MIRLN --- 1-29 Nov 2014 (v17.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | RESOURCES | LOOKING BACK | NOTES
- Software companies now on notice that encryption exports may be treated more seriously: $750,000 fine against Intel subsidiary
- First person passes the legal tech audit - no lawyers, yet
- Specialized cyber liability insurance policies proliferate as general liability insurers refuse coverage for data breaches
- Governments eager to help market for cyber insurance develop
- Who's minding best practices: A look at what it takes to secure a network
- It's illegal to share photos of your ballot online in many states. Here's why.
- Internet voting hack alters PDF ballots in transmission
- Germany's top publisher bows to Google in news licensing row
- British intelligence spies on lawyer-client communications, government admits
- US government planes collecting phone data, report claims
- The FBI impersonates the media: some of the rules governing cyber-subterfuge
- FBI agents pose as repairmen to bypass warrant process
- Efforts to protect US government data against hackers undermined by worker mistakes
- A hacker built a dark net version of the FBI tip line
- ISPs removing their customers' email encryption
- Tourists warned they are breaking the law because taking photos of the Eiffel tower at night or sharing images on Facebook is illegal
- DC Court rules that Top-Level Domain not subject to seizure
- Homeland Security alerts on end of Windows Server 2003 support
- Info on 8,000 Seattle Schools students improperly released
- ABA launches website to aid unaccompanied minors
- McPeak on social media & civil discovery
- Fitbit data now being used in the courtroom
- New crowdsourced law site is part of larger project to 'annotate the world'
- TRUSTe settles FTC charges it deceived consumers through its privacy seal program
- Getting your board's buy-in on cybersecurity
- There's a Commerce Department 'SWAT team' opening up government data
- OCDS - Notes on a standard
- The largest free collection of law reviews on the Web
- Gates goes open
- Lawsuits for HIPAA violations and beyond: a journey down the rabbit hole
- New AAA rules (and annual fees) may require you to change your terms of service
- Amnesty releases anti-spying program for activists
- Perfect 10 loses copyright suit against Usenet service provider
Software companies now on notice that encryption exports may be treated more seriously: $750,000 fine against Intel subsidiary (Goodwin Procter, 15 Oct 2014) - On October 8, 2014, the Department of Commerce's Bureau of Industry and Security (BIS) announced the issuance of a $750,000 penalty against Wind River Systems, an Intel subsidiary, for the unlawful exportation of encryption software products to foreign government end-users and to organizations on the BIS Entity List. Wind River Systems exported its software to China, Hong Kong, Russia, Israel, South Africa, and South Korea. BIS significantly mitigated what would have been a much larger fine because the company voluntarily disclosed the violations. We believe this to be the first penalty BIS has ever issued for the unlicensed export of encryption software that did not also involve comprehensively sanctioned countries ( e.g. , Cuba, Iran, North Korea, Sudan or Syria). This suggests a fundamental change in BIS's treatment of violations of the encryption regulations. Historically, BIS has resolved voluntarily disclosed violations of the encryption regulations with a warning letter but no material consequence, and has shown itself unlikely to pursue such violations that were not disclosed. This fine dramatically increases the compliance stakes for software companies - a message that BIS seemed intent upon making in its announcement. Encryption is ubiquitous in software products. Companies making these products should reexamine their product classifications, export eligibility, and internal policies and procedures regarding the export of software that uses or leverages encryption (even open source or third-party encryption libraries), particularly where a potential transaction on the horizon - e.g. , an acquisition, financing, or initial public offering - will increase the likelihood that violations of these laws will be identified.
First person passes the legal tech audit - no lawyers, yet (Lawyerist, 3 Nov 2014) - On the one hand, congrats are in order to Lore Mariano for being the first person to get a passing grade on the Legal Tech Audit . On the other hand, Mariano is not a lawyer. According to her LinkedIn profile, she is an IT consultant who "train[s] Colgate's worldwide legal staff to use legal applications for document and matter management."
Which means not a single lawyer has passed the test. I hope Casey Flaherty will update us when a lawyer finally does.
Specialized cyber liability insurance policies proliferate as general liability insurers refuse coverage for data breaches (King & Spalding, 3 Nov 2014) - Travelers Indemnity Company filed an action this month in the United States District Court for the District of Connecticut for a declaratory judgment that it is not obligated to defend or indemnify its policyholder, P.F. Chang's, for losses arising from the restaurant's recent data breach. P.F. Chang's card processing systems were compromised at about 33 restaurant locations from October 2013 through June 2014, resulting in the theft of customer data from credit and debit cards, including names, card numbers and expiration dates. Customers have filed three class actions seeking damages under a variety of contract, tort and consumer fraud claims. Travelers argues that the losses are not covered under the commercial general liability policies it issued to P.F. Chang's in 2013-14 because an electronic data breach does not constitute property damage or bodily injury under their insurance agreement, and the agreement expressly excludes "electronic media and records" from the definition of "property damage." P.F. Chang's is alleged to have a separate cyber liability insurance policy with a self-funded retention requirement. With data breaches becoming more common, the number and variety of specialized cyber insurance policies have proliferated. But these cyber policies may provide substantially less coverage than general liability policies. While cyber policies typically cover costs for customer notification, crisis management, litigation defense and regulatory responses, they do not generally cover intangible losses to reputation, brand or market share. Obtaining adequate coverage is difficult because cyber-related losses are hard to quantify-intangible losses are difficult to estimate, and there may be a lack of information to calculate the probability of a data breach. Even if the federal district court were to determine that P.F. Chang's commercial general liability policy covers its data breach, Travelers urges the court to construe the self-funded retention requirement in the cyber policy as modifying the restaurant's general policy, thus limiting any payouts to the terms of the cyber policy and restricting the more generous payouts of the general liability policy.
- and -
Governments eager to help market for cyber insurance develop (Nossaman, 12 Nov 2014) - With e-commerce projected to account for 10% of all retail sales or approximately $370 billion in sales by 2017 in the United States alone, it is easy to see why world governments are concerned with the potential threat to the ever growing and increasingly interconnected online marketplace. Indeed, if you run a simple Google search for "cyber insurance," the first hit is from the U.S. Department of Homeland Security . As recently as July 2014, the DHS published a report, Insurance for Cyber-Related Critical Infrastructure Loss . Not to be outdone by its progeny, the government of the United Kingdom weighed in on the issue, opining that cyber insurance was critical for online businesses and expressing its support for the growth of a cyber insurance market in a joint government and industry statement on the cyber insurance market . Given the projected trends in online retail sales for European countries and the US, it is easy to see why governments might be somewhat anxious to see a cyber insurance marketplace develop. As the joint statement posted by the United Kingdom Cabinet Office put it "[i]nsurers providing cyber breach and wider operational risk cover can play an integral role in driving improvements in cyber security risk management." The joint statement also noted that beyond helping insureds recover losses following a data breach, cyber insurance may provide insureds "front end risk analysis to gauge the organisation's exposure to cyber risk, and deliver rapid incident response services that are critical to minimising the impact of a breach." That the UK and US governments have expressed an interest in working with insurers to discuss the development of a cyber insurance market bodes well for the healthy and speedy development of such a marketplace. The DHS's report details some of the critical challenges in the development of a cyber insurance market, including "a lack of actuarial data; aggregation concerns; and the unknowable nature of all potential cyber threat vectors." While all insurable events have an inherently "unknowable nature" (otherwise you wouldn't have to ensure against them), the recognition of the challenges to gathering accurate actuarial data is significant.
Who's minding best practices: A look at what it takes to secure a network (InsideCounsel, 4 Nov 2014) - Most organizations have good intentions to follow "cybersecurity best practices," but the sticking point comes when deciding what these practices are and how they relate to individual businesses. While lawyers have an ethical duty to protect information under Rule 1.6: Confidentiality of Information and businesses that accept credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements , there is much more to securing a network than following best practices and requirements. Certainly following these practices is important, but following their intent is what makes the difference between protecting a business and performing perfunctory duties. Before the recent spate of breaches on some big-name retailers, you may have thought that with all the rules and regulatory requirements retailers are subject to under the Payment Card Industry Data Security Standards (PCI DSS) that their networks would be secure. However, the problem often lies with what these companies are not doing rather than what they are doing. While these companies may have "followed best practices," they may not have done what would have been best, either because of a lack on their end or on their adviser's end.
It's illegal to share photos of your ballot online in many states. Here's why. (Washington Post, 4 Nov 2014) - This Election Day, feel free to tell Facebook you voted. Get that jaunty little voting hat on Tumblr. Tweet it on the #election2014 hashtag. But unless you live in Wyoming, North Dakota or a small handful of other states , do not , for the love of democracy, share a photo of your ballot on social media. "Ballot selfies," as they've been dubbed, are still illegal in most of the country - and punishable by ballot invalidation, if not significant fines or jail time. So, in an age where ceaseless self-documentation has become the cultural norm, why do those laws exist in the first place? "It's a very unusual case," says Jeffrey Hermes, the deputy director of the Media Law Resource Center in New York. "Usually banning political speech would be a violation of the First Amendment. But with photography at polling places, there's an intersection of two fundamental aspects of democracy: freedom of speech and the integrity of the voting process." Hermes breaks it down this way: Suppose you were a nefarious character who wanted to skew the voting process in some way. You could buy votes, but you'd want proof that people actually voted like you told them to. You could mislead people who don't understand the voting process or don't speak English well. You could intimidate other voters into voting like you do. In these cases, photos from inside the voting booth would really help you, the nefarious character, perpetrate election fraud. And so, many states have just banned those photos categorically. In this narrow circumstance, they've indicated, there's something more essential to democracy than free speech.
- and -
Internet voting hack alters PDF ballots in transmission (Threat Post, 13 Nov 2014) - Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren't where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called " Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering " that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as an voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner. The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter's machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is certainly a much more quiet attack that the researchers say is undetectable, even in a forensics investigation.
Germany's top publisher bows to Google in news licensing row (Re/Code, 5 Nov 2014) - Germany's biggest news publisher, Axel Springer, has scrapped a bid to block Google from running snippets of articles from its newspapers, saying that the experiment had caused traffic to its sites to plunge. Springer said a two-week-old experiment to restrict access by Google to its news headlines had caused Web traffic to its publications to plunge, leading it to row back and let Google once again showcase Springer news stories in its search results. Chief Executive Mathias Doepfner said on Wednesday that his company would have "shot ourselves out of the market" if it had continued with its demands for the U.S. firm to pay licensing fees. Springer, which publishes Europe's top-selling daily newspaper, Bild, said Google's grip over online audiences was too great to resist, a double-edged compliment meant to ram home the publisher's criticism of what it calls Google's monopoly powers. Publishers in countries from Germany and France to Spain have pushed to pass new national copyright laws that force Google and other web aggregators to pay licensing fees - dubbed the Google Tax - when it publishes snippets of their news articles. Under German legislation that came into effect last year, publishers can prohibit search engines and similar services from using their news articles beyond headlines. Last week, Spain's upper house passed a similar law giving publishers an "inalienable" right to levy such licensing fees on Google.
British intelligence spies on lawyer-client communications, government admits (GigaOM, 6 Nov 2014) - After the Snowden leaks, British lawyers expressed fears that the government's mass surveillance efforts could undermine the confidentiality of their conversations with clients, particularly when those clients were engaged in legal battles with the state. Those fears were well-founded. On Thursday the legal charity Reprieve, which provides assistance to people accused of terrorism, U.S. death row prisoners and so on, said it had succeeded in getting the U.K. government to admit that spy agencies tell their staff they may target and use lawyer-client communications "just like any other item of intelligence." This is despite the fact that both English common law and the European Court of Human Rights protect legal professional privilege as a fundamental principle of justice. Reprieve noted that the government had previously claimed three times that it could not disclose the information it has now disclosed (PDF) in heavily redacted form. According to that information, the acceptability of spying on lawyer-client communications is largely backed up by the Regulation of Investigatory Powers Act (RIPA), which was recently revised to allow surveillance of all sorts of online channels , as well as of phone calls and emails.
- and -
US government planes collecting phone data, report claims (BBC, 14 Nov 2014) - Devices that gather data from millions of mobile phones are being flown over the US by the government, according to the Wall Street Journal . The "dirtbox" devices mimic mobile phone tower transmissions, and handsets transmit back their location and unique identity data, the report claims. While they are used to track specific suspects, all mobile devices in the area will respond to the signal. The US Justice Department refused to confirm or deny the report. The Wall Street Journal said it had spoken to "sources familiar with the programme" who said Cessna aircraft fitted with dirtboxes were flying from at least five US airports. The department said that it operated within federal law.
The FBI impersonates the media: some of the rules governing cyber-subterfuge (Lawfare, 7 Nov 2014) - The developing story of the FBI's impersonation of journalists is, in a way, really the story of Timberline high school in Washington State. In June of 2007 Timberline had received a series of bomb threats, prompting a week of evacuations. The FBI and local law enforcement traced the problem to an anonymous account on the MySpace social media site. But the trail seemed to stop there, as investigators were unable to ascertain the identity of the person or persons behind the account. So the feds resorted to subterfuge. According to a letter sent from FBI Director James Comey to the editor of the New York Times , an undercover agent, relying on "an agency behavioral assessment that the anonymous suspect was a narcissist," "portrayed himself as an employee of The Associated Press" and sent the MySpace account a message via MySpace's internal communications channel. In the message, the agent apparently asked if the suspect would be willing to review a draft AP article about the threats and attacks, to be sure that the anonymous suspect was portrayed fairly. The message then linked to what seemed to be the draft Associated Press story . There was a catch. The AP story and link were fakes, and had been designed by the FBI to mimic the appearance and feel of a genuine AP article. That wasn't all either. The link also contained a particular kind of malware, meant to enable the FBI surreptitiously to uncover the location and IP address of the computer behind the anonymous MySpace account. The ruse worked. Upon receipt, the suspect clicked on the link, thereby unwittingly downloading the malware and revealing case-making investigative information to the FBI. He later pleaded guilty to making the bomb threats to Timberline. * * * Given these fierce reactions to the Timberline episode, an important question has again been raised: What rules apply to this sort of law enforcement trickery? Below, I overview two potentially relevant constraints: policies employed within the FBI itself, as well as Fourth Amendment limits set by courts. (To be clear, I do not mean to canvass every legal issue raised by the episode.) * * *
- and -
FBI agents pose as repairmen to bypass warrant process (Bruce Schneier, 26 Nov 2014) - This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress : The next time you call for assistance because the internet service in your home is not working, the "technician" who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have "consented" to an intrusive search of your home. Basically, the agents snooped around the hotel room, and gathered evidence that they submitted to a magistrate to get a warrant. Of course, they never told the judge that they had engineered the whole outage and planted the fake technicians. More coverage of the case here . This feels like an important case to me. We constantly allow repair technicians into our homes to fix this or that technological thingy. If we can't be sure they are not government agents in disguise, then we've lost quite a lot of our freedom and liberty.
Efforts to protect US government data against hackers undermined by worker mistakes (The Guardian, 10 Nov 2014) - A $10bn-a-year effort to protect sensitive government data, from military secrets to social security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors. Workers scattered across more than a dozen agencies, from the defense and education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records. They have clicked links in bogus phishing emails, opened malware-laden websites and been tricked by scammers into sharing information. One was redirected to a hostile site after connecting to a video of tennis star Serena Williams. A few act intentionally, most famously former National Security Agency contractor Edward Snowden, who downloaded and leaked documents revealing the government 's collection of phone and email records. At a time when intelligence officials say cybersecurity trumps terrorism as the No1 threat to the US - and when breaches at businesses such as Home Depot and Target focus attention on data security - the federal government isn't required to publicize its own data losses. From 2009 to 2013, the number of reported breaches just on federal computer networks - the .gov and .mils - rose from 26,942 to 46,605, according to the US computer emergency readiness team. Last year, US-CERT responded to a total of 228,700 cyberincidents involving federal agencies, companies that run critical infrastructure and contract partners. That's more than double the incidents in 2009. And employees are to blame for at least half of the problems. Last year, for example, about 21% of all federal breaches were traced to government workers who violated policies; 16% who lost devices or had them stolen; 12% who improperly handled sensitive information printed from computers; at least 8% who ran or installed malicious software; and 6% who were enticed to share private information, according to an annual White House review.
A hacker built a dark net version of the FBI tip line (Motherboard, 11 Nov 2014) - A London-based programmer has set up a new hidden service for anyone using Tor to submit anonymous tips to the FBI. With the new .onion hidden service link ( http://tksgyw4u4t6peema.onion/ ), which accesses the FBI's tips page through a reverse proxy, Mustafa Al-Bassam told me in an IRC chat that he's engineered a "proof-of-concept," demonstrating how the bureau might go about setting up a more secure system for receiving crime tips. "Law enforcement won't be taken seriously in the debate about anonymity if all they show is a binary interest to prosecute criminals at all cost," said Al-Bassam, the youngest-ever-identified former member of the hacking group, LulzSec . "Tor has great utility for law enforcement who wish to receive crime tips from public."
ISPs removing their customers' email encryption (EFF, 11 Nov 2014) - Recently, Verizon was caught tampering with its customer's web requests to inject a tracking super-cookie . Another network-tampering threat to user safety has come to light from other providers: email encryption downgrade attacks. In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag-called STARTTLS-from email traffic. The STARTTLS flag is an essential security and privacy protection used by an email server to request encryption when talking to another server or client.1 By stripping out this flag, these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. Some firewalls, including Cisco's PIX/ASA firewall do this in order to monitor for spam originating from within their network and prevent it from being sent. Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. This type of STARTTLS stripping attack has mostly gone unnoticed because it tends to be applied to residential networks, where it is uncommon to run an email server2. STARTTLS was also relatively uncommon until late 2013 , when EFF started rating companies on whether they used it . Since then, many of the biggest email providers implemented STARTTLS to protect their customers. We continue to strongly encourage all providers to implement STARTTLS for both outbound and inbound email. Google's Safer email transparency report and starttls.info are good resources for checking whether a particular provider does. [ Polley : Many law firms use "opportunistic TLS" to encrypt email transmissions; this flag-stripping may disable such protections.]
Tourists warned they are breaking the law because taking photos of the Eiffel tower at night or sharing images on Facebook is illegal (Daily Mail, 12 Nov 2014) - Lit up at night, the Eiffel Tower is one of the most iconic sights in the world. It's an image that embodies the French capital. But an obscure clause in EU copyright rules means that taking and sharing photos of the tower taken in the evening is actually a violation that could land tourists with a fine. The Eiffel Tower was built in 1889 which means that it falls within the public domain, so tourists can snap away liberally during the day. But the impressive lights that illuminate the attraction at night are technically an art work, so 'reproducing' requires the permission of the artist. It also means that it is technically illegal to share images of the Eiffel Tower on social media sites such as Facebook. While the EU's 2001 information society directive says photographs of architectural works in public spaces can be taken free of charge, the clause is optional. Countries including Italy, Belgium and France opted out of transposing it into national law. 'The lightshow is protected by copyright,' Dimitar Dimitrov, a policy expert for the European Wikimedia chapters in Brussels, said. On its website, the Eiffel Tower confirms that uses of photographs are subject to certain restrictions.
DC Court rules that Top-Level Domain not subject to seizure (David Post on the Volokh Conspiracy, 13 Nov 2014) - As I mentioned several months ago , a group of plaintiffs, having obtained judgments in US courts against the government of Iran, has been seeking to satisfy those judgments via writs of attachment - court-ordered seizures - of property belonging to the Iranian government. This can be a relatively straightforward process when applied to bank accounts, real estate, or tangible personal property - the usual targets of seizure orders. But the plaintiffs here sought to seize the .ir top-level domain - the ccTLD ("country-code top level domain," as distinguished from the "generic top-level domains" like .com, .org, and the like) associated with Iran. This is, plaintiffs asserted, property belonging to the Iranian government, held here in the U.S. by ICANN, the US-based administrator of the global Domain Name System (DNS), on whom the writ of attachment was served. * * * On Monday, Judge Lamberth of the DC District Court wisely dismissed the writs of attachment, holding that the ccTLD was not "property subject to attachment in the District of Columbia." This is the right result for many reasons - not least of which is that the DNS is a public resource of enormous value on which a substantial amount of the world's trade and commerce and entertainment and communication now takes place, and the notion that pieces of it are available to satisfy private judgments would wreak havoc on the public Internet. Judge Lamberth didn't feel the need to go into all that - his ruling rests on the narrower (but perhaps more stable) ground that the "property" right in a ccTLD is "inextricably bound to" and "cannot be conceptualized apart from" the services provided by the ccTLD manager and the root zone administrator and the rest of the DNS, and as such can't be attached or seized (under the general rule that services are not attachable or seizable). Good stuff.
Homeland Security alerts on end of Windows Server 2003 support (ZDnet, 13 Nov 2014) - An alert from US-CERT (the Computer Emergency Readiness Team) warns of dangerous consequences for organizations that continue to run Windows Server 2003 R2. Microsoft has scheduled the end of support for this operating system on July 14, 2015. This applies to both the initial and R2 editions of Windows Server 2003. Although it was released over 11 years ago, Windows Server 2003 remains popular. Redmond Magazine cites Microsoft as saying that as of July of this year there were 24 million instances of Windows Server 2003 running on 12 million physical servers globally. In North America there are 9.4 million instances and, worldwide, Windows Server 2003 still constitutes 39 percent of the Windows Server installed base. After July 14, 2015 (a Patch Tuesday) these servers will no longer receive security updates or assisted technical support. Microsoft has been conducting their own campaign to get customers to upgrade. As with Windows XP, organizations can pay Microsoft for an extension of support.
Info on 8,000 Seattle Schools students improperly released (Seattle Times, 14 Nov 2014) - A law firm contracting with Seattle Public Schools improperly released confidential information about thousands of students as part of a lawsuit over special-education services, prompting an apology from the district and a request for the man who received the records to delete or return them. Sam Morley, the legal guardian of a student, alerted district officials on Tuesday that he had received, via email, documents with information about individual students, including whole special-education plans, disciplinary records, student test scores and transportation records with students' names and home addresses. By Morley's count, he received confidential information about more than 8,000 students, including what appears to be the entire caseload for a special-education manager at Roosevelt High School. The district's lawyer, Ron English, responded to Morley with an email assuring him that his case would no longer be handled by the firm, Preg O'Donnell & Gillett, which has offices in Seattle, Portland and Anchorage. "Protection of student privacy is of critical importance, and the disclosures by our outside law firm are not acceptable," English wrote. "Although I have not had time to confirm the exact details of the disclosure as you describe them below, I have confirmed that disclosures did occur on a broad scale." The law firm did not respond to emails from The Seattle Times seeking comment. The school district is asking for assistance from the U.S. Department of Education to investigate how it happened. [ Polley : This is perhaps the first time a law firm had been publicly tagged for a security problem, but won't be the last. The first firms to suffer this kind of publicity will lose clients-as apparently here-but eventually a "new normal" will emerge.]
ABA launches website to aid unaccompanied minors (VOXXI, 14 Nov 2014) - Child advocates have for months voiced concerns about unaccompanied minors not having an attorney by their side in immigration court, and now the American Bar Association is stepping in to help. The group launched a website this week as a resource for attorneys who want to volunteer their time to help unaccompanied minors navigate through the immigration system. The goal is to get more attorneys to provide unaccompanied minors with legal representation on a pro bono basis. "The ABA steps up when justice is at stake," American Bar Association President William C. Hubbard said in a statement. "We support legal representation for unaccompanied children in the U.S. immigration court system. We are acting not only out of concern for the welfare of these children, but also because all parties benefit when vulnerable children are competently represented by counsel in adversarial proceedings." The website is dubbed the Immigrant Child Advocacy Network . It was put together by the American Bar Association's working group on unaccompanied minors in collaboration with partner organizations, like Kids in Need of Defense and the American Immigration Lawyers Association. The website provides links to resources and training materials on issues related to legal representation of children. It also provides a calendar of ongoing pro bono training opportunities and a list of legal providers who are looking for volunteers to assist children.
McPeak on social media & civil discovery (Legal Theory Blog, 14 Nov 2014) - Agnieszka McPeak (University of Toledo College of Law) has posted Social Media Snooping and Its Ethical Bounds (Arizona State Law Journal, 2014 Forthcoming) on SSRN. Here is the abstract: Social media has entered the mainstream as a go-to source for personal information about others, and many litigators have taken notice. Yet, despite the increased use of social media in informal civil discovery, little guidance exists as to the ethical duties - and limitations - that govern social media snooping. Even further, the peculiar challenges created by social media amplify ambiguities in the existing framework of ethics rules and highlight the need for additional guidance for the bench and bar. This article offers an in-depth analysis of the soundness and shortcomings of the existing legal ethics framework, including the 2013 revisions to the American Bar Association's model rules, when dealing with novel issues surrounding informal social media discovery. It analyzes three predominant ethics issues that arise: (1) the duty to investigate facts on social media, (2) the no-contact rule and prohibitions against deception, and (3) the duty to preserve social media evidence. While the first two issues can be adequately addressed under the existing framework, the rules fall short in dealing with the third issue, preservation duties. Further, even though the existing ethics rules can suffice for the most part, non-binding, supplemental guidelines, or "best practices," should be created to help practitioners and judges navigate the ethical issues created by new technology like social media.
Fitbit data now being used in the courtroom (Forbes, 16 Nov 2014) - Personal injury cases are prime targets for manipulation and conjecture. How do you show that someone who's been in a car accident can't do their job properly, and deserves thousands of dollars in compensation? Till now lawyers have relied on doctors to observe someone for half an hour or so and give their, sometimes-biased opinion. Soon, they might also tap the wealth of quantifiable data provided by fitness trackers. A law firm in Calgary is working on the first known personal injury case that will use activity data from a Fitbit to help show the effects of an accident on their client. The young woman in question was injured in an accident four years ago. Back then, Fitbits weren't even on the market, but given that she was a personal trainer, her lawyers at McLeod Law believe they can say with confidence that she led an active lifestyle. A week from now, they will start processing data from her Fitbit to show that her activity levels are now under a baseline for someone of her age and profession. The lawyers aren't using Fitbit's data directly, but pumping it through analytics platform Vivametrica, which uses public research to compare a person's activity data with that of the general population.
New crowdsourced law site is part of larger project to 'annotate the world' (Law Sites, 17 Nov 2014) - There is something very fitting in the fact that a site that started out deciphering rap lyrics is now turning its attention to making sense of the law. The site, Law Genius , is the newest member of the larger Genius network of crowdsourced community sites, all of which grew out of the original site, Rap Genius , which was started in 2009 for the purpose of listing and annotating rap lyrics. Soon, users started using the site to annotate all sorts of other stuff, from the collected works of Shakespeare to the roster of the 1986 New York Mets to the warnings on the back of a Tylenol bottle . Last July, the site officially relaunched as Genius, becoming a hub for a range of communities devoted to topics such as rock, literature, history, sports, screen and tech. All are united by the site's overarching goal, "to annotate the world." Genius breaks down text with line-by-line annotations, added and edited by anyone in the world. It's your interactive guide to human culture. Now law is the latest addition to this ambitious effort at global annotation. It is an effort to crowdsource statutes, case law and other legal news. At the helm of the project, as executive editor of Law Genius, is Christine Clarke, a 2010 graduate of Yale Law School who practiced plaintiff-side employment law in Manhattan before joining Law Genius full time. At Law Genius, any registered user can add text and annotate any text. Other users can vote up or down on annotations, or add their own suggestions to the annotations. As you view text, any portion that is highlighted has an annotation. Click on the highlighted text to view the annotation. To add your own annotation, just highlight a selection of text.
TRUSTe settles FTC charges it deceived consumers through its privacy seal program (FTC, 17 Nov 2014)) - TRUSTe, Inc., a major provider of privacy certifications for online businesses, has agreed to settle Federal Trade Commission charges that it deceived consumers about its recertification program for company's privacy practices, as well as perpetuated its misrepresentation as a non-profit entity. TRUSTe provides seals to businesses that meet specific requirements for consumer privacy programs that it administers. TRUSTe seals assure consumers that businesses' privacy practices are in compliance with specific privacy standards like the Children's Online Privacy Protection Act (COPPA) and the U.S.-EU Safe Harbor Framework. The FTC's complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year. In addition, the FTC's complaint alleges that since TRUSTe became a for-profit corporation in 2008, the company has failed to require companies using TRUSTe seals to update references to the organization's non-profit status. Before converting from a non-profit to a for-profit, TRUSTe provided clients model language describing TRUSTe as a non-profit for use in their privacy policies. The proposed order announced today will help ensure that TRUSTe maintains a high standard of consumer protection going forward. Under the terms of its settlement with the FTC, TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.
Getting your board's buy-in on cybersecurity (Computerworld, 18 Nov 2014) - You don't want your first discussion about cybersecurity with your company's board of directors to happen post-breach. Start educating the board now. Explain the scope and components of a comprehensive security program, and be clear about how far your company's program falls short of optimal effectiveness. The board members need to understand that, at a minimum, a good cybersecurity program should include processes to manage patches, review logs, force secure passwords and train staff not to open emails from Nigerian princes. They probably also need to be educated about the policies and procedures that have to be put in place just to meet the security regulations and standards of legislation such as Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley and industry initiatives such as PCI and EMV. They need to know that you recognize the dangers of collecting and storing data that's subject to regulation and will do so only when there is no other option. And they need to see how the procedures controlling all these processes have been thoroughly documented and are regularly tested. But those are just the basics. A truly comprehensive cybersecurity program involves much more, and you need to make your board aware of what those things are, so that it can assure that sufficient resources are allocated. Some of the things to consider undertaking and funding are these: * * * Most importantly, both IT and the board should not delude themselves that a breach won't happen to them. As Joseph Demarest, assistant director of the FBI's cyberdivision, said at a recent cybersecurity conference, "You're going to be hacked. Have a plan."
There's a Commerce Department 'SWAT team' opening up government data (Washington Post, 18 Nov 2014) - Launched in 2009, Data.gov was one of the Obama administration's flagship efforts to produce a more open government. But though the site is full of raw data, Secretary of Commerce Penny Pritzker suggests it's not nearly as useful as it could be. Data.gov was supposed to hold heaps of data created by the federal government as it goes about its day-to-day business, boosting government transparency. And it's worked in some cases. National Oceanic and Atmospheric Administration data stored on the site has given birth to scores of weather apps and countless meteorologists' careers, for example. But in a visit to the D.C. start-up hub 1776 on Monday, Pritzker said that one of the surprises of becoming secretary of commerce last year was finding that the department didn't have all that much to show for the great heaps of data it had shoveled onto the site. The Data.gov team housed at the U.S. General Services Administration "called us up and said you haven't been contributing appropriately," Pritzker said. "And so we dumped our 39,000 data sets on Data.gov" -- from lists of people banned from exporting products from the United States to statistics on shark death rates in the Florida commercial fishing industry . But that is not enough, she said. "The point is just dumping data sets out there is not useful," said Pritzker. "What we need to do is to figure out a strategy." Pritzker said the department is pulling together a "SWAT team" with help from U.S. Chief Technology Officer Megan Smith to determine "the most exciting" things they can do with the data stored on the site during what remains of the Obama administration's tenure.
- and -
OCDS - Notes on a standard (Berkman's Tim Davies, 19 Nov 2014) - Today sees the launch of the first release of the Open Contracting Data Standard (OCDS) . The standard, as I've written before , brings together concrete guidance on the kinds of documents and data that are needed for increased transparency in processes of public contracting, with a technical specification describing how to represent contract data and meta-data in common ways. The video below provides a brief overview of how it works (or you can read the briefing note ), and you can find full documentation at http://standard.open-contracting.org . * * *
- and -
The largest free collection of law reviews on the Web (Law Sites, 24 Nov 2014) - I try to cover sites here soon after they launch, but every so often I miss one. In this case, I missed a big one. Launched in August 2013, Law Review Commons is the largest open-access law review portal on the web. It provides access to more than 200 law reviews containing more than 150,000 articles. The oldest law reviews in its collection date back to 1852. The site currently includes law reviews from law schools such as Berkeley, Boston College, Cornell, Chicago, Pennsylvania, Villanova and Yale. Missing from the collection are several top-tier schools such as Harvard, Stanford and Columbia. A search function enables you to find articles on the site. The search is not full text, but rather searches fields such as title, abstract, subject, author, institution, document type and publication name. You can also browse and find law reviews in several ways. A master list arranges all law reviews by their law school. You can also browse law reviews alphabetically by title, by the subject they cover, or by specific works and authors within a subject area. The actual articles are in PDF format. One other feature of the site is a world map showing readership in real time. As articles are downloaded, the location of the downloader is shown on the map and a text box displays the reader's location in the world and the title of the download.
- and -
Gates goes open (InsideHigherEd, 24 Nov 2014) - The Bill & Melinda Gates Foundation will require grant recipients to make their research publicly available online -- a multibillion-dollar boost to the open access movement. The sweeping open access policy, which signals the foundation's full-throated approval for the public availability of research, will go into effect Jan. 1, 2015, and cover all new projects made possible with funding from the foundation. The foundation will ease grant recipients into the policy, allowing them to embargo their work for 12 months, but come 2017, "All publications shall be available immediately upon their publication, without any embargo period." "We believe that our new open access policy is very much in alignment with the open access movement which has gained momentum in recent years, championed by the NIH, PLoS, Research Councils UK, Wellcome Trust, the U.S. government and most recently the WHO," a spokeswoman for the foundation said in an email. "The publishing world is changing rapidly as well, with many prestigious peer-reviewed journals adopting services to support open access. We believe that now is the right time to join the leading funding institutions by requiring the open access publication of our funded research." The foundation explained the broad outlines of the open access policy in a five-point list posted to its website. All reports, along with their underlying data, will be published under a Creative Commons (or equivalent) license, tagged with metadata and placed in repositories to ensure they are discoverable.
Lawsuits for HIPAA violations and beyond: a journey down the rabbit hole (Prof. Dan Solove, 18 Nov 2014) - At first blush, it seems impossible for a person to sue for a HIPAA violation. HIPAA lacks a private cause of action. So do many other privacy and data security laws, such as FERPA, the FTC Act, the Gramm-Leach-Bliley Act, among others. That means that these laws don't provide people with a way to sue when their rights under these laws are violated. Instead, these laws are enforced by agencies. But wait! Stop the presses! A recent decision by the Connecticut Supreme Court has concluded that people really can sue for HIPAA violations. As I will explain later, this is not a radical conclusion . . . though the implications of this conclusion could be quite radical and extend far beyond HIPAA. A number of folks have blogged about this case, but not many have explored the depths of this rabbit hole. Let's start with the Connecticut Supreme Court decision, and then follow the White Rabbit. * * * [ Polley : As usual, it's worth reading the rest of Prof. Solove's posting.]
New AAA rules (and annual fees) may require you to change your terms of service (Baer Crossey, 19 Nov 2014) - The American Arbitration Association (AAA) now requires businesses to notify the AAA of their intent to use AAA arbitration in standard consumer contracts and to pay fees to review the arbitration agreement; otherwise, the AAA can refuse the arbitration. On September 1, 2014, the AAA released new arbitration rules and supplemental procedures governing standard, business-to-consumer contracts for personal or household products and services (such as terms of service for websites and mobile apps). As part of the new rules, companies that require (or intend to require) AAA arbitration in their standard, consumer agreements must: (1) Notify the AAA at least 30 days before the planned effective date of the contract, and (2) Pay AAA to review and register the arbitration clause to ensure the clause's compliance with the Consumer Due Process Protocol and AAA Consumer Arbitration Rules. The new fees involve nonrefundable upfront and yearly recurring costs. If a company registers its clause in 2014, the fee is $650, which covers 2014 and 2015. Renewal fees for subsequent years are currently $500 per year. If a standard, consumer contract has an un-reviewed (and unpaid) provision providing for AAA arbitration, the company may seek expedited review of the clause upon a demand for arbitration, but the expedited review costs an additional $250. Furthermore, the AAA may refuse to take the arbitration if it determines that clause is not in material compliance with the Consumer Due Process Protocol or the Consumer Arbitration Rules. Given how recently the new rules have been released, there isn't much historical experience to determine how frequently or under what circumstances the AAA will refuse to take arbitrations.
Amnesty releases anti-spying program for activists (BBC, 19 Nov 2014) - Amnesty International has released a program that can spot spying software used by governments to monitor activists and political opponents. The Detekt software was needed as standard anti-virus programs often missed spying software, it said. Amnesty said many governments used sophisticated spying tools that could grab images from webcams or listen via microphones to monitor people. "These spying tools are marketed on their ability to get round your bog-standard anti-virus," said Tanya O'Carroll, an adviser on technology and human rights at Amnesty International. The makers of spying software did extensive testing to ensure that the way they infected and lurked on a computer did not trigger security alerts, she added. Detekt has been developed over the past two years to spot the few telltale signs spying programs do leave. The intense scan it carries out on a hard drive means a computer cannot be used while Detekt is running. Four separate rights groups - Amnesty International, the Electronic Frontier Foundation, Privacy International and Digitale Gesellschaft - have worked together to create the spyware spotter, which is available free of charge. The first version of Detekt has been written to run on Windows computers because the people most often being monitored use that software, said Ms O'Carroll.
Perfect 10 loses copyright suit against Usenet service provider (Eric Goldman, 25 Nov 2014) - Giganews acts as a USENET service provider. Perfect 10 is the litigious pornographer that has helped define Internet copyright law for the last 15 years. It sued Giganews because Perfect 10's copyrighted images are distributed on USENET. After over three years of pointless litigation, the district court finally put a stop to the lawsuit (in an oddly formatted opinion divided into 3 separate memos). The court rejected Giganews' direct infringement for lack of "volition." The question remains: what does "volition" mean in this context? I've always found the term ambiguous. This ruling is perhaps the most explicit I've seen suggesting that volition is really about something like proximate causation * * * I've added this passage to my Internet Law reader because I think it's the most helpful statement of "volition"/"causation" I've seen to date, even though it's still hardly clear. At minimum, it provides a doctrinal hook (however ambiguous) to channel copyright lawsuits against service providers away from direct infringement and into contributory or vicarious infringement. Naturally, a USENET service provider lacks the requisite causation for USENET content-especially content that wasn't originated by the USENET's own subscribers. But I think this language could be read more broadly to apply to web hosting.
RESOURCES
Information Security and Cyber Liability Risk Management (report by Zurich, Oct 2014) - If there was any doubt as to the existence of a data security epidemic, 2014 likely changed that. This is the year that it became abundantly clear that no business, government, or individual was immune to the threat of an attack. With massive data breaches affecting some of the nation's largest retailers, nation-states being accused of stealing corporate trade secrets, and private celebrity photos being hacked, 2014 has been chock- full of cyber related headlines. Cybercriminal tactics continued to evolve and the ability to execute attacks became easier. For many companies, being involved in a cyber event went from a question of "if " to "how bad." Small and midsize businesses increasingly realized that they are highly vulnerable. Information security risks have become a risk management focus for more organizations. Thanks largely to a number of high profile retail breaches, 2014 also has been the year that executives and board members began to view cyber risks more seriously. [ Polley : Short, interesting report. Shows high level of concern/attention by C-level executives and by Boards. Suggests that most companies think IT (38%) is responsible for managing the compliance issues, with the GC's office second (21%).]
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Online voting canceled for Americans overseas (New York Times, 6 Feb 2004) -- Citing security concerns, the Department of Defense yesterday canceled plans to use an electronic voting system that would have allowed Americans overseas to cast votes over the Internet in this year's elections. The system, the Secure Electronic Registration and Voting Experiment, or Serve, was developed with financing from the Defense Department. The decision was announced in a memorandum from Deputy Defense Secretary Paul D. Wolfowitz to David S. C. Chu, under secretary of defense for personnel and readiness. Paraphrasing the memorandum, a Department of Defense spokeswoman said: "The department has decided not to use Serve in the November 2004 elections. We made this decision in view of the inability to ensure legitimacy of votes, thereby bringing into doubt the integrity of the election results." The memorandum says efforts will continue to find ways to cast ballots electronically for Americans overseas and to use Serve for testing and development. The Defense Department move is a significant setback for proponents of various electronic voting initiatives. Efforts to move the nation beyond the problems with paper ballots and hanging chads in the 2000 presidential election include the increased use of touch-screen voting systems and experiments like Saturday's Democratic caucuses in Michigan, which will allow Internet voting. But those initiatives come at a time of increased public distrust of high-tech voting. Critics of touchscreen voting machines, for example, argue that the technology creates a "black box" that allows no independent verification of votes unless a validation tool like a paper receipt system is used.
Reuters defines fair use for bloggers (TechLawAdvisor.com, 1 April 2004) -- Rafat Ali, of PaidContent.org, wondered aloud about what Reuters deal with Fast (to go after copyright infringers online) meant last week for bloggers. Michael Salk, VP at Reuters Media was kind enough to provide a response. Reuters Position on Linking From Blogs: "Infringements of our copyright does not include where bloggers quote from and link back to our original story, or where sites display a headline and link back to reuters.com."
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top