay $50m after 'piracy' of software (BBC, 28 Nov 2013) - The US government has agreed to pay $50m (£31m) after it was said to have pirated "thousands" of copies of military software. Apptricity, based in Texas, has provided logistics programs to the army since 2004. The company said it had discovered last year the software had been installed on many more machines than had been licensed. The Department of Justice has not commented on the settlement. The Dallas Morning News reported a DoJ spokeswoman had confirmed the agreement, but would not give more details. Apptricity's software allows the military to track the movements of soldiers as well as key supplies. It has also been used during relief efforts, most notably in Haiti following the 2010 earthquake. According to court documents filed in 2012, the deal with the military meant up to 500 named users could access the software. Apptricity later estimated that 9,000 users were accessing the program, in addition to the 500 that had been paid for. The unauthorised copying only came to light after a US Army official mentioned "thousands" of devices running the software during a presentation on technology. Apptricity called for $224m (£137m) to be paid to cover costs. [Washington Post's coverage here .]
It's illegal for offline retailers to collect email addresses (Eric Goldman's blog, 29 Nov 2013) - The California Supreme Court issued a decision a couple of years ago holding that a zip code is "personal identification information" under the Song-Beverly Credit Card Act of 1974, making it illegal for retailers to ask consumers to provide zip codes in connection with credit card transactions. (See " California Supreme Court Rules That a ZIP Code is Personal Identification Information - Pineda v. Williams-Sonoma .") Extending that precedent, this case holds that retailers can't ask for email addresses during credit card transactions. ( Note : the statute does not apply to online or other "card-not-present" transactions, so online retailers are off the hook.) Plaintiff alleged that Nordstrom requested his email address as a condition of completing the sale. Nordstrom allegedly asked plaintiff his email address so it could email him the receipt. According to plaintiff, this resulted in promotional emails from Nordstrom "on a nearly daily basis" as well as a general increase in email traffic. The statute prohibits retailers from "request[ing] or requir[ing] as a condition to accepting the credit card as payment . . . the cardholder to provide personal identification information." Personal identification information is defined as information concerning the cardholder, "including but not limited to, the cardholder's address and telephone number." In Pineda , the California Supreme Court held that this statute should be construed broadly, given the statute's protective purpose. Nordstrom argued that Pineda is distinguishable because an email address is something arbitrarily chosen by the holder of the email address and can frequently changed. The court disagrees, noting that someone's email address "permits direct contact and implicates the privacy interests of a cardholder." Nordstrom also argued, citing to Apple v. Superior Court , that as a new technology that was unlikely to be anticipated by the legislature at the time of enactment, the definition of personal identification information should not cover email addresses. The court says that although the California Supreme Court in Apple concluded that the same statute did not apply to internet transactions, the court's holding was not premised on the legislature's inability to anticipate these transactions but rather on the fact that zip codes could be collected for fraud-prevention purposes. Case is Capp v. Nordstrom, Inc. , No. 2:13-cv-00660 (E.D. Cal. Oct. 21, 2013)
Is LinkedIn's endorsement feature ethical for lawyers? (ABA Journal, 1 Dec 2013) - "Does Dennis have these skills or expertise?" If you've visited my, or anyone else's, LinkedIn profile page recently, you've been asked this question. For many lawyers, this seemingly simple inquiry has generated more questions than answers. LinkedIn is the most popular social media platform for lawyers. Most of you know your LinkedIn profile works as an extended form of a resume or biography. A relatively new feature highlights skills. You can list a number of skills that you have-public speaking, writing, leadership and legal skills like litigation, licensing or land-use finance. This can help you round out the story your profile tells. However, some lawyers and regulators have gotten hung up on what legal skills are. There has been debate about whether skills are the same as or at least imply the idea of specialty. Some will argue that lawyers shouldn't list legal skills at all. I feel that if you spend most of your days drafting contracts, it seems logical to say you have the skill of contract drafting. LinkedIn's use of skills brings us to its endorsements. Those of you who follow discussions of ethical rules will not be surprised that LinkedIn's choice of the word endorsement has triggered debate about the ethics of endorsing lawyers for their skills. To endorse someone on LinkedIn means something like "agreeing that this person has that skill." It's like a little yes vote. It's not a rating or a detailed analysis, just an acknowledgement that you think the person has the skill. Now, in the LinkedIn world, it's far better to have a recommendation than an endorsement. A recommendation typically describes a great experience working with a person. The trouble is, most people never get around to writing and posting recommendations. Endorsements are easy to do. There are two common concerns people have had with endorsements. First, LinkedIn suggests skills to endorse that you might not have. LinkedIn might suggest a transactional lawyer add litigation as a skill to endorse. But if your connections don't know exactly what you do, they could endorse you for litigation because they think you're good at everything, and you can get endorsements that don't make sense. Also, since people can see your endorsed skills, they might get confused about what you do. The good news is that there are ways to manage your endorsements and which ones appear. And if you mistakenly make an endorsement, you can withdraw it. Second, many people feel endorsements don't really have any meaning. My theory, and I admit that it is only a theory, is that there can be a point where the quantity of endorsements can tell you something useful.
- and -
ABA makes the Model Rules available as a mobile app (ABA Journal, 1 Dec 2013) - As a self-described "ethics nerd," Lucian T. Pera likes the idea of having easy access to a variety of reference materials on his mobile devices when he's away from the office. "I use this stuff," he says. So he was an early purchaser when the ABA Center for Professional Responsibility recently introduced its first app-the popular term for a software application, or program, that is designed to run on smartphones, tablet computers and other mobile devices. CPR's app makes it possible for lawyers to download the ABA Model Rules of Professional Conduct to their mobile devices. (Every state except California has adopted the format used by the Model Rules.) "I've got it right here on my iPhone," says Pera, a partner at Adams and Reese in Memphis, Tenn., who serves as ABA treasurer. "It's a nice, clean little app." For CPR, which has a wealth of information on ethics and related topics available for digital sharing, "it's a toe in the water," he says. But the Model Rules app is targeted toward a wider range of lawyers than those who take a specialized interest in ethics. The typical practitioner, says Pera, should have ready access to local rules of professional conduct, the Model Rules, ethics opinions and possibly a treatise or two. The benefit of apps, he says, is that those materials are accessible wherever the lawyer goes. "Then when something comes up," he says, "you pull it up and you've got what you need." The Model Rules app is not available directly from the ABA. Rather, it is being sold for $24.99 under a three-year license agreement with Ready Reference Apps, a company based in Salt Lake City. For now, at least, the app is available only from the Apple iStore as part of the company's Rulebook app, which is available at no charge. (Once that app is downloaded, the Model Rules app can be located by opening the Rulebook library manager and then navigating to "other federal authorities.")
URL shortening in legal briefs, and now legal opinions (Volokh Conspiracy, 2 Dec 2013) - Most readers will be familiar with URL shortening services - redirection services that give users a short web address that points to a longer one. I've come across URL shortening in legal briefs more and more, and I have used such links in briefs myself. The shortening avoids an unsightly excessively-long URL when you are linking to content on the web, and it's also easier for the reader who might hand-type the URL into a browser. In the opening brief in United States v. Auernheimer, for example, I linked to http://goo.gl/dVQ4k instead of to the ugly https://chrome.google.com/webstore/detail/scraper/mbigbapnjcgaffohmbkdlecaccepngjd?hl=en. In the last two years, federal court decisions have started to use URL shortening links, too. Judge Kozinski uses them extensively in today's dissent in Minority Television Project v. FCC , a case on the First Amendment implications on banning certain kinds of ads on public TV. A quick Westlaw search finds 9 judicial opinions before today's decision that use Google's URL shortener, goo.gl. Several of them use the service for maps. It's an interesting development, and I suspect it's one that we will see more of rather than less of in the future.
Astroturfing bust spotlights online review troubles (Corporate Counsel, 2 Dec 2013) - New York State Attorney General Eric Schneiderman in September revealed the details of a yearlong undercover operation designed to halt illegal activity occurring from New York City to as far away as Bangladesh and Eastern Europe. Schneiderman's target? Not white-collar criminals, crooked mobsters or corrupt politicians, but fake online reviewers. "Operation Clean Turf" busted 19 companies, both regular businesses and search engine optimization (SEO) firms, all of which were forced to discontinue their practices, and some of which were forced to pay penalties ranging from $2,500 to just under $100,000. To catch businesses and SEO companies "astroturfing" or putting fake consumer reviews on websites like Yelp, CitySearch or Google Local, Schneiderman's office posed as a Brooklyn, New York-based yogurt shop and called SEO companies to ask for help with online reputation management, a service that many SEO firms provide. Instead of merely offering to "manage" reputations though, several SEO representatives offered to post fake reviews of the client business online, using tactics like IP address spoofing, creating multiple profiles to add reviews and paying freelance writers from overseas to draft fake reviews. The attorney general's investigation brought to light not just the problem of fake reviews, but also underscored the difficulties of striking a balance between protecting consumers and protecting companies from nasty and inaccurate online reviews that function effectively as bad advertising.
UK social media users get legal advice from on high on avoiding contempt of court (TechCrunch, 4 Dec 2013) - [T]he immediacy of social media apparently makes it easy for some users to forget how far their views can travel - causing a small number of them to end up in legal hot water over the things they have posted online. Or, from the establishment perspective, to threaten the judicial process by potentially prejudicing prosecutions. The U.K. government's chief legal advisor, Attorney General Dominic Grieve, whose remit includes trying to ensure fair trials can take place, has decided the time has come to provide free legal advice (well, he calls it " advisories ") to Twitterers and Facebookers to help educate them on the responsibilities of using a "tool of mass communication". From today, Grieve will be publishing court advisory notes that have previously only been available to mainstream media outlets. The notes will be published on the gov.uk website and via the Twitter feed of the Attorney General's Office, @AGO_UK (which currently has less than 4,000 Twitter followers). As well as trying to ensure social media users don't trample over the ability of courts to conduct fair trials, Grieve noted the guidelines will aim to help people avoid saying things that might in themselves be a criminal offence. Just last week, for instance, a man who flouted court directions by posting pictures purporting to be of Jon Venables, who murdered the toddler James Bulger in 1993 when he himself was also a child, was handed a 14-month suspended prison sentence. Another recent example is Peaches Geldof, daughter of the singer Bob Geldof, who the Independent notes apologised this week for tweeting the names of two mothers whose babies were abused by the Welsh rock singer Ian Watkins.
Booz Allen says cyber attacks are the "new normal" for financial services industry (WSJ, 4 Dec 2013) - Five years ago, questions directed at boards of directors and senior executives at financial services firms on the toughest risk management issues might have resulted in responses like "liquidity risk," "regulatory compliance," or "bad debt." Few, if any, would have mentioned cyber security. Today, the same question generates a much different answer. In 2014, the trends that matter to CISOs, CIOs, chief risk officers and board members at large and small financial services enterprises reflect their acute concerns about cyber security risk management in today's "new normal" of persistent threats. Today, Booz Allen has compiled those areas of focus for its annual list of the "Top Financial Services Cyber Security Trends for 2014." In recent years, executives have watched the landscape change, seeing how DDoS attacks from the Izz ad-Din al-Qassam Cyber Fighters had the potential to destroy data, and reputations. They learned that cyber threats attack a bank wherever it does business, not just where it is headquartered. And they witnessed the critical benefits of public-private information sharing. "Our conversations with clients have significantly evolved from a focus on threats and capabilities to creating a balanced and holistic cyber program that responds to an institution's critical business risks, while considering the new realities of a complex and interconnected operating environment," said Bill Stewart, senior vice president and head of Booz Allen's commercial finance program. "We are increasingly helping clients to work through how best to align cyber spend with an ever increasing potential exposure. Threat actors continue to grow in sophistication, driving our clients to respond. Simply increasing spend is not the always the best option -- we are helping our clients build programs that respond to their material business risks while balancing resource expenditures." The Top Financial Services Cyber Security Trends for 2014: * * *
- and -
Senator wants cybersecurity answers from automakers (Tom's Guide, 5 Dec 2013) - A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy. "I write to request information regarding your company's protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles," wrote Sen. Ed Markey, D-Mass, in a letter to Daniel Akerson , CEO of General Motors, on Monday (Dec. 2). Markey's questions imply that he wants carmakers to apply computer-industry security processes, including implementation of anti-virus software, incident logging, incident-response planning, software vulnerability patching and third-party penetration testing - the last of which would stage real hacker attacks on mass-production vehicles. Markey, one of the half-dozen lawmakers on Capitol Hill who has demonstrated a clear understanding of computer technology, cited research done earlier this year by two Pentagon-funded "white hat" hackers. "In a recent study that was funded by the Defense Advanced Research Projects Agency (DARPA)," Markey wrote, "Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle's computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components."
How the Bitcoin protocol actually works (by Michael Nielsen and recommended by Bruce Schneier, 6 Dec 2013) - Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We'll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction. Understanding the protocol in this detailed way is hard work. It is tempting instead to take Bitcoin as given, and to engage in speculation about how to get rich with Bitcoin, whether Bitcoin is a bubble, whether Bitcoin might one day mean the end of taxation, and so on. That's fun, but severely limits your understanding. Understanding the details of the Bitcoin protocol opens up otherwise inaccessible vistas. [ Polley : pretty dense reading, but more accessible than anything else I've found.]
FBI surveillance malware in bomb threat case tests constitutional limits (ArsTechnica, 6 Dec 2013) - The FBI has an elite hacker team that creates customized malware to identify or monitor high-value suspects who are adept at covering their tracks online, according to a published report. The growing sophistication of the spyware-which can report users' geographic locations and remotely activate a computer's camera without triggering the light that lets users know it's recording-is pushing the boundaries of constitutional limits on searches and seizures, The Washington Post reported in an article published Friday . Critics compare it to a physical search that indiscriminately seizes the entire contents of a home, rather than just those items linked to a suspected crime. Former US officials said the FBI uses the technique sparingly, in part to prevent it from being widely known. The 2,000-word article recounts an FBI hunt for "Mo," a man who made a series of threats by e-mail, video chat, and an Internet voice service to detonate bombs at universities, airports, and hotels across a wide swath of the US last year. After tracing phone numbers and checking IP addresses used to access accounts, investigators were no closer to knowing who the man was or even where in the world he was located. Then, officials tried something new. "The FBI's elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed onto his Yahoo e-mail account, from any computer anywhere in the world, according to the documents," reporters Craig Timberg and Ellen Nakashima wrote. "The goal of the software was to gather a range of information-Web sites he had visited and indicators of the location of the computer-that would allow investigators to find Mo and tie him to the bomb threats." "We have transitioned into a world where law enforcement is hacking into people's computers, and we have never had public debate," Christopher Soghoian, principal technologist for the American Civil Liberties Union, told The Washington Post, speaking of the case against Mo. "Judges are having to make up these powers as they go along."
Woman's 140K tapes of TV news to be digitized, by Bay Area nonprofit (SiliconValley.com, 9 Dec 2013) - A woman who faithfully taped 35 years of TV news with the hope that one day it would prove to be valuable, searchable historical material did not live to see her dream realized. But the vision of Philadelphia resident Marion Stokes, who died last year at 83, will become a reality now that her 140,000 video cassettes are being archived in an online library. The trove, which totals about a million hours of newscasts, is expected to arrive in the Bay Area Tuesday at the Internet Archive in Richmond where it will be digitized and made available to the public, The Philadelphia Inquirer reported. "We were awestruck by two things," said Roger Macdonald, the virtual library's director of TV archives. "One, the size of the collection. And two, the human story behind it, that one person could create so extensive a collection." The massive collection, which was first reported last month by Fast Company magazine, include local news shows from Philadelphia between 1986 and 2012, and broadcasts from Boston, where she once lived, from 1977 to 1986. All the while, she also recorded national news and cable channels, leading to her to run several VCRs simultaneously 24 hours a day. Her son, Michael Metelits, described Stokes as "searingly intelligent" and said her passion was rooted in the belief that a well-informed public was essential to good governance. Shrewd investments funded the project. "My mother had a keen sense of the uniqueness of her mission," said Metelits, 53. "She would resist, forcefully, anybody who told us this was useless or a waste of time." The cassettes might include rare material. During the 1960s and '70s, local TV stations routinely wiped clean their tapes and reused them; it cost too much and required too much space to maintain an archive.
Google catches French govt spoofing its domain certificates (ZDnet, 9 Dec 2013) - France's cyberdefence division, Agence nationale de la sécurité des systèmes d'information (ANSSI), has been detected creating unauthorised digital certificates for several Google domains. Google states on its own security blog that an intermediate certificate authority (CA) issued the certificate, which links back to ANSSI. "Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate," Google wrote. In a statement by ANSSI , the cyberdefence organisation revealed that this intermediate CA is actually its own infrastructure management trust administration, or "L'infrastructure de gestion de la confiance de l'administration" (IGC/A). ANSSI itself is the cyber response and detection division of the French republic. ANSSI states that the fraudulent certificates were a result of "human error, which was made during a process aimed at strengthening overall IT security". Google states that the certificate was used in a commercial device, on a private network, to inspect encrypted traffic. According to the web giant, users on that network were aware that this was occurring, but the practice was in violation of ANSSI's procedures. Google used the incident to highlight the need for its Certificate Transparency project , aimed at fixing flaws in the SSL certificate system that could result in man-in-the-middle attacks and website spoofing. Google's answer to these flaws is for CAs to adopt a framework that monitors and audits these certificates, thus outing rogue CAs or when certificates are illegitimately issued. This is not the first time that the flaws of SSL certificates have been exposed. The US National Security Agency is alleged to have used man-in-the-middle attacks through unauthorised certificates against Google in the past. Additionally, in August 2011, a breach at DigiNotar , another CA, found that an Iranian hacker had created rogue certificates for Google domains, intercepting user passwords for Gmail.
Coursera releases iPhone app for MOOCs (GigaOM, 10 Dec 2013) - Coursera has built a name for itself by providing MOOCs (massive open online courses) in a variety of subjects to practically any student willing to learn. Now, the company will offer those lessons on the go with a new free app - a boon for students who want to take in lectures during commutes or trips. The first edition of the app, available today in the iTunes store, offers users the ability to browse through the hundreds of courses offered in 20 different subjects on Coursera. Lectures for those courses are offered via live streaming, and also available to download for offline viewing. Coursera's iPhone app not only fills a vacuum that has been otherwise filled with expensive third-party apps, but also jumps on the mobile learning bandwagon. For example, Codecademy created its first iPhone app in honor of "Hour of Code," earlier this week. While it seems like Coursera's iPhone app is more of a bare-bones version of its browser offerings, rather than a complete experience tailored to learning on mobile, it's a great start for those interested in using their phones and tablets to get a little extra learning done. [ Polley : Critical stories about MOOC issues, generally: After setbacks, online courses are rethought (NYT, 11 Dec 2013); and Year of the backlash (InsideHigherEd, 13 Dec 2013)]
Financial regulators issue final guidance on social media (FFEIC, 11 Dec 2013) - The Federal Financial Institutions Examination Council (FFIEC), on behalf of its members, today released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance is effective immediately. The guidance does not impose any new requirements on financial institutions. Rather, it is intended to help financial institutions understand potential consumer compliance and legal risks, as well as related risks such as reputation and operational risks, associated with the use of social media, along with expectations for managing those risks. The guidance provides considerations that financial institutions may find useful in conducting risk assessments and crafting and evaluating policies and procedures regarding social media. The FFIEC published the guidance in proposed form in January 2013 and invited public comments through March 25, 2013. The agencies received 81 comments through that process and took those comments into account in making certain revisions to the guidance. Guidance here .
Firms will need cyber "badge" to win some British govt business (Reuters, 12 Dec 2013) - Britain will announce on Thursday that firms wishing to bid for certain areas of government procurement will have to meet a new standard demonstrating basic levels of cyber security. The scheme forms part of the latest plank of Britain's attempt to counter a growth in hostile cyber assaults, which has been earmarked as a top national security issue but whose progress has come in for severe criticism from lawmakers. The plans will include creation of a government-backed cyber standard for businesses which would be adopted for future procurement, while also designed to give insurers, investors and auditors something "they can bite on" when they weigh how good companies are at managing risks.
NOTED PODCASTS
Why care about the NSA? (NYT, 5min video, 26 Nov 2013) - A short film explores whether ordinary Americans should be concerned about online surveillance.
Software Patents as a Barrier to Scientific Transparency: An Unexpected Consequence of Bayh-Dole (Stanford's CIS; 30 Oct 2013; 56 minutes) - Interview with Columbia Prof. Victoria Stodden, parsing issues associated with open research, transparency, and some of the still-emerging university policies on Bayh-Dole implementation (a third of a century on).
RESOURCES
2013 Techno-Gift Guide (Jeff Allen and Ashley Hallene, ABA, Dec 2013) - Over the years, people have come to regard technology as a desirable gift (among our favorites). For certain occasions within specific relationships, you may find it necessary to get your spouse or significant other a more personal gift, but for most holidays, and many relationships, technology offers highly suitable gifting opportunities. GPSolo magazine has published an annual technology gift guide in connection with the holiday season for many years. This year marks a change in that long-standing tradition. No, we have not canceled the guide; we have given it a perspective shift. For most of its existence, the gift guide reflected my (Jeffrey Allen's) personal views and opinions. Recently, I found an excellent writing partner in Ashley Hallene, and we have just completed writing two books on technology (both of which would, of course, make excellent gift choices): Technology Solutions for Today's Lawyer (ABA, 2013) and iPad for Lawyers (Thomson Reuters, 2013). Ashley and I have greatly enjoyed writing together. As a result, we decided to co-author the gift guide and, in so doing, share with you our joint perspectives on the best techno- gifts as well as give you the viewpoints of both a male and a female author.
DIFFERENT
82 years before Edward Snowden, there was Herbert Yardley (The Atlantic, 4 Dec 2013) - On the National Security Agency's site, there is a timeline dedicated to the most significant events in cryptologic history. Among its many entries: November 4, 1952, the day the NSA itself was created; December 7, 1941, when the Japanese attacked Pearl Harbor; and the earliest event that is commemorated, the U.S. State Department's decision to hire a 23-year-old Indiana native, Herbert O. Yardley, on November 16, 1912, just prior to the outbreak of World War I. An ambitious young man with a background as a railroad telegraph operator, Yardley quickly showed a talent for breaking codes. After proving himself able to decipher an ostensibly secret message to President Woodrow Wilson, he decided to spend his career improving the security of U.S. government communications. Soon after, he began breaking the codes of other governments in anticipation of war. He would ultimately spy on the communications of foreigners and U.S. citizens in peacetime, and head a secret surveillance agency headquartered in a New York City brownstone. But Yardley wasn't just the progenitor of the trade practiced at the NSA today. He was also the surveillance state's first betrayer, as loathed by insiders in his day as Edward Snowden is in ours. His 1931 book The American Black Chamber spilled secrets on a scale that a pre-Snowden-leak NSA described as follows: In today's terms, it would be as if an NSA employee had publicly revealed the complete communications intelligence operations of the Agency for the past 12 years-all its techniques and major successes, its organizational structure and budget-and had, for good measure, included actual intercepts, decrypts, and translations of communications not only of our adversaries but of our allies as well. [ Polley : quite interesting.]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
IBM rents out supercomputer brawn (CNET, 8 Jan 2003) -- IBM has begun a new program to rent out processing power on its own supercomputers, signing up a petrochemical company as a first customer. Petroleum Geo-Services (PGS) is renting more than one-third of its computing capacity from IBM, a move that lets the company deal better with surges in demand for computing services used to find oil and gas deposits. PGS has about 1,000 of its own dual-processor Linux computers interconnected into a single computing resource, but the company is also using about 400 more from IBM, said Chris Semple, manager of developing technologies at PGS. Eventually, IBM expects other petrochemical companies and life-sciences companies to become customers. The service "is a precursor of what should be a broad push into petroleum industry or life sciences," said David Turek, vice president of IBM's Linux clusters and grid products. The project is a specific example of IBM's on-demand computing effort and of the larger "utility computing" concept, under which those who need varying amounts of computing power pay for it as they use it. It's intended to be less expensive alternative to buying equipment for moments of peak usage such as end-of-month account balancing or holiday shopping seasons then letting it sit comparatively idle the rest of the time.
Encryption backers brace for new threats (CNN, 1 April 2003) -- Cheating on income taxes or neglecting to pay sales taxes on online shopping could get you five extra years in prison if the government succeeds in restricting data-scrambling technology, encryption-rights advocates fear. Such a measure, they worry, might also discourage human rights workers in, say, Sri Lanka from encrypting the names and addresses of their confidants, in case they fall into the wrong hands. Draft legislation circulating in the Justice Department would extend prison sentences for scrambling data in the commission of a crime, something encryption advocates fear would achieve little in catching terrorists -- and only hurt legitimate uses of cryptography. "Why should the fact that you use encryption have anything to do with how guilty you are and what the punishment should be?" asks Stanton McCandlish of the CryptoRights Foundation, which teaches human rights workers to use encryption. "Should we have enhanced penalties because someone wore an overcoat?"
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top
