re last MIRLN story " Dutch government pays millions to extend Microsoft XP support ", we heard: "How many institutions and enterprises are now going back to revise their TCO for Windows XP to accommodate these added end-of-life support costs? And moreover, how many are now realizing that their failure at the time to assess the promises made by M$ (which have been fully met--they never promised to support XP even this long) have now added costs they never budgeted for? And how much of that stems from lawyers failing to consider consequences, or taking time to explain, and so forth? The profession's continuing disconnect from the facts of what it is reviewing (combined with too many clients' unjustified presumption that the lawyers actually know things) is only getting worse IMHO." - from MIRLN reader Michael Fleming - @flemingmf]
- The Heartbleed bug: data breach and liability risks
- Government employees cause nearly 60% of public sector cyber incidents
- We need online alter egos now more than ever
- FBI warning highlights healthcare's security infancy
- Didn't read those terms of service? Here's what you agreed to give up
- Phones are giving away your location, regardless of your privacy settings
- DOE issues guidance on electric grid cybersecurity
- Google halts student Gmail advertisement scans
- Cybersecurity examiner for securities industry gets failing grade
- Apple, Facebook, others defy authorities, notify users of secret data demands
- Apple releases guidelines for law enforcement data requests
- FTC told to disclose the data security standards it uses for breach enforcement
- US contractors scale up search for Heartbleed-like flaws
- Legal Loop: ABA on lawyers mining social media for evidence
- Why ABA opinion on jurors and social media falls short
- Level 3 accuses five unnamed US ISPs of abusing their market power in peering
- Target CEO Gregg Steinhafel resigns in data breach fallout
- 100 lawyers in a room: Target case draws the suits to St. Paul
- Aspen doesn't want you to own your own casebooks
- The importance of cybersecurity to the legal profession and outsourcing as a best practice
- FCC decides that it will no longer enforce the Zapple doctrine - killing the last remnant of the Fairness Doctrine
- Intelligence policy bans citation of leaked material
- Is U.S. cybersecurity plan a carrot, stick or legal nightmare?
- Federal Election Commission says political action committees can accept payment via Bitcoins
- Hackers now crave patches, and Microsoft's giving them just what they want
- Are APIs patent or copyright subject matter?
- Forged certificates common in HTTPS sessions
- Which World Bank reports are widely read?
- Purge pay TV, binge on data: Cord-cutters are gulping down bandwidth
- Comcast plans data caps for all customers in 5 years, could be 500GB
The Heartbleed bug: data breach and liability risks (Jones Day, 17 April 2014) - * * * Beyond the obvious implications inherent to the loss of such data, companies may now have an obligation to report past data breaches that were thought not to trigger reporting obligations because the lost data was encrypted and otherwise inaccessible by unauthorized people. The discovery of the heartbleed bug means that such data may have been accessible after all. [ Polley : Pretty startling suggestion, with which I take issue.]
Government employees cause nearly 60% of public sector cyber incidents (NextGov, 22 April 2014) - About 58 percent of cyber incidents reported in the public sector were caused by government employees, according to an annual data breach report compiled by Verizon. Most (34 percent) of the insider incidents in the global public sector during the past three years were miscellaneous errors such as emailing documents to the wrong person. Unapproved or malicious use of data by public servants accounted for 24 percent of reported incidents. By contrast, cyber espionage accounted for 30 percent and 40 percent of incidents in the manufacturing and mining industries, respectively. And 41 percent of the incidents reported in the information sector involved break-ins through website weaknesses. Miscellaneous errors represented only 1 percent of reports in that industry.
We need online alter egos now more than ever (Harvard's Judith Donath writing in Wired, 25 April 2014) - Online, I use my real name for many things. But sometimes, I prefer to use a pseudonym. Not because I want to anonymously harass people or post incendiary comments unscathed; no, I simply want to manage the impression I make, while still participating in diverse conversations and communities. "Hold on!" some of you are saying. "Writing under a fake name is a form of lying. It's cowardly and the tactic of bullies and trolls. We need to make people use their real names online to ensure civility and trust." Indeed, whenever a new controversy about cyberbullying or anonymous rumors arises, a frequently offered "solution" is to ban anonymous comments and insist that people use real names. But this approach focuses on the wrong issue and creates a false dichotomy, presenting the choices as either fully identified, real names or untraceable anonymity. Instead, we should focus on how to design for keeping online discourse civil and constructive. And this involves supporting the middle ground, pseudonymous identities, which can provide both accountability and privacy.
FBI warning highlights healthcare's security infancy (InfoWeek, 25 April 2014) - Hospitals may be able to give a clean bill of health to their patients, but infections from malware require a diagnosis of a different kind. Earlier this month, the FBI issued a warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and the possibility of increased attacks is likely. The threat to the healthcare industry can come in all shapes and sizes. St. Joseph Health System in Texas, for example, acknowledged in February it was hit by an attack in December that exposed information on 405,000 employees and their beneficiaries as well as current and former patients. More recently, there have been reports about attacks on Boston Children's Hospital suspected by some to have been carried out by hacktivists in the Anonymous collective. According to Verizon's latest data breach report , the firm analyzed 26 breaches of healthcare organizations in 2013. Seven of these incidents were confirmed to have resulted in the loss of data, the report notes. The two main reasons for data breaches in the industry cited in the report were physical loss or theft of a device and miscellaneous errors where unintentional actions directly compromised security. "The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face," says Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner. "Healthcare is where the financial industry was 10- to 12 years ago in terms of IT security." Late last year PwC released a survey that provided two key takeaways: Security programs have not been particularly effective at blocking actual incidents and more than two thirds of respondents said current or former employees were likely the source of security incidents that were detected, Coady says.
Didn't read those terms of service? Here's what you agreed to give up (NYT, 28 April 2014) - On Twitter, Facebook and other sites that promote sharing of content, users can typically choose whether they want to post their updates publicly to everyone or carefully select their audience. But even careful users may not be aware that sites where they post their status updates, photos, videos, fiction or digital art may be able to repurpose that content, using it for marketing or remixing it with other people's submissions and republishing it. In fact, the terms of service on many sites are so wordy and so legalistic that users may not understand - or even be aware of - the intellectual property rights that they cede when they check the "agree" box to set up an account, according to a new study from researchers at the Georgia Institute of Technology . Take Craigslist, where, the researchers reported, people who wanted to post were obliged to give the site license "to copy, perform, display, distribute, prepare derivative works from (including, without limitation, incorporating into other works) and otherwise use any content that you post." The Georgia Tech study reviewed 30 popular social networking and creative community sites that encourage people to share material, examining the rights to use work that were claimed in the sites' terms of service agreements. Sites examined in the study included: Wikipedia, LinkedIn, Pinterest, YouTube, Flickr, IMDB, Facebook, Twitter, Google Plus, Remix64 and Fanfiction.net. Of course, people who wish to see their creative work published need to permit certain uses - like authorizing a site to publicly post their content. But users may be surprised to learn about other permission they must grant in order to use a site. For instance, the study reported that 11 of the sites required users to agree that the sites could license their content to a third party.
Phones are giving away your location, regardless of your privacy settings (Quartz, 28 April 2014) - Sensors in your phone that collect seemingly harmless data could leave you vulnerable to cyber attack, according to new research. And saying no to apps that ask for your location is not enough to prevent the tracking of your device. A new study has found evidence that accelerometers-which sense motion in your smartphone and are used for applications from pedometers to gaming-leave "unique, trackable fingerprints" that can be used to identify you and monitor your phone. Here's how it works, according to University of Illinois electrical and computer engineering professor Romit Roy Choudhury and his team: Tiny imperfections during the manufacturing process make a unique fingerprint on your accelerometer data. The researchers compared it to cutting out sugar cookies with a cookie cutter-they may look the same, but each one is slightly, imperceptibly different. When that data is sent to the cloud for processing, your phone's particular signal can be used to identify you. In other words, the same data that helps you control Flappy Bird can be used to pinpoint your location. Choudhury's team was able to identify individual phones with 96% accuracy. "Even if you erase the app in the phone, or even erase and reinstall all software," Choudhury said in a press release, "the fingerprint still stays inherent. That's a serious threat." Moreover, Choudhury suggested that other sensors might be just as vulnerable: Cameras, microphones, and gyroscopes could be leaving their smudgy prints all over the cloud as well, making it even easier for crooks to identify a phone.
DOE issues guidance on electric grid cybersecurity (The Hill, 28 April 2014) - The Department of Energy (DOE) issued recommendations Monday for how the energy industry and its suppliers should build cybersecurity protections into power delivery systems. The guidance lays out language that utilities and other should use in the procurement process to ensure that they're buying the right products and features to keep the electric grid safe from cyber attacks, DOE said. It followed a 2009 guidance on cybersecurity that focused on power control systems. "The Energy Department is committed to building a stronger and more secure electric grid through partnerships with industry, state and local governments and other federal agencies," Energy Secretary Ernest Moniz said in a Monday statement. "As we deploy advanced technologies to make the U.S. power grid more reliable and resilient, we must simultaneously advance cybersecurity protections." DOE touted the guidance as a product of a partnership with the private sector and the agency's research laboratories.
Google halts student Gmail advertisement scans (BBC, 30 April 2014) - Google has stopped scanning millions of Gmail accounts linked to an educational scheme - a process it uses to target adverts. The decision includes email accounts associated with Google Apps for Education (GAE) . This initiative provides teachers and students with access to free apps and storage, as well as customised @schoolname.edu email addresses. The move follows reports the scans might have breached a US privacy law. Google highlighted its use of such scans when it updated its terms and conditions last month. "Our automated systems analyse your content (including emails) to provide you personally-relevant product features, such as customised search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored," the terms read . However, the Education Week website said this data-mining activity might place the firm in breach of the US Family Educational Rights and Privacy Act. "We've permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes," wrote Google for Education director Bram Bout on a company blog. The change is also promised for users who signed up to Gmail as part of the service while at school or university, but have now moved on.
Cybersecurity examiner for securities industry gets failing grade (Steptoe, 1 May 2014) - The Securities and Exchange Commission is continuing to assert itself in the field of cybersecurity. On April 15, the agency's Office of Compliance Inspections and Examinations announced that, as part of its cybersecurity preparedness initiative, it will examine the cybersecurity practices of more than 50 registered broker-dealers and investment advisers. Simultaneously, it released a sample list of requests for information that it may use during these examinations. Ironically, a Government Accountability Office report, released on April 17, finds that the SEC's own cybersecurity is not up to snuff.
Apple, Facebook, others defy authorities, notify users of secret data demands (Washington Post, 1 May 2014) - Major U.S. technology companies have largely ended the practice of quietly complying with investigators' demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure. This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered. Fueling the shift is the industry's eagerness to distance itself from the government after last year's disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July. As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries. The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders.
- and -
Apple releases guidelines for law enforcement data requests (CNET, 7 May 2014) - Apple has published a new set of guidelines regarding how law enforcement agencies and other government entities may request information from the company about user data. The new rules , which were posted to Apple's website late Wednesday, reflect Apple's move toward notifying its customers when it receives law enforcement requests for user data. "Apple will notify its customers when their personal information is being sought in response to legal process except where providing notice is prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), or by applicable law or where Apple, in its sole discretion, believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals or in situations where the case relates to child endangerment," the guidelines state. Apple says it can extract active user-generated data from native apps on passcode-locked iOS such as SMS, photos, videos, contacts, audio recording, and call history. However, it can't provide email, calendar entries, or any third-party app data. Also it can only perform data extraction from devices running iOS 4 or later "in good working order" at its Cupertino headquarters. Apple also said that upon the receipt of a valid wiretap order, it can intercept users' email communications but not their iMessage or FaceTime communications because those communications are encrypted.
FTC told to disclose the data security standards it uses for breach enforcement (Computerworld, 2 May 2014) - The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency's chief administrative law judge ruled Thursday. The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010. LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place. The judge held that while LabMD may not inquire about the FTC's legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC's Bureau of Consumer Protection "shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial," Chappell ruled. [ Polley : Steptoe writes : "LabMD is surely hoping that having the FTC acknowledge on the record that it does not actually have "data security standards" will underscore - for the ALJ, for courts, for Congress, and the public - LabMD's contention that the FTC is acting as a lawless bully."]
US contractors scale up search for Heartbleed-like flaws (Bloomberg, 2 May 2014) - On Florida's Atlantic coast, cyber arms makers working for U.S. spy agencies are bombarding billions of lines of computer code with random data that can expose software flaws the U.S. might exploit. In Pittsburgh, researchers with a Pentagon contract are teaching computers to scan software for bugs and turn them automatically into weapons. In a converted textile mill in New Hampshire, programmers are testing the combat potential of coding errors on a digital bombing range. Across the U.S., a new league of defense contractors is mining the foundation of the Internet for glitches that can be turned to the country's strategic advantage. They're part of a cybermilitary industrial complex that's grown up in more than a dozen states and employs thousands of civilians, according to 15 people who work for contractors and the government. The projects are so sensitive their funding is classified, and so extensive a bid to curb their scope will be resisted not only by intelligence agencies but also the world's largest military supply chain. "We're in an arms race," said Chase Cunningham, the National Security Agency's former chief cryptologic technician. The competition to find exploitable bugs before an enemy does is as intense as "the space race and the Cold War combined." The U.S. has poured billions of dollars into an electronic arsenal built with so-called zero-day exploits, manipulations of missteps or oversights in code that can make anything that runs on a computer chip vulnerable to hackers. They go far beyond flaws in web encryption like SSL and OpenSSL, which the NSA has exploited for years without warning the public about it, according to people with knowledge of the matter. The agency's stockpile of exploits runs into the thousands, aimed at every conceivable device, and many are not disclosed even to units within the agency responsible for defending U.S. government networks, people familiar with the program said. Michael Daniel, the White House cybersecurity coordinator, said in a blog post this week that "building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest."
Legal Loop: ABA on lawyers mining social media for evidence (NY Daily Record, 4 May 2014) - Social media has been around for more than a decade now and its impact on our society is indisputable. But it's only been in recent years that lawyers have begun to fully realize what a treasure trove of useful information can be obtained from social media throughout the litigation process. Of course, mining social media for evidence has both drawbacks and benefits. Lawyers who seek to use social media evidence to obtain evidence for their cases must tread carefully and ensure that they fully comply with their ethical obligations when doing so. Fortunately, there is a good amount of guidance available since a number of jurisdictions have addressed the ethics of mining social media for evidence. For the most part, the ethics boards have concluded that lawyers may not engage in deception when attempting to obtain information on social media, regardless of whether the party from whom information is sought is represented by counsel. See, for example: Oregon State bar Ethics Committee Op. 2013-189 (lawyer may access an unrepresented individual's publicly available social media information but "friending" known represented party impermissible absent express permission from party's counsel); New York State Bar Opinion No. 843 [9/10/10] (attorney or agent can look at a party's protected profile as long as no deception was used to gain access to it); New York City Bar Association Formal Opinion 2010-2 (attorney or agent can ethically "friend" unrepresented party without disclosing true purpose, but even so it is better not to engage in "trickery" and instead be truthful or use formal discovery); Philadelphia Bar Association Opinion 2009-02 (attorney or agent cannot "friend" unrepresented party absent disclosure that it relates to pending lawsuit); San Diego County Bar Association Opinion 2011-2 (attorney or agent can never "friend" represented party even if the reason for doing so is disclosed); and New York County Lawyers Association Formal Opinion No. 743 (attorney or agent can monitor jurors' use of social media, but only if there are no passive notifications of the monitoring. The attorney must tell court if s/he discovers improprieties and can't use the discovery of improprieties to gain a tactical advantage). The American Bar Association's Standing Committee on Ethics and Responsibility weighed in just last month. In Opinion 466, the committee considered "whether a lawyer who represents a client in a matter that will be tried to a jury may review the jurors' or potential jurors' presence on the Internet leading up to and during trial, and, if so, what ethical obligations the lawyer might have regarding information discovered during the review."
- and -
Why ABA opinion on jurors and social media falls short (NY Law Journal, 5 May 2014) - We write in response to ABA Formal Opinion 466 entitled, "Lawyer Reviewing Jurors' Internet Presence," issued April 24, 2014. It provides in relevant part that it is not an ethically prohibited communication if "a juror or potential juror may become aware that a lawyer is reviewing his Internet presence when a network setting notifies the juror of such." We suggest that the ABA opinion does not appropriately protect jurors and insulate them from outside influences such as contact by counsel. We believe that the appropriate way to proceed when seeking to investigate jurors is set forth in the "Social Media Ethics Guidelines" issued on March 18, 2014 by the Commercial and Federal Litigation Section of the New York State Bar Association. Guideline 5.B provides that: "[a] lawyer may view the social media ... of a prospective juror or sitting juror provided that there is no communication (whether initiated by the lawyer, agent or automatically generated by the social media network) with the juror." This guideline is based on the well-reasoned New York County Lawyers' Association Formal Opinion No. 743 (May 18, 2011) and New York City Bar Association Formal Opinion 2012-02. Specifically, the city bar opinion provides: "[a] request or notification transmitted through a social media service may constitute a communication even if it is technically generated by the service rather than the attorney, is not accepted, is ignored, or consists of nothing more than an automated message of which the 'sender' was unaware. In each case, at a minimum, the researcher imparted to the person being researched the knowledge that he or she is being investigated." The ABA opinion, however, does make two recommendations: (1) that lawyers "be aware of these automatic, subscriber-notification procedures," and (2) "lawyers who review juror social media should ensure that their review is purposeful and not crafted to embarrass, delay, or burden the juror or the proceeding." We agree with these recommendations, but believe that they do not go far enough.
Level 3 accuses five unnamed US ISPs of abusing their market power in peering (GigaOM, 5 May 2014) - Level 3 Communications, a company that provides bandwidth for a wide variety of customers trying to get content from point A to point B on the internet, just accused five U.S. ISPs and one European ISP of using their market power to interfere with how traffic flows from Level 3 onto the ISPs' last-mile network. The result is that customers of those ISPs experience degraded quality for services going over Level 3′s network. This is a so-called peering problem . The topic has been in the news since early this year, when consumers began complaining about the quality of their Netflix , Hulu and Amazon Instant Video streams on networks like Comcast, AT&T, Verizon and Time Warner Cable. The issue is that at the interconnection points where Netflix traffic attempts to enter the last-mile ISP's network, there isn't enough capacity. Usually, when that happens, the transit provider or the content provider negotiate to add more capacity by opening up more ports. However, in recent months Level 3, Netflix and Cogent have all gone public accusing some ISPs of keeping those ports congested while trying to charge above-market rates for direct interconnection. Netflix has signed such a direct interconnection agreement with both Comcast and Verizon . But it isn't happy about it and accuses the ISPs of abusing their market power to extract payments from content companies trying to serve the last mile. These peering agreements are deeply held secrets, which means the FCC will have to force providers to disclose the terms of their agreements and what traffic looks like on their networks. By sharing some of its network details, Level 3 is offering us a transparency strip tease, giving us (and the FCC) a glimpse of the data it has without naming names.
Target CEO Gregg Steinhafel resigns in data breach fallout (Forbes, 5 May 2014) - Target's TGT -0.72% CEO is the latest casualty of the widespread data breach that saw hackers steal personal data and credit card information from millions of customers. On Monday, the Minneapolis-based retail chain announced that 35-year company veteran Gregg Steinhafel had stepped down effective immediately. Target's statement referred to Steinhafel's handling of the disastrous data breach that unfolded in December, when it became apparent that as many as 40 million shoppers' credit card details and 70 million customers' personal data, like addresses and numbers, had been compromised * * *
- and -
100 lawyers in a room: Target case draws the suits to St. Paul (TwinCities.com, 14 May 2014) - The Target data breach is now the subject of a massive court case, and Wednesday, nearly 100 lawyers from across the country crowded into a St. Paul courtroom as the legal jockeying began. More than 140 lawsuits -- filed against Target by consumers, shareholders and banks -- have been consolidated before U.S. District Judge Paul Magnuson. With so many players, the judge made it clear that resolving the mess will be a long slog, and he won't tolerate stalling. "I know Target would like to have big, long, indefinite stays," Magnuson said at Wednesday's case management conference. "I don't think it's appropriate." Gathered in the courtroom were scores of attorneys who had variously handled huge cases, including 9/11 lawsuits, the NFL antitrust case, the Sony data breach, the TJX data breach and the Heartland Payment data breach. "I'm beginning to learn this data breach business is quite a cottage industry," Magnuson said. Those lawyers are now focusing their firepower on Target Corp., where 40 million shoppers had their credit- and debit-card data stolen by cyberthieves during the past holiday shopping season. Much of the stolen information was sold online to other criminals, which alarmed shoppers and led to sizeable losses. And possibly some 70 million additional shoppers had other data compromised. The cases will be grouped into three clusters. The largest group of 111 cases is the consumer lawsuits. A second group of 29 cases was filed by banks and credit unions, which suffered fraud losses and the costs of reissuing cards. A third group of four cases is shareholder lawsuits.
Aspen doesn't want you to own your own casebooks (Laboratorium, 6 May 2014) - Aspen imprint is a leading publisher of law school casebooks. Over the years, it's built a reputation for high editorial and design standards. Some of its casebooks, like Property, by the late Jesse Dukeminier et al., are perennially popular. I like to tell new Property professors that no one ever got fired for assigning Dukeminier. Unfortunately, Aspen has chosen to use Dukeminier's Property in launching a disturbing new program: the "Connected Casebook. The official website isn't live yet, but law professor Josh Blackman blogged about an email he received from Aspen describing the program. My account follows his. In brief, students, will be required to "buy" a Connected Casebook, which consists of two pieces. First, there is "lifetime access" to a digital version of the casebook, together with various supplementary materials. Second, there is a bound physical version of the casebook, which students can highlight and mark up freely, "but which must be returned to us at the conclusion of the class." The obvious goal is to dry up the used book market by draining the supply of used copies. But as Josh points out, it seems unlikely that every student will return the physical book. Rather, reading between the lines, Aspen may argue that the physical book is "licensed" rather than "sold" under the reasoning of cases like Vernor v. Autodesk . The result would be that first sale (the right of the owner of a book, or a DVD, or any other copy of a copyrighted work to resell it freely) would never attach, since the students wouldn't be "owners" of their physical copies. [ Polley : this seemed ill-conceived when announced, and Aspen was back-peddling within a day; Prof James Grimmelmann @grimmelm led the forces, and routed Aspen; it was a nice Twitter feed to watch unfold.]
The importance of cybersecurity to the legal profession and outsourcing as a best practice (e-Discovery Team blog, 8 May 2014) - Cybersecurity should be job number one for all attorneys. Why? Because we handle confidential computer data, usually secret information that belongs to our clients, not us. We have an ethical duty to protect this information under Rule 1.6 of the ABA Model Rules of Professional Conduct . If we handle big cases, or big corporate matters, then we also handle big collections of electronically stored information (ESI). The amount of ESI involved is growing every day. That is one reason that Cybersecurity is a hard job for law firms. The other is the ever increasing threat of computer hackers. The threat is now increasing rapidly because there are now criminal gangs of hackers, including the Chinese government , that have targeted this ESI for theft. These bad hackers, knows as crackers , have learned that when they cannot get at a company's data directly, usually because it is too well defended, or too risky to attack, there is often a back door to this data by way of the company lawyers. The hackers focus their industrial espionage on the law firms that collect vast amounts of data from corporate clients as part of e-discovery and corporate due diligence. The hackers have found from successful intrusions that most firms are lax in cybersecurity, or as I have put it before: law firms are the soft underbelly of corporate cybersecurity . Best Practices in e-Discovery for Handling Unreviewed Client Data . Also see: China-Based Hackers Target Law Firms to Get Secret Deal Data (Bloomberg 2012). According to Bloomberg's 2012 article, cybersecurity experts estimated that at least 80 major U.S. law firms were hacked in 2011. Indications suggest the attacks have intensified since 2011. See eg. Law Firms Are Pressed on Security for Data (NYT, 2014); Big Law Firms Are Most Vulnerable To Hackers: ABA Panel (Law 360, 2013); Attacking the Weakest Link: BYOD in the Law Firm Culture (Huffington 2014). The legal profession needs to recognize this threat and take immediate action to defend against cyber intrusions of client data. One solution is the action that I recommend: outsource e-discovery data possession and cybersecurity of large collections of client data to trusted professionals. I follow my own advice on best practices. My law firm has outsourced e-discovery data possession and cybersecurity to trusted professionals, in our case, Kroll Ontrack . [ Polley : What do you think? Is outsourcing a good idea? Can it help solve the problem?]
FCC decides that it will no longer enforce the Zapple doctrine - killing the last remnant of the Fairness Doctrine (Broadcast Law Blog, 8 May 2014) - The Zapple Doctrine was an outgrowth of the FCC's Fairness Doctrine. The Zapple Doctrine required that broadcast stations that give air time to the supporters of one candidate in an election give time to the supporters of competing candidates as well. Even though the Fairness Doctrine has been defunct for years, having had various manifestations of the Doctrine declared unconstitutional either by the Courts or the FCC, Zapple apparently lived on, or at least a death certificate had never been issued (see, for instance, our articles mentioning the continued life support of the Doctrine, here and here ). Thus stations had to be concerned about giving air time to supporters of political candidates for fear of having to provide a similar amount of time to those supporting competing candidates. Apparently, that uncertainty has now been resolved, as in two just released cases, the FCC"s Media Bureau has declared that Zapple, like the rest of the Fairness Doctrine, is dead. The cases just decided (available here and here ) both involved the recall election of Wisconsin Governor Scott Walker, where complaints were filed against the renewals of two radio stations, complaining that those stations did not provide equal opportunities to supporters of Walker's recall opponent even though station hosts provided on-air support for Walker. The FCC rejected those complaints, declaring: Given the fact that the Zapple Doctrine was based on an interpretation of the fairness doctrine, which has no current legal effect, we conclude that the Zapple Doctrine similarly has no current legal effect.
Intelligence policy bans citation of leaked material (NYT, 8 May 2014) - The Obama administration is clamping down on a technique that government officials have long used to join in public discussions of well-known but technically still-secret information: citing news reports based on unauthorized disclosures. A new pre-publication review policy for the Office of Director of National Intelligence says the agency's current and former employees and contractors may not cite news reports based on leaks in their speeches, opinion articles, books, term papers or other unofficial writings. Such officials "must not use sourcing that comes from known leaks, or unauthorized disclosures of sensitive information," it says. "The use of such information in a publication can confirm the validity of an unauthorized disclosure and cause further harm to national security." Timothy H. Edgar, a visiting professor at Brown University who worked at the intelligence office and the White House from 2006 to 2013, said it was appropriate to block former officials from disclosing classified information and confirming leaks. But, he said, it went too far to retroactively block former officials from citing news reports in the public domain, as long as they did so neutrally and did not confirm them as factually correct. [ Polley : Who's setting policy on these matters? They don't seem to be deep-thinkers or serious students of government and policy.]
Is U.S. cybersecurity plan a carrot, stick or legal nightmare? (E&E Publishing, 9 May 2014) - In a scenario on the minds of many in the electric power sector, a powerful cyber assault triggers a massive blackout that cascades into damaging legal fights about who's to blame. Taking the stand, the utility chief executive faces a pointed question: "Was your company in compliance with the NIST cybersecurity standards?" Energy companies have just begun adjusting to the cybersecurity framework issued in February by the National Institute of Standards and Technology (NIST). Officials from the White House and NIST, attending the Utilities Telecom Council's cybersecurity conference here this week, have praised industry leaders for embracing the framework. But among the first questions they got from a conference audience Wednesday was a familiar one: Would the voluntary NIST framework become a de facto standard of care against which power companies could be measured in court in litigation that followed an outage? Alan Tilles, an attorney with Shulman Rogers in Potomac, Md., told conference panelists that the framework "is setting a standard of care that we have to make sure we're communicating to others." The message, he said, is, "Here is the floor, and if you're not compliant with that [the framework] even though it's voluntary, you have some potential danger if you have a breach." Samara Moore, a member of the White House national security staff and coordinator of cybersecurity and critical infrastructure protection, replied that the question "has come up in many of these discussions." But, she continued, it's wrong to think of the framework as a new compilation of requirements. "These aren't standards that popped up overnight," she said.
Federal Election Commission says political action committees can accept payment via Bitcoins (Techdirt, 9 May 2014) - After some amount of hand-wringing, the Federal Election Commission has said that political action committees (PACs) may accept bitcoin donations , though they can't then buy goods and services with those bitcoins. Furthermore, it has to convert the bitcoins to dollars before depositing them into its campaign accounts. In other words, its effectively allowing the use of bitcoin as a payment system, rather than as a currency. However, at the same time, it will allow campaigns to buy bitcoins as an investment vehicle. There's also some confusion over what this all means. Rather than issuing a full ruling, the FEC released an "advisory opinion" based on a specific request from the Make Your Laws PAC, which specifically asked for the ability to accept bitcoin donations up to $100. What's not clear is if the FEC is just agreeing to that level of donations or if it's okaying larger donations as well.
Hackers now crave patches, and Microsoft's giving them just what they want (Computerworld, 11 May 2014) - Hackers will have at least one, perhaps as many as four, patches next week to investigate as they search for unfixed flaws in Windows XP, the 13-year-old operating system that Microsoft retired from support April 8. On May 13, Microsoft's regularly-scheduled monthly Patch Tuesday, the Redmond, Wash. company will issue eight security updates for its software. But because it has stopped providing updates to owners of Windows XP PCs, those customers will not see any of the eight. Hackers looking for vulnerabilities in Windows XP will be using the patches to find vulnerabilities in XP, Microsoft and security experts have said. By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7 -- which will be patched -- then sniff around the same part of XP's code until they discover the bug there. From that point, it will be relatively straight forward for them to craft an exploit and use it against unprotected XP PCs.
Are APIs patent or copyright subject matter? (Pam Samuelson, 12 May 2014) - Application programming interfaces (APIs) are informational equivalents of the familiar plug and socket design through which appliances, such as lamps, interoperate with the electrical grid. Just as a plug must conform precisely to the contours of the socket in order for electricity to flow to enable the appliance to operate, a computer program designed to be compatible with another program must conform precisely to the API of the first program which establishes rules about how other programs must send and receive information so that the two programs can work together to execute specific tasks. No matter how much creativity might have gone into the design of the existing program's interfaces and no matter how many choices the first programmer had when creating this design, once that the API exists, it becomes a constraint on the design of follow-on programs developed to interoperate with it. Anyone who develops an API is, in a very real sense, designing that aspect of the program for itself and for others. One of the many errors in Judge O'Malley's decision in the Oracle v. Google case was her insistence that the merger of idea and expression in computer program copyright cases can only be found when the developer of an API had no choice except to design the interface in a particular way. If there is any creativity in the design of the API and if its designer had choices among different ways to accomplish the objective, then copyright's originality standard has been satisfied and not just the program code in which the API is embodied, but the SSO of the API, becomes copyrightable. Indeed, harkening back to an earlier era, Judge O'Malley repeated the unfortunate dicta from the Apple v. Franklin case about compatibility being a "commercial and competitive objective" which is irrelevant to whether program ideas and expressions have merged. * * *
Forged certificates common in HTTPS sessions (Cory Doctorow, 12 May 2014) - In Analyzing Forged SSL Certificates in the Wild [PDF] a paper authored by researchers at CMU and Facebook, we learn that "a small but significant percentage" of HTTPS connections are made using forged certificates generated by adware and malware. Disturbingly, some of this malware may be working by attacking anti-virus software and stealing its keys, and the authors also speculate that anti-virus authors may be giving their keys out to governments in order to allow police to carry out man-in-the-middle attacks. The researchers used a technique to detect forged-cert connections that has post-Heartbleed applications, since it would allow sites to discover whether their visitors are being man-in-the-middled through keys stolen before Heartbleed was widely known. This all points to a larger problem with HTTPS, which has been under increased scrutiny since Heartbleed, but whose defects were well understood within the security community for a long time. I co-wrote this editorial for Nature with Ben Laurie in 2012 describing a system called "Certificate Transparency" that makes it easier to audit and remediate problems with SSL certificates, which Google is now adding to Chrome * * * [ Polley : Spotted by MIRLN reader Mike McGuire ]
Which World Bank reports are widely read? (BeSpacific, 12 May 2014) - "Knowledge is central to development. The World Bank invests about one-quarter of its budget for country services in knowledge products. Still, there is little research about the demand for these knowledge products and how internal knowledge flows affect their demand. About 49 percent of the World Bank's policy reports, which are published Economic and Sector Work or Technical Assistance reports, have the stated objective of informing the public debate or influencing the development community. This study uses information on downloads and citations to assesses whether policy reports meet this objective. About 13 percent of policy reports were downloaded at least 250 times while more than 31 percent of policy reports are never downloaded. Almost 87 percent of policy reports were never cited. More expensive, complex, multi-sector, core diagnostics reports on middle-income countries with larger populations tend to be downloaded more frequently. Multi-sector reports also tend to be cited more frequently. Internal knowledge sharing matters as cross support provided by the World Bank's Research Department consistently increases downloads and citations." Policy Research Working Paper 6851 .
Purge pay TV, binge on data: Cord-cutters are gulping down bandwidth (Recode.net, 14 May 2014) - Here's a question that may be increasingly relevant for some of you: If you don't pay for cable, and you get all your video from the Internet instead, how much bandwidth do you eat up each month? Quite a bit, it turns out. Much more than everyone else. Sandvine, the broadband networking company that provides periodic reports on Web usage, says that the top 15 percent of streaming video users go through 212 gigabytes of data month. That's more than seven times the average broadband user, who uses 29 gigabytes. * * * Sandvine doesn't know that this group of broadband users are actually relying on the Web for all their video, instead of using TV. It just thinks they are, based on their outsized consumption. It figures they are streaming something like 100 hours of video a month. [ Polley : We're headed toward this, and the broadcast/bundled-cable model will die.]
- and -
Comcast plans data caps for all customers in 5 years, could be 500GB (ArsTechnica, 14 May 2014) - A Comcast executive said he expects the company will roll out "usage-based billing"-what most people call "data caps"-to all of its customers within five years. Speaking with investors today ( transcript ), Comcast Executive VP David Cohen said, "I would predict that in five years Comcast at least would have a usage-based billing model rolled out across its footprint." Comcast, which has about 20 million broadband customers, has rolled out caps to some of the areas that it serves, including Huntsville and Mobile, Alabama; Atlanta, Augusta, and Savannah, Georgia; Central Kentucky; Maine; Jackson, Mississippi; Knoxville and Memphis, Tennessee; and Charleston, South Carolina. Customers generally get 300GB of data per month, with $10 charges for each extra 50GB. Comcast told Ars last November that "98 percent of our customers nationally don't use 300GB/month." Cohen today said that Comcast will raise the limit over time so that the large majority of users won't go over it, suggesting that 500GB is a possible monthly limit five years from now.
At the nexus of cybersecurity and public policy: some basic concepts and issues (National Research Council, May 2014) - We depend on information and information technology (IT) to make many of our day-to-day tasks easier and more convenient. Computers play key roles in transportation, health care, banking, and energy. Businesses use IT for payroll and accounting, inventory and sales, and research and development. Modern military forces use weapons that are increasingly coordinated through computer-based networks. Cybersecurity is vital to protecting all of these functions. Cyberspace is vulnerable to a broad spectrum of hackers, criminals, terrorists, and state actors. Working in cyberspace, these malevolent actors can steal money, intellectual property, or classified information; impersonate law-abiding parties for their own purposes; damage important data; or deny the availability of normally accessible services. Cybersecurity issues arise because of three factors taken together - the presence of malevolent actors in cyberspace, societal reliance on IT for many important functions, and the presence of vulnerabilities in IT systems. What steps can policy makers take to protect our government, businesses, and the public from those would take advantage of system vulnerabilities? At the Nexus of Cybersecurity and Public Policy offers a wealth of information on practical measures, technical and nontechnical challenges, and potential policy responses. According to this report, cybersecurity is a never-ending battle; threats will evolve as adversaries adopt new tools and techniques to compromise security. Cybersecurity is therefore an ongoing process that needs to evolve as new threats are identified. At the Nexus of Cybersecurity and Public Policy is a call for action to make cybersecurity a public safety priority. For a number of years, the cybersecurity issue has received increasing public attention; however, most policy focus has been on the short-term costs of improving systems. In its explanation of the fundamentals of cybersecurity and the discussion of potential policy responses, this book will be a resource for policy makers, cybersecurity and IT professionals, and anyone who wants to understand threats to cyberspace.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Many web users log on outside home, work (NBC, 8 March 2004) -- In yet another sign that the Internet has become more pervasive, a quarter of adult users have logged on outside the traditional settings of home or work. Some are lower-income Americans who have no other choice but to do their Web surfing in schools or libraries. But many are younger adults who are "moving toward this anytime, anywhere access," said Lee Rainie, director of the Pew Internet and American Life Project, which conducted the study. Beside work and home, the most popular places for logging on are friends' or neighbors' homes, schools and libraries. Less common are from a relative's house, Internet cafes and churches. Only 3 percent say they exclusively use a location other than work or home, but 28 percent of those earning less than $30,000 cited such a location as an access point. About half of those age 18 to 24 log on outside home or school, although that includes college students. Removing school usage, the 25-34 age group was most likely to use "other places."
American passports to get chipped (WIRED, 21 OCT 2004) -- New U.S. passports will soon be read remotely at borders around the world, thanks to embedded chips that will broadcast on command an individual's name, address and digital photo to a computerized reader. The State Department hopes the addition of the chips, which employ radio frequency identification, or RFID, technology, will make passports more secure and harder to forge, according to spokeswoman Kelly Shannon. "The reason we are doing this is that it simply makes passports more secure," Shannon said. "It's yet another layer beyond the security features we currently use to ensure the bearer is the person who was issued the passport originally." But civil libertarians and some technologists say the chips are actually a boon to identity thieves, stalkers and commercial data collectors, since anyone with the proper reader can download a person's biographical information and photo from several feet away. "Even if they wanted to store this info in a chip, why have a chip that can be read remotely?" asked Barry Steinhardt, who directs the American Civil Liberty Union's Technology and Liberty program. "Why not require the passport be brought in contact with a reader so that the passport holder would know it had been captured? Americans in the know will be wrapping their passports in aluminum foil." Last week, four companies received contracts from the government to deliver prototype chips and readers immediately for evaluation. Diplomats and State Department employees will be issued the new passports as early as January, while other citizens applying for new passports will get the new version starting in the spring. Countries around the world are also in the process of including the tags in their passports, in part due to U.S. government requirements that some nations must add biometric identification in order for their citizens to visit without a visa.
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:email@example.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. McGuire Wood's Technology & Business Articles of Note
8. Steptoe & Johnson's E-Commerce Law Week
9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
10. The Benton Foundation's Communications Headlines
11. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top