Saturday, August 09, 2014

MIRLN --- 20 July – 9 August 2014 (v17.11)

by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Law firms respond to security risks in client data (LTN, 7 July 2014) - In February 2013, Joe Patrice wrote in Above The Law that law firms were the "soft underbelly of American cybersecurity." Today, it is safe to say that many law firms across the U.S., Canada and Europe take exception to that characterization. Why? In part due to the efforts of individual firms to adopt ISO 27001 security standards or implement more robust security programs, including information security education. Also in February 2013 the former special agent in charge of cyber and special operations with the FBI's New York office, Mary Galligan, stated "We have hundreds of law firms that we see increasingly being targeted by hackers." There isn't one single law firm CIO or IT director who doesn't understand the weight of these statements. Many large law firms have actively engaged in internal and external initiatives to fight security threats. * * * Law firm clients in the financial services industry heavily scrutinize their outside counsel with vendor security audits. Governed by the Office of the Comptroller of the Currency and the Federal Financial Institutions Examination Council in compliance with the Gramm-Leach-Bliley Act, all law firms that have financial institution clients are required to respond to a comprehensive security audit. The audit process is detailed, and in many cases includes questionnaires with several hundred questions, on-site interviews and/or on-site physical security assessments covering everything from hard-copy file security to data center security.


Former hospital worker faces HIPAA charges (HealthcareInfoSec, 16 July 2014) - Federal prosecutors in Texas have taken the relatively uncommon move of pursuing criminal charges against an individual for alleged HIPAA violations. The case serves as a reminder that healthcare workers can potentially face prison time and hefty monetary fines for wrongful disclosures of patient data. The U.S. Department of Justice earlier this month announced the criminal indictment of Joshua Hippler, a 30-year-old former employee of an unnamed hospital in East Texas. The indictment, which was filed on March 26 in the U.S. district court in Tyler, Texas, but was sealed until July 3, charges Hippler with wrongful disclosure of individually identifiable health information, with the intent to sell, transfer and use for personal gain. The alleged criminal HIPAA violations began about Dec. 1, 2012, continuing through about Jan. 14, 2013, court documents say.


Meet Executive Order 12333: the Reagan rule that lets the NSA spy on Americans (Washington Post, 18 July 2014) - Even after all the reforms President Obama has announced, some intelligence practices remain so secret, even from members of Congress, that there is no opportunity for our democracy to change them. Public debate about the bulk collection of U.S. citizens' data by the NSA has focused largely on Section 215 of the Patriot Act, through which the government obtains court orders to compel American telecommunications companies to turn over phone data. But Section 215 is a small part of the picture and does not include the universe of collection and storage of communications by U.S. persons authorized under Executive Order 12333. From 2011 until April of this year, I worked on global Internet freedom policy as a civil servant at the State Department. In that capacity, I was cleared to receive top-secret and "sensitive compartmented" information. Based in part on classified facts that I am prohibited by law from publishing, I believe that Americans should be even more concerned about the collection and storage of their communications under Executive Order 12333 than under Section 215. Bulk data collection that occurs inside the United States contains built-in protections for U.S. persons, defined as U.S. citizens, permanent residents and companies. Such collection must be authorized by statute and is subject to oversight from Congress and the Foreign Intelligence Surveillance Court. The statutes set a high bar for collecting the content of communications by U.S. persons. For example, Section 215 permits the bulk collection only of U.S. telephone metadata - lists of incoming and outgoing phone numbers - but not audio of the calls. Executive Order 12333 contains no such protections for U.S. persons if the collection occurs outside U.S. borders. 
Issued by President Ronald Reagan in 1981 to authorize foreign intelligence investigations, 12333 is not a statute and has never been subject to meaningful oversight from Congress or any court. Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Select Committee on Intelligence, has said that the committee has not been able to "sufficiently" oversee activities conducted under 12333. Unlike Section 215, the executive order authorizes collection of the content of communications, not just metadata, even for U.S. persons. Such persons cannot be individually targeted under 12333 without a court order. However, if the contents of a U.S. person's communications are "incidentally" collected (an NSA term of art) in the course of a lawful overseas foreign intelligence investigation, then Section 2.3(c) of the executive order explicitly authorizes their retention. It does not require that the affected U.S. persons be suspected of wrongdoing and places no limits on the volume of communications by U.S. persons that may be collected and retained.


2014 Intelligence Authorization Act requires contractors to report cybersecurity breaches (Hogan Lovells, 18 July 2014) - [T]he president signed into law the Intelligence Authorization Act for Fiscal Year (FY) 2014 (Pub. L. 113-126), which requires intelligence contractors with security clearances to promptly report network and information system penetrations and provide government investigators access to such systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with a reporting requirement applicable to cleared U.S. Department of Defense (DoD) contractors under the National Defense Authorization Act (NDAA) for FY 2013. * * *


Net neutrality a key battleground in growing fight over encryption (InfoWorld, 21 July 2014) - Plans to favor some Internet packets over others threaten consumers' hard-won right to use encryption, a digital privacy advocate says. Activists and tech companies fended off efforts in the U.S. in the 1990s to ban Internet encryption or give the government ways around it, but an even bigger battle over cryptography is brewing now, according to Sascha Meinrath, director of X-Lab, a digital civil-rights think tank launched earlier this year. One of the most contested issues in that battle will be Net neutrality, Meinrath said. The new fight will be even more fierce than the last one, because Internet service providers now see dollars and cents in the details of packets traversing their networks. They want to charge content providers for priority delivery of their packets across the network, something that a controversial Federal Communications Commission proposal could allow under certain conditions. Encrypted traffic can't be given special treatment because it can't be identified, Meinrath said. That could eliminate a major revenue source for ISPs, giving them a strong reason to oppose the use of encrypted services and potentially an indirect way to degrade their performance, he said. Meinrath laid out parts of this argument in a recent essay in the June issue of Critical Studies in Media Communication, called "Crypto War II" and written with tech policy activist Sean Vitka. [Polley: Others have reported seeing their Netflix speeds INCREASE when using VPN connections (which block your home ISP from seeing what kind of traffic you're running). Me, too. Interesting.]


What the Internet can see from your cat pictures (NYT, 22 July 2014) - Your cat may never give up your secrets. But your cat photos might. Using cat pictures - that essential building block of the Internet - and a supercomputer, a Florida State University professor has built a site that shows the locations of the cats (at least at some point in time, given their nature) and, presumably, of their owners. Owen Mundy, an assistant professor of art who studies the relationship between data and the public, created "I Know Where Your Cat Lives" as a way of demonstrating "the status quo of personal data usage by startups and international megacorps who are riding the wave of decreased privacy for all," Mr. Mundy wrote in a post about the site. Using images of cats uploaded to photosharing services, including Flickr, Twitpic and Instagram, Mr. Mundy extracted latitude and longitude coordinates that many modern cameras, especially those in smartphones, attach to each image. His site displays random images from a sample of one million of the many millions of pictures tagged with the word "cat" online. The images are displayed on a map using satellite imagery, with nearby cat photos also visible. Specific street addresses are not displayed, but the geographic information can leave few details to the imagination in rural areas.


Prosecutors are reading emails from inmates to lawyers (NYT, 22 July 2014) - The extortion case against Thomas DiFiore, a reputed boss in the Bonanno crime family, encompassed thousands of pages of evidence, including surveillance photographs, cellphone and property records, and hundreds of hours of audio recordings. But even as Mr. DiFiore sat in a jail cell, sending nearly daily emails to his lawyers on his case and his deteriorating health, federal prosecutors in Brooklyn sought to add another layer of evidence: those very emails. The prosecutors informed Mr. DiFiore last month that they would be reading the emails sent to his lawyers from jail, potentially using his own words against him. Jailhouse conversations have been many a defendant's downfall through incriminating words spoken to inmates or visitors, or in phone calls to friends or relatives. Inmates' calls to or from lawyers, however, are generally exempt from such monitoring. But across the country, federal prosecutors have begun reading prisoners' emails to lawyers - a practice wholly embraced in Brooklyn, where prosecutors have said they intend to read such emails in almost every case. The issue has spurred court battles over whether inmates have a right to confidential email communications with their lawyers - a question on which federal judges have been divided. [Polley: This is only mildly nefarious - the jail/prison email systems carry ToS that abrogate confidentiality. Still. And, there have been cases involving private employers who've been prohibited from accessing/using emails between an employee and the employee's counsel, generally on the basis of superseding policy protecting attorney-client privilege.]


A plan to untangle our digital lives after we're gone (NPR, 23 July 2014) - Ancient peoples sent their dead to the grave with their prized possessions - precious stones, gilded weapons and terracotta armies. But unlike these treasures, our digital property won't get buried with us. Our archived Facebook messages, old email chains and even Tinder exchanges will hover untouched in the online cloud when we die. Or maybe not. Last week, the Uniform Law Commission drafted the Uniform Fiduciary Access to Digital Assets Act, a model law that would let relatives access the social media accounts of the deceased. A national lawyers' group, the ULC aims to standardize law across the country by recommending legislation for states to adopt, particularly when it comes to timely, fast-evolving issues. "Where you used to have a shoebox full of family photos, now those photos are often posted to a website," notes Ben Orzeske, legislative counsel at the ULC. That shoebox used to go to the executor of the deceased's will, who would open it and distribute its contents to family members. The will's author could decide what she wanted to give and to whom. The Uniform Fiduciary Access to Digital Assets Act aims to make the digital shoebox equally accessible. "This is the concept of 'media neutrality,'" Orzeske explained. "The law gives the executor of your estate access to digital assets in the same way he had access to your tangible assets in the old world. It doesn't matter if they're on paper or on a website." It turns out those terms-of-service agreements Internet users usually click through without reading include some strict rules: The small print on sites like Facebook and Google specifies that the user alone can access his or her account. But the ULC's proposed law would override those contracts, Orzeske said. [see also Tech seeks life after death for accounts (The Hill, 24 July 2014)]


After spoliation decision, businesses should reconsider limited-duration retention policies (Texas Lawyer, 23 July 2014) - In theory, businesses use limited-duration retention policies to minimize the financial burden associated with retaining and managing electronic data generated in the normal course of business. With respect to litigation, these businesses assume the risk that their retention policies comply with their duties to preserve evidence that may be material and relevant to a claim or defense. A recent decision by the Supreme Court of Texas may cause these businesses to reconsider this risk. The court's July 3 decision in Brookshire Brothers, Ltd. v. Aldridge changes the spoliation landscape under Texas law. According to Justice Debra Lehrmann's majority opinion, in a slip-and-fall case, the grocery store's surveillance camera captured the plaintiff's fall. At the time, the grocery store had a standard 30-day retention policy for surveillance footage. After learning of the plaintiff's injury, the grocery store recorded over all but an eight-minute segment of the video, starting just before the plaintiff entered the store and concluding shortly after the fall. The trial court allowed the jury to hear evidence about the grocery store's failure to preserve a longer portion of the video, and the court ultimately provided a spoliation instruction to the jury. The Twelfth Court of Appeals in Tyler held that these decisions did not constitute an abuse of discretion. The Supreme Court of Texas disagreed and essentially adopted Justice James Baker's fourteen-year-old proposed spoliation framework from his concurring opinion in Trevino v. Ortega (1998). Trial courts will now be responsible for resolving spoliation issues because the court believes that such issues distract juries from the merits and unfairly prejudice juries towards alleged spoliators.
Along these same lines, the general rule is that a trial court may no longer give a spoliation instruction, which is "tantamount to a death-penalty sanction," unless there is evidence of intentional spoliation. While these developments will change the manner in which spoliation issues are tried, the court's clarification of what constitutes "intentional" spoliation may have the furthest reaching consequences for corporate litigants. All nine justices agreed that intentional spoliation not only occurs when a party acts with the subjective purpose to conceal or destroy discoverable evidence, but also occurs when a party acts with "willful blindness" by allowing for the destruction of evidence without knowing whether it will be relevant and discoverable.


How should the law handle privacy and data security harms? (Dan Solove, 23 July 2014) - In three earlier posts, I've been exploring the nature of privacy and data security harms. In the first post, Privacy and Data Security Violations: What's The Harm?, I explored how the law often fails to recognize harm for privacy violations and data breaches. In the second post, Why the Law Often Doesn't Recognize Privacy and Data Security Harms, I examined why the law has struggled in recognizing harm for privacy violations and data breaches. In particular, I pointed out the "collective harm problem" - that data harms are often caused by the combination of many actions by different actors over a long period of time, which makes it hard to pin the harm to a single wrongdoer. I also discussed the "multiplier problem" - that companies have data on so many people these days that an incident can affect millions of people yet cause each one only a small amount of harm. Adding it all up, however, could lead to catastrophic damages for a company. In the third post, Do Privacy Violations and Data Breaches Cause Harm?, I examined why the future risk of harm, often ignored by courts, really is harmful. I also pointed out that privacy violations and data breaches often cause harm not just to individuals, but also to society. In this post, I will discuss how the law should handle privacy and security harms. * * *


Cloud computing stymies digital forensics investigations (Nextgov, 24 July 2014) - In recent years, cloud computing has made the leap from an emerging technology to government mainstay, allowing agencies an IT avenue to share services, save money and increase efficiency. However, cloud computing still presents some major technical challenges in government, as illustrated by a recent draft report issued by the National Institute of Standards and Technology. Prepared by the NIST Cloud Computing Forensic Science Working Group, the report summarizes a staggering 65 challenges cloud computing presents to forensics investigators who sift through bits and bytes of digital evidence to solve crimes. The challenges are technical, legal and organizational, according to NIST's Martin Herman, co-chair of the working group. They can be further classified among nine categories, including architecture, data collection, analysis, standards, training and "anti-forensics" such as data hiding and malware. With cloud computing becoming more popular - many agencies, for example, now use cloud computing for email - scenarios in which the cloud might muck up an investigation are plentiful. For example, in a typical computer system, when a user deletes a file, the user isn't actually deleting the information -- only the digital "pointers" to the file, according to Herman. Data isn't really deleted until the physical hard drive or storage disk is overwritten with other data. Traditional forensics teams routinely recover files - including deleted files - using fairly well-known tools. Because the cloud can be a shared, multitenant environment, servers and storage devices can be shared among many different customers. That means, Herman said, there is a higher likelihood deleted data will be overwritten.


Court allows use of "stingray" cell tracking device in murder case (ArsTechnica, 24 July 2014) - The Supreme Court of Wisconsin has upheld the warrantless use of cell phone tracking devices, better known as "stingrays." In a narrow decision published on Thursday, the court found that while the Milwaukee police did not specifically have a warrant to use the stingray to locate a murder suspect, it did have a related judicial order that essentially served the same purpose. * * * Earlier this year, Wisconsin passed a new law that specifically requires a probable cause warrant in order to track someone's phone. That law was not in effect at the time of the 2009 murder.


Corporate firms not so spooked by NSA snoops (Corporate Counsel, 28 July 2014) - Corporate lawyers appear less troubled by former National Security Agency contractor Edward Snowden's government surveillance leaks, especially when compared with their colleagues who focus more on terrorism and criminal cases, according to a new report from leading civil liberties groups. At least some of this disparity seems to stem from the confidence major corporate law firms have in systems they've developed to protect their information from government spies, according to "With Liberty to Monitor All: How Large-Scale U.S. Surveillance Is Harming Journalism, Law and American Democracy," which Human Rights Watch and the American Civil Liberties Union released Monday. These firms have long feared government surveillance and have had the money to take steps intended to secure their info, the report said. An information security officer at an unnamed "major international firm" and a partner in the litigation department of an unidentified "large firm" reported that the U.S. government's extensive electronic surveillance doesn't change how their firms already defend against hackers or spying by foreign governments. For the report, Human Rights Watch interviewed 42 lawyers who represent clients on a variety of criminal and civil matters.


- but -

C-level execs concerned about cybersecurity, but not investing in it (InfoSecurity Magazine, 28 July 2014) - Cybersecurity concerns C-level execs more than concerns over their companies' reputations. However, many are unwilling to invest to assuage the worries; and many don't realize that a data breach could be the most costly reputational issue that a company can face. According to the Fifth Annual Board of Directors Survey from EisnerAmper, there is an ever-increasing concern over cyber-attacks among board members, particularly for public companies and not-for-profit organizations. However, both private companies and organizations with more than $1 billion in revenue felt they were more at risk from cybersecurity/IT than reputation issues. However, the survey also showed a lack of willingness and resources to address the fears. "Many respondents wrote in that they had no plans - or relatively unsophisticated plans - to protect their reputations [in a cyber-crisis]," the firm said. "Overwhelmingly, C-suite executives and the board were referenced as the go-to resources to execute a plan to preserve a company's reputation during a crisis." Crisis management, which could include plans on how to avert a substantial impact on an organization's reputation (including social media showdowns developing from any issue and risk listed - and then some), generated concern from only 31% of respondents - garnering a rank even lower than last year, when it included disaster recovery.


- and -

Homeland Security wants corporate board of directors more involved in cyber-security (Network World, 29 July 2014) - Setting corporate cyber-security policy and taking actions around it must be a top concern for the board of directors at any company, not just the information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level. Andrew Ozment, assistant secretary, Office of Cybersecurity and Communications at DHS, today said DHS endorsed the principles spelled out in the "NACD Directors' Handbook on Cyber-Risk Oversight" published by the National Association of Corporate Directors, which has over 14,000 members who are directors for public, private and non-profit organizations. The DHS will include the NACD's handbook on the U.S. CERT website as a source of information for businesses. In any organization, the board of directors is there to oversee its general direction, including how well upper management is performing. With the news headlines pouring out about data breaches and cyber-espionage on a daily basis these days, "directors are very much aware of cyber-security," said Daly, but they struggle to know how to confront it in detail. The "Handbook on Cyber-Risk Oversight" insists that they should and must play a bigger role, spelling out five basic principles (see graphic, above) that first involve gaining in-depth understanding, then helping set an "enterprise-wide cyber-risk management framework" while also considering cyber-insurance might be worthwhile in order to cover the considerable costs that a data breach might entail.


- and -

SEC investigations spur debate over "materiality" of cyberattacks (WeComply, 30 July 2014) - Following a record year for data breach incidents - with eight breaches exposing over 10 million identities - the U.S. Securities and Exchange Commission (SEC) is closely scrutinizing how those breaches were handled. Multiple recently-opened SEC investigations are focusing on the data security processes companies had in place when the breaches occurred and how much they disclosed - or failed to disclose - to investors about them. Such investigatory actions are new for the SEC, which has previously focused on guiding public companies on how to defend against cyberthreats and disclose those risks to their investors. Now, however, the SEC is looking into events related to the data breaches, including how they occurred, the consequences, how each organization responded and - where asset values may have been affected by a breach - closely reviewing companies' internal controls. Enforcement action would not be unwarranted if the agency finds company disclosures were incomplete or misleading. One potential roadblock for regulators is that, while public companies are required to tell investors of any material events that may affect the investors' decision to buy or sell shares, there is no explicit requirement that they disclose cyberattacks. Previous SEC guidance addressed this issue by urging companies to disclose any material information on cyberattacks or risks, such as breaches that lead to stolen intellectual property or a significant increase in the amount spent to defend company information. However, "materiality" is often a matter of interpretation that varies according to the situation and parties involved. Consequently, whether companies should disclose such information, and what type of information should be disclosed remains a topic of debate among corporate attorneys, regulators and other interested parties. 
Many companies avoid disclosing breaches for fear of lawsuits. However, according to a recent study by security firm HBGary Inc., more than 70% of investors are interested in receiving more information about company cybersecurity practices. This pressure, together with an increase in the volume and frequency of cyberattacks and heightened regulatory scrutiny, may force many companies to change their disclosure policies if they wish to remain competitive and retain the public's trust.


Report says backlash from NSA's surveillance programs will cost private sector billions of dollars (TechDirt, 29 July 2014) - The Open Technology Institute has put together a thorough paper detailing the many adverse effects the NSA disclosures have had, both on American businesses inside and outside of the tech sector, as well as on Americans themselves. So, how much will the NSA leaks cost American businesses? It's tough to say. Although the OTI has done an incredible amount of research, it's difficult to pin down exact losses. Any time an American company has its bid denied by a foreign country, the NSA's actions have likely played some role. But this will very rarely be stated explicitly. This leads to a rather open-ended estimate of lost sales: Nearly 50 percent of worldwide cloud computing revenue comes from the United States, and the domestic market more than tripled in value from 2008 to 2014. However, within weeks of the first revelation, reports began to emerge that American cloud computing companies like Dropbox and Amazon Web Services were losing business to overseas competitors. The NSA's PRISM program is predicted to cost the cloud computing industry from $22 to $180 billion over the next three years.


- and -

US: surveillance harming journalism, law, democracy (Human Rights Watch, 28 July 2014) - Large-scale US surveillance is seriously hampering US-based journalists and lawyers in their work, Human Rights Watch and the American Civil Liberties Union said in a joint report released today. Surveillance is undermining media freedom and the right to counsel, and ultimately obstructing the American people's ability to hold their government to account, the groups said. The 120-page report, "With Liberty to Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law, and American Democracy," is based on extensive interviews with dozens of journalists, lawyers, and senior US government officials. It documents how national security journalists and lawyers are adopting elaborate steps or otherwise modifying their practices to keep communications, sources, and other confidential information secure in light of revelations of unprecedented US government surveillance of electronic communications and transactions. The report finds that government surveillance and secrecy are undermining press freedom, the public's right to information, and the right to counsel, all human rights essential to a healthy democracy.


Great privacy essay: Fourth Amendment doctrine in the era of total surveillance (NetworkWorld, 30 July 2014) - When you signed up with your ISP, or with a wireless carrier for mobile devices, if you gave it any thought at all when you signed your name on the contract, you likely didn't expect your activities to be a secret, or to be anonymous, but how about at least some degree of private? Is that reasonable? No, as the law currently suggests that as a subscriber, you "volunteer" your personal information to be shared with third-parties. Perhaps not the content of your communications, but the transactional information that tells things like times, places, phone numbers, or addresses; transactional data that paints a very clear picture of your life and for which no warrant is required. I'd like to direct your attention to an essay titled "Failing Expectations: Fourth Amendment Doctrine in the Era of Total Surveillance" by Olivier Sylvain, Associate Professor of Law at Fordham University School of Law. He said, "Today's reasonable expectation test and the third-party doctrine have little to nothing to offer by way of privacy protection if users today are at least conflicted about whether transactional noncontent data should be shared with third parties, including law enforcement officials." * * * Sylvain argues that "the reasonable expectation standard is particularly flawed if it has the effect of encouraging judges to seek guidance from legislatures on constitutional norms and principles. Judicial review is the vital antimajoritarian check against excessive government intrusions on individual liberty under our constitutional scheme. This is a responsibility that courts cannot pass off to the political branches when, as is the case today, most people expect that the cost of network connection is total surveillance."


Encrypt your phone calls with Signal for iPhone and RedPhone for Android (Lawyerist, 30 July 2014) - Security is getting simpler and easier, thanks to companies like Open Whisper Systems, which now has encrypted calling apps for both iPhone and Android. RedPhone for Android has been out for a while, and Signal is a brand-new encrypted calling app and service for iPhone. Both are free to download and use. Both apps are also open-source (you can find the code on Github) so that anyone can audit the code to ensure it does what it is supposed to do. What they do is encrypt phone calls between Signal or RedPhone users. If someone were to gain access to your phone metadata, for example, all they would be able to see is that you called Whisper Systems' servers, which do not keep any logs. The call itself is encrypted and decrypted locally on your phone, which makes it extremely difficult for anyone to figure out how to listen in. Signal is a good-looking app that blends in well with iOS 7. (RedPhone just uses the default Android system dialer, so it does not change the look and feel of calls other than to add a RedPhone Call label to secure calls.) Signing up is as simple as providing your phone number, then confirming it with a code sent by text message. It's a convenient signup method that does away with usernames and passwords. After that, Signal works a lot like the regular iPhone phone app. You just have to launch Signal, instead, in order to make secure calls. The only real downside to Signal and RedPhone is that your friends need to have the app in order for you to call them securely. If you try to call someone who is not already registered with Signal, it will offer to invite them to Signal via text message. RedPhone works a bit differently, since it integrates with the Android dialer. RedPhone will let you call anyone, and it uses encryption whenever the person you call has RedPhone installed.
[Polley: I've installed Signal, and see that a few of my friends & colleagues already have it on their iPhones. Give it a try; give me a call.]

Port Authority claims ownership of NYC skyline (ArtNet News, 31 July 2014) - The Port Authority of New York and New Jersey (PA) is asserting its supposed right to images of the New York City skyline, issuing a cease-and-desist order against a china pattern from home goods store Fishs Eddy, reports the New York Times. "Your use of the Port Authority's assets on dinnerware and other items is of great concern to the Port Authority," wrote Veronica Rodriguez, a lawyer representing the PA, to the store on July 24. That kind of serious language certainly implies a greater threat than salt shakers and coffee mugs, and yet here we are, in a world where a government agency is seeking to prevent the artistic representation of the city's most iconic buildings. According to Rodriguez, the depiction of the new 1 World Trade Center building on the playful black-and-white "212 New York Skyline" line of dinnerware could "evoke thoughts of the Port Authority, the twin towers, W.T.C. and the September 11th terrorist attacks." Fishs Eddy's "Bridge and Tunnel" collection of mugs, coasters, dish towels, and tote bags, which features the Lincoln and Holland Tunnels, has also been targeted by the PA. The sale of the goods, claims Rodriguez, "interferes with the Port Authority's control of its own reputation." The store has been ordered to stop selling the dishware in question and to "destroy all materials, documents and other items bearing the assets." Thanks to the sale of the 212 line, Rodriguez argues, Fishs Eddy is "unfairly reaping a benefit from an association with the Port Authority and the [9/11] attacks." It seems a fairly preposterous claim, especially considering that the only place in New York that artnet News associates with the Port Authority is that terrible bus terminal in Times Square.

Senate bill would offer tax incentives for sharing cyber-threat info (FCW, 31 July 2014) - Sen. Kirsten Gillibrand (D-N.Y.) introduced a bill July 31 that would provide tax credits for companies that join organizations dedicated to sharing cyber-threat information. The bill would encourage "businesses of all sizes" to join Information Sharing and Analysis Centers, Gillibrand's office said. ISACs are common mechanisms for information sharing and are often broken down by sector. Energy firms have the Electricity Sector ISAC, for example, while banks have the Financial Services ISAC. The bill has drawn early support from the National Health ISAC, NSS Labs and IBM, among other stakeholders. IBM Vice President of Governmental Programs Christopher Padilla said in a supportive letter to Gillibrand that the legislation would "help lower the costs of participating in sector-specific" ISACs. [ Polley : MIRLN normally doesn't run stories about potential laws (with this Congress, too much happens 'twixt cup and lip), but a potential explosion of sector-specific ISACs is starting, and probably would benefit from such encouragement.]

3D printing: Overcoming the legal and intellectual property issues (ZDnet, 1 August 2014) - When discussing 3D printing, few words are thrown around as frequently and casually as "disruptive." And while the term is widely overused in the startup world, when it comes to 3D printing and manufacturing this is an instance where the term actually applies. As far as the relationship between 3D printing and intellectual property rights, though, this might just be another developing chapter in the uneasy story of technology and IP. As it stands, there are numerous ways to violate intellectual property rights - be they copyrights, patents or trademarks. But the territory is so new, not much has been established regarding the repercussions of using a 3D printer for nefarious purposes. It's not even clear who might be liable. If someone starts printing and selling Mickey Mouse figurines, does Disney go after the person who printed one, the maker of the printer, the designer, the supplier of the material? According to Mark Schonfeld, attorney at the Boston-based firm Burns & Levinson, looking to similar technologies of the past might help determine what happens going forward. * * *

Are Internet domain names "property"? (David Post in the Washington Post, 1 August 2014) - An interesting lawsuit - Ben Haim et al. v Islamic Republic of Iran et al. - has been percolating through the federal system for the last few years, involving a group of plaintiffs who have received money judgments against the governments of Iran, Syria, and North Korea for injuries suffered in state-sponsored terror episodes. To satisfy the judgments, the plaintiffs have been on a campaign to seize assets - bank accounts, real property, etc. - located in the US belonging to those governments (with, apparently, some limited success). In the latest round, they requested, and the DC District Court issued, a series of "writs of attachment" against ICANN, the US-based manager of the global domain name system, ordering it to "hold" property in its control belonging to the defendant governments - specifically, the "country-code top-level domains" (ccTLDs) .IR (Iran), .SY (Syria), and .KP (North Korea) - pending final adjudication of plaintiffs' claims (so that the property would be available to satisfy the plaintiffs' previous judgments, should the court order its seizure and liquidation or transfer for that purpose). * * * [I] also agree with the somewhat narrower legal arguments that ICANN makes in its (very well-written) Motion to Quash the Writs of Attachment. A ccTLD is not "property"; even if you think it's property, it's not property "belonging to" the defendant governments; even if you think it's property belonging to the defendant governments, it's not within ICANN's control; and even if you think it's property belonging to the defendant governments that is within ICANN's control, it's not "located in the United States" and therefore not subject to seizure by a US federal court.

More online publishers let readers fill the space (NYT, 1 August 2014) - To most English speakers, "platform" is a noun. But among news organizations, it is quickly becoming a verb. For publishers, the new meaning of "to platform" is something akin to: Take a traditional media company and add technology that allows readers to upload digital content as varied as links, text, video and other media. The result is a "publish first" model in which a lightly filtered, or unfiltered, stream of material moves from reader to reader, with the publication acting as a host and directing conversation but not controlling it. If it does not quite eliminate the middleman, it goes a long way toward reducing his role, and some media companies view it as a way to enhance their relationship with readers while increasing content production at minimal cost. Condé Nast Publications, for example, plans to allow a select group of writers to start posting on its Traveler website in mid-August as part of a series of experiments involving its magazines. At Time Inc., Entertainment Weekly has television fans posting updates on their favorite shows, and at Gawker, readers can engage with each other as well as with writers, completely uncensored. * * * [A]llowing readers to post their own description of a college sports game or a favorite recipe for chocolate cake is widely believed to make them more loyal and keep them on the site longer - something advertisers very much like to see. Yet knowing these advantages, established publications, particularly those specializing in news, have flinched at making it possible for outsiders to upload raw content for fear that the publications' reputations for reliability - which took decades to build - could be undermined easily. Sites that are pure platforms have certainly faced such missteps; Reddit found itself in trouble after the Boston Marathon bombing when some of its users pointed a suspicious finger at someone who turned out to be the wrong man. 
Longtime publishers have also feared the kind of uncensored vitriol that frequently develops on sites without monitors. The New York Times, for example, screens every comment on news stories for appropriate language before it is posted, but this is costly and time-consuming. * * * [T]echnology is improving and can increasingly be used to police commenting; algorithms, for example, can flag particularly pungent words. Moreover, established platforms have shown that there are ways to police comments that are fairly basic. Amanda Hesser, the co-founder of Food52, and a former New York Times reporter, said her site had successfully employed the simple tools of "likes" to ensure that better-quality content was seen by more readers. At SBNation, a sports fan site run by Vox, readers are encouraged to report commentators who are out of line. This and the increasingly tight budgets at publishers have left many feeling that they have little to lose.

Latest legal victory has LegalZoom poised for growth (ABA Journal, 1 August 2014) - In recent years, LegalZoom has faced lawsuits in eight states seeking to shut it down for violating state laws barring the unauthorized practice of law. But with a notable recent victory in South Carolina, and having fended off all but one of the other lawsuits, LegalZoom is anything but shutting down. To the contrary, LegalZoom, which began offering legal forms online in 2001, is poised to significantly broaden the range of services it offers consumers and small businesses. Already it has expanded into prepaid legal services, operating plans in 41 states and the District of Columbia. Now it is looking ahead to offering a continuum of products and services, from simple forms to full-fledged legal advice, with both lawyers and nonlawyers in the mix. The nub of complaints against LegalZoom is not the self-help documents it provides, but the way it provides them. At its website, customers buy documents to form a business, register a trademark, create a will and address other common legal needs. Questionnaires guide customers through creation of the document, after which LegalZoom employees review the answers for spelling, consistency and completeness. Some, including the North Carolina State Bar, maintain that these elements of guidance and review transform LegalZoom from simple document provider to legal adviser. In 2008 the North Carolina bar issued LegalZoom a cease-and-desist letter. The matter made its way to North Carolina business court where, last March, a judge put off deciding the UPL issue, saying he required additional evidence to fully understand LegalZoom's process for preparing complex documents. Two weeks earlier, the high court in neighboring South Carolina gave LegalZoom a green light to operate. 
Adopting the findings of a special referee it appointed to investigate the company, the court held that LegalZoom's practices "do not constitute the unauthorized practice of law." The referee compared the functionality of LegalZoom's software to a scrivener who transcribes information without giving advice or consultation: "LegalZoom's software acts at the specific instruction of the customer and records the customer's original information verbatim, exactly as it is provided by the customer. The software does not exercise any judgment or discretion, but operates automatically in the same fashion as a 'mail merge' program." Previously, LegalZoom settled UPL suits in California, Missouri and Washington. Lawsuits in Alabama and Ohio were dismissed. Besides North Carolina, the company still faces a challenge in Arkansas, where the matter is in arbitration.

Socrates takes a back seat to business and tech (NYT, 1 August 2014) - The students are pitching. On a spring afternoon at Michigan State University, 15 law students are presenting start-up proposals to a panel of legal scholars and entrepreneurs and an audience of fellow students. The end-of-semester event is one part seminar and one part "Shark Tank" reality show. The companies the students are describing would be very different from the mega-firms that many law students have traditionally aspired to work for, and to grow wealthy from. Instead, these young people are proposing businesses more nimble and offbeat: small, quick mammals scrambling underfoot in the land of dinosaurs. A few of them talk of outsourced services for larger law firms. Karen Francis-McWhite pitches one to help homesteaders claim properties for their own. Another would help immigrants file their taxes, an essential but frightening step to gaining citizenship. The tagline, delivered by its advocate, Giavanna Reeves: "Filing taxes should not make you feel blue when you've got a green card in line." The Entrepreneurial Lawyering Startup Competition, a showcase of the university's Reinvent Law Laboratory, is not an activity many practicing lawyers would recognize. But it might be the kind of broadened curriculum many of today's students need. "Legal education has been stronger on tradition than innovation," said Joan W. Howarth, dean of the Michigan State law school. "What we're trying to do is educate lawyers for the future, not the past." Like a number of law schools looking to the future of a challenging profession, this school is pushing its students to understand business and technology so that they can advise entrepreneurs in coming fields. The school wants them to think of themselves as potential founders of start-ups as well, and to operate fluidly in a legal environment that is being transformed by technology.
Michigan State professors don't just teach torts, contracts and the intricacies of constitutional law. They also delve into software and services that sift through thousands of cases to help predict whether a client's case might be successful or what arguments could be most effective. They introduce their students to programs that search through mountains of depositions and filings, automating tasks like the dreary "document review" that was once the baptism of fire and boredom for young associates.

Google spotted explicit images of a child in a man's email and tipped off the authorities (Business Insider, 3 August 2014) - A Houston man has been arrested after Google sent a tip to the National Center for Missing and Exploited Children saying the man had explicit images of a child in his email, according to Houston police. The man was a registered sex offender, convicted of sexually assaulting a child in 1994, reports Tim Wetzel at KHOU Channel 11 News in Houston. "He was keeping it inside of his email. I can't see that information, I can't see that photo, but Google can," Detective David Nettles of the Houston Metro Internet Crimes Against Children Taskforce told Channel 11. After Google reportedly tipped off the National Center for Missing and Exploited Children, the center alerted police, who used the information to get a warrant.

Extracting audio from visual information (MIT News, 4 August 2014) - Researchers at MIT, Microsoft, and Adobe have developed an algorithm that can reconstruct an audio signal by analyzing minute vibrations of objects depicted in video. In one set of experiments, they were able to recover intelligible speech from the vibrations of a potato-chip bag photographed from 15 feet away through soundproof glass. In other experiments, they extracted useful audio signals from videos of aluminum foil, the surface of a glass of water, and even the leaves of a potted plant. The researchers will present their findings in a paper at this year's Siggraph, the premier computer graphics conference. Reconstructing audio from video requires that the frequency of the video samples - the number of frames of video captured per second - be higher than the frequency of the audio signal. In some of their experiments, the researchers used a high-speed camera that captured 2,000 to 6,000 frames per second. That's much faster than the 60 frames per second possible with some smartphones, but well below the frame rates of the best commercial high-speed cameras, which can top 100,000 frames per second. In other experiments, however, they used an ordinary digital camera. Because of a quirk in the design of most cameras' sensors, the researchers were able to infer information about high-frequency vibrations even from video recorded at a standard 60 frames per second. While this audio reconstruction wasn't as faithful as it was with the high-speed camera, it may still be good enough to identify the gender of a speaker in a room; the number of speakers; and even, given accurate enough information about the acoustic properties of speakers' voices, their identities. [ Polley : Spotted by MIRLN reader Mike McGuire]
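An added illustration of the sampling constraint described above (not code from the MIT paper or the article): a constructed 440 Hz tone is read off cleanly when "filmed" at 2,000 frames per second but folds to a 20 Hz alias at 60 frames per second, because the Nyquist limit is half the frame rate, not the frame rate itself.

```python
"""Why the 'visual microphone' needs a high frame rate.

Added illustration (not code from the MIT/Microsoft/Adobe paper or the
article): each video frame is one sample of an object's vibration, so the
camera's frame rate is the audio sampling rate. By the Nyquist criterion a
tone is unambiguous only below half that rate; anything higher folds
(aliases) onto a lower frequency, which is why 2,000-6,000 fps recovers
speech directly while a plain 60 fps recording does not.
"""
import math


def synth_tone(freq_hz, frame_rate, seconds):
    """Constructed input: a pure tone observed once per video frame."""
    count = int(frame_rate * seconds)
    return [math.sin(2 * math.pi * freq_hz * i / frame_rate) for i in range(count)]


def dominant_frequency(samples, frame_rate):
    """Return the frequency (Hz) of the strongest non-DC bin of a naive DFT."""
    n = len(samples)
    best_bin, best_mag = 1, -1.0
    for k in range(1, n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = sum(x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        mag = math.hypot(re, im)
        if mag > best_mag:
            best_bin, best_mag = k, mag
    return best_bin * frame_rate / n


def alias_frequency(freq_hz, frame_rate):
    """Frequency at which a tone shows up after sampling (folded about fs/2)."""
    folded = freq_hz % frame_rate
    return min(folded, frame_rate - folded)


def recoverable(freq_hz, frame_rate):
    """Nyquist check: True if the tone can be read off the frames unambiguously."""
    return freq_hz < frame_rate / 2


def demo():
    tone = 440  # Hz, inside the telephone voice band
    for fps in (60, 2000, 6000):
        # one second of video at 60 fps, a quarter second at the high rates
        seen = dominant_frequency(synth_tone(tone, fps, 1.0 if fps == 60 else 0.25), fps)
        print(f"{fps:5d} fps: {tone} Hz tone appears at {seen:6.1f} Hz, "
              f"predicted alias {alias_frequency(tone, fps):6.1f} Hz, "
              f"recoverable={recoverable(tone, fps)}")


if __name__ == "__main__":
    demo()
```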

Parents can now choose baby names based on domain availability (Business Insider, 5 August 2014) - When naming a child, parents may turn to all sorts of places for inspiration. But as of Monday, they can tap into a valuable new tool called Awesome Baby Name that will suggest names based on domain availability.

NOTED PODCASTS

The Soft Underbelly of Corporate America? Law Firms and the Cybersecurity Threat Matrix (ILTA LegalSec Keynote, June 2014, by Chris Pearson; 63 mins) - Each day we hear about another data breach in the news. More personally identifiable information (PII) and account information is being siphoned out of respected companies. What about our intellectual property, our trade secrets and other business capital? Oftentimes, the easiest place to attack is when the data is outside the walls of the owner - in many cases at their law firm. During our keynote, we will walk through the cybersecurity threat matrix and its evolution, discuss how various state and federal laws drive forward controls that may or may not help protect our data, and the role of active defense and intelligence. Attendees will learn what programs and controls will position their firms for success in assurance reviews, certifications and competing for business. Together we will explore this topic - as you hear from someone who has worn the hats of law firm counsel, chief privacy officer, chief security officer and chief compliance officer - so we can operationalize against this threat. [ Polley : Toward the end, Pearson avers that hackers are targeting law firms that give advice to clients in the oil/gas business; I'm not surprised.]

National Security Agency Surveillance Programs (CSPAN, 18 July 2014; 73 mins) - Former National Security Agency General Counsel Stewart Baker and open Internet advocates talked about the impact of NSA surveillance programs on U.S. commercial interests and global credibility. Other topics included legislative proposals such as the USA Freedom Act and the effects of NSA disclosure on the Internet, the technology sector, and Internet privacy. [ Polley : Stewart Baker is, I think, too single-minded about these issues, and I've come to disagree with him on almost all of them; Kevin Bankston articulates positions much closer to my views. Chris Hopfensperger rounds out the panel. At time-marker 69m17s Kevin crisply defines the current problem uncovered by Snowden disclosures; he's responding to Stewart's argument that "all's-well" with USG surveillance.]

- and -

Inside the NSA (The Long Now, 6 August 2014) - The NSA's failures are public headlines. Its successes are secret. These days America's National Security Agency lives at the intersection of two paranoias - governmental fears of attack and citizen fears about loss of privacy. Both paranoias were exacerbated by a pair of devastating attacks - 9/11 and Edward Snowden. The agency now has to evolve rapidly while managing its normal heavy traffic of threats and staying ahead of the ever-accelerating frontier of cyber capabilities. In the emerging era of transparency, and in the thick of transition, what does the NSA look like from inside? Threats are daily, but governance is long term. At the heart of handling that balance is Anne Neuberger, Special Assistant to NSA Director Michael Rogers and Director of the Commercial Solutions Center. (Before this assignment she was Special Advisor to the Secretary of Navy; before that, in 02007, a White House Fellow.) She is exceptionally smart, articulate, and outspoken.

DIFFERENT

Jill Abramson's sad admission: "I don't think the press, in general, did publish any stories that upset the Bush White House" (Salon, 30 July 2014) - There are some singular features of our time - truly the time of the assassins, to take Henry Miller's phrase. The consolidated surveillance state confronts us. We recommit to honoring will above intelligence at the very moment history offers us an extraordinary chance to turn away from our 20th century lust for power. Another of these features - or a function of them, maybe - is the assassination of journalism as the essential infrastructure of our public space. I am not much for the "golden age" of anything, however often people get lost in such notions, but we have now not much more than the desiccated remains of whatever our press may once have been. Prompting these admittedly grim thoughts is a speech Jill Abramson recently gave. Abramson, the executive editor at the New York Times, was canned a couple of months ago and now takes to the lecture circuit before assuming duties as an adjunct in nonfiction at Harvard. Creative writing would have been the more sensible appointment. [ Polley : Off-topic for MIRLN, but I highly recommend this thoughtful, important piece. Spot-on, I think.]

The privatization of compliance (Bryan Cave, May 2014) - Achieving consistent legal compliance in today's regulatory environment is a challenge severe enough to keep compliance officers awake at night and one at which even well-managed companies regularly fail. But besides coping with governmental oversight and legal enforcement, companies now face a growing array of both substantive and process-oriented compliance obligations imposed by trading partners and other private organizations, sometimes but not always instigated by the government. Embodied in contract clauses and codes of conduct for business partners, these obligations often go beyond mere compliance with law and address the methods by which compliance is assured. They create new compliance obligations and enforcement mechanisms and touch upon the structure, design, priorities, functions and administration of corporate ethics and compliance programs. And these obligations are contagious: increasingly accountable not only for their own compliance but also that of their supply chains, companies must seek corresponding contractual assurances upstream. Compliance is becoming privatized, and privatization is going viral. * * * Private compliance pressures may originate from any point in the value chain: suppliers, customers, capital markets, insurers. Compliance officers may find themselves caught in the middle between demanding customers and reluctant suppliers, or, in the other direction, between manufacturers vitally interested in how their products reach market and resellers seeking the shortest route to revenue. They may be simultaneously pitted against their own colleagues in charge of operations, procurement, business acquisition and contracting. And unlike the Sentencing Guidelines and most other government leniency programs, many of the privatized compliance requirements are truly mandatory - at least if you want to do business with the other party.
From Apple to Zoetis, major corporations are requiring their business associates to commit to third-party codes of conduct (P2P Codes) and related contract clauses. This trend signals a growing appreciation that enterprises across the value chain share one another's reputational and compliance risks, and that compliance processes play an important role in translating legal commands into lawful conduct. It reflects an awareness that if you are dependent on a business partner to keep you out of legal trouble, it might pay to take an interest in how they intend to accomplish that. * * * [ Polley : Spotted by MIRLN reader Gordon Housworth]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

US anti-spam law fails to bite (BBC, 9 Feb 2004) -- US legislation designed to stem the tide of junk e-mails has had little impact on spam, say experts. US e-mail filtering firm Postini said the Can-Spam Act had only made a slight dent in the amount of unwanted mail. It found spam accounted for 79% of all e-mails it processed in January, down from 80% in December 2003. Critics of the US law had predicted it would do little to stop spam and may even encourage some businesses to start sending unsolicited messages.

Dreaming of a wireless world (ABA Journal, 4 June 2004) -- Go into just about any coffee shop, airport lounge or office building in a major city, and chances are you'll see people working online without wires. However, lawyers constitute one group of professionals that has not gotten on board with wireless technology. According to the ABA 2003 Legal Technology Survey, only 7 percent of respondents in the legal profession reported using any kind of wireless network. That includes wireless fidelity, or Wi-Fi, a popular technology that lets anyone with a properly configured laptop connect to the Internet through a wireless signal.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. McGuire Wood's Technology & Business Articles of Note

8. Steptoe & Johnson's E-Commerce Law Week

9. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

10. The Benton Foundation's Communications Headlines

11. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
