Saturday, August 10, 2013

MIRLN --- 21 July – 10 August 2013 (v16.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENT

The ABA has just published a book I've co-edited, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, with chapters on sources of risk, legal and ethical obligations, practice-setting specifics, planning and recovery, and insurance. With Jill Rhodes (my co-editor), we've pulled together the analysis and recommendations of nearly thirty lawyers, judges, and technology professionals from across the ABA. This is the first work-product of the year-old ABA Cybersecurity Legal Task Force. Tip: buy the e-version; its URLs will link to updated resources. MIRLN READER DISCOUNT: enter MIRLN15 for a 15% discount, good thru the end of August 2013. Press and discussion:

NEWS

Traveling to China? Don't take a laptop computer, universities warn academics (ABA Journal, 17 July 2013) - Colleges and universities in the U.S. are a prime target for hackers, who are outstripping efforts to prevent, or even detect, their cyber attacks, experts tell the New York Times (reg. req.). "We get 90,000 to 100,000 attempts per day, from China alone, to penetrate our system," said Bill Mellon, the associate dean for research policy at the University of Wisconsin. "There are also a lot from Russia, and recently a lot from Vietnam, but it's primarily China." Although the nation's educational institutions don't want to eliminate their teaching mission by creating impenetrable virtual walls around their computer systems, many are imposing new security measures, such as a rule against taking a laptop computer to certain countries. "There are some countries, including China, where the minute you connect to a network, everything will be copied, or something will be planted on your computer in hopes that you'll take that computer back home and connect to your home network, and then they're in there," senior fellow James A. Lewis of the Center for Strategic and International Studies told the newspaper. "Academics aren't used to thinking that way." [Polley: I've written a related how-to piece on cellphone planning/security while abroad - see Your Cell Phone Abroad: Stay on Budget, Stay Secure.]

High-end stores use facial recognition tools to spot VIPs (NPR, 21 July 2013) - When a young Indian-American woman walked into the funky L.A. jewelry boutique Tarina Tarantino, store manager Lauren Twisselman thought she was just like any other customer. She didn't realize the woman was actress and writer Mindy Kaling. "I hadn't watched The Office," Twisselman says. Kaling both wrote and appeared in the NBC hit. This lack of recognition is precisely what the VIP-identification technology designed by NEC IT Solutions is supposed to prevent. The U.K.-based company already supplies similar software to security services to help identify terrorists and criminals. The ID technology works by analyzing footage of people's faces as they walk through a door, taking measurements to create a numerical code known as a "face template," and checking it against a database. In the retail setting, the database of customers' faces is comprised of celebrities and valued customers, according to London's Sunday Times. If a face is a match, the program sends an alert to staff via computer, iPad or smartphone, providing details like dress size, favorite buys or shopping history. The software works even when people are wearing sunglasses, hats and scarves. Recent tests have found that facial hair, aging, or changes in weight or hair color do not affect the accuracy of the system.

A black box for car crashes (NYT, 21 July 2013) - When Timothy P. Murray crashed his government-issued Ford Crown Victoria in 2011, he was fortunate, as car accidents go. Mr. Murray, then the lieutenant governor of Massachusetts, was not seriously hurt, and he told the police he was wearing a seat belt and was not speeding. But a different story soon emerged. Mr. Murray was driving over 100 miles an hour and was not wearing a seat belt, according to the computer in his car that tracks certain actions. He was given a $555 ticket; he later said he had fallen asleep. The case put Mr. Murray at the center of a growing debate over a little-known but increasingly important piece of equipment buried deep inside a car: the event data recorder, more commonly known as the black box. About 96 percent of all new vehicles sold in the United States have the boxes, and in September 2014, if the National Highway Traffic Safety Administration has its way, all will have them. The boxes have long been used by car companies to assess the performance of their vehicles. But data stored in the devices is increasingly being used to identify safety problems in cars and as evidence in traffic accidents and criminal cases. And the trove of data inside the boxes has raised privacy concerns, including questions about who owns the information, and what it can be used for, even as critics have raised questions about its reliability.

Cyber-sabotage is easy; so why aren't hackers crashing the grid? (FP, 23 July 2013) - Hacking power plants and chemical factories is easy. I learned just how easy during a 5-day workshop at Idaho National Labs last month. Every month the Department of Homeland Security is training the nation's asset owners -- the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door -- to hack and attack their own systems. The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simple to break into. * * * So it may come as a surprise to learn that attackers have never been able to engage in cyber-sabotage against America's critical infrastructure -- not once. ICS-CERT has never witnessed a successful sabotage attack in the United States, they told me. Sure, there have been network infiltrations. But those were instances of espionage, not destructive sabotage. Which raises two questions: one obvious, and one uncomfortable. If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defense Department doing more to protect the grid? [Polley: Spotted by MIRLN reader Gordon Housworth.]

- and -

Not cyber myths: Hacking oil rigs, water plants, industrial infrastructure (Network World, 5 August 2013) - If about 55 million people were to suddenly lose power and be plunged into darkness because malware attacked the smart grid, would you rank that as a large-scale cyberattack? It happened a decade ago, according to Eugene Kaspersky of Kaspersky Lab. At the AFCEA Global Intelligence Forum, he said a worm designed to attack Windows systems unexpectedly attacked Unix servers instead, and that malware was responsible for the infamous Northeast blackout of 2003. However, "power companies do not admit that the blackout was caused by malware." The official public statement, Kaspersky said, is "that a control room software bug allowed an outage to cascade throughout the grid." * * * [W]e've been warned for years about SCADA, ICS, PLC and how vulnerable U.S. critical infrastructure is to attack. So when the Chinese army hackers "Comment Crew" infiltrated a water control system, it was a good thing their target turned out to be a decoy set up by Trend Micro's Kyle Wilhoit. He deployed 12 honeypots that attackers mistook for actual industrial control systems (ICS) at water plants, with about half of the 74 critical attacks being credited to China. Ten of those attacks were "sophisticated enough to wrest complete control of the dummy control system." He described [pdf] many attackers as "opportunists" and only "one appeared to be the work of Comment Crew." Wilhoit said, "These attacks are happening and the engineers likely don't know." At Black Hat, Cimation engineers Eric Forner and Brian Meixell took remote control of the programmable logic controller (PLC) on a simulation oil rig, turned the pumps on and off so it sprayed liquid - which would have been an oil pipeline rupture in real life - while sending data that made it appear as if nothing happened. Forner said, "We only had a 24-volt pump in the demo, but this [attack] could cause a complete environmental catastrophe." Also at Black Hat, during a presentation called Compromising Industrial Facilities From 40 Miles Away, security researchers from IOActive shared their findings about industrial automation and control systems (IACS) that use wireless sensors to collect data. Critical decisions are made from the remote sensor measurements, so sending false data could have disastrous consequences. Lucas Apa and Carlos Penagos showed a live demo of "temperature injection," reporting [pdf slides] that the cost of the attack was a mere $40.

Firms fortify fraud defenses (WSJ, 23 July 2013) - Thousands of companies world-wide are planning to update systems and policies that act as their first line of defense against fraud and other hidden risks, following a sweeping overhaul of the most widely used guidelines for those safeguards. The new guidelines, which many companies expect to adopt by the end of next year, are for so-called internal controls, which the government has required U.S. public companies to have in place for the past decade, as part of an effort to protect investors. Companies might, for example, establish procedures to make sure that only employees responsible for certain types of inventory can access it, or require a particular method for inputting purchase orders. Having these systems helps companies monitor the transactions for errors, impropriety or fraud. Until now, internal controls have been based on a 20-year-old framework that didn't take into account the new risks posed by mobile technology and cloud computing, as well as the rise of outsourcing and shifts in corporate governance. Such controls haven't always been high on the corporate agenda. Lack of them has been blamed for past accounting scandals at big companies like Tyco International and Satyam Computer Services Ltd. Large companies spend upward of $1 million a year on internal-controls systems, according to consulting firm Protiviti, but some investors consider it money well spent. The effort to develop effective internal controls dates back decades. The updated guidelines, released in May, come from a group of five accounting associations known as the Committee of Sponsoring Organizations of the Treadway Commission. It is the offspring of a national commission on fraudulent financial reporting in the 1980s led by then-Securities and Exchange Commissioner James C. Treadway Jr. The group published its first guidelines in 1992, but they were little used until the Sarbanes-Oxley Act of 2002 essentially forced most U.S. public companies to adopt them. The new guidelines officially replace the existing ones in December 2014. Although companies face no penalty if they don't embrace them, ignoring them could put off investors who value tight management. [Polley: Spotted by MIRLN reader Roland Trope.]

EFF to court: forced decryption unconstitutional (EFF, 23 July 2013) - You shouldn't have to surrender your constitutional rights in order to safeguard your electronic privacy. In a new amicus brief we filed today, we told a federal court in Wisconsin that ordering a man to decrypt the contents of computers seized from his apartment would violate the Fifth Amendment privilege against self-incrimination. The case involves the FBI's attempts to decrypt the contents of more than ten storage devices and hard drives found in the apartment of Jeffrey Feldman in the course of a child pornography investigation. After spending months trying to decrypt the drives, the government applied for a court order forcing Feldman to provide the government with the decrypted contents of the drives. The Fifth Amendment protects a person from being "compelled in any criminal case to be a witness against himself." The question here is whether forcing Feldman to decrypt the contents of the computer drives is "testimony" that is protected by the Constitution. The issue ultimately boils down to whether the government is forcing him to reveal the contents of his mind and communicate a fact to the government it doesn't already know. If so, then the Fifth Amendment applies and the only way the government can compel Feldman to decrypt or "testify" is to offer that person immunity from the testimony. A magistrate judge initially denied the government's request, finding the act of decryption was protected by the Fifth Amendment. The court found the government hadn't sufficiently proven that the drives in question were accessed and controlled by Feldman. That would tell the government something it didn't necessarily know: that the drives -- and their contents -- belonged to and were controlled by Feldman. That testimony would incriminate him and therefore triggered the Fifth Amendment privilege. A month later, after the government was able to decrypt a portion of one of the drives and found personal files belonging to Feldman, the magistrate reversed its earlier decision, and found that since the government had sufficiently proven access and control to one drive, Feldman could now be compelled to provide the decrypted contents of all the drives. That was because the fact the government would learn -- that the drives belonged to and were accessed and controlled by Feldman -- was essentially a "foregone conclusion" and thus the government would learn no new facts as a result of Feldman's testimony. After Feldman objected, the district court stayed the magistrate's order, agreed to review the order, and asked for new briefing on the issue. Our brief supports Feldman's argument against decryption, explaining that the act of decryption triggers the Fifth Amendment privilege. The government failed to show Feldman's access and control of the remaining unencrypted devices is a "foregone conclusion" since they were only able to decrypt a portion of one drive -- that fact alone says nothing about the remaining drives. In the absence of any additional information that shows Feldman had access and control of the drives and the content inside, the Fifth Amendment protects him from decrypting. Ultimately, if the government wants Feldman's testimony it must give him immunity that is "coextensive" with the privilege. That means the government can't use the fact Feldman decrypted the drives against him. But it also means they can't use any evidence it derives from the decryption against Feldman in a later criminal case. Last year, we scored a major victory before the Eleventh Circuit Court of Appeals which found the act of decrypting a computer was protected by the Fifth Amendment privilege and reversed a contempt of court finding and released a man from jail who refused to decrypt. We hope the court here will follow the Eleventh Circuit's lead and understand that prohibiting the government from forcing Feldman to decrypt the devices preserves Fifth Amendment protections in our digitized world.

In search of the missing link (InsideHigherEd, 24 July 2013) - Among the duties of the Judicial Conference -- an august body consisting of federal judges, overseen by the Chief Justice of the Supreme Court -- is the fostering of "uniformity of management procedures and the expeditious conduct of court business." And so it was that, four years ago this month, the Conference issued guidelines for citing Internet materials in judicial opinions. A brief statement regarding the new policy was posted to the Web, as you do. Not long ago Raizel Liebler and June Liebert, two librarians at the John Marshall Law School in Chicago, needed to refer to the Conference's announcement in their paper "Something Rotten in the State of Legal Citation: The Life Span of a United States Supreme Court Citation Containing an Internet Link (1996-2010)," which appeared a couple of weeks ago in the Yale Journal of Law and Technology. But the link for it they had filed away while doing their research was now dead. In the meantime, the document had migrated to another URL, so no damage done. In a footnote, the authors said, "The irony of being unable to access a website we wanted to cite in an article about the ephemeral nature of websites, including discussion of reasons to avoid citing websites, was not lost on us." It's a nuisance, certainly, but link rot also looms as a serious problem for the disciplinary production of knowledge, which relies, in part, on the existence of stable and documentable sources of information. Citation allows others to examine those sources -- whether to verify them or assess how accurately an author has used them, or as a basis for further research. Broken links in the bibliography are, in effect, broken links in an argument. That is particularly true given the role of law blogs, a.k.a. "blawgs," as a source of real-time legal analysis and commentary -- something the traditional, rather slow-moving law review can't do. Around the time the Commission put forward its suggested practices for citing online materials, John Doyle published an article with the wonderfully sonorous title "The Law Reviews: Do Their Paths of Glory Lead but to the Grave?" Doyle, an associate law librarian at the Washington & Lee University School of Law, concluded that the survival of the review format (let alone the chance of having any effect beyond building ambitious students' résumés) depended on making articles available online with almost blawgish rapidity.

Survey says: Fortune 500 disclosing cyber risks (Mintz Levin, 24 July 2013) - Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings. We previously analyzed how the nation's largest banks have begun disclosing their cybersecurity risks. Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance. The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the "Report"), analyzes cybersecurity disclosure by Fortune 500 public companies. The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures. Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was "material", "serious" or used a similar term, and only 2% of the companies used a stronger term, such as "critical". Following the SEC's recommendation in its guidance, 95% of the disclosing companies mentioned specific cyber risks that they face. Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks. The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks. This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance. For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

- and -

Good cyber security starts at board level, not IT (Guardian, 25 July 2013) - When people hear cyber security they automatically think of IT. So when organisations hear the words "cyber security breach" there is often a tendency to leave it with the IT department, not only to deal with the breach but to ensure the breach doesn't happen again. If I told you human error (and systems glitches) caused nearly two-thirds of data breaches globally in 2012, would you quantify that as an IT issue? Currently, what tends to happen is at the first mention of poor cyber security, all eyes turn to look at the chief information officer - but are organisations right to single him or her out? They are not. Examples of true incidents that have been labelled cyber security breaches are as follows: a mis-sent email (a strategy document sent to a competitor); commercial papers lost on a train; a former employee that was not legally prevented from taking bid information to a competitor; a laptop left on a plane with passwords attached; and careless use of social media giving away IPR, and more frequently, because it's cheaper, the use of social engineering ("new best friends" who buy you drinks all night at the bar, fascinated by your company). So what can we learn from these breaches? The majority of the above examples could have been prevented with a holistic, organisation-wide approach to cyber security. It turns out that people, the most valuable resource, are invariably also the weakest link. So every company needs to invest in its people and this starts with the board. Interestingly, especially in large engineering, manufacturing or service-based organisations, there is quite often a flourishing, vibrant and effective health and safety culture - clearly understood and rigorously adhered to by management and employees alike. But when it comes to the life blood of an organisation, its critical business information, there is often a distinct lack of collective education, training and focus to support a company's business objectives, as well as suitable ICT products to use. Moreover, effective business processes, and the governance structures necessary to foster the correct pervasive culture of information risk management are also missing. To make the necessary changes to value and exploit an organisation's information better, the board needs to be fully engaged; the cultural change needed to successfully introduce an effective health and safety regime is not too dissimilar to that of holistic cyber security and this has to start at the top; board members need to lead by example.

Leaders of the 9/11 commission say NSA surveillance has gone too far (TechDirt, 25 July 2013) - One of the key talking points from defenders of the NSA surveillance program is that they had to implement it after the 9/11 Commission revealed "holes" in information gathering that resulted in 9/11. This is a misstatement of what that report actually indicated -- in that it showed that more than enough data had actually been collected, it's just that the intelligence community didn't do anything with it. Either way, it seems that the leadership of the 9/11 Commission -- Thomas Kean and Lee Hamilton, who were the chair and vice chair of the committee respectively -- have now spoken out against the NSA surveillance efforts. And they don't hold back: The NSA's metadata program was put into place with virtually no public debate, a worrisome precedent made worse by erecting unnecessary barriers to public understanding via denials and misleading statements from senior administration officials. When the Congress and the courts work in secret; when massive amounts of data are collected from Americans and enterprises; when government's power of intrusion into the lives of ordinary citizens, augmented by the awesome power of advanced technologies, is hugely expanded without public debate or discussion over seven years, then our sense of constitutional process and accountability is deeply offended. Officials insist that the right balance has been struck between security and privacy. But how would we know, when all the decisions have been made in secret, with almost no oversight?

Feds tell Web firms to turn over user account passwords (CNET, 25 July 2013) - The U.S. government has demanded that major Internet companies divulge users' stored passwords, according to two industry sources familiar with these orders, which represent an escalation in surveillance techniques that has not previously been disclosed. If the government is able to determine a person's password, which is typically stored in encrypted form, the credential could be used to log in to an account to peruse confidential correspondence or even impersonate the user. Obtaining it also would aid in deciphering encrypted devices in situations where passwords are reused. "I've certainly seen them ask for passwords," said one Internet industry source who spoke on condition of anonymity. "We push back." A second person who has worked at a large Silicon Valley company confirmed that it received legal requests from the federal government for stored passwords. Companies "really heavily scrutinize" these requests, the person said. "There's a lot of 'over my dead body.'" Some of the government orders demand not only a user's password but also the encryption algorithm and the so-called salt, according to a person familiar with the requests. A salt is a random string of letters or numbers used to make it more difficult to reverse the encryption process and determine the original password. Other orders demand the secret question codes often associated with user accounts. A Microsoft spokesperson would not say whether the company has received such requests from the government. But when asked whether Microsoft would divulge passwords, salts, or algorithms, the spokesperson replied: "No, we don't, and we can't see a circumstance in which we would provide it."
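The CNET item describes stored passwords, the hashing algorithm and the per-user salt as three separate things a provider holds. The following Python code is an added illustration written for this newsletter entry; it is not from the article or any company it mentions. It shows the storage scheme in question from the operator's side: a password is stored as a salted one-way hash (PBKDF2-HMAC-SHA256 here), a random salt makes two accounts with the same password store different values, and a verifier needs the salt, the algorithm and the iteration count together to check a login. The function names, iteration count, user names and passwords are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters for this example (not from the article):
# PBKDF2-HMAC-SHA256, a 16-byte random salt, and a fixed iteration count.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the password.

    A fresh random salt is drawn when none is supplied, so two users who
    chose the same password end up with different stored digests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    Without the salt (and the algorithm and iteration count) the stored
    digest cannot be checked against a candidate password at all.
    """
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, stored_digest)


# In-memory stand-in for a provider's credential table: username -> (salt, digest).
UserTable = Dict[str, Tuple[bytes, bytes]]


def register(users: UserTable, username: str, password: str) -> None:
    """Store only the salt and digest; the plaintext password is never kept."""
    users[username] = hash_password(password)


def login(users: UserTable, username: str, password: str) -> bool:
    """Check a login attempt against the stored salt and digest."""
    record = users.get(username)
    if record is None:
        return False
    salt, digest = record
    return verify_password(password, salt, digest)


def same_password_shares_digest(password: str = "correct horse battery staple") -> bool:
    """True only if two registrations of one password share a stored digest.

    With random per-user salts this returns False: a table of precomputed
    digests built for one salt says nothing about accounts using other salts,
    which is the property the article's description of a salt refers to.
    """
    users: UserTable = {}
    register(users, "alice", password)
    register(users, "bob", password)
    return users["alice"][1] == users["bob"][1]


if __name__ == "__main__":
    table: UserTable = {}
    register(table, "alice", "correct horse battery staple")
    print("correct password accepted:", login(table, "alice", "correct horse battery staple"))
    print("wrong password accepted:", login(table, "alice", "Tr0ub4dor&3"))
    print("alice and bob share a digest:", same_password_shares_digest())
```

Run as a script it registers one constructed user and prints the outcome of a correct and an incorrect login, then shows that two users with the same password do not share a stored digest. The point for the article's discussion is that the digest alone is inert; it only becomes checkable, or reversible by guessing, once the salt, algorithm and iteration count travel with it, which is why requests for all three together matter more than a request for the "password" column alone.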

Major US bank offers online legal services in business hub (Virtual Law Practice, 26 July 2013) - An exciting breakthrough in online delivery is occurring through the new offering that Suntrust Bank is launching. They have partnered with a third party to create an online Business Hub which provides legal services in addition to assistance with planning, websites, data backup and finances. From the website: "This online portal helps you create legal documents, develop business plans and generate invoices and financial reports." It appears to be a one-stop shop for small business owners who need accounting and planning software, and even some marketing services. The service also claims to provide risk assessment services for businesses through the legal services tools. The online legal services are provided through a product called Legal Document Builder. According to the site, this lets the business owner handle the following: (1) Create legal documents for your business from a wide range of templates using a straightforward question and answer process; (2) Templates include: website terms and conditions, privacy policy, tenancy agreement, debt recovery letters, shareholders agreement and many more; (3) Avoid risks and disputes that could financially weaken your business and comply with Health & Safety legislation by performing risk assessments and more.

Spy agencies ban Lenovo PCs on security grounds (Financial Review, 26 July 2013) - Computers manufactured by the world's biggest personal computer maker, Lenovo, have been banned from the "secret" and "top secret" networks of the intelligence and defence services of Australia, the US, Britain, Canada, and New Zealand, because of concerns they are vulnerable to being hacked. Multiple intelligence and defence sources in Britain and Australia confirmed there is a written ban on computers made by the Chinese company being used in "classified" networks. The ban was introduced in the mid-2000s after intensive laboratory testing of its equipment allegedly documented "back-door" hardware and "firmware" vulnerabilities in Lenovo chips. A Department of Defence spokesman confirmed Lenovo products have never been accredited for Australia's secret or top secret networks. The classified ban highlights concerns about security threats posed by "malicious circuits" and insecure firmware in chips produced in China by companies with close government ties. Firmware is the interface between a computer's hardware and its operating system. Lenovo, which is headquartered in Beijing, acquired IBM's PC business in 2005. Members of the British and Australian defence and intelligence communities say that malicious modifications to Lenovo's circuitry - beyond more typical vulnerabilities or "zero-days" in its software - were discovered that could allow people to remotely access devices without the users' knowledge. The alleged presence of these hardware "back doors" remains highly classified. A security analyst at tech research firm IBRS, James Turner, said hardware back doors are very hard to detect if well designed. They were often created to look like a minor design or manufacturing fault, he said. To avoid detection, they are left latent until activated by a remote transmission.

New legal research site combines case law with crowdsourcing (Robert Ambrogi, 26 July 2013) - Imagine if you could combine a full-text case law library for research with crowdsourced editing and annotating in the style of Wikipedia and user rankings of annotations and references in the style of a site such as Digg? That, roughly speaking, is the idea behind Casetext, an innovative legal research site launched this week that provides free access to court opinions together with a platform for crowdsourcing references and annotations. At its core, Casetext is simply a case law research database. Presently, it includes all Supreme Court cases, all federal circuit cases starting from volume one of the F.2d series, all federal district court cases published in F.Supp. and F.Supp. 2d since 1980, and Delaware cases published since Volume 30 of the Atlantic reporter. But what makes the site unique is the ability of its users to add descriptions and annotations to the cases. When you view a case, the screen is divided in half. On the left side, what you first see is a section of "Quick Facts" about the case - its holding, citation, court, judges, docket number and the like. After that comes a section called "Case Wiki" with a more narrative description of the case. Following those two sections comes the case itself. Both of those first two sections - Quick Facts and Case Wiki - are fully editable by registered users. Simply click the "edit" button and revise or supplement any of the text. Click the "revisions" button to see the full history of edits by all users. Similarly, the right side of the screen contains sections for "tags," "cases," "sources," "analysis," and "record." Users can create and edit any of these items.

Multiple listing service gets favorable appellate ruling in scraping lawsuit (Eric Goldman's blog, 27 July 2013) - This is a follow-up to our massive post on anti-scraping lawsuits in the real estate industry from New Year's Eve 2012 (Note: the portion on MRIS is about halfway through the post, labeled "Same Writ, Different Plaintiff").

AHRN is a California real estate broker that owns and operates NeighborCity.com. The site gets its data in part by scraping from MLS databases--in this case, MRIS. As part of the scraping, however, AHRN had collected and displayed copyrighted photographs among the bits and pieces of general textual information about the properties. MRIS sent a cease and desist letter to AHRN, and filed suit alleging various copyright claims after the parties failed to agree on a license to use the photographs. Ultimately, a district court in Maryland granted a motion made by MRIS for a preliminary injunction.

When we last left off, the district court had revised its preliminary injunction order to enjoin only AHRN's use of MRIS's photographs--not the compilation itself or any textual elements that may be considered a part of it. Since then, AHRN appealed the injunction. On July 18th, the Fourth Circuit Court of Appeals affirmed. Case is Metropolitan Regional Information Systems, Inc. v. American Home Realty Network, Inc., 2013 WL 3722365 (4th Cir. July 17, 2013).

top

Software experts attack cars, to release code as hackers meet (Reuters, 28 July 2013) - Car hacking is not a new field, but its secrets have long been closely guarded. That is about to change, thanks to two well-known computer software hackers who got bored finding bugs in software from Microsoft and Apple. Charlie Miller and Chris Valasek say they will publish detailed blueprints of techniques for attacking critical systems in the Toyota Prius and Ford Escape in a 100-page white paper, following several months of research they conducted with a grant from the U.S. government. The two "white hats" - hackers who try to uncover software vulnerabilities before criminals can exploit them - will also release the software they built for hacking the cars at the Def Con hacking convention in Las Vegas this week. They said they devised ways to force a Toyota Prius to brake suddenly at 80 miles an hour, jerk its steering wheel, or accelerate the engine. They also say they can disable the brakes of a Ford Escape traveling at very slow speeds, so that the car keeps moving no matter how hard the driver presses the pedal.

top

AT&T's latest home broadband service isn't DSL or fiber. It's LTE (GigaOM, 29 July 2013) - AT&T has found another use for its LTE and HSPA networks besides connecting iPhones and Android devices to the internet. It's connecting homes. Ma Bell has started offering a residential broadband and voice service that relies on a 3G/4G modem for its link back to the network rather than traditional wireline access technologies. FierceWireless first spotted the new service on AT&T's website, which shows that it is now available in Delaware, Maryland, New Jersey, Pennsylvania, Virginia, West Virginia, Washington, D.C., and parts of eastern Kentucky on the West Virginia border. If those locations sound a bit odd, that's because they're all - with the exception of Kentucky - outside of AT&T's traditional wireline operating territory. In fact, they're squarely in the middle of Verizon Communications' turf.

top

Massachusetts enacts 6.25% sales tax on "prewritten" software consulting (Slashdot, 29 July 2013) - Technical Information Release TIR 13-10 becomes effective in Massachusetts on July 31st, 2013. It requires software consultants to collect a 6.25% sales tax from their clients if they perform 'computer system design services and the modification, integration, enhancement, installation or configuration of standardized software.' TIR 13-10 was published to mass.gov on July 25th, 2013 to provide the public a few working days to review the release and make comments.

top

Metadata surveillance, secrecy, and political liberty (part one) (Harvard's DMLP, 29 July 2013) - As much of the world is now undoubtedly aware, the National Security Administration (NSA), and many other signals intelligence agencies around the world, have been conducting sophisticated electronic surveillance for quite some time. Many might have expected that such extensive surveillance was occurring, both domestically and globally, prior to Edward Snowden's release of classified information in June 2013. Indeed, we've known about the existence of government-driven metadata surveillance and international intelligence cooperation and data-sharing for years. The UKUSA Agreement, which links intelligence agencies in the United States, United Kingdom, Canada, Australia and New Zealand, was declassified by the NSA in 2011, but its existence was reported much earlier. What we haven't known, perhaps, are some of the specifics (e.g., here and here) brought to light by the recent revelations - or much about the legal analysis and oversight to which such surveillance activities are subjected in practice. The fallout from Snowden's disclosures has not been limited to the U.S. either. News media in both Canada and the U.K. have released documents indicating that agencies in these countries are also conducting similar programs. Much of this surveillance appears limited to the metadata - information about information - associated with telephone calls, emails, and other forms of electronic communications. Officials are claiming that metadata is less revealing than the actual contents of our communications - although who hasn't sent or received an email that included all of its content in the subject line? However, as our landline-initiated telephone calls of the past have been largely supplanted by cellular phone, wireless, and Internet-based communication, the amount of metadata - and its ability to ascribe revealing attributes about us - has grown tremendously. Correspondingly, much more can be done with this data to reveal personal information. * * * This is not to say that eye-opening things could not be done with very simple sets of metadata about us in the past, as shown by this fascinating post by Professor Kieran Healy about using basic social network analysis to identify networks of people suspected of anti-government activities (in that case, Paul Revere and the rebellious colonists in America). Imagine what sophisticated statistical and social network analysis can do when we add large amounts of additional information and dramatically increase the number of subjects under study and the resources available to study them. The David Petraeus scandal has also shown us that metadata, like IP addresses indicating the locations where Petraeus and Paula Broadwell logged into their anonymous shared email account, can be enormously helpful in identifying people and telling stories about their lives. * * * [Polley: part two was published on 30 July, and is here.]
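To make the "simple sets of metadata" point concrete, here is an added illustration (not code from the DMLP post or from Professor Healy's analysis): starting from nothing but constructed group rosters, it builds the person-to-person co-membership network and ranks people by betweenness centrality, which singles out the one person whose records link two otherwise separate clusters. The names and groups are constructed for the example.

```python
"""Co-membership network analysis from roster metadata (added example).

Given only which person appears on which group's roster, build the
person-to-person network and rank people by betweenness centrality.
"""
from collections import deque
from itertools import combinations

# Constructed sample metadata: group name -> people listed as members.
# Two tight clusters (G1/G2 and G3/G4) share exactly one person, "Hart".
MEMBERSHIPS = {
    "G1": ["Avery", "Bell", "Cole"],
    "G2": ["Avery", "Bell", "Cole", "Hart"],
    "G3": ["Dean", "Ellis", "Ford", "Hart"],
    "G4": ["Dean", "Ellis", "Ford"],
}


def co_membership(memberships):
    """Return {frozenset({a, b}): number of groups that a and b share}."""
    shared = {}
    for members in memberships.values():
        for a, b in combinations(sorted(set(members)), 2):
            key = frozenset((a, b))
            shared[key] = shared.get(key, 0) + 1
    return shared


def person_graph(memberships):
    """Undirected adjacency: a -- b whenever they share at least one group."""
    adj = {}
    for members in memberships.values():
        for p in members:
            adj.setdefault(p, set())
    for pair in co_membership(memberships):
        a, b = tuple(pair)
        adj[a].add(b)
        adj[b].add(a)
    return adj


def betweenness(adj):
    """Brandes' algorithm for unweighted betweenness centrality."""
    bc = {v: 0.0 for v in adj}
    for s in adj:
        stack, queue = [], deque([s])
        preds = {v: [] for v in adj}
        sigma = {v: 0 for v in adj}   # number of shortest paths from s
        dist = {v: -1 for v in adj}
        sigma[s], dist[s] = 1, 0
        while queue:                  # BFS from s, recording predecessors
            v = queue.popleft()
            stack.append(v)
            for w in adj[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = {v: 0.0 for v in adj}
        while stack:                  # accumulate dependencies back to s
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1.0 + delta[w])
            if w != s:
                bc[w] += delta[w]
    # Undirected graph: every unordered pair was counted from both ends.
    return {v: score / 2.0 for v, score in bc.items()}


def rank_people(memberships):
    """People ordered from most to least 'bridging', with their scores."""
    scores = betweenness(person_graph(memberships))
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def most_central(memberships):
    """Name of the person all cross-cluster shortest paths run through."""
    return rank_people(memberships)[0][0]


if __name__ == "__main__":
    for name, score in rank_people(MEMBERSHIPS):
        print(f"{name:6s} betweenness={score:5.1f}")
    print("groups shared by Avery and Bell:",
          co_membership(MEMBERSHIPS)[frozenset(("Avery", "Bell"))])
```

With the constructed rosters, "Hart" scores 9.0 and everyone else 0.0, even though Hart appears on only two lists; the same computation on real call, email or membership records is what the post is warning about.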

top

Again, Federal Court finds cops don't need a warrant for cellphone location data (ArsTechnica, 30 July 2013) - In a new 2-1 decision published (PDF) Tuesday, the Fifth Circuit Court of Appeals has held that law enforcement does not need a warrant to obtain cell-site location information (CSLI) from a mobile phone, falling in line with other recent high-level federal court decisions. The Fifth Circuit's majority judges cited the Stored Communications Act (also known as a 2703(d) order) as grounds to allow CSLI to law enforcement. Under that federal statute, authorities can't retrieve the contents of electronic communication, but they can find out where and to whom electronic communication was sent. In contemporary cases within the last decade, law enforcement and judges have increasingly used this reasoning to obtain extensive location data that can effectively turn the phone into a tracking device. Such information previously would have required a much higher legal threshold like a probable cause-driven warrant. In the majority decision, the judges wrote (PDF) that cell site information was nothing more than a business record, which "the Government has neither 'required [n]or persuaded' providers to keep." "In the case of such historical cell site information, the Government merely comes in after the fact and asks a provider to turn over records the provider has already created," the judges continued. "Moreover, these are the providers' own records of transactions to which it is a party. The caller is not conveying location information to anyone other than his service provider. He is sending information so that the provider can perform the service for which he pays it: to connect his call."

top

Announcer-free TV? Detroit's baseball fans say yes, please (NPR, 31 July 2013) - Baseball fans often declare their love of the game's rhythm, its quiet pauses and bursts of action. For such people, watching a game on TV can be a struggle, particularly if they're annoyed by the chatter of announcers. Fans in Detroit had another option last night: watching a TV broadcast that included only the natural sounds of the ballpark. On its "Plus" channel, Fox Sports Detroit offered fans a feed of Tuesday night's game pitting the Tigers against the Washington Nationals, titled "Natural Sounds at Comerica Park." The program's only voices came from the field and the stands. The broadcast was enhanced by "extra microphones around the park so viewers can hear more of the sounds of baseball - the bat cracks, ball popping in the mitt, vendors chiming in from the stands and the crowd's reaction to every play on the field," said Fox Sports Detroit's general manager, Greg Hammaren. As the Awful Announcing site notes, the move was a hit with many viewers, who took to Twitter to call the broadcast "awesome." Others said, "Wish it was like this every game." The experiment by Fox Sports Detroit follows in the footsteps of the famous NBC broadcast from 1980, when an NFL game between the New York Jets and the Miami Dolphins was aired without announcers providing play-by-play commentary or analysis.

top

The NSA's overreach and lack of transparency is hurting American businesses (TechDirt, 31 July 2013) - One major negative side effect of the NSA leaks is the problem it's causing for US-based tech companies. Not only have they been forbidden to discuss the details and scope of their interactions with American intelligence agencies, they've also been put in the worst possible light by some of the revelations. Very simply put, the actions of the NSA harm American businesses. The NSA's control of the narrative only makes it worse as existing and potential customers have no way of knowing the full extent of the protection (or lack thereof) surrounding their data. Under the current law, companies can't even acknowledge they've received FISA court orders, much less provide statistics on frequency and compliance. Pointing to the potential fallout from the disclosures about the scale of NSA operations in Europe, [Neelie] Kroes, the European commissioner for digital matters, predicted that US internet providers of cloud services could suffer major business losses. "If businesses or governments think they might be spied on, they will have less reason to trust cloud, and it will be cloud providers who ultimately miss out. Why would you pay someone else to hold your commercial or other secrets if you suspect or know they are being shared against your wishes?" she said. "It is often American providers that will miss out, because they are often the leaders in cloud services. If European cloud customers cannot trust the United States government, then maybe they won't trust US cloud providers either. If I am right, there are multibillion-euro consequences for American companies. If I were an American cloud provider, I would be quite frustrated with my government right now."

top

France cuts back further on employee privacy (Steptoe, 1 August 2013) - France's highest appeals court (Cour de cassation) has ruled, in Monsieur X v. Young & Rubicam France, that any content found on work-issued equipment is presumed to be work-related unless marked otherwise. Accordingly, employers can legally search all emails and files found in such equipment unless they are explicitly marked as "personal." The ruling applies even to employees' personal, non-work related email accounts, as long as those accounts are accessed from workplace computers. Since the Cour de cassation first established, in Nikon France SA v. Frédéric O., an employee's right to privacy in personal messages transmitted using a workplace computer, French courts have continually narrowed the scope of these protections.

top

Judge says patent lawyers have right to science articles under 'fair use' (GigaOM, 1 August 2013) - In a sign of the times for America's intellectual property regime, a federal judge had to break up a squabble between patent lawyers and copyright lawyers over the scientific articles that are submitted as part of most patent applications. This week, US Magistrate Judge Jeffrey Keyes sided with the patent lawyers, ruling that the reason they made unlicensed copies of the articles was to comply with the law for submitting applications to the patent office - and not to compete within the market for scientific journals. Publisher John Wiley had argued that Minnesota law firm Schwegman Lundberg & Woessner had assembled a private research library and that they should pay a license fee for doing so. The judge disagreed, saying the patent lawyers qualified for "fair use" - an exception to copyright law that applies to certain activities. "These are not the acts of a 'chiseler,'" Keyes ruled at the conclusion of a four-part fair-use analysis, noting that the patent lawyers' use of the work was transformative and did not impinge on the original market for scholarly journals. He also wrote that the lawyers' copying of the work did not prevent a fair-use finding (an argument that could help Google in its long-running fight over book-scanning). The case initially turned on the journal copies that the lawyers submitted to the patent office. John Wiley, however, withdrew this claim after the Patent Office took the unusual step of issuing a public memo stating that the practice was fair use (under patent law, applicants have to submit scientific articles and other so-called prior art to show an invention is new). The publisher then chose instead to focus on the copies that the law firm used internally. In the case of Schwegman, the firm downloaded copies of the articles from the patent office or obtained them by email or on public websites. (For one article, the firm paid for a license from the American Institute of Physics but the publishers still wanted them to pay again for the internal copies they made.)

top

Cloud computing and information privacy (MLPB, 5 August 2013) - Paul M. Schwartz, of the University of California, Berkeley, Law School, has published Information Privacy In the Cloud, in volume 161 of the University of Pennsylvania Law Review (2013). Here is the abstract: Cloud computing is the locating of computing resources on the Internet in a fashion that makes them highly dynamic and scalable. This kind of distributed computing environment can quickly expand to handle a greater system load or take on new tasks. Cloud computing thereby permits dramatic flexibility in processing decisions - and on a global basis. The rise of the cloud has also significantly challenged established legal paradigms. This Article analyzes current shortcomings of information privacy law in the context of the cloud. It also develops normative proposals to allow the cloud to become a central part of the evolving Internet. These proposals rest on strong and effective protections for information privacy that are sensitive to technological changes. This Article examines three areas of change in personal data processing due to the cloud. The first area of change concerns the nature of information processing at companies. For many organizations, data transmissions are no longer point-to-point transactions within one country; they are now increasingly international in nature. As a result of this development, the legal distinction between national and international data processing is less meaningful than in the past. Computing activities now shift from country to country depending on load capacity, time of day, and a variety of other concerns. The jurisdictional concepts of EU law do not fit well with these changes in the scale and nature of international data processing. A second legal issue concerns the multi-directional nature of modern data flows, which occur today as a networked series of processes made to deliver a business result. Due to this development, established concepts of privacy law, such as the definition of "personal information" and the meaning of "automated processing," have become problematic. There is also no international harmonization of these concepts. As a result, European Union and U.S. officials may differ on whether certain activities in the cloud implicate privacy law. A final change relates to a shift to a process-oriented management approach. Users no longer need to own technology, whether software or hardware, that is placed in the cloud. Rather, different parties in the cloud can contribute inputs and outputs and execute other kinds of actions. In short, technology has provided new answers to a question that Ronald Coase first posed in "The Nature of the Firm." New technologies and accompanying business models now allow firms to approach "make or buy" decisions in innovative ways. Yet, privacy law's approach to liability for privacy violations and data losses in the new "make or buy" world of the cloud may not create adequate incentives for the multiple parties who handle personal data.

top

Photographer who spied on Tribeca 'neighbors' wins legal battle in privacy court case (Int'l Business Times, 6 August 2013) - The Tribeca artist who secretly snapped photos of his across-the-street neighbors won a decisive victory last week when a Manhattan judge dismissed a legal complaint filed by the parents of two of his underage subjects. In a court decision on Friday, State Supreme Court Judge Eileen Rakower ruled in favor of Arne Svenson, whose controversial exhibit "The Neighbors" featured photos of New York apartment-dwellers taken without their consent. Using a telephoto lens, Svenson took pictures through his neighbors' windows at the Zinc building, a luxury Tribeca condo with floor-to-ceiling glass windows. Svenson lives across the street from the building. In a blog post Monday, Mickey Osterreicher, general counsel for the National Press Photographers Association, posted the judge's decision.

top

DEA and NSA team up to share intelligence, leading to secret use of surveillance in ordinary investigations (EFF, 6 August 2013) - A startling new Reuters story shows one of the biggest dangers of the surveillance state: the unquenchable thirst for access to the NSA's trove of information by other law enforcement agencies. As the NSA scoops up phone records and other forms of electronic evidence while investigating national security and terrorism leads, they turn over "tips" to a division of the Drug Enforcement Agency ("DEA") known as the Special Operations Division ("SOD"). FISA surveillance was originally supposed to be used only in certain specific, authorized national security investigations, but information sharing rules implemented after 9/11 allow the NSA to hand over information to traditional domestic law-enforcement agencies, without any connection to terrorism or national security investigations. But instead of being truthful with criminal defendants, judges, and even prosecutors about where the information came from, DEA agents are reportedly obscuring the source of these tips. For example, a law enforcement agent could receive a tip from SOD-which SOD, in turn, got from the NSA-to look for a specific car at a certain place. But instead of relying solely on that tip, the agent would be instructed to find his or her own reason to stop and search the car. Agents are directed to keep SOD under wraps and not mention it in "investigative reports, affidavits, discussions with prosecutors and courtroom testimony," according to Reuters. The government calls the practice "parallel construction," but deciphering their double speak, the practice should really be known as "intelligence laundering." This deception and dishonesty raises a host of serious legal problems. First, the SOD's insulation from even judges and prosecutors stops federal courts from assessing the constitutionality of the government's surveillance practices. Last year, Solicitor General Donald Verrilli told the Supreme Court that a group of lawyers, journalists and human rights advocates who regularly communicate with targets of NSA wiretapping under the FISA Amendments Act (FAA) had no standing to challenge the constitutionality of that surveillance. But Verrilli said that if the government wanted to use FAA evidence in a criminal prosecution, the source of the information would have to be disclosed. When the Supreme Court eventually ruled in the government's favor, finding the plaintiffs had no standing, it justified its holding by noting the government's concession that it would inform litigants when FAA evidence was being used against them.

top

Lawyers' use of cloud shows big jump in ABA tech survey (Robert Ambrogi, 6 August 2013) - The percentage of lawyers who say they use cloud-based software and services jumped from 21 percent in 2012 to 31 percent this year, according to the 2013 ABA Legal Technology Survey Report. Given that the percentage had held somewhat steady for three years - 20 percent in 2010, 16 percent in 2011 and 21 percent in 2012 - this year's increase of 10 percentage points reflects a significant move into cloud computing by the legal profession. Not surprisingly, the smaller the firm, the more likely its lawyers are to use the cloud, the survey indicates. Forty percent of solo lawyers now use the cloud, compared to 29 percent in 2012 and 23 percent in 2011. Of lawyers at firms of 2-9 members, 36 percent use the cloud, followed by 30 percent at firms of 10-49 attorneys and 19 percent at firms of 100 or more attorneys. When asked which cloud services they had used, lawyers' most common answer was Dropbox, cited by 58 percent of those who had used a cloud service. Of legal-specific cloud services, the most commonly mentioned was the practice-management platform Clio, cited by 13 percent of lawyers who had used a cloud service.

top

Federal Court doesn't 'Like' service of process via Facebook (Eric Goldman's blog, 7 August 2013) - People have mused about the inevitability of service of process via Facebook, but a recent decision shows that it may not be so quick to happen. Joe Hand sued Carrette for unlawful broadcasting. After several unsuccessful attempts at service, it sought permission to serve via Facebook. The court says Rule 4(e) and (h) of the Federal Rules of Civil Procedure contemplate various methods of service, but alternate service via means not listed in Rule 4 is all about due process. Email has been allowed in cases but only where the plaintiff demonstrates that service via email is likely to reach the defendant. The court says that no US court has allowed service via Facebook only. (In one FTC case the FTC sought to serve via email and Facebook; the court allowed the request but noted that if the FTC sought to serve only via Facebook it may not have been amenable.) The court overall has concerns regarding the reliability of Facebook for notice: Anyone with an e-mail address can access Facebook and create a profile 'using real, fake or incomplete information.' As a practical matter, the court cannot verify that the Facebook profile supposedly belonging to a defendant is real unless the movant presents the court with adequate evidence proving its authenticity. Case is Joe Hand Promotions, Inc. v. Carrette, 12-2633-CM (D. Kan. July 9, 2013).

top

N.S.A. said to search content of messages to and from U.S. (NYT, 8 August 2013) - The National Security Agency is searching the contents of vast amounts of Americans' e-mail and text communications into and out of the country, hunting for people who mention information about foreigners under surveillance, according to intelligence officials. The N.S.A. is not just intercepting the communications of Americans who are in direct contact with foreigners targeted overseas, a practice that government officials have openly acknowledged. It is also casting a far wider net for people who cite information linked to those foreigners, like a little used e-mail address, according to a senior intelligence official. While it has long been known that the agency conducts extensive computer searches of data it vacuums up overseas, that it is systematically searching - without warrants - through the contents of Americans' communications that cross the border reveals more about the scale of its secret operations. Government officials say the cross-border surveillance was authorized by a 2008 law, the FISA Amendments Act, in which Congress approved eavesdropping on domestic soil without warrants as long as the "target" was a noncitizen abroad. To conduct the surveillance, the N.S.A. is temporarily copying and then sifting through the contents of what is apparently most e-mails and other text-based communications that cross the border. [Polley: and, what does "that cross the border" mean?]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The Wired 40 (Wired, June 2003) -- Meet the masters of innovation, technology, and strategic vision - 40 companies that are reshaping the global economy. Much has changed since 1998, when we launched our list of the 40 most wired companies. The tech boom and bust unleashed a wave of creative destruction that proved far more tempestuous than anyone had imagined. Our list, too, has seen its share of turmoil. Only 10 of the original 40 companies remain. This year's 13 new entries include inspired upstarts like Netflix and reinventions like BP. The growing power of Linux is reflected by the selection of open source-friendly IBM and the removal of Sun. Topping the list is Google, a private firm so compelling we bent our public-only rule to include it. We've also changed the name of the list from the Wired Index to the Wired 40. This reaffirms the original mission to highlight companies driven by innovative thinking, not marketplace brawn. Name aside, the selection criteria remain unaltered. This remarkable roster has demonstrated mastery of today's business essentials: innovation, technology, strategic vision, global reach, and networked communication. We've ranked them accordingly. [Editor in 2003: Schlumberger, AOL and Sun have fallen off the list for the first time; BP has been added. Editor in 2013: interesting to see which of these top-40 are still around, still leaders.]

top

Disney to Slip DVDs a Mickey (CNET, 16 May 2003) -- This disc will self-destruct in 48 hours. That is the warning Walt Disney will issue this August when it begins to "rent" DVDs that are set to become unplayable after two days and that therefore do not have to be returned. Disney home video unit Buena Vista Home Entertainment will launch a pilot movie "rental" program in August that uses self-destruction technology, the company said Friday. The discs stop working when a process similar to rusting makes them unreadable. The discs start off red, but when they are taken out of the package, exposure to oxygen eventually turns the coating black and makes it impenetrable by a DVD laser. Buena Vista hopes the technology will let it crack a wider rental market, since it can sell the DVDs in stores, or almost anywhere, without setting up a system to get the discs back. The discs work perfectly for the two-day viewing window, said Flexplay Technologies, the private company that developed the technology using material from General Electric. The technology cannot be hacked by programmers who would want to view the disc longer, because the mechanism that closes the viewing window is chemical and has nothing to do with computer technology. However, the disc can be copied within 48 hours, since it works like any other DVD during that window.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, sans@sans.org

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
