Saturday, June 28, 2014

MIRLN --- 8-28 June 2014 (v17.09)

MIRLN --- 8-28 June 2014 (v17.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Cybersecurity in the boardroom: the new reality for Directors (IAPP, 27 May 2014) - Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high profile cybersecurity hacks, and the potential resulting drop in shareholder value, regulatory inquiries and litigations which inevitably follow, cybersecurity has become an increasingly challenging risk that boards must address. The board's role in understanding and monitoring cybersecurity risk has been underscored by a new breed of lawsuits alleging boards were asleep at the switch in the face of a known danger. Target, for example, is now facing a shareholder derivative lawsuit (Case number 14-cv-203) alleging Target's board members and directors breached their fiduciary duties to the company by failing "to maintain proper internal controls" related to data security and misleading affected consumers about the scope of the breach after it occurred. That complaint alleges Target was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target "to be exposed to millions of dollars of potential liability in class-action lawsuits," and through "substantial damage" to "the company's sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust." It remains to be seen whether the lawsuits against directors and officers will succeed. Regardless of their outcomes, however, these suits highlight that the board plays a fundamental role in preventing and detecting risks associated with information security breaches.
The board's role in cybersecurity was also emphasized by the SEC during its March 26 Cybersecurity Roundtable, where one of the key themes was the instrumental role the board of directors and senior management should play in leading an organization's cybersecurity preparedness and resilience to cybersecurity attacks. One roundtable panelist opined in that regard that senior management can play an important role in creating a cybersecurity culture that "starts at the keyboard" and in which cybersecurity is not seen as a technology issue for the IT department to resolve but a business issue in which all employees take action and understand their role in protecting their companies. While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice. In attempting to fulfill their fiduciary duties to the company by managing cybersecurity risks, the following are some guideposts for directors to follow: * * *

- and -

AIG, NACD, and ISA issue cyber-risk oversight guidance for corporate directors (GlobeNewswire, 11 June 2014) - Designed to provide corporate directors with expert guidelines to improve their cybersecurity oversight, American International Group (AIG), the National Association of Corporate Directors (NACD), and the Internet Security Alliance (ISA) today announced the release of the latest issue in NACD's Director's Handbook Series, Cyber-Risk Oversight. Access this new resource at www.NACDonline.org/Cyber. "Ninety percent of directors participating in our latest governance survey indicated they would like to improve their understanding of cybersecurity risk," said Ken Daly, NACD president and CEO. "This handbook provides boards with practical tools to do just that, including self-assessment questions for directors, sample board report dashboards, and guidelines for conversations with management." This unique publication is organized around five key principles and covers a wide spectrum of board-level considerations related to oversight of cybersecurity, including board composition, liability implications, disclosure issues, access to expertise, and risk appetite calibration. "Recent breaches in both the public and private sectors have put the issue of cybersecurity on every board's agenda," said Larry Clinton, president and CEO of ISA. "This handbook is a natural extension of ISA's mission to create private sector standards and practices that integrate both the technological and economic aspects of cybersecurity." Boards should adapt the recommendations set forth in the handbook based on their company's unique characteristics, including size, life-cycle stage, business strategy, industry sector, geographic footprint, and culture.

- and -

Why senior leaders are the front line against cyberattacks (McKinsey, June 2014) - The importance of cybersecurity is no secret to anyone who's opened a newspaper or attended a board meeting. So, senior executives may ask, what's the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks. * * * [Polley: This McKinsey & Co report is quite useful.]

Health data breach victims have standing to sue says West Virginia Supreme Court (Nat'l Law Review, 3 June 2014) - The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court. The Court's opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result. The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative. The West Virginia case differs from other data breach standing cases in two respects: (i) it concerns health data, in addition to personal identifying information, and health data has the benefit of legal protections that other personal information does not enjoy; and (ii) West Virginia has a judicial history of allowing actions based upon an invasion of the right of privacy without proof of special economic (liquidated, out-of-pocket) damages. The Court said that while the mere risk of future identity theft alone does not constitute an injury in fact sufficient to confer standing, the plaintiffs also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy, and that those claims were not hypothetical or speculative. The breach by a doctor of his duty of confidentiality to the patient is an independent basis of a tort claim that may result in damages for the loss of the confidential relationship.
Likewise, under West Virginia law (and in a number of other states as well) an unwarranted invasion of personal privacy, which includes the appropriation of another's name or likeness or that places another in a false light before the public, is grounds for an action in tort against the perpetrator.

FAA orders Boeing to protect 737s from computer hackers (USA Today, 6 June 2014) - The Federal Aviation Administration is ordering Boeing to modify the technology aboard late-model 737 aircraft to prevent computer hackers from damaging the planes. The order published Friday in the Federal Register is effective immediately, although the agency allowed a comment period until July 21. The special conditions are urgent because the FAA is trying to avoid slowing down design and delivery of new planes, according to the agency. Doug Alder, a Boeing spokesman, said the special conditions will institutionalize actions that the manufacturer had already taken or planned, in line with similar protections for the 747-8, 777 and 787. The special conditions apply to these aircraft because their technology is connected more thoroughly than other planes with computer networks outside the aircraft, making the 737 more vulnerable, according to the FAA. The plane's technology "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems and networks critical to the safety and maintenance of the airplane," the FAA said. The order from Jeffrey Duven, manager of FAA's certification services, calls for Boeing to "ensure that the airplanes' electronic systems are protected from access by unauthorized sources external to the plane, including those possibly caused by maintenance activity."

Cyberattack insurance a challenge for business (NYT, 8 June 2014) - Julia Roberts's smile is insured. So are Heidi Klum's legs, Daniel Craig's body and Jennifer Lopez's derrière. But the fastest-growing niche in the industry today is cyberinsurance. Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker. Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses. The main problem is quantifying losses from attacks, because they are often intangible - lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year. "The losses that are more tangible and more readily quantifiable are the ones you'll be able to insure against more easily," said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. "The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones." At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. The problems companies face in getting insurance are illustrated by the situation Target faced last year. At the time of its breach, the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage, which came from multiple carriers, will barely compensate for the $1 billion in losses some analysts are forecasting. 
Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover $52 million of that.

- and -

The state of cyberinsurance (Bruce Schneier, 16 June 2014) - Good essay on the current state of cyberinsurance: So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible -- and perhaps largely imaginary -- losses to brands' reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers -- just like the rest of us -- don't have a good handle on what security practices and controls are most effective, so they don't know what to require of their customers. If I'm going to insure you against some type of risk, I want to know that you're taking appropriate steps to prevent that risk yourself: installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there's a worry that you'll be so reliant on the insurance coverage that you'll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works -- and what doesn't -- to prevent security breaches.

Google books round 86: libraries win yet again (James Grimmelmann, 10 June 2014) - The Second Circuit's decision in Authors Guild v. HathiTrust is out. This, as a reminder, is the offshoot of the Google Books litigation in which the Authors Guild inexplicably sued Google's library partners. The trial judge, Harold Baer, held for the libraries in 2012 in a positively exuberant opinion: I cannot imagine a definition of fair use that would not encompass the transformative uses made by Defendants' MDP [Mass Digitization Project] and would require that I terminate this invaluable contribution to the progress of science and cultivation of the arts that at the same time effectuates the ideals espoused by the ADA. The Second Circuit's opinion drops the grand rhetoric, but otherwise the bottom line is basically the same: mass digitization to make a search engine is fair use, and so is giving digital copies to the print-disabled. The opinion on appeal is sober, conservative, and to the point; it is the work of a court that does not think this is a hard case. * * * These holdings merely affirm the District Court's conclusions, but they are still a big deal. The Second Circuit's decisions are binding precedent in New York, the nation's publishing capital, and are highly influential beyond. Five judges have now upheld the legality of scanning books to make a search engine; none have disagreed.

The Bank of England goes to cyber war (WSJ, 10 June 2014) - The Bank of England has launched a new cyber security strategy for financial institutions in the U.K., as the sector struggles to protect itself against the increased threat of cyber-attacks.

The framework, called CBEST, is based on penetration tests that mimic techniques and procedures used by cyber criminals to harm large financial organizations, such as banks and stock exchanges, our sister publication Financial News reports Tuesday.

The new strategy is based on real threat intelligence gathered about potential attacks to a specific financial institution. The intelligence is gathered through the monitoring of thousands of online sources, including hacker forums, blogs and chat rooms.

Research will be carried out on an ad hoc basis by cyber intelligence firms vetted by the Council for Registered Ethical Security Testers, or CREST, a non-profit representing the information security industry.

Comcast is turning the US into its own private hotspot (TechCrunch, 10 June 2014) - On paper it looks like a win-win: in the next few days, Comcast is quietly turning on public hotspots in its customers' routers, essentially turning private homes into public hotspots. Comcast customers get free Wi-Fi wherever there is a Comcast box and the company gets to build out a private network to compete with telecoms. Win-win. Fifty thousand users with Arris Touchstone Telephony Wireless Gateway Modems - essentially basic modems that cable providers drop off at your home - have already been turned into public hotspots in Houston, and there are plans to enable 150,000 more. Most subscribers will be enabled in the next few months. It's not like they didn't warn you. After all, news of this bold Xfinity Wifi project popped up months ago and began rolling out in 2013. But here's the problem: Comcast is essentially using your private residence as a corporate resource. They're using your electricity. They're using your Internet connection (although they claim they aren't) and they're opening up your private browsing to potential hackers. While Comcast will claim that these two streams are independent, there is nothing to stop a dedicated hacker from figuring out how to snoop data passing through the router. There is also nothing to stop someone from downloading illicit material, software, and other junk from your hotspot and then reporting you for theft or worse. Again, it's all ostensibly secure, but, like all things, it really isn't. Finally, it's also an opt-out solution, which means it is enabled by default and you, the consumer, have to turn it off. But Comcast doesn't want that. "We encourage all subscribers to keep this feature enabled as it allows more people to enjoy the benefits of Xfinity Wi-Fi around the neighborhood," said a company spokesperson last year. Not convinced? Dwight Silverman offers instructions for turning it off.

- and -

New open-source router firmware opens your Wi-Fi network to strangers (ArsTechnica, 20 June 2014) - We've often heard security folks explain their belief that one of the best ways to protect Web privacy and security on one's home turf is to lock down one's private Wi-Fi network with a strong password. But a coalition of advocacy organizations is calling such conventional wisdom into question. Members of the "Open Wireless Movement," including the Electronic Frontier Foundation (EFF), Free Press, Mozilla, and Fight for the Future are advocating that we open up our Wi-Fi private networks (or at least a small slice of our available bandwidth) to strangers. They claim that such a random act of kindness can actually make us safer online while simultaneously facilitating a better allocation of finite broadband resources. The OpenWireless.org website explains the group's initiative. "We are aiming to build technologies that would make it easy for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access," its mission statement reads. "And we are working to debunk myths (and confront truths) about open wireless while creating technologies and legal precedent to ensure it is safe, private, and legal to open your network." One such technology, which EFF plans to unveil at the Hackers on Planet Earth (HOPE X) conference next month, is open-sourced router firmware called Open Wireless Router. This firmware would enable individuals to share a portion of their Wi-Fi networks with anyone nearby, password-free, as Adi Kamdar, an EFF activist, told Ars on Friday. Home network sharing tools are not new, and the EFF has been touting the benefits of open-sourcing Web connections for years, but Kamdar believes this new tool marks the second phase in the open wireless initiative.
Unlike previous tools, he claims, EFF's software will be free for all, will not require any sort of registration, and will actually make surfing the Web safer and more efficient. Open Wi-Fi initiative members have argued that the act of providing wireless networks to others is a form of "basic politeness… like providing heat and electricity, or a hot cup of tea" to a neighbor, as security expert Bruce Schneier described it.

In major privacy ruling, court says police need warrant to track phone users' location (GigaOM, 11 June 2014) - In a victory for privacy advocates, a federal appeals court in Florida ruled that law enforcement agents cannot force mobile carriers to turn over the location history of their customers without a search warrant. The case involved an appeal by Quartavius Davis, who was convicted by a jury for his role in a violent armed robbery spree targeting restaurants and gas stations. The evidence included location data gleaned from cellphone towers that showed Davis had been in proximity of the various businesses. In finding that the police should have obtained a warrant to obtain the location data, the 11th Circuit Court of Appeals unanimously ruled that the government violated Davis' Fourth Amendment right against unreasonable search and seizure. The case is groundbreaking because higher courts have yet to rule definitively on whether people have a privacy right in the location disclosed by their cell phones. Citing a recent Supreme Court case that suggested police in some cases need a warrant to track a suspect's automobile, the appeals court noted that a cell phone carries deeper privacy implications. The court also drew a firm line between what police must do to obtain call records from a phone company, which can share records without a warrant under the so-called "third-party doctrine," versus what is required to obtain a person's location. Declaring that a person's location is more analogous to the content of a phone call (for which police do need a warrant), the court stated that people can reasonably expect that their mobile carrier will not hand over a historic record of the places they have been. Finally, the case also highlights the ability of cellphone towers to observe and record a phone user's location.
While the court acknowledged that the towers do not disclose a person's precise location, it ruled that they reveal enough information to trigger the Fourth Amendment's privacy protection.

Amazon blocking Warner movies pre-orders in latest feud (Bloomberg, 11 June 2014) - Customers trying to pre-order films such as "The Lego Movie," "300: Rise of an Empire" and "Winter's Tale" are instead asked to sign up to be notified when the item becomes available. Digital downloads of the movies are available for purchase through Amazon Instant Video. The world's biggest online retailer is seeking concessions from Warner Bros. that would give it more of a margin on sales of DVDs and digital versions of its movies, said a person familiar with the matter, who asked not to be identified because the negotiations are private. Amazon is already in a standoff with Hachette Book Group over e-book pricing in a tussle that will help determine whether publishers can gain any leverage against the online retailer and biggest seller of e-books. To ratchet up pressure on Hachette, Amazon started delaying shipments and blocking some book pre-orders -- including big-name titles such as "The Silkworm," J.K. Rowling's new novel written under a pseudonym.

7 apps for cataloguing your home library (InsideHigherEd, 12 June 2014) - Summer is just around the corner, and I've been drawing up a list of all the things I'd like to accomplish before next academic year. It's a fine time to relax, to step back and reassess my existing workflow, and to reorganize. One of the projects I'm trying this summer? Cataloging my own library. Do you ever spend too long looking for a book that you just know you already have? Have you ever accidentally purchased a book twice? Sadly, I can answer "yes" to both of these questions. One of my problems is that I can never remember if I own a particular book, or if I've just checked it out of the library frequently enough that I think it's a permanent fixture in my personal collection. I also often struggle to remember if I own a book in hard copy or Kindle form. And one of my least favorite feelings is when I know that I've loaned a book to a friend or colleague, but I'm unable to remember which person borrowed it or when. So, inspired by fellow GradHacker Justin Dunnavant's post on using Goodreads to organize his library, I've decided that it's time to reorganize my own collection of books. My requirements: must be an iOS-friendly app, must be less than $5, and must allow me to track borrowing. Here are a few of the contenders I've been considering, for any of you who might be interested in doing the same * * *

Why online tracking is getting creepier (ProPublica, 12 June 2014) - The marketers that follow you around the web are getting nosier. Currently, many companies track where users go on the Web, often through cookies, in order to display customized ads. That's why if you look at a pair of shoes on one site, ads for those shoes may follow you around the Web. But online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits, such as recent purchases, where you live, how many kids you have, and what kind of car you drive. Here's how it works, according to some revealing marketing literature we came across from digital marketing firm LiveRamp: (1) A retailer (let's call it The Pricey Store) collects the e-mail addresses of its high-spending customers. (Ever wonder why stores keep bugging you for your email at the checkout counter these days?) (2) The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.) The website that has a relationship with LiveRamp then allows LiveRamp to "tag" the customers' computer with a tracker. (3) When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to "show more expensive offerings to them." (Yes, the marketing documents really say that.) Tracking people using their real names, often called "onboarding," is a hot trend in Silicon Valley. In 2012, ProPublica documented how political campaigns used onboarding to bombard voters with ads based on their party affiliation and donor history. Since then, Twitter and Facebook have both started offering onboarding services allowing advertisers to find their customers online.

- and -

Facebook turns user tracking 'bug' into data mining 'feature' for advertisers (ZDnet, 17 June 2014) - Facebook announced changes to its privacy and advertising policies on its company blog last Thursday, extending Facebook's ability to track users outside of Facebook -- undoing previous assurances it "does not track users across the web." The press reports initially sounded like good news, announcing that Facebook would be "letting people better control their advertising preferences." Indeed, users will soon be able to click on a little arrow on an ad, which will show them a simplified version of Facebook's marketing dossier on them, and the user can check or un-check different advertising interests. Facebook also announced Thursday it will begin tracking its users' browsing and activities on websites and apps outside Facebook, starting within a few weeks. Facebook said it will begin to disregard its users' choice of using their in-browser "Do Not Track" setting: Soon, anyone who clicks "ask websites not to track me" in Safari (or any other browser) will be completely ignored by Facebook. Google and Yahoo already ignore people's Do Not Track settings; fortunately, Twitter, Microsoft and Pinterest still respect the browser setting.

Feds tell local law enforcement to remain silent about cellphone surveillance (ABA Journal, 13 June 2014) - The federal government is putting pressure on local law enforcement to keep quiet about its use of Stingray and other surveillance technology used to gather data off of mobile phones. The Associated Press reports that the Obama administration has taken the rare step of becoming actively involved with state records request cases and local criminal trials in an effort to keep details of its surveillance secret. As a result, the AP reports that police departments have either refused to turn over, or have heavily redacted, documents and materials relating to such surveillance. One well-known piece of technology used by cops is Stingray. The device gathers information off a mobile phone by impersonating a cell tower and getting a phone to transmit data to it. According to the AP, Stingray allows police to obtain data off a mobile phone without having to get the cooperation of a user's mobile carrier, like Verizon Wireless or AT&T. Several civil liberties groups have tried to get state and federal agencies to release more information about what kind of information they are taking. "These extreme secrecy efforts are in relation to very controversial, local government surveillance practices using highly invasive technology," said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union, to the AP. "If public participation means anything, people should have the facts about what the government is doing to them." The FBI is contesting a lawsuit filed in Tucson, Ariz., that seeks to force it to give up its information by claiming that such disclosures would "result in the FBI's inability to protect the public from terrorism and other criminal activity because through public disclosures, this technology has been rendered essentially useless for future investigations."
[Polley: see also Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy (SSRN, by Stephanie Pell and Chris Soghoian, 15 May 2014)]

Companies involved in M&A activity more likely targets of cyberattacks (Cooley, 13 June 2014) - According to this article in the WSJ, companies involved in M&A activity had better make special efforts with regard to cybersecurity. In the course of the transaction, thieves may try to gain access to internal systems, extract negotiating positions or other information about the transaction, or make off with trade secrets or other inside information. Apparently, data thieves target companies engaged in M&A deals because, in light of the confusion that often surrounds M&A activity, employees are more vulnerable to cyberattacks. Employees of merged companies do not know who may be sending them emails and are more likely to open them. For example, in one case, cyberthieves went phishing by sending emails to employees of a newly acquired subsidiary announcing the acquisition. That email included malware that allowed the hackers to enter the company's network and steal proprietary data. Similarly, executives travelling for deal negotiations can also be a prime target for data thieves. To help address these risks, employees should be advised to be more cautious about opening emails when the company is going through a merger or acquisition. It may also be perilous for travelling executives to use Wi-Fi on mobile devices or plug into free Wi-Fi in hotels and public areas. In addition, companies should also "be careful not to link up their networks until the new network has been tested by the security team to make sure it's safe."

Apple starts letting Bitcoin transfer apps back into its app store (TechCrunch, 16 June 2014) - Apple's Bitcoin freeze appears to be thawing fast, with bitcoin wallet apps that offer the ability to transfer BTC now filtering back into the App Store. The move was picked up by Coindesk yesterday which noted that the Coin Pocket BTC wallet app was back in the store. The Coin Pocket app allows users to send and receive bitcoin from an iOS device, as well as offering an in-app QR code scanner; a private key sweep and encryption feature; and the ability to check bitcoin to USD conversion rates. Last year Apple was bumping bitcoin wallets from the App Store, taking a cautious approach to the virtual currency and enraging bitcoin enthusiasts in the process. Half a year on it looks like Cupertino is pulling the handbrake hard to make a sharp U-turn on BTC. As well as apps allowing BTC transfers, others that allow in-app bitcoin purchases, such as eGifter, are also being let into the App Store, offering a channel for developers to circumvent Apple's 30% share of in-app purchases if their users are savvy enough to be able to pay with BTC. Despite Apple's prior freezing out of certain bitcoin apps, the arrival of an app like Coin Pocket which offers BTC transfer is not a huge surprise given that, at its WWDC developer conference earlier this month, Apple added a new rule to its developer agreement that sanctioned apps offering the transmission of "approved virtual currencies". [Polley: I've installed Coin Pocket and am experimenting with Bitcoin; see also A beginner's guide to Bitcoin (Boing Boing, 4 June 2014)]

Nokia paid millions in ransom to stop release of signing key in 2007 (Ars Technica, 18 June 2014) - On Tuesday, MTV News in Finland reported for the first time that in 2007, Nokia paid millions of euros to someone who had acquired the Symbian encryption signing key to prevent its distribution. If released, that key would have allowed Nokia phones to accept non-authorized applications. At the time, Nokia was the world's leading smartphone manufacturer. After receiving the ransom demand, Nokia informed the National Bureau of Investigation, which appears to have orchestrated a surveillance operation. Nokia paid the multi-million euro ransom in cash, left in a bag at a parking lot near the Särkänniemi amusement park in the city of Tampere. As MTV News reported, "Police, however, lost track of the blackmailer and the money was gone. The case is still unsolved."

The GM lawyers were here (Corporate Counsel, 18 June 2014) - The deadly ignition switch fiasco at General Motors Co. has spawned a remarkable breadth of legal issues, ranging from the law department's role in recalls to the company's duty, if any, to compensate victims after it declared bankruptcy. Indeed, seldom has a legal department been thrust into such a high-profile role in a huge public controversy. The ignition switch debacle inevitably cast the legal team in a harsh light and led to the oft-repeated phrase: Where were the lawyers? Well, they were right here. GM's legal department has had three different, and impressive, leaders since the defective switch was uncovered. Any one of them might have led the company down a very different path, and perhaps saved lives along the way. But they didn't. Instead they allowed the company to waste nearly 10 years. That's 10 years of committee meetings and haggling and ignoring possible solutions. And 10 years of not issuing a recall while GM cars crashed and people died. * * * The company has suffered a massive blow to its reputation. It faces dozens of lawsuits carrying billions of dollars in potential liability. GM conducted an internal investigation, and a report was released in early June. At least four in-house lawyers, one a vice president, lost their jobs-though not general counsel Michael Millikin. No former or current GM lawyer responded to requests for comment for this story. The Valukas report made several recommendations to reform how the legal department works. The U.S. Department of Justice is conducting a criminal investigation, and several state attorneys general were also investigating the matter. * * * At the heart of it all is a legal department of about 200 attorneys who failed to communicate. And that's putting their failure in the best possible light. Some observers prefer the phrase "cover-up." 
At least one class action suit over the defect clearly points at the lawyers' role in not disclosing the truth during GM's 2009 bankruptcy proceedings. First the complaint offers a detailed timeline of GM actions, along with emails that show the company knew about the defect for over a decade. Then the complaint states that it is "inconceivable that individuals within GM's upper management and general counsel's office did not know about the ignition switch defect in GM vehicles, or the attendant contingent liabilities, when GM entered bankruptcy in June 2009." [ Polley : I was deputy GC in a similar-sized multinational; I'd have been fired if I hadn't known what my people were doing. It seems to me that Millikin should be fired if he knew, and fired if he didn't. In a related vein, see GM recalls: How General Motors silenced a whistle-blower (Bloomberg, 18 June 2014), and How GM's lawyers failed in their duties (NYT, 9 June 2014). Along with the Wal-Mart Mexico bribery/FCPA story from 2012, I can't think of more egregious examples of disastrous corporate culture.]

The strange demise of TrueCrypt and what it says about cybersecurity (Paul Rosenzweig on Lawfare, 18 June 2014) - A small earthquake happened at the end of May - a well-regarded, widely known encryption program called TrueCrypt shut its doors. For those who care about surveillance, encryption, and open-source methodologies, the change was abrupt and disturbing. It's the type of thing that goes unnoticed by the broader public, but has quiet effects that should not go unremarked. * * * What are we to make of all this? Well, for starters, I like a mystery as much as anyone and you have to admit this is a good one. Famous product all of a sudden pulled from the market. Why? Nobody knows. So it's just a good yarn … But beyond that, the episode re-emphasizes the challenge of an "open source" method of security. [Lawyerly footnote: There are some who dispute that TrueCrypt was truly open-source because it was licensed, so you couldn't modify it at will. I use the term here to mean that the code could be seen, reviewed, prodded, tested, and deconstructed.] As with Heartbleed, open source methods work only for as long as volunteers are willing to work on the project. I tend to think that you get what you pay for - and if nobody was paying the TrueCrypt developer(s) it is not at all surprising that he/they eventually just decided to find a better way to spend his time (heck, maybe he got married - or maybe she did …). Third, the incident serves to reemphasize how much the whole Snowden affair has disrupted settled expectations. Pre-Snowden, concerns over encryption were limited to a much smaller minority of folks and the demise of TrueCrypt would not have been accompanied by grim views of government enforcement. Today, those are commonplace. Finally, the episode serves to also illuminate how broken our system of security is. 
We can't trust the government to provide it; we can't trust private corporations to provide it; and we can't rely on the kindness of strangers to provide it either. Unless you are one of the rare individuals who can build and install their own encryption code (I am =not=!) you are inevitably reliant on somebody else for your security. Yet nobody is somebody you can trust. And that leaves us hopelessly vulnerable - not just to mistrusted governments but to malevolent actors across the globe. The Russian cyber gangs must rejoice at the demise of TrueCrypt. [ Polley : worth reading the whole post.]

Medtronic says was victim of cyber attack, lost patient records (Reuters, 20 June 2014) - Medtronic Inc, the world's largest stand-alone medical device maker, was the victim of a cyber attack and lost some patient records in separate incidents last year, it said in a regulatory filing on Friday. "Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia," the company said in a 10-K filing with the U.S. Securities and Exchange Commission. Medtronic officials could not be reached to elaborate on the contents of the 10-K filing, which did not identify the other companies involved in the breach.

Scan license plates so you can text flirty messages to cute drivers with GM's new app (Digital Trends, 21 June 2014) - There are plenty of smartphone apps that make it easier to flirt and set up dates with strangers, but GM has an ace up its sleeve that may trump all of them. No, the car manufacturer isn't muscling its way into the dating game - at least not directly. But its China R&D team has developed an Android app that lets a driver scan a license plate in order to start texting the owner of that car. The romantic implications of DiDi Plate, a prototype app debuted earlier this month at the Telematics Detroit 2014 conference, are obvious enough, even to GM. A video demo at the conference run by John Du, director of GM's China R&D Division, even highlighted a scenario where a male driver scans the license plate in front of him in order to see that female driver's profile. He smoothly proceeds to tell her that he's going to a mountain and would like someone to go with, to which she responds, "OK, let's go together." However, there are other practical (and less creepy) uses for the app. For instance, the demo showed a driver whose car was blocked in a parking lot scanning the license plate of the inconveniently placed car and asking the owner to move their automobile. Du added that his team has found a way to make the prototype app work with Google Glass, which would make its uses more dynamic or unsettling, depending on how you view it.

Unblinking eyes track employees (NYT, 21 June 2014) - Advanced technological tools are beginning to make it possible to measure and monitor employees as never before, with the promise of fundamentally changing how we work - along with raising concerns about privacy and the specter of unchecked surveillance in the workplace. Through these new means, companies have found, for example, that workers are more productive if they have more social interaction. So a bank's call center introduced a shared 15-minute coffee break, and a pharmaceutical company replaced coffee makers used by a few marketing workers with a larger cafe area. The result? Increased sales and less turnover. Yet the prospect of fine-grained, digital monitoring of workers' behavior worries privacy advocates. Companies, they say, have few legal obligations other than informing employees. "Whether this kind of monitoring is effective or not, it's a concern," said Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation in San Francisco. Sociometric Solutions is already working with 20 companies in the banking, technology, pharmaceutical and health care industries, involving thousands of employees. The workers must opt in to have their data collected. Mr. Waber's company signs a contract with each one guaranteeing that no individual data is given to the employer (only aggregate statistics) and that no conversations are recorded. "Privacy policy," Mr. Waber said, "is going to have to deal with the workplace and not just the consumer issues." The payoff for well-designed workplace monitoring, Mr. Waber said, can be significant. The underlying theme of human dynamics research is that people are social learners, so arranging work to increase productive face-to-face communication yields measurable benefits. For example, the company studied workers in Bank of America call centers and observed that those in tightknit communications groups were more productive and less likely to quit. 
To increase social communication, the shared 15-minute coffee break was introduced to the daily routine. Afterward, call-handling productivity increased more than 10 percent, and turnover declined nearly 70 percent, Mr. Waber said. Mr. Waber's company also provided the data-guided insight to help the pharmaceutical company increase sales with its new cafe area. At a tech company, his company found, workers who sat at larger tables in the cafeteria, thus communicating more, were more productive than workers who sat at smaller tables. Bryan Koop, a commercial office developer who has worked with Sociometric Solutions, points to the potential for more scientifically designed work environments. There are current fashions in office design, he said, that are assumed to increase productivity, like stationing workers at communal bench-style tables and constructing work cubicles with lower dividers. "We don't know if those tactics work," Mr. Koop said. "What we're starting to see is the ability to quantitatively measure things instead of just going by intuition."

State Department issues ITAR advisory opinion on cloud computing (Hogan Lovells, 24 June 2014) - In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called "tokenization" to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took "sufficient means" to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing. The requesting company has posted a redacted version of the advisory opinion here, and the State Department has posted its clarification of the opinion - emphasizing the narrow scope of the opinion and taking issue with the company's initial press release characterizing the opinion - here. Given the agency's public objection to the company's original interpretation of the advisory opinion, exporters that use cloud-based services will need to continue to be very cautious about the storage of ITAR data on cloud-based servers and should consider seeking guidance from the State Department on these issues. [ Polley : Roland Trope spotted this caveat in the advisory opinion: "The advisory opinion is not intended to imply that 'sufficient means' to accomplish the requisite assurance levels exists today technologically, nor does it suggest that tokenization by itself could achieve that end". Interesting.]

Did the Justices really understand Aereo? (LA Times editorial, 25 June 2014) - In siding with broadcasters against Aereo, a pay-TV service that lets subscribers watch local stations through the Internet, the Supreme Court resorted to a simple principle: If it looks like a duck and walks like a duck, the law should treat it as a duck, no matter what kind of creature it is. But in doing so, the court threw a legal shadow over a slew of other tech-driven companies. Writing for the court's majority, Justice Stephen G. Breyer pooh-poohed the technological distinctions between Aereo and cable TV. But as dissenting Justice Antonin Scalia observed, the majority glossed over a crucial detail: Aereo may be providing the equipment, but its customers are the ones transmitting the programs. By shifting responsibility for those transmissions to Aereo because it "looks like cable," Scalia wrote, the court threw into doubt a long-settled principle that technology providers don't violate copyrights just by enabling others to do so.

Over NSA worries, Germany ends government contract with Verizon (ArsTechnica, 26 June 2014) - Germany has opted not to renew its government contract with Verizon, citing concerns over spying by the National Security Agency. The contract will expire in 2015, and the move marks a rare concrete step from Berlin following the October 2013 revelations that the NSA was spying on Chancellor Angela Merkel. In a German-language statement (Google Translate) posted to the Ministry of the Interior's website, Berlin noted that it needs "an infrastructure with an increased level of security." Verizon has maintained the contract since 2010. "There are indications that Verizon is legally required to provide certain things to the NSA, and that's one of the reasons the cooperation with Verizon won't continue," Interior Ministry spokesman Tobias Plate told reporters, according to the Associated Press.

Law firms' own employees are among the major cyberthreats to be protected against (ABA Journal, 1 July 2014) - Law firms face an array of cyberthreats from foreign governments, competitors and hackers. And then there's the threat that has always existed in the offline world, but has migrated online: inside jobs-or what cybersecurity experts call extrusion. That threat comes from firm employees who may be disgruntled or who want to make a quick buck from selling private information. While there's no such thing as 100 percent protection against extrusion, to guard against it experts recommend tight background checks, formal written policies, perpetual vigilance, appropriate attention to technical considerations, and striking a balance between security and usability of the firm's files and data. While inside jobs may not be common, they do happen, says Edwin Reeser, an Altadena, California, sole practitioner who writes about law management issues. To start with, firms must perform background reviews and make judgments about a potential employee's reliability during the hiring process, says Alan Charles Raul, a Washington, D.C., partner at Sidley Austin and author of a chapter in The ABA Cybersecurity Handbook. "You need intake scrutiny," he says. Writing and disseminating formal policies helps ensure that honest personnel know to be aware of and report any suspicious activity, Raul says. Those policies should make clear that firms have the right to monitor their networks to enforce compliance and prevent wrongdoing, and that no expectation of privacy should exist in the use of the firm's network. "The formal, written policies are not necessarily going to deter the renegade," he says. "But by sensitizing all the honest employees, you do make the environment less hospitable for dishonest employees." [ Polley : I was co-editor of the mentioned Handbook, which is an ABA best-seller. 
The ABA is about to launch a follow-on cybersecurity curriculum for lawyers and law firms.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

"Digital Evidence and the New Criminal Procedure" - 10 Years Later (Orin Kerr, 27 June 2014) - In Riley v. California, handed down on Wednesday, the Supreme Court blessed the creation of new Fourth Amendment rules to account for the new facts of computer search and seizure. In light of Riley, I hope readers won't mind me reposting an article that I first noted here at the blog a decade ago: Digital Evidence and the New Criminal Procedure, 105 Colum. L. Rev. 279 (2005). When I circulated a draft of this essay in 2004, some colleagues suggested that it was over-the-top to make the grand claim that computers would lead to a new set of criminal procedure rules. Helpful for law review placement, sure. But awfully unlikely to happen. A decade later, thanks to cases like Riley and Ganias, I'm hoping that the article comes off more as prescient than foolish. A bit dated, as a decade is like a century in Internet time. But hopefully more prescient than foolish. The abstract: This essay shows how existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence. It predicts that new rules of criminal procedure will evolve to regulate digital evidence investigations, and offers preliminary thoughts on what those rules should look like and what institutions should generate them. This Essay explores the dynamics of computer crime investigations and the new methods of collecting electronic evidence. It contends that the new dynamics demonstrate the need for procedural doctrines designed specifically to regulate digital evidence collection. The rules should impose some new restrictions on police conduct and repeal other limits with an eye to the new social and technological practices that are common to how we use and misuse computers. Further, the Essay suggests that we should look beyond the judiciary and the Fourth Amendment for the source of these new rules. 
While some changes can and likely will come from the courts, many more can come from legislatures and executive agencies that can offer new and creative approaches not tied directly to our constitutional traditions.

Notebooks to dial up built-in phones (CNET, 18 Feb 2004) -- Toward the end of the year, more people will be talking to their notebooks. Manufacturers plan to start selling notebooks with integrated Voice over Internet Protocol (VoIP) this year and plan later to offer notebooks with built-in cell phone capabilities, Anand Chandrasekher, vice president and general manager of the Intel Mobile Platforms Group, said in an interview. The phone module will also let people review incoming e-mail and calendar information while the notebook remains in sleep state. Thematically, these additional communications features are termed Extended Mobile Access (EMA).

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, June 07, 2014

MIRLN --- 18 May – 7 June 2014 (v17.08)

MIRLN --- 18 May - 7 June 2014 (v17.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | PODCASTS | RESOURCES | LOOKING BACK | NOTES

Agencies need to improve cyber incident response practices - GAO (GAO, April 2014) - From the highlights of a newly released GAO report: Twenty-four major federal agencies did not consistently demonstrate that they are effectively responding to cyber incidents (a security breach of a computerized system and information). Based on a statistical sample of cyber incidents reported in fiscal year 2012, GAO projects that these agencies did not completely document actions taken in response to detected incidents in about 65 percent of cases (with 95 percent confidence that the estimate falls between 58 and 72 percent). For example, agencies identified the scope of an incident in the majority of cases, but frequently did not demonstrate that they had determined the impact of an incident. In addition, agencies did not consistently demonstrate how they had handled other key activities, such as whether preventive actions to prevent the reoccurrence of an incident were taken. Although all 6 selected agencies that GAO reviewed in depth had developed parts of policies, plans, and procedures to guide their incident response activities, their efforts were not comprehensive or fully consistent with federal requirements. In addition, the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) conduct CyberStat reviews, which are intended to help federal agencies improve their information security posture, but the reviews have not addressed agencies' cyber incident response practices. Without complete policies, plans, and procedures, along with appropriate oversight of response activities, agencies face reduced assurance that they can effectively respond to cyber incidents. * * * Although US-CERT receives feedback from agencies to improve its services, it has not yet developed performance measures for evaluating the effectiveness of the assistance it provides to agencies. 
Without results-oriented performance measures, US-CERT will face challenges in ensuring it is effectively assisting federal agencies with preparing for and responding to cyber incidents.

- and -

The SEC's cybersecurity assessment: a roadmap for companies nationwide (Akin Gump, 14 May 2014) - The U.S. Securities & Exchange Commission (SEC) provided cybersecurity guidance to the securities industry in the form of a Risk Alert issued by the SEC's Office of Compliance Inspections and Examinations (OCIE) on April 15, 2014. The guidance, which is neither a rule nor a regulation, outlines a series of questions that the SEC is sending to approximately 50 registered broker-dealers and investment advisers. According to one SEC official, the OCIE decided to issue a Risk Alert and publish the questions in an attempt to encourage widespread diligence on cybersecurity. The Risk Alert notes that it "is intended to empower compliance professionals in the industry with questions and tools they can use to assess their firms' level of preparedness, regardless of whether they are included in OCIE's examinations." Although the Risk Alert applies specifically to the securities industry, the questions will likely serve as a model for companies nationwide and provide a framework for discussing cybersecurity best practices.

Discussion paper: Lawyers professional liability insurance versus cyber liability insurance (Stuart Pattison, May 2014) - Over the last few years, law firms have been making significant investments in network hardware and software for the operation of their business, including the protection of client data. There is now also increased interest by law firms in purchasing Cyber Liability Insurance, primarily in response to increased scrutiny by clients as to what steps they are taking to improve security of data. In some cases, clients will even audit law firms to ensure compliance with their required standards. Buying Cyber Insurance can provide clients comfort that data security issues are being addressed since insurers have an interest in learning what steps are being taken to mitigate the risk for claims that could fall within the terms of the policy. In addition, Cyber Insurance provides a source of recovery in the event the client incurs financial loss due to a data breach emanating from the law firm. A second driver for these investments is reputational risk and the belief by law firms that loss of client confidence could have significant negative consequences. Of course, law firms have always had an ethical obligation to keep their clients' information confidential and secure; indeed it is the cornerstone of the attorney-client relationship and the advent of the internet has not changed those duties. What has changed is the ease by which large amounts of data can be stored, managed and transmitted, and the increased opportunities for third parties to steal information. [ Polley : Interesting paper. Stuart has been involved in the evolution of cyberinsurance-for-lawyers from the very beginning.]

Target, Gap, other retailers join to share cyberthreat data (Computerworld, 15 May 2014) - Some of the biggest U.S. retailers have banded together to share information about cyberthreats, in a bid to avert breaches like that suffered by Target last holiday season. Target, The Gap, Walgreens and J.C. Penney are among the members of the group, which will share real-time threat information with each other and with the Department of Homeland Security, Secret Service, FBI and other "public and private stakeholders," they said Wednesday. They'll share information about new strains of malware, activity on underground forums and potential software vulnerabilities, which they said will be translated into "actionable intelligence." They'll also share anonymized information with the U.S. government. The goal of the organization, called the Retail Cyber Intelligence Sharing Center, or R-CISC, is to help the retailers get out in front of emerging threats. Education and training are part of the program, but the success of the effort hinges on the amount of information retailers can gather and their willingness to share it.

NLRB strikes down disclaimer language in social media policy (McLane, 19 May 2014) - An administrative law judge ("ALJ") writing on behalf of the National Labor Relations Board ("NLRB") reviewed the social media/online communications policy of The Kroger Co. of Michigan, a retail grocery chain, in the context of an unfair labor practices complaint. In the decision issued on April 22, 2014, the ALJ ruled that portions of Kroger's policy were unlawfully broad and in violation of Section 7 of the National Labor Relations Act. What was the offending language? "If you identify yourself as an associate of the Company and publish any work-related information online, you must use this disclaimer: 'The postings on this site are my own and do not necessarily represent the postings, strategies or opinions of The Kroger Co. family of stores.'" In striking down the disclaimer language the ALJ stated that "Given the breadth of online communications to which the rule applies, it would be extremely burdensome to have to post the disclaimer in each instance or on each new page, and this would have a reasonable tendency to chill Section 7 activity in this regard." The Decision itself is worth the read in that it gives startling insight into the reasoning of at least this one ALJ.

You can learn a lot about America from each state's internet search history (Estately.com, 19 May 2014) - America's fifty states have a lot in common, but if their internet search histories are any indication they also have significant differences. Estately ran hundreds of search queries through Google Trends to determine which words, terms, and questions each state was searching for more than any other. The results ranged from mildly amusing to completely disturbing. No doubt this information will come in handy for anyone trying to decide which state they want to buy a home in, especially for those curious how their potential neighbors spend their time online. The results on the map above are just the tip of the online search iceberg. Check out what other search queries each state performed more of than any other in the list below… [ Polley : Spotted by MIRLN reader Elizabeth Polley = @ebpolley]

PTO: Business method patent in 100 days (Patently-O, 19 May 2014) - A couple of weeks ago, the USPTO issued U.S. Patent No. 8,712,797 to the drug-price-shopping company named GoodRX. The patent appears to be a typical business-method type invention based on the idea that automated internet communications can help solve consumer information problems. Here, the basics are to obtain a price list from two different pharmacy benefit managers and then display "at least a portion" of those prices through a user interface. What is unusual is that the patent issued only 98 days after its filing date. The notice-of-allowance was mailed 44 days after filing. (Note - this is not a continuation or divisional but it does claim priority to a provisional application.) The application included a track-one request ($2,000 for small entity) filed by Knobbe. This is an incredibly short timeline for issuing a broad business-method patent that is very likely invalid.

Car-hacking goes viral in London (Forbes, 20 May 2014) - The days when thieves used clothes hangers to break into cars may soon be a thing of the past. Nearly half the 89,000 vehicles broken into in London last year were hacked with electronic gadgets, according to London's Metropolitan Police. The hackers appear to be targeting higher-end cars, which commonly have more than 50 low-powered computers installed on board. "Car crime is no longer the preserve of the opportunist but a more targeted activity towards prestige brands which are stolen to order," said Andrew Smith, managing director at Cobra UK. Thieves are hacking into these on-board computers using cell-phone-sized electronic devices originally designed for locksmiths. One of the most prevalent of these devices can trick a car - "spoofing" - into thinking the owner's electronic key is present by using radio transmitters that intercept key signals. Another type of hacking device can gain access to a car's on-board diagnostic unit remotely, which allows thieves to program a blank key to control the engine control unit. The whole operation takes less than 10 seconds. The devices can apparently be purchased on the internet, primarily from websites located in Bulgaria, according to Sky News. Video tutorials for using the device are also available online.

Schneier on hoarding v. patching vulnerabilities (Jack Goldsmith in Lawfare, 20 May 2014) - Bruce Schneier has a very good piece on whether the USG should "stockpile Internet vulnerabilities or disclose and fix them." Part of his answer: If vulnerabilities are sparse, then it's obvious that every vulnerability we find and fix improves security. We render a vulnerability unusable, even if the Chinese government already knows about it. We make it impossible for criminals to find and use it. We improve the general security of our software, because we can find and fix most of the vulnerabilities. If vulnerabilities are plentiful-and this seems to be true-the ones the U.S. finds and the ones the Chinese find will largely be different. This means that patching the vulnerabilities we find won't make it appreciably harder for criminals to find the next one. We don't really improve general software security by disclosing and patching unknown vulnerabilities, because the percentage we find and fix is small compared to the total number that are out there. But while vulnerabilities are plentiful, they're not uniformly distributed. There are easier-to-find ones, and harder-to-find ones. Tools that automatically find and fix entire classes of vulnerabilities, and coding practices that eliminate many easy-to-find ones, greatly improve software security. And when one person finds a vulnerability, it is likely that another person soon will, or recently has, found the same vulnerability. Heartbleed, for example, remained undiscovered for two years, and then two independent researchers discovered it within two days of each other. This is why it is important for the government to err on the side of disclosing and fixing.

California urges websites to disclose online tracking (NYT, 21 May 2014) - Every major Internet browser has a feature that lets you tell a website that you don't want it to collect personal information about you when you visit. And virtually every website ignores those requests. Tracking your online activities - and using that data to tailor marketing pitches - is central to how Internet companies make money. Now California's attorney general, Kamala D. Harris, wants every site to tell you - in clear language - if and how it is respecting your privacy preferences. The guidelines, published on Wednesday, are intended to help companies comply with a new state privacy law that went into effect on Jan. 1. That law requires sites to prominently disclose all their privacy practices, including how they respond to "do not track" requests. The California guidelines for the Jan. 1 privacy law are voluntary. Other efforts to establish more binding privacy protections - either through federal or state laws or through industry self-regulation - have failed to win enough support to pass. Jeff Rabkin, special assistant attorney general on technology and privacy matters, said that Ms. Harris's office would review companies' privacy policies and work with them to make sure they followed the new law. Those who don't comply will receive 30-day warnings before facing potential litigation from the state.

US companies hacked by Chinese didn't tell investors (Bloomberg, 21 May 2014) - Three U.S. public companies identified as Chinese hacking victims didn't report the theft of trade secrets and other data to investors, despite rules designed to disclose significant events. Two of the companies -- aluminum maker Alcoa Inc. (AA) and metals supplier Allegheny Technologies Inc. (ATI) -- said the thefts weren't "material" to their businesses and therefore don't have to be disclosed under Securities and Exchange Commission rules designed to give investors information that may affect share prices. "The question is would an investor have cared if Chinese hackers broke into a company and were messing around the place?" Jacob Olcott, a principal focusing on cybersecurity at Good Harbor Security Risk Management LLC in Washington, said in a phone interview. "As an investor, show me the evidence that you reviewed this thoroughly." Scott Kimpel, a lawyer who previously worked on disclosure rules as a member of the SEC's executive staff, said there is "a gray area where a lot of the companies are not perfectly clear on what they should be disclosing." [Polley: In early 2011 at least one oilfield company also decided that a cyberattack wasn't "material" - see Exxon, Shell, BP Said to Have Been Hacked Through Chinese Internet Servers in MIRLN 14.03]

- and -

Investors couldn't care less about data breaches (Bloomberg, 23 May 2014) - On May 21, EBay revealed that it had suffered a cyber attack and data security breach, and users' information-names, account passwords, e-mail addresses, physical addresses, phone numbers, and birth dates-was exposed to hackers. While security experts, the news media, and actual EBay users may have all been alarmed, the stock investors weren't. EBay's stock finished trading virtually unchanged that day, dropping all of 8 pennies to $51.88. That's been the trend among companies that have suffered cyber attacks-the stock market practically ignores them. Consider Target and its own well-publicized data breach that happened back in December. Target's stock didn't really move at all. Investors sent a clear message they didn't care. The stock fell several weeks later, in January, only after the company cut its earnings forecast. Even so, the stock rebounded in the next six weeks. Target shares have been falling since last year, for a lot of reasons unrelated to the data breach. Poonam Goyal, an analyst for Bloomberg Industries, says: "There is softness in the industry. Lower-income customers are struggling, and you're seeing weakness with competitors like Wal-Mart and other department stores." She also points out that Target isn't the hot company it was a few years ago, as a lot of other companies have adjusted their tactics-focusing on price, rotating smart designers, and being a haven for treasure hunters. "Target was different before, but what about now?" In addition, its Canadian expansion "has a long, long way to go. They have issues in consumer perception there." Goyal's analysis suggests Target would have been under pressure-regardless of the data breach. Compare that with T.J.Maxx, which had a data breach affecting 94 million customers in 2007. Its stock similarly dropped about 12 percent in two months, only to completely recover a couple of months later. 
In fact, that bottoming out turned out to be a great buying opportunity in the stock. There was no long-term damage to the company's fortunes-in the years following, share prices surged to five times the pre-breach levels. Another big company with a recent problem was JPMorgan Chase, which revealed in December that 465,000 customers were at risk of having their data compromised. Despite being such a large number in absolute terms, it only represented 2 percent of the 25 million who had that particular UCard product-barely enough to move the needle on the overall business or reputation of the bank. Not surprisingly, JPM stock was back to flat in two weeks. Adobe Systems announced a data breach in October that affected 38 million users-including 3 million encrypted customer credit card records. The stock kept moving like nothing happened. It was at $52 then, and now it's at $62. Punishment? No.

- contra view -

Cybersecurity securities class actions are coming: predictions, analysis, and practical guidance (Lane Powell, 20 May 2014) - Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches. I plan to update my thoughts later this year, after we see developments in the recently filed Target and Wyndham derivative actions, and learn the results of the 2014 installment of Carnegie Mellon's bi-annual CyLab Governance of Enterprise Security Survey, which explores oversight of cybersecurity by boards of directors and senior management. In this post, I'd like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches. In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action. But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies' business models. When the market is better able to analyze these matters, there will be stock drops. When there are stock drops, the plaintiffs' bar will be there. And when plaintiffs' lawyers arrive, what will they find? They will find companies grappling with cybersecurity disclosure. Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC's October 13, 2011 "CF Disclosure Guidance: Topic No. 2" ("Guidance") and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Senator Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014. But, as the SEC noted in the Guidance, and Chair White reiterated in October 2013, the Guidance does not define companies' disclosure obligations. Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures. * * *

Gates: French cyber spies stealing U.S. technology (Politico, 22 May 2014) - Washington made clear this week that China is America's biggest cyber nemesis, at least in terms of the theft of U.S. intellectual property. So who's next? Not Russia, nor North Korea, according to former Defense Secretary Robert Gates. It's France - one of America's closest allies. "There are probably a dozen or 15 countries that steal our technology in this way," Gates said in an interview the Council on Foreign Relations posted online Thursday. "In terms of the most capable, next to the Chinese, are the French - and they've been doing it a long time." "For years," Gates said, "French intelligence services have been breaking into the hotel rooms of American businessmen and surreptitiously downloading their laptops, if they felt those laptops had technological information or competitive information that would be useful for French companies." But the U.S. government doesn't do that kind of thing, Gates said, although he acknowledged that "it's hard for people to believe this. You'll have to take my word for it. We are nearly alone in the world in not using our intelligence services for competitive advantage for our businesses."

Disney decides to 'Let It Go' when it comes to copyright infringement (InsideCounsel, 23 May 2014) - If you have kids - or a pair of ears, I suppose - you have likely heard the infectious song "Let It Go" from the mega-hit movie "Frozen." The animated movie, based on the Hans Christian Andersen tale "The Snow Queen," has won Academy Awards, raked in hundreds of billions of dollars worldwide, and sent toes-a-tappin' with an Oscar-winning song. These days, though, whenever something in popular culture is well known, it becomes fuel for the content creation fire. People from all over the world have taken copyrighted content from "Frozen," like the hit song, and posted images and videos that infringe on Disney's intellectual property. On YouTube, one can find versions of "Let It Go" that are sing-alongs, mashups, covers and parodies. Some of these videos have racked up millions of pageviews. So, why isn't the Mouse House apoplectic over the clear infringement of its intellectual property? There was a time when Disney's leadership viewed YouTube as an opportunity for fans to engage in mass piracy. Disney's own efforts to establish an online presence have been lukewarm until recently. In March of this year, it purchased Maker Studios, a company that produces YouTube videos, tapping into amateur creators to provide content. This acceptance of the popularity of fan-created content as a way to expand the brand and engage fans does not mean that Disney's position on copyright infringement has softened completely. The company has fought to extend the copyright of its most iconic creation, Mickey Mouse, lobbying Congress to extend the copyright protection period another 20 years.

The NYTimes innovation report and higher ed (InsideHigherEd, 26 May 2014) - Perhaps the most important document that we should read and discuss on campus says nothing at all about higher ed. It is the leaked 96-page New York Times Innovation report, called Strengthening Our Newsroom: Digital First, written by 10 Times employees. From what I can tell the Times has not published the report on its website, or released it in an easy-to-read e-book format. This is a shame, as the report demonstrates a company culture that is secure and resilient enough to critique its own organizational structure and honest enough to own up to some critical weaknesses and shortcomings. Releasing the report would have been the smartest thing to do in the face of the Jill Abramson firing and the leadership shuffle at the paper. The authors of the report argue that the Times is failing in its mission to serve its readers because it has not embraced the potential of digital platforms; that the print-first culture and organizational structure at the Times has resulted in digital journalism being a "bolt on" to a paper-driven organizational structure; and that the world's best journalism is only one part of the equation, as journalism that does not reach a critical mass of citizens, due to a failure to embrace digital platforms and to practice best digital practices, will ultimately have little positive social impact. We can argue about both the diagnosis and the recommendations found in the Times Innovation Report.

Laying out the role of the computer forensics neutral expert (InsideCounsel, 27 May 2014) - When discovery in litigation involves the inspection of computer systems, setting out reasonable and effective protocols often involves a neutral expert in computer evidence. Working for the court, oftentimes at the direction of a special master, the neutral expert will engage with both parties, and often with computer forensics experts, to craft a reasonable inspection protocol. The challenge is to achieve consensus on the approach to preserving, performing analysis and review, and then producing relevant data. Protecting the producing party's privacy/privilege while identifying only data that is responsive to the inspection demand must be balanced with the requesting party's goal of finding all relevant evidence. Considering technology, discovery and forensic tools, and any agreements by the parties, the neutral expert must propose or assist with crafting an inspection protocol the parties to the litigation can agree to. Depending on the type of litigation, a company's most sensitive data may be at issue and subject to discovery. Adequate review is hindered if full access to the relevant sources of data is not provided. Establishing the provenance of important documents, examining versions of source code, recovering evidence of the use of external media or the transfer of proprietary data can only be accomplished through the proper preservation and analysis of the right data sources. Conference calls to meet and confer to identify relevant sources and confirm preservation are crucial early in the inspection process. The neutral expert can work with the party's IT administrators or consulting computer forensics expert(s) to map the sources of potentially relevant data. The potential evidence sought may inform what type of analysis is relevant. Some issues will involve common data sources, such as laptop and desktop user computers, email and shared network data. 
Other issues may require the examination of other sources of data, such as client relationship management (CRM) data or a source code revision control system. Whether the issue in the litigation involves allegations stemming from the use of a former employer's client list or the alleged theft of IP, the neutral expert may need to take into account these additional data sources and prepare a reasonable review protocol. In cases involving the review and production of sensitive data, the consulting and neutral experts sometimes need to come up with a more elaborate protocol to address all the parties' concerns. On a number of occasions, setting up a "clean room" with restricted access, no outside network connectivity and computer workstations for experts from both sides has been necessary. Protocols for the review and identification of relevant data are established. Procedures for turning over responsive data and the work product of subject matter experts are also spelled out. In these cases, the neutral expert will facilitate the work of other experts and the production of data among the parties.

Advisory group opposes re-election of most of Target's board (NYT, 28 May 2014) - An influential shareholder advisory group said that most of Target's board did not deserve to be re-elected, directly linking what it said was a lack of adequate oversight by the board to the extensive breach of customer data late last year. The move was unusual for the advisory group, Institutional Shareholder Services, which said that seven of Target's 10 board members deserved to be voted against. An I.S.S. spokesman said that so far this year, the firm has recommended shareholders vote against the majority of board members only 11 times - out of 421 companies it has assessed in the Standard & Poor's 500-stock index. In outlining its reasons this week for seeking to overturn much of the board's composition, I.S.S. said that members of the board's audit committee and corporate responsibility committees had failed to provide adequate risk oversight, and that changes the committees made since the breach were "largely reactionary in nature." "The data breach revealed that the company was inadequately prepared for the significant risks of doing business in today's electronic commerce environment," the I.S.S. report said. "It appears that failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders." On Wednesday, Target called risk oversight "a full board responsibility," rather than the purview of just a few members. It also defended its data security standards before its system was breached - despite the fact that many experts have said the company failed to put in place certain important security measures, and even ignored the warnings of its own security system during the breach.

- and -

Target gives a defense of its efforts on security (NYT, 2 June 2014) - In advance of next week's annual shareholders' meeting, Target on Monday defended its management and oversight of customer data despite the extensive hacking it experienced last year. In a letter to shareholders filed with the Securities and Exchange Commission, Roxanne Austin, the interim chairwoman of Target's board, listed steps the company had taken toward increasing information security since the breach last year, and she described the security apparatus in place before the attack. "Breaches are occurring across the economy and are affecting a wide range of victims including the U.S. government, the technology and defense industries and more traditional companies, like retailers," the letter said. "Your board fully recognizes the importance of its oversight responsibilities in this area. Under the board's leadership and oversight, Target took significant action to address evolving cybercrime risks before the breach."

- and -

US companies seek cyber experts for top jobs, board seats (Reuters, 30 May 2014) - Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats. JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter. While a CISO typically reports to a company's chief information officer (CIO), some of the hiring discussions now involve giving them a direct line to the chief executive and the board, consultants and executives said. "The trend that we are seeing is that organizations are elevating the position of the CISO to be a peer of the CIO and having equal voice associated with resource priorities and risk decisions," said Barry Hensley, executive director at Dell SecureWorks' Counter Threat Unit. As companies look for CISOs, many boards are seeking directors with technology know-how so that they can better understand cyber risks. Matt Aiello, co-head of the cyber practice at Heidrick & Struggles, said he is seeing "unprecedented" demand for CIOs to serve on boards. "Boards don't feel they have the right expertise to draw upon. It is not that they don't understand it is a risk; they don't want to blunder uninformed into it," said David DiBari, managing partner at the law firm Clifford Chance in Washington.

Cybercrime is on the rise, survey says (LA Daily News, 28 May 2014) - The hackers are winning, according to a survey of 500 executives of U.S. businesses, law enforcement services and government agencies released Wednesday. The 12th annual survey of cybercrime trends found that online attackers determined to break into computers, steal information and interfere with business are more technologically advanced than those trying to stop them. The survey was co-sponsored by San Jose, California-based business consulting firm PwC, the U.S. Secret Service, the CERT Division of Carnegie Mellon University's Software Engineering Institute and CSO security news magazine. Three out of four respondents said they had detected a security breach in the past year, and the average number of security intrusions was 135 per organization, the survey found. "Despite substantial investments in cybersecurity technologies, cyber criminals continue to find ways to circumvent these technologies in order to obtain sensitive information that they can monetize," Ed Lowery, who heads the U.S. Secret Service's criminal investigative division, said in a written statement. Lowery said companies and the government need to take "a radically different approach to cybersecurity," which goes beyond antivirus software, training employees, working closely with contractors and setting up tighter processes. The top five cyberattack methods reported in the survey were malware, phishing, network interruption, spyware and denial-of-service attacks. And 28 percent of respondents said the attackers were insiders, either contractors or current and former employees or service providers, according to the survey.

BYOD? No problem. (InsideHigherEd, 29 May 2014) - Forget the device -- protect the data. That's the core of Temple University's new data policy, which some chief information officers are praising for emphasizing security in the bring-your-own-device era. "All members of the University community have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored or used by the University, irrespective of the medium on which the data resides and regardless of format (e.g., in electronic, paper or other physical form)," the policy, enacted this January, reads. At Temple, IT officers are less concerned with protecting the myriad devices on campus than the data they access. The policy splits data into three categories -- unrestricted, sensitive and confidential, designated by green, yellow and red lights -- and creates a set of protocols to ensure the information is accessed responsibly based on its classification. Larry Brandolph, chief information security officer and an associate vice president at Temple, said the policy change was brought on by a rush of faculty members, researchers and staffers asking which cloud services they could use for which purposes. "We started looking at this saying, 'Where should people really be allowed to store data?'" Brandolph said. "Then it became more of a conversation not about where to store data, but what type of data we can store where."

Disconnect? File-sharing security survey highlights (Attorney at Work, 29 May 2014) - It's no surprise that small firms are the most vulnerable when it comes to online risk. Less time, less money and less staff to keep abreast of threats. What's surprising, though, is how little law firms do to protect clients' privileged information when collaborating electronically. Recently released results from the LexisNexis Law Firm File Sharing in 2014 survey show that despite a growing awareness of new collaboration tools - along with the dangers of compromising client data - there is a real "disconnect" between security fears and the measures law firms actually take to secure confidential information. The smaller the firm, the more vulnerable - or lax. "Law firms are caught in a bit of a bind because their clients demand a simple way to collaborate, but the risks, as this survey found, are exceptionally high," says Christopher T. Anderson, Sr. Product Manager with LexisNexis.

Public.resource.org sued (again) for publication of a document incorporated into federal regulations (TechDirt, 29 May 2014) - Carl Malamud's project -- the freeing of laws, codes and regulations via Public Resource -- has seen him and his site sued multiple times for copyright infringement. This includes lawsuits brought by state governments who somehow believe state laws can't be distributed without their permission. Other entities, like air conditioning contractors and sheet metal manufacturers, have also gone to court to defend their "right" to keep rules and regulations that impact millions of Americans safely locked up behind high-priced paywalls. Malamud's response has been to point out that a) state laws shouldn't be locked up, even the annotated versions stocked by LexisNexis, and b) federally mandated standards that apply to contractors shouldn't be either, even if those creating the documents are commercial enterprises. In the latter case, federal mandates make these documents of public interest, seeing as they apply to millions of Americans, even if somewhat more indirectly. Now, Malamud is being sued by the three organizations (two of which are nonprofits) behind the "Standards for Educational and Psychological Testing." Here's what these standards are designed to do, according to the filing: The Standards are designed to apply to professional test developers, sponsors, publishers, and users by providing criteria for the evaluation of tests, testing practices, and the effects of test use. The Standards have been used to develop testing guidelines for such activities as college admissions, personnel selection, test translations, test user qualifications, and computer-based testing.

- and -

Who owns the law? Technology reignites the war over just how public documents should be (ABA Journal, 1 June 2014) - These days the smallest and most exclusive piece of real estate in Washington, D.C., is the sliver of common ground that exists between congressional Democrats and Republicans. But during a January hearing before the U.S. House of Representatives Judiciary Committee on the scope of copyright protection laws, Democrats and Republicans were in broad agreement on an issue that was seemingly settled long ago: No one can own the law. But technology and a growing privatization of the law-making process have stirred up the debate once again. Huge amounts of formerly stored-in-print material-including laws, court and administrative rulings, and regulations from governments, standards bodies and myriad other organizations-are now digitized, which means printing costs and access issues should be minimal. Many of these documents are legally enforceable; some are standards that are legally binding; and others provide information that would normally be publicly available, though in the past you might have had to go to a clerk's office or library and pay for copies. But the end of print and ink does not mean the end of all costs. And the debate has divided those who call for free access for all in all cases and the legal research firms (established and startup) who say legal documents can be misleading or meaningless without the context, organization and analysis that someone has to be paid to provide. These issues have set off battles between legal information giants like West and LexisNexis and upstart competitors seeking access to court records. And they have inspired lawsuits, including a fight between three professional standards organizations and one crusader for free access to public information. Sitting at the witness table at the House committee meeting was that crusader, Carl Malamud. He is an open-source activist and the founder of Public.Resource.org. His group is funded through donations and grants, and it recently turned to crowdfunding through Kickstarter to support the conversion of 28,040 public safety standards into HTML files. Malamud was on hand to detail the latest skirmishes in his 20-year fight for free and open access to the law.

Quantifying privacy: A week of location data may be an 'unreasonable search' (NYT, 31 May 2014) - When does the simple digital tracking of your location and movements - the GPS bleeps from most of our smartphones - start to be truly revealing? When do the data points and inferences that can be drawn from it strongly suggest, say, trips to a psychiatrist, a mosque, an abortion clinic, a strip club or an AIDS treatment center? The answer, according to a new research paper, is about a week, when the data portrait of a person becomes sufficiently detailed to qualify as an "unreasonable search" and a potential violation of an individual's Fourth Amendment rights. The research paper, a collaboration of computer scientists and lawyers, wades into the debate over the legal and policing implications of modern data collection and analysis technology. It explores what in legal circles is called the "mosaic theory" of the Fourth Amendment, which essentially states that when linked and analyzed by software, a much richer picture emerges from combined information than from discrete data points. "It's not the direct observation," said Steven M. Bellovin, one of the paper's co-authors and a computer science professor at Columbia University, a computer security and privacy expert and a former chief technologist of the Federal Trade Commission. "It's what can be inferred." The 74-page paper, "When Enough Is Enough: Location Tracking, Mosaic Theory, and Machine Learning," has been published in the current edition of the New York University Journal of Law and Liberty. Its co-authors, in addition to Mr. Bellovin, are: Renee M. Hutchins, an associate professor at the University of Maryland Carey School of Law; Tony Jebara, an associate professor of computer science at Columbia, and a machine learning expert; and Sebastian Zimmeck, a Ph.D. candidate in computer science at Columbia, who is also a lawyer.
[Polley: "mosaic" authority Orin Kerr offers this response: No, machine learning doesn't resolve how the mosaic theory applies (Volokh Conspiracy, 3 June 2014)]

NSA collecting millions of faces from web images (NYT, 31 May 2014) - The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents. The spy agency's reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency intercepts "millions of images per day" - including about 55,000 "facial recognition quality images" - which translate into "tremendous untapped potential," according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show. It is not clear how many people around the world, and how many Americans, might have been caught up in the effort. Neither federal privacy laws nor the nation's surveillance laws provide specific protections for facial images. Because the agency considers images a form of communications content, the N.S.A. would be required to get court approval for imagery of Americans collected through its surveillance programs, just as it must to read their emails or eavesdrop on their phone conversations, according to an N.S.A. spokeswoman. Cross-border communications in which an American might be emailing or texting an image to someone targeted by the agency overseas could be excepted. Vanee M. Vines, the agency spokeswoman * * * added that the N.S.A. did not have access to photographs in state databases of driver's licenses or to passport photos of Americans, while declining to say whether the agency had access to the State Department database of photos of foreign visa applicants. She also declined to say whether the N.S.A. collected facial imagery of Americans from Facebook and other social media through means other than communications intercepts. The N.S.A. achieved a technical breakthrough in 2010 when analysts first matched images collected separately in two databases - one in a huge N.S.A. database code-named Pinwale, and another in the government's main terrorist watch list database, known as Tide - according to N.S.A. documents. That ability to cross-reference images has led to an explosion of analytical uses inside the agency. The agency has created teams of "identity intelligence" analysts who work to combine the facial images with other records about individuals to develop comprehensive portraits of intelligence targets. The agency has developed sophisticated ways to integrate facial recognition programs with a wide range of other databases. It intercepts video teleconferences to obtain facial imagery, gathers airline passenger data and collects photographs from national identity card databases created by foreign countries, the documents show. They also note that the N.S.A. was attempting to gain access to such databases in Pakistan, Saudi Arabia and Iran. The documents suggest that the agency has considered getting access to iris scans through its phone and email surveillance programs. But asked whether the agency is now doing so, officials declined to comment. The documents also indicate that the N.S.A. collects iris scans of foreigners through other means. The N.S.A. can now compare spy satellite photographs with intercepted personal photographs taken outdoors to determine the location. One document shows what appear to be vacation photographs of several men standing near a small waterfront dock in 2011. It matches their surroundings to a spy satellite image of the same dock taken about the same time, located at what the document describes as a militant training facility in Pakistan.

- and -

India's big brother project (Boston Review, 19 May 2014) - India's Unique Identity (UID) project is already the world's largest biometrics identity program, and it is still growing. Almost 600 million people have been registered in the project database, which collects all ten fingerprints, iris scans of both eyes, a photograph, and demographic information for each registrant. Supporters of the project tout the UID, which is run by a government agency, as a societal game changer. The extensive biometric information collected, they argue, will establish the uniqueness of each individual, eliminate fraud, and provide the identity infrastructure needed to develop solutions for a range of problems. Detractors see these claims as hype, pointing out that despite the potential benefits, critical concerns remain about the UID's legal and physical architecture as well as about unforeseen risks associated with the linking and analysis of personal data.

Who has your back? Protecting your data from government requests (EFF, June 2014) - In this fourth-annual report, EFF examines the publicly-available policies of major Internet companies-including Internet service providers, email providers, mobile communications tools, telecommunications companies, cloud storage providers, location-based services, blogging platforms, and social networking sites-to assess whether they publicly commit to standing with users when the government seeks access to user data. The purpose of this report is to allow users to make informed decisions about the companies with whom they do business. It is also designed to incentivize companies to adopt best practices, be transparent about how data flows to the government, and to take a stand for their users' privacy in Congress and in the courts whenever it is possible to do so. Full report here. Reports for 2011, 2012, and 2013.

Here's the first US Ambassador to take the oath of office on an e-reader (Business Insider, 2 June 2014) - Suzi LeVine, the new U.S. Ambassador to Switzerland and Liechtenstein, became the first ambassador to take the oath of office on an e-reader last week. The State Department released on Monday a photo of LeVine's swearing-in ceremony, during which she took the oath of office on a copy of the U.S. Constitution displayed on an e-reader. The State Department said LeVine chose to take the oath of office on an e-reader. She was sworn in by Vice President Joe Biden during a White House ceremony.

FCC comment page buckles to its knees after John Oliver asks everyone to comment (TechDirt, 3 June 2014) - On Monday morning, we wrote about John Oliver's brilliant report on net neutrality, which ended with a stirring "call to action" for internet commenters to tell the FCC why it should preserve a free and open internet. Many of our commenters noted that the FCC comment page that Oliver pointed to, FCC.gov/comments, appeared to be down for most of the day, either suggesting wonderful irony or that Oliver's call to action has been monumentally successful. The FCC has put up some tweets in which it apologizes for technical difficulties, without explaining why they were occurring beyond "heavy traffic." Some of us quickly speculated that the two things were related, while some publications have simply assumed without question that it was Oliver's pleas that brought the system down. To some extent I hope that's the case, though I do fear a bit the kinds of comments people might be leaving. Either way, the irony of the FCC having trouble under heavy loads concerning net neutrality was not lost on many people, who didn't miss the opportunity to tweet some replies mocking the whole net neutrality proposal. [ Polley : If you haven't seen it, watch the 13-minute Oliver clip - before it gets taken down. Substantive and funny - fabulous!]

DMLP announcement: A new report on media credentialing in the United States (Berkman's DMLP, 3 June 2014) - The Digital Media Law Project at Harvard University's Berkman Center for Internet & Society and the Journalist's Resource project at Harvard's Shorenstein Center on Media, Politics and Public Policy are pleased to release a new report: Who Gets a Press Pass? Media Credentialing Practices in the United States. Media credentials have long played a critical role in newsgathering in the United States, allowing journalists to gain special access to places and events denied to the general public. There are, however, many inconsistencies among regulatory standards for the issuance of credentials, and many circumstances where the decision of whether and how to issue credentials is left up to individual agencies with no regulatory guidance at all. Moreover, upheaval in the journalism industry has introduced new actors in the journalism ecosystem, complicating decisions by government agencies and private gatekeepers about who should be entitled to special access. Who Gets a Press Pass? presents a first-of-its-kind analysis of this complex environment, exploring media credentialing practices in the United States through a nationwide survey of more than 1,300 newsgatherers.

NOTED PODCASTS

Apocalyptic Planet: field guide to the everending Earth (Craig Childs at the Long Now Foundation, July 2013; 90 minutes) - "This Earth is a story teller," Childs began. "And it is not a stable place to live. It is always ending. We think of endings as sudden, but it is always a process." For his book Apocalyptic Planet he sought out some of the world's most terminal-feeling places, where everything is reduced to fundamental elements in total upheaval or total stasis, and a visitor is overwhelmed by the scale and power of a planet going about its planetary business. [ Polley : this has nothing to do with the law, or IT. But it's staggering in scope and language and experience. Well worth your time.]

RESOURCES

Sexting, Social Media, and the Law (MLPB, 20 May 2014) - JoAnne Sweeny, University of Louisville School of Law has published Sexting and Freedom of Expression: A Comparative Approach in volume 102 of the Kentucky Law Journal (2013/2014). Here is the abstract: According to a recent poll, one in four American teens could be legally labeled a child pornographer. Nearly thirty percent of teens in this poll admitted to engaging in "sexting," which may expose them to criminal prosecution under existing child pornography laws. "Sexting" is the modern term given to "the practice of sending or posting sexually suggestive text messages and images, including nude or semi-nude photographs, via cellular telephones or over the Internet." It is an increasingly popular practice in the United States and abroad and, according to current child pornography laws, can result in teens serving long prison sentences and having to register as sex offenders. Download the text from SSRN at the link.

Copyright and Privacy (MLPB, 30 May 2014) - Pamela Samuelson, University of California, Berkeley, School of Law, is publishing Protecting Privacy Through Copyright Law? in Visions of Privacy in the Modern Age (Marc Rotenberg, ed.; 2014). Here is the abstract: A quartet of recent copyright cases have extended protection to privacy and other personal interests of individuals depicted in copyrighted works. Victims of so-called revenge porn are also relying on copyright to protect their privacy interests. This short essay revisits the seminal Warren and Brandeis article on "The Right to Privacy," which relied heavily on copyright cases to support the notion that privacy interests were and should be legally protectable. It asks whether Warren and Brandeis would have approved of this renewed direction for copyright law.

Framing the Law & Policy Picture: A Snapshot of K-12 Cloud-Based Ed Tech & Student Privacy in Early 2014 (Harvard, 3 June 2014) - Abstract: A growing number of primary and secondary (K-12) school systems nationwide are adopting cloud-based educational technologies ("ed tech"), tools which "enable the transition of computing resources-including information processing, collection, storage, and analysis-away from localized systems (i.e., on an end user's desktop or laptop computer) to shared, remote systems (i.e., on servers located at a data center away from the end user accessible through a network)" in the course of educational and/or academic administrative work. Cloud-based ed tech possesses unique innovative potential that can best be unlocked when the opportunities it presents are considered alongside the importance of protecting student privacy. This paper, building upon findings of the ongoing Student Privacy Initiative under the auspices of the Berkman Center for Internet & Society at Harvard University, provides a snapshot of key aspects of a diverse-and heated-law, policy, and implementation debate that is taking place in the rapidly evolving cloud-based ed tech landscape. It aims to provide policy and decision-makers at the school district, local government, state government, and federal government levels with greater information about and clarity around the avenues available to them in evaluating privacy options. This analysis focuses on three overarching questions: who in the educational system should make cloud-based ed tech decisions; when is parental consent needed for the adoption of these technologies; and how can data transferred, stored, and analyzed through these products be kept secure and, as necessary, de-identified?

A beginner's guide to Bitcoin (Boing Boing, 4 June 2014) - Bitcoin is a peer-to-peer network, a set of protocols (standards for interoperability), client interfaces (called wallets) and a currency that operates on top of all of those technologies. The bitcoin system allows any person to send or receive a fraction of a bitcoin (the currency unit) to another person, anywhere in the world. The bitcoin system operates on the Internet without the need for banks or bank accounts and allows people to send money like they send email. * * * [ Polley : useful explication, spotted by MIRLN reader Mike McGuire]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

A move to block Gmail service (Wired, 13 April 2004) -- A California state senator said Monday that she was drafting legislation to block Google's free e-mail service, Gmail, because it would place advertising in personal messages after searching them for keywords. "We think it's an absolute invasion of privacy. It's like having a massive billboard in the middle of your home," said Sen. Liz Figueroa (D-Fremont). "We are asking them to rethink the whole product." In late March, the world's leading Web search company announced plans to launch Gmail -- a service that would offer users 1 GB of free storage, more than 100 times the storage offered by other free services from Yahoo and Microsoft. But in return for the extra storage, users would agree to let Google's technology scan their incoming e-mail, then deliver targeted ads based on keywords in the messages. For instance, a user receiving a message about a friend's flu symptoms might also receive ads for cold and flu remedies. Gmail is now being tested with a limited number of users. Privacy advocates are assailing Gmail even before its formal launch. Google faces heavy opposition in Europe, where privacy laws are stricter than they are in the United States.

A quiet revolt puts costly journals on web (New York Times, 26 June 2004) - When Dr. Miguel Nicolelis, a neurobiologist at Duke University, decided to release a groundbreaking study in an upstart online journal, his colleagues were flabbergasted. The research, demonstrating how brain implants enabled monkeys to operate a robotic arm, was a shoo-in for acceptance in premier journals like Nature or Science. "Usually you want to publish your best work in well-established journals to have the widest possible penetration," Dr. Nicolelis said. "My idea was the opposite. We need to open up the dissemination of scientific results." The journal Dr. Nicolelis chose - PLoS Biology, a publication of the Public Library of Science - aims to do just that by putting peer-reviewed scientific papers online free, at the Web site www.plosbiology.org. The high subscription cost of prestigious peer-reviewed journals has been a running sore point with scholars, whose tenure and prominence depend on publishing in them. But since the Public Library of Science, which was started by a group of prominent scientists, began publishing last year, this new model has been gaining attention and currency within academia.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.