Saturday, June 28, 2014

MIRLN --- 8-28 June 2014 (v17.09)

MIRLN --- 8-28 June 2014 (v17.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Cybersecurity in the boardroom: the new reality for Directors (IAPP, 27 May 2014) - Not long ago, cybersecurity was a term rarely, if ever, heard in the boardroom. Rather, information security was deemed to be a risk managed solely by the chief information or technology officer. Those days are gone. With the litany of high profile cybersecurity hacks, and the potential resulting drop in shareholder value, regulatory inquiries and litigation which inevitably follow, cybersecurity has become an increasingly challenging risk that boards must address. The board's role in understanding and monitoring cybersecurity risk has been underscored by a new breed of lawsuits alleging boards were asleep at the switch in the face of a known danger. Target, for example, is now facing a shareholder derivative lawsuit (Case number 14-cv-14-cv-203) alleging Target's board members and directors breached their fiduciary duties to the company by failing "to maintain proper internal controls" related to data security and misleading affected consumers about the scope of the breach after it occurred. That complaint alleges Target was damaged by having to pay costs associated with the data breach, including expending money for credit monitoring services for affected customers, causing Target "to be exposed to millions of dollars of potential liability in class-action lawsuits," and through "substantial damage" to "the company's sales during the 2013 holiday season, its market capitalization, goodwill, consumer confidence and brand trust." It remains to be seen whether the lawsuits against directors and officers will succeed. Regardless of their outcomes, however, these suits highlight that the board plays a fundamental role in preventing and detecting risks associated with information security breaches.
The board's role in cybersecurity was also emphasized by the SEC during its March 26 Cybersecurity Roundtable, where one of the key themes was the instrumental role the board of directors and senior management should play in leading an organization's cybersecurity preparedness and resilience to cybersecurity attacks. One roundtable panelist opined in that regard that senior management can play an important role in creating a cybersecurity culture that "starts at the keyboard" and in which cybersecurity is not seen as a technology issue for the IT department to resolve but a business issue in which all employees take action and understand their role in protecting their companies. While cybersecurity risk is often considered an intimidating area for directors to address due to its technical nature, it is important to remember that directors are not required to be experts in this area but are entitled to rely on management and outside experts for advice. In attempting to fulfill their fiduciary duties to the company by managing cybersecurity risks, the following are some guideposts for directors to follow: * * *


- and -

AIG, NACD, and ISA issue cyber-risk oversight guidance for corporate directors (GlobeNewswire, 11 June 2014) - Designed to provide corporate directors with expert guidelines to improve their cybersecurity oversight, American International Group (AIG), the National Association of Corporate Directors (NACD), and the Internet Security Alliance (ISA) today announced the release of the latest issue in NACD's Director's Handbook Series, Cyber-Risk Oversight. Access this new resource at www.NACDonline.org/Cyber. "Ninety percent of directors participating in our latest governance survey indicated they would like to improve their understanding of cybersecurity risk," said Ken Daly, NACD president and CEO. "This handbook provides boards with practical tools to do just that, including self-assessment questions for directors, sample board report dashboards, and guidelines for conversations with management." This unique publication is organized around five key principles and covers a wide spectrum of board-level considerations related to oversight of cybersecurity, including board composition, liability implications, disclosure issues, access to expertise, and risk appetite calibration. "Recent breaches in both the public and private sectors have put the issue of cybersecurity on every board's agenda," said Larry Clinton, president and CEO of ISA. "This handbook is a natural extension of ISA's mission to create private sector standards and practices that integrate both the technological and economic aspects of cybersecurity." Boards should adapt the recommendations set forth in the handbook based on their company's unique characteristics, including size, life-cycle stage, business strategy, industry sector, geographic footprint, and culture.


- and -

Why senior leaders are the front line against cyberattacks (McKinsey, June 2014) - The importance of cybersecurity is no secret to anyone who's opened a newspaper or attended a board meeting. So, senior executives may ask, what's the holdup? The answer is simple: understanding the issue is quite different from effectively addressing it. A number of structural and organizational issues complicate the process of implementing business-driven, risk-management-oriented cybersecurity operating models, and only sustained support from senior management can ensure progress and ultimately mitigate the risk of cyberattacks. * * * [ Polley : This McKinsey & Co report is quite useful.]


Health data breach victims have standing to sue says West Virginia Supreme Court (Nat'l Law Review, 3 June 2014) - The most common defense against class actions for data breach has itself been breached in a ruling last week by the West Virginia Supreme Court. The Court's opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result. The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative. The West Virginia case differs from other data breach standing cases in two respects: (i) it concerns health data, in addition to personal identifying information, and health data has the benefit of legal protections that other personal information does not enjoy; and (ii) West Virginia has a judicial history of allowing actions based upon an invasion of the right of privacy without proof of special economic (liquidated, out-of-pocket) damages. The Court said that while the mere risk of future identity theft alone does not constitute an injury in fact sufficient to confer standing, the plaintiffs also asserted causes of action for breach of physician-patient confidentiality and invasion of privacy, and that those claims were not hypothetical or speculative. The breach by a doctor of his duty of confidentiality to the patient is an independent basis of a tort claim that may result in damages for the loss of the confidential relationship.
Likewise, under West Virginia law (and in a number of other states as well) an unwarranted invasion of personal privacy, which includes the appropriation of another's name or likeness or that places another in a false light before the public, is grounds for an action in tort against the perpetrator.


FAA orders Boeing to protect 737s from computer hackers (USA Today, 6 June 2014) - The Federal Aviation Administration is ordering Boeing to modify the technology aboard late-model 737 aircraft to prevent computer hackers from damaging the planes. The order published Friday in the Federal Register is effective immediately, although the agency allowed a comment period until July 21. The special conditions are urgent because the FAA is trying to avoid slowing down design and delivery of new planes, according to the agency. Doug Alder, a Boeing spokesman, said the special conditions will institutionalize actions that the manufacturer had already taken or planned, in line with similar protections for the 747-8, 777 and 787. The special conditions apply to these aircraft because their technology is connected more thoroughly than other planes with computer networks outside the aircraft, making the 737 more vulnerable, according to the FAA. The plane's technology "may allow the exploitation of network security vulnerabilities resulting in intentional or unintentional destruction, disruption, degradation, or exploitation of data, systems and networks critical to the safety and maintenance of the airplane," the FAA said. The order from Jeffrey Duven, manager of FAA's certification services, calls for Boeing to "ensure that the airplanes' electronic systems are protected from access by unauthorized sources external to the plane, including those possibly caused by maintenance activity."


Cyberattack insurance a challenge for business (NYT, 8 June 2014) - Julia Roberts's smile is insured. So are Heidi Klum's legs, Daniel Craig's body and Jennifer Lopez's derrière. But the fastest-growing niche in the industry today is cyberinsurance. Specialized policies to protect against online attacks are offered by about 50 carriers, including big names like the American International Group, Chubb and Ace. As data breaches have become a reality of the business world, more companies are buying policies; demand increased 21 percent last year from 2012, according to Marsh, a risk management company and insurance broker. Yet companies say it is difficult to get as much coverage as they need, leaving them vulnerable to uncertain losses. The main problem is quantifying losses from attacks, because they are often intangible - lost sales or damage to a brand name, like the public relations disaster Target suffered after the breach of its point-of-sale systems late last year. "The losses that are more tangible and more readily quantifiable are the ones you'll be able to insure against more easily," said Ed Powers, who heads the online risk services practice at Deloitte & Touche, the accounting firm. "The ones that are less tangible and less quantifiable are more challenging, but those are often the bigger ones." At the same time, underwriters lack the data they need to figure out how likely it is that an attack will occur, or what it will cost. The problems companies face in getting insurance are illustrated by the situation Target faced last year. At the time of its breach, the retailer had cobbled together $100 million in coverage, on top of a $10 million deductible, according to regulatory filings. The coverage, which came from multiple carriers, will barely compensate for the $1 billion in losses some analysts are forecasting. 
Since the breach was discovered, the company has incurred $88 million in breach-related expenses, its filings say, and it expects insurance to cover $52 million of that.


- and -

The state of cyberinsurance (Bruce Schneier, 16 June 2014) - Good essay on the current state of cyberinsurance: So where does that leave the growing cyber insurance industry as it tries to figure out what losses it should cover and appropriate premiums and deductibles? One implication is that the industry faces much greater challenges than trying to quantify or cover intangible -- and perhaps largely imaginary -- losses to brands' reputations. In light of the evidence that these losses may be fairly short-lived, that problem pales next to the challenges of determining what should be required of the insured under such policies. Insurers -- just like the rest of us -- don't have a good handle on what security practices and controls are most effective, so they don't know what to require of their customers. If I'm going to insure you against some type of risk, I want to know that you're taking appropriate steps to prevent that risk yourself -- installing smoke detectors or wearing your seat belt or locking your door. Insurers require these safety measures when they can because there's a worry that you'll be so reliant on the insurance coverage that you'll stop taking those necessary precautions, a phenomenon known as moral hazard. Solving the moral hazard problem for cyberinsurance requires collecting better data than we currently have on what works -- and what doesn't -- to prevent security breaches.


Google books round 86: libraries win yet again (James Grimmelmann, 10 June 2014) - The Second Circuit's decision in Authors Guild v. HathiTrust is out. This, as a reminder, is the offshoot of the Google Books litigation in which the Authors Guild inexplicably sued Google's library partners. The trial judge, Harold Baer, held for the libraries in 2012 in a positively exuberant opinion: I cannot imagine a definition of fair use that would not encompass the transformative uses made by Defendants' MDP [Mass Digitization Project] and would require that I terminate this invaluable contribution to the progress of science and cultivation of the arts that at the same time effectuates the ideals espoused by the ADA. The Second Circuit's opinion drops the grand rhetoric, but otherwise the bottom line is basically the same: mass digitization to make a search engine is fair use, and so is giving digital copies to the print-disabled. The opinion on appeal is sober, conservative, and to the point; it is the work of a court that does not think this is a hard case. * * * These holdings merely affirm the District Court's conclusions, but they are still a big deal. The Second Circuit's decisions are binding precedent in New York, the nation's publishing capital, and are highly influential beyond. Five judges have now upheld the legality of scanning books to make a search engine; none have disagreed.


The Bank of England goes to cyber war (WSJ, 10 June 2014) - The Bank of England has launched a new cyber security strategy for financial institutions in the U.K., as the sector struggles to protect itself against the increased threat of cyber-attacks.

The framework, called CBEST, is based on penetration tests that mimic techniques and procedures used by cyber criminals to harm large financial organizations, such as banks and stock exchanges, our sister publication Financial News reports Tuesday.

The new strategy is based on real threat intelligence gathered about potential attacks to a specific financial institution. The intelligence is gathered through the monitoring of thousands of online sources, including hacker forums, blogs and chat rooms.

Research will be carried out on an ad hoc basis by cyber intelligence firms vetted by the Council for Registered Ethical Security Testers, or CREST, a non-profit representing the information security industry.


Comcast is turning the US into its own private hotspot (TechCrunch, 10 June 2014) - On paper it looks like a win-win: in the next few days, Comcast is quietly turning on public hotspots in its customers' routers, essentially turning private homes into public hotspots. Comcast customers get free Wi-Fi wherever there is a Comcast box and the company gets to build out a private network to compete with telecoms. Win-win. Fifty thousand users with Arris Touchstone Telephony Wireless Gateway Modems - essentially basic modems that cable providers drop off at your home - have already been turned into public hotspots in Houston, and there are plans to enable 150,000 more. Most subscribers will be enabled in the next few months. It's not like they didn't warn you. After all, news of this bold Xfinity Wifi project popped up months ago and began rolling out in 2013. But here's the problem: Comcast is essentially using your private residence as a corporate resource. They're using your electricity. They're using your Internet connection (although they claim they aren't) and they're opening up your private browsing to potential hackers. While Comcast will claim that these two streams are independent, there is nothing to stop a dedicated hacker from figuring out how to snoop data passing through the router. There is also nothing to stop someone from downloading illicit material, software, and other junk from your hotspot and then reporting you for theft or worse. Again, it's all ostensibly secure, but, like all things, it really isn't. Finally, it's also an opt-out solution, which means it is enabled by default and you, the consumer, have to turn it off. But Comcast doesn't want that. "We encourage all subscribers to keep this feature enabled as it allows more people to enjoy the benefits of Xfinity Wi-Fi around the neighborhood," said a company spokesperson last year. Not convinced? Dwight Silverman offers instructions for turning it off.


- and -

New open-source router firmware opens your Wi-Fi network to strangers (ArsTechnica, 20 June 2014) - We've often heard security folks explain their belief that one of the best ways to protect Web privacy and security on one's home turf is to lock down one's private Wi-Fi network with a strong password. But a coalition of advocacy organizations is calling such conventional wisdom into question. Members of the "Open Wireless Movement," including the Electronic Frontier Foundation (EFF), Free Press, Mozilla, and Fight for the Future are advocating that we open up our Wi-Fi private networks (or at least a small slice of our available bandwidth) to strangers. They claim that such a random act of kindness can actually make us safer online while simultaneously facilitating a better allocation of finite broadband resources. The OpenWireless.org website explains the group's initiative. "We are aiming to build technologies that would make it easy for Internet subscribers to portion off their wireless networks for guests and the public while maintaining security, protecting privacy, and preserving quality of access," its mission statement reads. "And we are working to debunk myths (and confront truths) about open wireless while creating technologies and legal precedent to ensure it is safe, private, and legal to open your network." One such technology, which EFF plans to unveil at the Hackers on Planet Earth (HOPE X) conference next month, is open-sourced router firmware called Open Wireless Router. This firmware would enable individuals to share a portion of their Wi-Fi networks with anyone nearby, password-free, as Adi Kamdar, an EFF activist, told Ars on Friday. Home network sharing tools are not new, and the EFF has been touting the benefits of open-sourcing Web connections for years, but Kamdar believes this new tool marks the second phase in the open wireless initiative.
Unlike previous tools, he claims, EFF's software will be free for all, will not require any sort of registration, and will actually make surfing the Web safer and more efficient. Open Wi-Fi initiative members have argued that the act of providing wireless networks to others is a form of "basic politeness… like providing heat and electricity, or a hot cup of tea" to a neighbor, as security expert Bruce Schneier described it.


In major privacy ruling, court says police need warrant to track phone users' location (GigaOM, 11 June 2014) - In a victory for privacy advocates, a federal appeals court in Florida ruled that law enforcement agents cannot force mobile carriers to turn over the location history of their customers without a search warrant. The case involved an appeal by Quartavius Davis, who was convicted by a jury for his role in a violent armed robbery spree targeting restaurants and gas stations. The evidence included location data gleaned from cellphone towers that showed Davis had been in proximity of the various businesses. In finding that the police should have obtained a warrant to obtain the location data, the 11th Circuit Court of Appeals unanimously ruled that the government violated Davis' Fourth Amendment right against unreasonable search and seizure. The case is groundbreaking because higher courts have yet to rule definitively on whether people have a privacy right in the location disclosed by their cell phones. Citing a recent Supreme Court case that suggested police in some cases need a warrant to track a suspect's automobile, the appeals court noted that a cell phone carries deeper privacy implications. The court also drew a firm line between what police must do to obtain call records from a phone company, which can share records without a warrant under the so-called "third-party doctrine," versus what is required to obtain a person's location. Declaring that a person's location is more analogous to the content of a phone call (for which police do need a warrant), the court stated that people can reasonably expect that their mobile carrier will not hand over a historic record of the places they have been. Finally, the case also highlights the ability of cellphone towers to observe and record a phone user's location.
While the court acknowledged that the towers do not disclose a person's precise location, it ruled that they reveal enough information to trigger the Fourth Amendment's privacy protection.


Amazon blocking Warner movies pre-orders in latest feud (Bloomberg, 11 June 2014) - Customers trying to pre-order films such as "The Lego Movie," "300: Rise of an Empire" and "Winter's Tale" are instead asked to sign up to be notified when the item becomes available. Digital downloads of the movies are available for purchase through Amazon Instant Video. The world's biggest online retailer is seeking concessions from Warner Bros. that would give it more of a margin on sales of DVDs and digital versions of its movies, said a person familiar with the matter, who asked not to be identified because the negotiations are private. Amazon is already in a standoff with Hachette Book Group over e-book pricing in a tussle that will help determine whether publishers can gain any leverage against the online retailer and biggest seller of e-books. To ratchet up pressure on Hachette, Amazon started delaying shipments and blocking some book pre-orders -- including big-name titles such as "The Silkworm," J.K. Rowling's new novel written under a pseudonym.


7 apps for cataloguing your home library (InsideHigherEd, 12 June 2014) - Summer is just around the corner, and I've been drawing up a list of all the things I'd like to accomplish before next academic year. It's a fine time to relax, to step back and reassess my existing workflow, and to reorganize. One of the projects I'm trying this summer? Cataloging my own library. Do you ever spend too long looking for a book that you just know you already have? Have you ever accidentally purchased a book twice? Sadly, I can answer "yes" to both of these questions. One of my problems is that I can never remember if I own a particular book, or if I've just checked it out of the library frequently enough that I think it's a permanent fixture in my personal collection. I also often struggle to remember if I own a book in hard copy or Kindle form. And one of my least favorite feelings is when I know that I've loaned a book to a friend or colleague, but I'm unable to remember which person borrowed it or when. So, inspired by fellow GradHacker Justin Dunnavant's post on using Goodreads to organize his library, I've decided that it's time to reorganize my own collection of books. My requirements: must be an iOS-friendly app, must be less than $5, and must allow me to track borrowing. Here are a few of the contenders I've been considering, for any of you who might be interested in doing the same * * *


Why online tracking is getting creepier (ProPublica, 12 June 2014) - The marketers that follow you around the web are getting nosier. Currently, many companies track where users go on the Web, often through cookies, in order to display customized ads. That's why if you look at a pair of shoes on one site, ads for those shoes may follow you around the Web. But online marketers are increasingly seeking to track users offline, as well, by collecting data about people's offline habits, such as recent purchases, where you live, how many kids you have, and what kind of car you drive. Here's how it works, according to some revealing marketing literature we came across from digital marketing firm LiveRamp: (1) A retailer (let's call it The Pricey Store) collects the e-mail addresses of its high-spending customers. (Ever wonder why stores keep bugging you for your email at the checkout counter these days?) (2) The Pricey Store brings the list to LiveRamp, which locates the customers online when the customers use their email address to log into a website that has a relationship with LiveRamp. (The identity of these websites is a closely guarded secret.) The website that has a relationship with LiveRamp then allows LiveRamp to "tag" the customers' computer with a tracker. (3) When those high-spending customers arrive at PriceyStore.com, they see a version of the site customized to "show more expensive offerings to them." (Yes, the marketing documents really say that.) Tracking people using their real names, often called "onboarding," is a hot trend in Silicon Valley. In 2012, ProPublica documented how political campaigns used onboarding to bombard voters with ads based on their party affiliation and donor history. Since then, Twitter and Facebook have both started offering onboarding services allowing advertisers to find their customers online.


- and -

Facebook turns user tracking 'bug' into data mining 'feature' for advertisers (ZDnet, 17 June 2014) - Facebook announced changes to its privacy and advertising policies on its company blog last Thursday, extending Facebook's ability to track users outside of Facebook -- undoing previous assurances it "does not track users across the web." The press reports initially sounded like good news, announcing that Facebook would be "letting people better control their advertising preferences." Indeed, users will soon be able to click on a little arrow on an ad, which will show them a simplified version of Facebook's marketing dossier on them, and the user can check or un-check different advertising interests. Facebook also announced Thursday it will begin tracking its users' browsing and activities on websites and apps outside Facebook, starting within a few weeks. Facebook said it will begin to disregard its users' choice of using their in-browser "Do Not Track" setting: Soon, anyone who clicks "ask websites not to track me" in Safari (or any other browser) will be completely ignored by Facebook. Google and Yahoo already ignore people's Do Not Track settings; fortunately, Twitter, Microsoft and Pinterest still respect the browser setting.


Feds tell local law enforcement to remain silent about cellphone surveillance (ABA Journal, 13 June 2014) - The federal government is putting pressure on local law enforcement to keep quiet about its use of Stingray and other surveillance technology used to gather data off of mobile phones. The Associated Press reports that the Obama administration has taken the rare step of becoming actively involved with state records request cases and local criminal trials in an effort to keep details of its surveillance secret. As a result, the AP reports that police departments have either refused to turn over, or have heavily redacted, documents and materials relating to such surveillance. One well-known piece of technology used by cops is Stingray. The device gathers information off a mobile phone by impersonating a cell tower and getting a phone to transmit data to it. According to the AP, Stingray allows police to obtain data off a mobile phone without having to get the cooperation of a user's mobile carrier, like Verizon Wireless or AT&T. Several civil liberties groups have tried to get state and federal agencies to release more information about what kind of information they are taking. "These extreme secrecy efforts are in relation to very controversial, local government surveillance practices using highly invasive technology," said Nathan Freed Wessler, a staff attorney with the American Civil Liberties Union, to the AP. "If public participation means anything, people should have the facts about what the government is doing to them." The FBI is contesting a lawsuit filed in Tucson, Ariz., that seeks to force it to give up its information by claiming that such disclosures would "result in the FBI's inability to protect the public from terrorism and other criminal activity because through public disclosures, this technology has been rendered essentially useless for future investigations."
[ Polley : see also Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy (SSRN, by Stephanie Pell and Chris Soghoian, 15 May 2014)]


Companies involved in M&A activity more likely targets of cyberattacks (Cooley, 13 June 2014) - According to this article in the WSJ, companies involved in M&A activity had better make special efforts with regard to cybersecurity. In the course of the transaction, thieves may try to gain access to internal systems, extract negotiating positions or other information about the transaction, or make off with trade secrets or other inside information. Apparently, data thieves target companies engaged in M&A deals because, in light of the confusion that often surrounds M&A activity, employees are more vulnerable to cyberattacks. Employees of merged companies do not know who may be sending them emails and are more likely to open them. For example, in one case, cyberthieves went phishing by sending emails to employees of a newly acquired subsidiary announcing the acquisition. That email included malware that allowed the hackers to enter the company's network and steal proprietary data. Similarly, executives travelling for deal negotiations can also be a prime target for data thieves. To help address these risks, employees should be advised to be more cautious about opening emails when the company is going through a merger or acquisition. It may also be perilous for travelling executives to use Wi-Fi on mobile devices or plug into free Wi-Fi in hotels and public areas. In addition, companies should also "be careful not to link up their networks until the new network has been tested by the security team to make sure it's safe."


Apple starts letting Bitcoin transfer apps back into its app store (TechCrunch, 16 June 2014) - Apple's Bitcoin freeze appears to be thawing fast, with bitcoin wallet apps that offer the ability to transfer BTC now filtering back into the App Store. The move was picked up by Coindesk yesterday which noted that the Coin Pocket BTC wallet app was back in the store. The Coin Pocket app allows users to send and receive bitcoin from an iOS device, as well as offering an in-app QR code scanner; a private key sweep and encryption feature; and the ability to check bitcoin to USD conversion rates. Last year Apple was bumping bitcoin wallets from the App Store, taking a cautious approach to the virtual currency and enraging bitcoin enthusiasts in the process. Half a year on it looks like Cupertino is pulling the handbrake hard to make a sharp U-turn on BTC. As well as apps allowing BTC transfers, others that allow in-app bitcoin purchases, such as eGifter, are also being let into the App Store, offering a channel for developers to circumvent Apple's 30% share of in-app purchases if their users are savvy enough to be able to pay with BTC. Despite Apple's prior freezing out of certain bitcoin apps, the arrival of an app like Coin Pocket which offers BTC transfer is not a huge surprise given that, at its WWDC developer conference earlier this month, Apple added a new rule to its developer agreement that sanctioned apps offering the transmission of "approved virtual currencies". [ Polley : I've installed Coin Pocket and am experimenting with Bitcoin; see also A beginner's guide to Bitcoin (Boing Boing, 4 June 2014)]

Nokia paid millions in ransom to stop release of signing key in 2007 (Ars Technica, 18 June 2014) - On Tuesday, MTV News in Finland reported for the first time that in 2007, Nokia paid millions of euros to someone who had acquired the Symbian encryption signing key to prevent its distribution. If released, that key would have allowed Nokia phones to accept non-authorized applications. At the time, Nokia was the world's leading smartphone manufacturer. After receiving the ransom demand, Nokia informed the National Bureau of Investigation, which appears to have orchestrated a surveillance operation. Nokia paid the multi-million euro ransom in cash, left in a bag at a parking lot near the Särkänniemi amusement park in the city of Tampere. As MTV News reported, "Police, however, lost track of the blackmailer and the money was gone. The case is still unsolved."

The GM lawyers were here (Corporate Counsel, 18 June 2014) - The deadly ignition switch fiasco at General Motors Co. has spawned a remarkable breadth of legal issues, ranging from the law department's role in recalls to the company's duty, if any, to compensate victims after it declared bankruptcy. Indeed, seldom has a legal department been thrust into such a high-profile role in a huge public controversy. The ignition switch debacle inevitably cast the legal team in a harsh light and led to the oft-repeated phrase: Where were the lawyers? Well, they were right here. GM's legal department has had three different, and impressive, leaders since the defective switch was uncovered. Any one of them might have led the company down a very different path, and perhaps saved lives along the way. But they didn't. Instead they allowed the company to waste nearly 10 years. That's 10 years of committee meetings and haggling and ignoring possible solutions. And 10 years of not issuing a recall while GM cars crashed and people died. * * * The company has suffered a massive blow to its reputation. It faces dozens of lawsuits carrying billions of dollars in potential liability. GM conducted an internal investigation, and a report was released in early June. At least four in-house lawyers, one a vice president, lost their jobs-though not general counsel Michael Millikin. No former or current GM lawyer responded to requests for comment for this story. The Valukas report made several recommendations to reform how the legal department works. The U.S. Department of Justice is conducting a criminal investigation, and several state attorneys general were also investigating the matter. * * * At the heart of it all is a legal department of about 200 attorneys who failed to communicate. And that's putting their failure in the best possible light. Some observers prefer the phrase "cover-up." At least one class action suit over the defect clearly points at the lawyers' role in not disclosing the truth during GM's 2009 bankruptcy proceedings. First the complaint offers a detailed timeline of GM actions, along with emails that show the company knew about the defect for over a decade. Then the complaint states that it is "inconceivable that individuals within GM's upper management and general counsel's office did not know about the ignition switch defect in GM vehicles, or the attendant contingent liabilities, when GM entered bankruptcy in June 2009." [ Polley : I was deputy GC in a similar-sized multinational; I'd have been fired if I hadn't known what my people were doing. It seems to me that Millikin should be fired if he knew, and fired if he didn't. In a related vein, see GM recalls: How General Motors silenced a whistle-blower (Bloomberg, 18 June 2014), and How GM's lawyers failed in their duties (NYT, 9 June 2014). Along with the Wal-Mart Mexico bribery/FCPA story from 2012, I can't think of more egregious examples of disastrous corporate culture.]

The strange demise of TrueCrypt and what it says about cybersecurity (Paul Rosenzweig on Lawfare, 18 June 2014) - A small earthquake happened at the end of May - a well-regarded, widely known encryption program called TrueCrypt shut its doors. For those who care about surveillance, encryption, and open-source methodologies, the change was abrupt and disturbing. It's the type of thing that goes unnoticed by the broader public, but has quiet effects that should not go unremarked. * * * What are we to make of all this? Well, for starters, I like a mystery as much as anyone and you have to admit this is a good one. Famous product all of a sudden pulled from the market. Why? Nobody knows. So it's just a good yarn … But beyond that, the episode re-emphasizes the challenge of an "open source" method of security. [Lawyerly footnote: There are some who dispute that TrueCrypt was truly open-source because it was licensed, so you couldn't modify it at will. I use the term here to mean that the code could be seen, reviewed, prodded, tested, and deconstructed.] As with Heartbleed, open source methods work only for as long as volunteers are willing to work on the project. I tend to think that you get what you pay for - and if nobody was paying the TrueCrypt developer(s) it is not at all surprising that he/they eventually just decided to find a better way to spend his time (heck, maybe he got married - or maybe she did …). Third, the incident serves to reemphasize how much the whole Snowden affair has disrupted settled expectations. Pre-Snowden, concerns over encryption were limited to a much smaller minority of folks and the demise of TrueCrypt would not have been accompanied by grim views of government enforcement. Today, those are commonplace. Finally, the episode serves to also illuminate how broken our system of security is. We can't trust the government to provide it; we can't trust private corporations to provide it; and we can't rely on the kindness of strangers to provide it either. Unless you are one of the rare individuals who can build and install their own encryption code (I am =not=!) you are inevitably reliant on somebody else for your security. Yet nobody is somebody you can trust. And that leaves us hopelessly vulnerable - not just to mistrusted governments but to malevolent actors across the globe. The Russian cyber gangs must rejoice at the demise of TrueCrypt. [ Polley : worth reading the whole post.]

Medtronic says was victim of cyber attack, lost patient records (Reuters, 20 June 2014) - Medtronic Inc, the world's largest stand-alone medical device maker, was the victim of a cyber attack and lost some patient records in separate incidents last year, it said in a regulatory filing on Friday. "Medtronic, along with two other large medical device manufacturers, discovered an unauthorized intrusion to our systems that was believed to originate from hackers in Asia," the company said in a 10-K filing with the U.S. Securities and Exchange Commission. Medtronic officials could not be reached to elaborate on the contents of the 10-K filing, which did not identify the other companies involved in the breach.

Scan license plates so you can text flirty messages to cute drivers with GM's new app (Digital Trends, 21 June 2014) - There are plenty of smartphone apps that make it easier to flirt and set up dates with strangers, but GM has an ace up its sleeve that may trump all of them. No, the car manufacturer isn't muscling its way into the dating game - at least not directly. But its China R&D team has developed an Android app that lets a driver scan a license plate in order to start texting the owner of that car. The romantic implications of DiDi Plate, a prototype app debuted earlier this month at the Telematics Detroit 2014 conference, are obvious enough, even to GM. A video demo at the conference run by John Du, director of GM's China R&D Division, even highlighted a scenario where a male driver scans the license plate in front of him in order to see that female driver's profile. He smoothly proceeds to tell her that he's going to a mountain and would like someone to go with, to which she responds, "OK, let's go together." However, there are other practical (and less creepy) uses for the app. For instance, the demo showed a driver whose car was blocked in a parking lot scanning the license plate of the inconveniently placed car and asking the owner to move their automobile. Du added that his team has found a way to make the prototype app work with Google Glass, which would make its uses more dynamic or unsettling, depending on how you view it.

Unblinking eyes track employees (NYT, 21 June 2014) - Advanced technological tools are beginning to make it possible to measure and monitor employees as never before, with the promise of fundamentally changing how we work - along with raising concerns about privacy and the specter of unchecked surveillance in the workplace. Through these new means, companies have found, for example, that workers are more productive if they have more social interaction. So a bank's call center introduced a shared 15-minute coffee break, and a pharmaceutical company replaced coffee makers used by a few marketing workers with a larger cafe area. The result? Increased sales and less turnover. Yet the prospect of fine-grained, digital monitoring of workers' behavior worries privacy advocates. Companies, they say, have few legal obligations other than informing employees. "Whether this kind of monitoring is effective or not, it's a concern," said Lee Tien, a senior staff lawyer at the Electronic Frontier Foundation in San Francisco. Sociometric Solutions is already working with 20 companies in the banking, technology, pharmaceutical and health care industries, involving thousands of employees. The workers must opt in to have their data collected. Mr. Waber's company signs a contract with each one guaranteeing that no individual data is given to the employer (only aggregate statistics) and that no conversations are recorded. "Privacy policy," Mr. Waber said, "is going to have to deal with the workplace and not just the consumer issues." The payoff for well-designed workplace monitoring, Mr. Waber said, can be significant. The underlying theme of human dynamics research is that people are social learners, so arranging work to increase productive face-to-face communication yields measurable benefits. For example, the company studied workers in Bank of America call centers and observed that those in tightknit communications groups were more productive and less likely to quit. To increase social communication, the shared 15-minute coffee break was introduced to the daily routine. Afterward, call-handling productivity increased more than 10 percent, and turnover declined nearly 70 percent, Mr. Waber said. Mr. Waber's company also provided the data-guided insight to help the pharmaceutical company increase sales with its new cafe area. At a tech company, his company found, workers who sat at larger tables in the cafeteria, thus communicating more, were more productive than workers who sat at smaller tables. Bryan Koop, a commercial office developer who has worked with Sociometric Solutions, points to the potential for more scientifically designed work environments. There are current fashions in office design, he said, that are assumed to increase productivity, like stationing workers at communal bench-style tables and constructing work cubicles with lower dividers. "We don't know if those tactics work," Mr. Koop said. "What we're starting to see is the ability to quantitatively measure things instead of just going by intuition."

State Department issues ITAR advisory opinion on cloud computing (Hogan Lovells, 24 June 2014) - In a recent advisory opinion related to an exemption under the International Traffic In Arms Regulations (ITAR), the State Department confirmed that a company could use a data security method called "tokenization" to protect export-controlled technical data stored in the cloud on servers located outside the United States, provided the company satisfied the conditions of the exemption and took "sufficient means" to prevent foreign persons from accessing such technical data. Although the advisory opinion is quite narrow in scope, it is the first publicly-available formal position from the State Department on the ITAR implications of cloud computing. The requesting company has posted a redacted version of the advisory opinion here, and the State Department has posted its clarification of the opinion - emphasizing the narrow scope of the opinion and taking issue with the company's initial press release characterizing the opinion - here. Given the agency's public objection to the company's original interpretation of the advisory opinion, exporters that use cloud-based services will need to continue to be very cautious about the storage of ITAR data on cloud-based servers and should consider seeking guidance from the State Department on these issues. [ Polley : Roland Trope spotted this caveat in the advisory opinion: "The advisory opinion is not intended to imply that 'sufficient means' to accomplish the requisite assurance levels exists today technologically, nor does it suggest that tokenization by itself could achieve that end". Interesting.]
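The opinion names tokenization but does not say what it is. The following Python sketch is an added illustration and is not code from the advisory opinion, the requesting company or any vendor: controlled fields of a record are swapped for random tokens before the record leaves the controlled environment, the token-to-plaintext mapping stays in a vault that never goes offshore, and the vault is the only place where plaintext can be recovered. The record, the field names, the principal names and the `TokenVault` class are all assumptions made for the example. It also makes the caveat Polley quotes concrete: the tokens themselves protect nothing unless access to the vault's detokenize step is controlled.

```python
import secrets
from typing import Dict, Iterable, Set


class TokenVault:
    """Token <-> plaintext mapping plus the access check on detokenization.

    In the arrangement the opinion describes, this is the component that has to
    stay inside the controlled environment: the cloud store outside the US only
    ever holds tokens, so the "sufficient means" of keeping foreign persons away
    from the technical data reduces to who is allowed to call detokenize().
    (Hypothetical class written for this example.)"""

    def __init__(self, authorized_principals: Iterable[str]) -> None:
        self._to_plain: Dict[str, str] = {}
        self._to_token: Dict[str, str] = {}
        self._authorized: Set[str] = set(authorized_principals)

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value seen before so records stay joinable.
        # Design choice: a fresh token per use would avoid linkability between
        # records at the cost of that consistency.
        if value in self._to_token:
            return self._to_token[value]
        while True:
            # A random token carries no information about the plaintext, unlike
            # a ciphertext, which is a function of the plaintext and a key.
            token = "TOK-" + secrets.token_hex(8)
            if token not in self._to_plain:
                break
        self._to_plain[token] = value
        self._to_token[value] = token
        return token

    def detokenize(self, token: str, principal: str) -> str:
        # The only place plaintext leaves the vault; gate it on the caller.
        if principal not in self._authorized:
            raise PermissionError(f"{principal} may not detokenize")
        return self._to_plain[token]

    def issued(self, token: str) -> bool:
        return token in self._to_plain


def tokenize_record(record: Dict[str, str], controlled_fields: Iterable[str],
                    vault: TokenVault) -> Dict[str, str]:
    """Build the copy that may go to the cloud store: controlled fields replaced
    by tokens, all other fields unchanged."""
    controlled = set(controlled_fields)
    return {k: (vault.tokenize(v) if k in controlled else v) for k, v in record.items()}


def detokenize_record(cloud_record: Dict[str, str], controlled_fields: Iterable[str],
                      vault: TokenVault, principal: str) -> Dict[str, str]:
    """Reverse of tokenize_record; only succeeds for an authorized principal."""
    controlled = set(controlled_fields)
    return {k: (vault.detokenize(v, principal) if k in controlled else v)
            for k, v in cloud_record.items()}


def safe_to_upload(cloud_record: Dict[str, str], controlled_fields: Iterable[str],
                   vault: TokenVault) -> bool:
    """Pre-upload check: every controlled field holds a token this vault issued,
    so no controlled plaintext is in the outbound copy."""
    return all(vault.issued(cloud_record[f]) for f in controlled_fields if f in cloud_record)


# Constructed sample record for the example; not real technical data.
SAMPLE_RECORD = {
    "part_number": "PN-0001",
    "technical_data": "CONSTRUCTED: tolerance and material notes",
    "last_modified": "2014-06-24",
}
CONTROLLED_FIELDS = {"technical_data"}


def demo():
    """Tokenize the sample record, then recover it as an authorized principal."""
    vault = TokenVault(authorized_principals={"us-person-engineer"})
    cloud_copy = tokenize_record(SAMPLE_RECORD, CONTROLLED_FIELDS, vault)
    restored = detokenize_record(cloud_copy, CONTROLLED_FIELDS, vault, "us-person-engineer")
    return cloud_copy, restored


if __name__ == "__main__":
    cloud_copy, restored = demo()
    print("cloud copy:", cloud_copy)
    print("restored  :", restored)
```

Running the block shows the cloud copy with only an opaque `TOK-…` value in the controlled field; calling `detokenize_record` with a principal outside the vault's authorized set raises `PermissionError`. Whether that access control on the vault amounts to "sufficient means" in the regulatory sense is exactly the question the opinion leaves open.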

Did the Justices really understand Aereo? (LA Times editorial, 25 June 2014) - In siding with broadcasters against Aereo, a pay-TV service that lets subscribers watch local stations through the Internet, the Supreme Court resorted to a simple principle: If it looks like a duck and walks like a duck, the law should treat it as a duck, no matter what kind of creature it is. But in doing so, the court threw a legal shadow over a slew of other tech-driven companies. Writing for the court's majority, Justice Stephen G. Breyer pooh-poohed the technological distinctions between Aereo and cable TV. But as dissenting Justice Antonin Scalia observed, the majority glossed over a crucial detail: Aereo may be providing the equipment, but its customers are the ones transmitting the programs. By shifting responsibility for those transmissions to Aereo because it "looks like cable," Scalia wrote, the court threw into doubt a long-settled principle that technology providers don't violate copyrights just by enabling others to do so.

Over NSA worries, Germany ends government contract with Verizon (ArsTechnica, 26 June 2014) - Germany has opted not to renew its government contract with Verizon, citing concerns over spying by the National Security Agency. The contract will expire in 2015, and the move marks a rare concrete step from Berlin following the October 2013 revelations that the NSA was spying on Chancellor Angela Merkel. In a German-language statement (Google Translate) posted to the Ministry of the Interior's website, Berlin noted that it needs "an infrastructure with an increased level of security." Verizon has maintained the contract since 2010. "There are indications that Verizon is legally required to provide certain things to the NSA, and that's one of the reasons the cooperation with Verizon won't continue," Interior Ministry spokesman Tobias Plate told reporters, according to the Associated Press.

Law firms' own employees are among the major cyberthreats to be protected against (ABA Journal, 1 July 2014) - Law firms face an array of cyberthreats from foreign governments, competitors and hackers. And then there's the threat that has always existed in the offline world, but has migrated online: inside jobs-or what cybersecurity experts call extrusion. That threat comes from firm employees who may be disgruntled or who want to make a quick buck from selling private information. While there's no such thing as 100 percent protection against extrusion, to guard against it experts recommend tight background checks, formal written policies, perpetual vigilance, appropriate attention to technical considerations, and striking a balance between security and usability of the firm's files and data. While inside jobs may not be common, they do happen, says Edwin Reeser, an Altadena, California, sole practitioner who writes about law management issues. To start with, firms must perform background reviews and make judgments about a potential employee's reliability during the hiring process, says Alan Charles Raul, a Washington, D.C., partner at Sidley Austin and author of a chapter in The ABA Cybersecurity Handbook. "You need intake scrutiny," he says. Writing and disseminating formal policies helps ensure that honest personnel know to be aware of and report any suspicious activity, Raul says. Those policies should make clear that firms have the right to monitor their networks to enforce compliance and prevent wrongdoing, and that no expectation of privacy should exist in the use of the firm's network. "The formal, written policies are not necessarily going to deter the renegade," he says. "But by sensitizing all the honest employees, you do make the environment less hospitable for dishonest employees." [ Polley : I was co-editor of the mentioned Handbook, which is an ABA best-seller. The ABA is about to launch a follow-on cybersecurity curriculum for lawyers and law firms.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

"Digital Evidence and the New Criminal Procedure" - 10 Years Later (Orin Kerr, 27 June 2014) - In Riley v. California, handed down on Wednesday, the Supreme Court blessed the creation of new Fourth Amendment rules to account for the new facts of computer search and seizure. In light of Riley, I hope readers won't mind me reposting an article that I first noted here at the blog a decade ago: Digital Evidence and the New Criminal Procedure, 105 Colum. L. Rev. 279 (2005). When I circulated a draft of this essay in 2004, some colleagues suggested that it was over-the-top to make the grand claim that computers would lead to a new set of criminal procedure rules. Helpful for law review placement, sure. But awfully unlikely to happen. A decade later, thanks to cases like Riley and Ganias, I'm hoping that the article comes off more as prescient than foolish. A bit dated, as a decade is like a century in Internet time. But hopefully more prescient than foolish. The abstract: This essay shows how existing rules of criminal procedure are poorly equipped to regulate the collection of digital evidence. It predicts that new rules of criminal procedure will evolve to regulate digital evidence investigations, and offers preliminary thoughts on what those rules should look like and what institutions should generate them. This Essay explores the dynamics of computer crime investigations and the new methods of collecting electronic evidence. It contends that the new dynamics demonstrate the need for procedural doctrines designed specifically to regulate digital evidence collection. The rules should impose some new restrictions on police conduct and repeal other limits with an eye to the new social and technological practices that are common to how we use and misuse computers. Further, the Essay suggests that we should look beyond the judiciary and the Fourth Amendment for the source of these new rules. While some changes can and likely will come from the courts, many more can come from legislatures and executive agencies that can offer new and creative approaches not tied directly to our constitutional traditions.

Notebooks to dial up built-in phones (CNET, 18 Feb 2004) -- Toward the end of the year, more people will be talking to their notebooks. Manufacturers plan to start selling notebooks with integrated Voice over Internet Protocol (VoIP) this year and plan later to offer notebooks with built-in cell phone capabilities, Anand Chandrasekher, vice president and general manager of the Intel Mobile Platforms Group, said in an interview. The phone module will also let people review incoming e-mail and calendar information while the notebook remains in sleep state. Thematically, these additional communications features are termed Extended Mobile Access (EMA).

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.