Saturday, June 27, 2015

MIRLN --- 7-27 June 2015 (v18.09)

MIRLN --- 7-27 June 2015 (v18.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Lawyers may need to encrypt e-mail in especially risky or sensitive scenarios (Bloomberg, 20 May 2015) - Attorneys who handle divorce, employment and criminal defense matters may in some circumstances have a duty "to consider whether it is prudent to use encrypted email" to communicate with clients, the Texas bar's ethics committee concluded in April. The opinion addresses an issue that many experts have urged bar authorities to look at anew: whether technological changes and escalating concerns over computer hacking have made it necessary to revisit existing guidance on using e-mail to communicate with clients. "Having read reports about email accounts being hacked and the National Security Agency obtaining email communications without a search warrant, [inquiring] lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information," the opinion states. The panel said that although it "has not addressed the propriety of communicating confidential information by email, many other ethics committees have [concluded that] except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information." * * *


Protecting directors and officers from derivative liability arising from data breaches (Proskauer, 1 June 2015) - With data breaches affecting companies across virtually every industry, cyber security has remained front page news. Lawsuits brought by aggrieved consumers and financial institutions against companies that have suffered data breaches are not uncommon. Increasingly, companies are also being subjected to shareholder derivative suits against directors and officers alleging breach of fiduciary duty relating to a data breach. As a result, corporate boards should expect closer scrutiny of their actions regarding cybersecurity and data breaches. A proactive approach to risk management and insurance coverage may make the difference in minimizing exposure. * * * With data breaches showing no signs of slowing down, the attendant litigation can also be expected to continue. Following the data breach suffered by Target, a 2014 shareholder derivative action was filed against the company's board for failing to adequately attend to its cybersecurity. The lawsuit against Target alleges that the board's conduct caused the data breach, and challenges the board's subsequent containment, disclosure and analysis. In addition to the derivative action, a prominent proxy adviser also called for the ouster of Target's directors due to their perceived "failure…to ensure appropriate management of [the] risks" of Target's December 2013 cyber-attack (reported by the Wall Street Journal). As the available precedent confirms, perfect data security is not the standard. Instead, courts will look to verify that boards are taking steps to understand and protect against this very real threat. There are practical steps that companies can take, including: * * *


Russian billboard advertising contraband hides when it recognises cops (Naked Security, 1 June 2015) - Moscow's Don Giulio Salumeria promises "small islands of warm and sunny Italy," offering authentic Italian prosciutto, ricotta, mozzarella and tiramisu for sale in the cold lands of Russia. Fat lot of good any of it will do Muscovites, given that Russia has banned food imports from the European Union and the US. It's not that Don Giulio can't figure out how to import it, but the shop sure can't advertise those delicious imported foods. So what's a well-stocked salumeria to do? Pay an ad company to rig billboards with facial recognition that's been tweaked to spot the official symbols and logos on the uniforms worn by Russian police, that's what. As Adweek reports, an ad agency called The 23 created an outdoor ad that could apparently spot police uniforms. As police approached the ad, as you can see in this YouTube video, the billboard would switch from advertising a nice, fat wedge of Don Giulio Salumeria's imported cheese, rolling over instead to an ad for a nice, completely non-contraband Matryoshka doll shop. An ad that hides itself from the law is a clever stunt, albeit not too effective, as you can see from the police in the video, who had time to spot the ad for imported food before it scurried behind Matryoshka dolls. But what's more interesting than the effectiveness of this particular ad is the idea that billboards can use facial recognition to this degree as they tailor offerings. Gizmodo suggested that it's not much of a leap to imagine having your jacket's sports team logo recognized as you wait at the bus stop, so you can be target-marketed for your team's next big game...or to have your car make and model recognised and your daily commute crunched so that the ad makers could pitch getaway vacations at you...or how about a beverage vending machine that takes photos of people nearby, superimposes wigs on their heads and exhorts them to buy a drink, or even guesses those people's names and genders - the better to target-market at them.


Does a data breach cost an average of 58 cents a record -- or $154? (Network World, 5 June 2015) - Does a data breach cost an average of 58 cents a record -- or $154? That's a significant difference for companies preparing incident response plans, as well as for insurance companies, regulators, auditors and others looking to ensure that companies are adequately prepared or covered for such an event. Ponemon Institute's $154 number is based on an analysis of 350 companies that suffered breaches in 2014, and uses an analytical model based on the real costs of a breach that the company has been refining for a decade. Verizon's 58 cents calculation is based on 191 insurance claims filed in 2014, and this is the first year that Verizon has run these numbers. In addition to different data sources, Ponemon also includes indirect costs, while Verizon's does not. But Verizon's estimate seems unreasonably low, said Caleb Barlow, vice president at IBM Security. IBM sponsored this year's Ponemon report. At a minimum, a company with a data breach has to send out letters notifying customers that they were breached and pay for credit monitoring, he said. "Normally, Verizon does some great work," he said, "But we had to discount this because 58 cents doesn't even cover the cost of the postage and printing the letter." Companies usually don't have enough insurance coverage to cover the total cost of a breach, said Larry Ponemon, chairman and founder of the Ponemon Institute, and the insurance doesn't cover indirect costs or loss of business. For example, he said, Target's latest breach is estimated to cost the company over $1 billion, but it was only insured for $100 million. In general, he said, companies buy enough insurance to cover 50 percent of the value of their fixed assets -- but only 12 percent of the value of their digital assets, according to a study released last month by Ponemon and sponsored by Aon Plc, a global insurance brokerage.


The data that's collected from you when you're routed to a call center (Quartz, 5 June 2015) - "This call may be recorded for quality and training purposes." It's a familiar phrase, and one that people likely don't even notice anymore when they phone a call center. But companies are listening carefully to these recordings, trying to glean insights that can help them run their businesses more effectively. Sifting through hours upon hours of audio recordings is a laborious task. One company that helps automate the process is Santa Barbara, California-based Invoca. With its technology, the marketing firm has analyzed more than 100 million calls since 2008 and provides its clients with a trove of data. One of Invoca's clients, an unnamed satellite TV company, listens carefully for certain keywords. When someone calls in and mentions "sports package," for example, the company makes a note in the customer's file and tailors its marketing for that person accordingly. "Because it's said in a call, it's a huge buying signal you can capitalize on," says Christensen. Prospective customers who pick up the phone generally have higher purchasing intent. According to the company's data, 30% to 50% of phone calls lead to sales, compared with 2% for online leads. When sales reps lose a deal, they usually just chalk it up to the price and move on. "You never get insight into why people aren't buying," he says. But by scanning audio recordings, companies can track how often a competitor is mentioned in calls, and amend their strategies accordingly. Christensen says some companies are using Invoca to listen for specific keywords, such as confirmation number or email receipt, mentioned by the caller. The system can then tie in purchasing data, so customer service representatives don't have to wait for other departments to pull this information for them.


HackerOne connects hackers with companies, and hopes for a win-win (NYT, 7 June 2015) - In 2011, two Dutch hackers in their early 20s made a target list of 100 high-tech companies they would try to hack. Soon, they had found security vulnerabilities in Facebook, Google, Apple, Microsoft, Twitter and 95 other companies' systems. They called their list the Hack 100. When they alerted executives of those companies, about a third ignored them. Another third thanked them, curtly, but never fixed the flaws, while the rest raced to solve their issues. Thankfully for the young hackers, no one called the police. Now the duo, Michiel Prins and Jobert Abma, are among the four co-founders of a San Francisco tech start-up that aims to become a mediator between companies with cybersecurity issues and hackers like them who are looking to solve problems rather than cause them. They hope their outfit, called HackerOne, can persuade other hackers to responsibly report security flaws, rather than exploit them, and connect those "white hats" with companies willing to pay a bounty for their finds. In the last year, the start-up has persuaded some of the biggest names in tech - including Yahoo, Square and Twitter - and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service.


Hacker can send fatal dose to hospital drug pumps (Wired, 8 June 2015) - When security researcher Billy Rios reported earlier this year that he'd found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Altering the allowable limits of a particular drug simply meant that if a caregiver accidentally instructed the pump to give too high or too low a dosage, the pump wouldn't issue an alert. This seemed much less alarming than if the pumps had vulnerabilities that would allow a hacker to actually alter the dosage itself. Now Rios says he's found the more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient. The vulnerabilities are known to affect at least five models of drug infusion pumps made by Hospira, an Illinois firm with more than 400,000 intravenous drug pumps installed in hospitals around the world.


US Justice Department selects Box for file sharing (Robert Ambrogi, 8 June 2015) - When it comes to identifying a group of lawyers who are particularly fussy about file security, it is hard to imagine a better example than the U.S. Department of Justice. These, after all, are the lawyers who handle the nation's most sensitive criminal and civil matters. For that reason, it is notable that the DOJ has awarded a contract to Box to serve as its platform for file sharing and information management, according to a recent announcement by Box. Box also received a DOJ authority to operate, which is essentially an IT certification of the security of a cloud-based product.


Surveillance Law and Surveillance Studies (Bruce Schneier, 8 June 2015) - Interesting paper by Julie Cohen: Abstract: The dialogue between law and Surveillance Studies has been complicated by a mutual misrecognition that is both theoretical and temperamental. Legal scholars are inclined to consider surveillance simply as the (potential) subject of regulation, while scholarship in Surveillance Studies often seems not to grapple with the ways in which legal processes and doctrines are sites of contestation over both the modalities and the limits of surveillance. Put differently, Surveillance Studies takes notice of what law does not -- the relationship between surveillance and social shaping -- but glosses over what legal scholarship rightly recognizes as essential -- the processes of definition and compromise that regulators and other interested parties must navigate, and the ways that legal doctrines and constructs shape those processes. This article explores the fault lines between law and Surveillance Studies and considers the potential for more productive confrontation and dialogue in ways that leverage the strengths of each tradition.


22 years after Verizon fiber promise, millions have only DSL or wireless (Ars Technica, 9 June 2015) - A 22-year-old Verizon promise to bring fiber Internet or "comparable technology" to its entire service area in Pennsylvania has instead left more than two million homes with nothing but slower DSL or wireless service. In 1993, Verizon predecessor Bell signed an agreement with state regulators in which it committed "to deploy the technologies necessary to provide universal broadband availability in 2015. In order to meet this commitment, Bell plans to deploy a broadband network using fiber optics or other comparable technology that is capable of supporting services requiring bandwidth of at least 45 megabits per second or its equivalent." In exchange, Verizon was allowed to charge higher phone rates. (More specifically, the company was freed from the restrictions of rate-of-return regulation.) But today, at least 2.1 million Pennsylvania households in Verizon's phone territory do not have access to the company's fiber network. "The fiber network is available to approximately 2.1 million premises (which includes residential and business). The vast majority of the remaining households have either DSL or wireless LTE broadband options available to them," a Verizon spokesperson told Ars this week. [see also, NYC possible lawsuit: Verizon ordered to finish fiber build that it promised but didn't deliver (Ars Technica, 18 June 2015)]


House passes extension of Internet tax ban (The Hill, 9 June 2015) - The House on Tuesday passed a bill that would permanently extend a ban on state and local taxes on Internet access. Lawmakers approved the legislation on a voice vote, which would also ban discriminatory taxes on e-commerce. The ban, first passed in 1998, has required a series of extensions over nearly two decades. But Tuesday's proposal would put the law in place for the long term, removing any sunset date. The long-term extension is largely noncontroversial. The House bill sponsored by Judiciary Committee Chairman Bob Goodlatte (R-Va.) had 188 co-sponsors, and 50 senators are backing a similar bill in the Senate. The House easily passed the proposal last Congress, but it stalled in the Senate after some members attempted to tie the measure to a more controversial online sales tax bill, which would give states the power to collect a sales tax from businesses that don't have a physical presence in their boundaries. [Polley: normally I don't post about pending legislation, but was impressed by this bill's permanent extension of the tax ban.]


One of the biggest security firms in the world admits it was hacked (Business Insider, 10 June 2015) - Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, "We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we're quite confident that there's a nation state behind it."


Airbus transport crash caused by "wipe" of critical engine control data (Ars Technica, 10 June 2015) - Airbus had already revealed that the fatal crash of an Airbus A400M military transport was caused by what was described as a "quality issue in the final assembly" of the electronic control units (ECU), a fault in software configuration that led to a loss of control of the aircraft and resulted in the death of four crew members. Reuters reported additional details today provided by individuals familiar with the investigation into the crash, stating that a critical part of the configuration data in three of the aircraft's four ECUs, a file storing torque calibration parameters for each engine, was somehow "accidentally wiped" when the software was being installed. As a result, three of the aircraft's engines automatically shut down in flight. Citing a safety document shown to Reuters, Tim Hepher reported that the pilot of the A400M would not have gotten an alert about the missing data until the aircraft was already at an altitude of 400 feet. No cockpit alert about the data fault would appear while the aircraft was on the ground. According to Hepher's sources, the lack of a ground warning was an issue raised during a safety review last year, but "regulators approved it on the basis that the chances of failure were small and the installation procedure included extra checks," people familiar with the matter said.
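The A400M account turns on a configuration that was accepted at installation although a required block had been wiped, with the first alert deferred until the aircraft was already airborne. The Python below is an added example, not code from Airbus, the investigators or Reuters, of the check a practitioner would want at install time: compare every unit against a manifest recorded when the build was approved, require each mandatory parameter block to be present and non-empty, and fail closed while the aircraft is still on the ground. The block names, engine identifiers, values and the constructed "wiped on three of four units" sample are hypothetical and exist only to illustrate the technique.

```python
# Added example (not Airbus's, the investigators' or Reuters' code): an
# install-time, fail-closed check that every engine control unit (ECU)
# configuration carries the parameter blocks it needs and matches the
# manifest recorded when the build was approved. Block names, engine
# identifiers and values are hypothetical.
import hashlib
import json

# Hypothetical parameter blocks every ECU configuration must contain.
REQUIRED_BLOCKS = ("torque_calibration", "fuel_schedule")


def _digest(config):
    """Stable SHA-256 over a config dict (sorted keys, compact separators)."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(configs):
    """Record, per engine, the digest of the configuration that was approved."""
    return {engine: _digest(cfg) for engine, cfg in configs.items()}


def verify_install(installed, manifest):
    """Return (ok, errors).

    ok is True only if every engine in the manifest is present, carries every
    required block with real content, and its digest matches the approved one.
    A single problem on a single unit rejects the whole installation, so the
    fault is caught on the ground rather than reported once airborne.
    """
    errors = []
    for engine, expected in manifest.items():
        cfg = installed.get(engine)
        if cfg is None:
            errors.append(f"{engine}: configuration missing")
            continue
        for block in REQUIRED_BLOCKS:
            if not cfg.get(block):  # missing key, None, or an emptied block
                errors.append(f"{engine}: required block '{block}' absent or empty")
        if _digest(cfg) != expected:
            errors.append(f"{engine}: digest mismatch against approved manifest")
    for engine in sorted(set(installed) - set(manifest)):
        errors.append(f"{engine}: not in manifest")
    return (not errors), errors


# Constructed sample: four engines in the approved build.
APPROVED = {
    f"engine_{i}": {
        "torque_calibration": {"gain": 1.0 + i / 100, "offset": 0.5},
        "fuel_schedule": {"idle": 12.0, "cruise": 40.0},
    }
    for i in range(1, 5)
}
MANIFEST = build_manifest(APPROVED)

# Constructed sample: the same build after the torque block was wiped on
# three of the four units during installation.
WIPED = json.loads(json.dumps(APPROVED))  # deep copy
for _engine in ("engine_1", "engine_2", "engine_3"):
    WIPED[_engine]["torque_calibration"] = {}

if __name__ == "__main__":
    ok, errs = verify_install(WIPED, MANIFEST)
    print("install accepted" if ok else "install REJECTED:")
    for e in errs:
        print("  " + e)
```

The digest check alone would already reject the wiped units; the explicit per-block test is kept so that the error names the missing parameter rather than just "mismatch", which is what a technician needs to fix the install rather than re-run it.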


Facial recognition technology is everywhere. It may not be legal. (WaPo, 11 June 2015) - Being anonymous in public might be a thing of the past. Facial recognition technology is already being deployed to let brick-and-mortar stores scan the face of every shopper, identify returning customers and offer them individualized pricing - or find "pre-identified shoplifters" and "known litigious individuals." Microsoft has patented a billboard that identifies you as you walk by and serves ads personalized to your purchase history. An app called NameTag claims it can identify people on the street just by looking at them through Google Glass. Privacy advocates and representatives from companies like Facebook and Google are meeting in Washington on Thursday to try to set rules for how companies should use this powerful technology. They may be forgetting that a good deal of it could already be illegal. There are no federal laws that specifically govern the use of facial recognition technology. But while few people know it, and even fewer are talking about it, both Illinois and Texas have laws against using such technology to identify people without their informed consent. That means that one out of every eight Americans currently has a legal right to biometric privacy. The Illinois law is facing the most public test to date of what its protections mean for facial recognition technology. A lawsuit filed in Illinois trial court in April alleges Facebook violates the state's Biometric Information Privacy Act by taking users' faceprints "without even informing its users - let alone obtaining their informed written consent." This suit, Licata v. Facebook, could reshape Facebook's practices for getting user consent, and may even influence the expansion of facial recognition technology. * * * Companies like Facebook and Google routinely collect facial recognition data from their users, too. Google's FaceNet algorithm can identify faces with 99.63 percent accuracy. Facebook's algorithm, DeepFace, gets a 97.25 percent rating. The FBI, on the other hand, has roughly 85 percent accuracy in identifying potential matches, though, admittedly, the photographs it handles may be harder to analyze than those used by the social networks.


FTC announces first consent order on misrepresentation in crowdsourcing (Covington, 11 June 2015) - The Federal Trade Commission ("FTC") announced today that it has entered into a proposed consent order against the founder of a failed Kickstarter project, marking the first time that the agency has taken a consumer protection action in the rapidly-emerging field of crowdsourcing. According to the complaint, the defendant, Erik Chevalier, misused money raised through Kickstarter for personal expenses despite promises to use this money to develop a board game, or otherwise to return the contributions. While State Attorneys General have brought similar enforcement actions in the past against misrepresentations in crowdsourcing campaigns, this action breaks new ground for the FTC as part of its self-described efforts to "protect consumers taking advantage of new and emerging financial technology." Mr. Chevalier's campaign began in May 2012 when he pitched the idea of a Monopoly-like board game taking place in Atlantic City, where players take the role of H.P. Lovecraft's Great Old Ones laying waste to the city. The idea quickly garnered attention from the internet, raising $122,874, almost four times the original funding goal. Backers were promised a copy of the completed board game, and those who pledged more were promised exclusive pewter figurines that could be used as game pieces. However, the project quickly ran into significant delays, and in June 2013, Mr. Chevalier announced that the project had been cancelled because the majority of the money had already been spent on game development with no end in sight. He also posted on Kickstarter that: "My hope is [...] to eventually refund everyone in full." Yet according to the FTC complaint, Erik Chevalier had actually used these funds for "miscellaneous personal equipment, rent for a personal residence, and licenses for a separate project," contrary to his representations to consumers. While the proposed consent order does not admit fault, Mr. Chevalier agreed to a judgment of $111,794 (suspended due to an inability to pay); a prohibition against using, disclosing, or benefiting from customer information obtained through the fundraising campaign; a promise to refrain from making misrepresentations to consumers in future projects; and an ongoing duty for compliance reporting and record keeping for the next 18 years.


Feds tighten restrictions on 3-D printed gun files online (Wired, 11 June 2015) - The notion of a 3-D printable gun has become the perfect flashpoint in a new conflict between digital arms control and free speech. Should Americans be allowed to say and share whatever they want online, even if that "speech" is a blueprint for a gun? The State Department has now answered that question with a resounding "no." In the last few days, the State Department has issued two new statements confirming its intention to act as gatekeeper for when Americans can legally publish online data that could allow someone to digitally fabricate a gun. And those statements outline how it plans to restrict those publications as a controlled "foreign export" of munitions. Earlier this week, the State Department sent a letter to the controversial gun access group Defense Distributed, confirming that it will require the group to get specific permission from the government before publishing its 3-D printable gun files online. That warning comes more than two years after the State Department sent Defense Distributed an initial letter telling it to take its gun files off its website pending a decision about their legality. And in a separate filing to the federal register last week, the State Department also wrote that it intends to require prior approval for the online publication of any "technical data" that, vaguely defined, would allow for the creation of weapons, an even broader swathe of files. The agency's statement warns that publishing those weapon files to the Internet, with its global connections, could amount to violating the International Traffic in Arms Regulations (ITAR) by exporting controlled weapons data to a foreign country, hardly different, by its definition, from sending missile schematics to Iran.


Where cyber insurance underwriting stands today (Insurance Journal, 12 June 2015) - "You would think the first question to ask would be: Do insured parties understand the elements and limitations of coverage?" said Kevin Kalinich, speaking on cyber risk. "The real first question is: Do the insurance companies understand?" Kalinich, global practice leader for cyber/network risk, at consulting firm Aon Risk Services, was a panelist at the Standard & Poor's Ratings Services 2015 Insurance Conference this week in New York where experts stressed the importance of underwriters working together to gain a better understanding of the market so they can properly assess and price cyber risk. Demand for insurance covering cyber attacks is mounting and the risk is evolving rapidly, panelists noted. A number of U.S. insurers are testing the waters but panelists said that even the insurers with larger market shares have thus far been cautious due to the lack of actuarial data available in this nascent market. They have been writing policies with low limits and a slew of exclusions such as excluding damages resulting from data handled by an external contractor. Right now, a handful of players - American International Group Inc., ACE Ltd., Chubb Corp., Zurich Insurance Co. Ltd., and Beazley Group Ltd. - dominate the market for cyber insurance, but panelists said clients are looking to buy more coverage than insurers are willing to offer. As the market develops, providers will need some time to model risk sufficiently and to set premiums accordingly. This will remain difficult, Kalinich said, because the threat is evolving fast. He said two decades of reliable data are needed to feed models. "We're much farther along than we were two years ago; we have much better information now," he said. "But it's not a static model. It changes over time, and in two years it will be much better." Regulators have taken steps to guide insurers toward a consistent approach to the market. The National Association of Insurance Commissioners (NAIC) recently adopted guiding principles for insurers underwriting cyber risk. The NAIC is also developing a set of best practices for insurance company examiners to test protocols and processes, as well as a consumer bill of rights so that consumers know when data has been hacked. [Polley: So far, the insurance industry has failed to provide the de facto best-practice development many had hoped would guide cyber-risk management (compare insurance-led development of fire safety codes in the early 20th century). Looks like it's going to take much longer.]


Cyberattacks are exploding and investors are cashing in (Business Insider, 15 June 2015) - The amount of sensitive data stored online has increased exponentially in recent years, and so has the number of attempts to steal that information. While this is a huge problem to both the government and private companies, for some it is an opportunity. "In May 2015, the Goldman Sachs Chief Information Security Officers (CISOs) survey found that almost 60% of respondents expected to boost security spending by at least 5%, with 20% budgeting increases greater than 15%," Goldman Sachs' David Kostin said in a note to clients. The value of good cybersecurity, and the bottom lines of companies offering it, has exploded. Goldman's ISE Cyber Security Index, a collection of 30 publicly traded cybersecurity companies, has grown 19% faster than the S&P 500 year-to-date, following a trend established the last few years. Companies in the index include FireEye, CyberArk Software, Infoblox, Palo Alto Networks, Fortinet, and AVG Technologies. "Since 2011, the total return of the index is 123pp higher than the S&P 500 (207% vs. 84%)," Kostin said. As you can see in the chart, the amount the stocks are outperforming the S&P coincides with the number of files exposed through cyberattacks. And sales for cybersecurity companies are expected to continue their meteoric rise.


Catching up on the OPM breach (Brian Krebs, 15 June 2015) - I heard from many readers last week who were curious why I had not weighed in on the massive (and apparently still unfolding) data breach at the U.S. Office of Personnel Management (OPM). Turns out, the easiest way for a reporter to make sure everything hits the fan from a cybersecurity perspective is to take a two week vacation to the other end of the world. What follows is a timeline that helped me get my head on straight about the events that preceded this breach, followed by some analysis and links to other perspectives on the matter.


Ethical responsibilities and information security (InsideCounsel, 16 June 2015) - The elephant in the room is: You will be hacked. This is the opinion of Mark Sangster, vice president of marketing at eSentire, who was speaking at the Mid-year Cybersecurity and Data Protection Legal Summit. He, along with Vince Polley, principal at KnowConnect, spoke during the panel "Protect Your Ethics - Infosec Responsibilities in the Attorney-Client Relationship." It's no surprise that cybercrime is big business. According to Sangster, estimates show that somewhere north of $500 billion are lost every year due to cybercrime. Hackers have easy access to cyber-weapons, need few skills, are highly motivated and face few consequences. These days, many threats come in the form of "spear-phishing," where criminals do research on you to send you personally specific messages that, when opened, unleash havoc on your network. Polley was a co-author of the ABA cybersecurity handbook, and stated flatly to the audience that "you've all been hacked." Though there has not yet been a single law firm that has admitted to being hacked, the fact of the matter is, hackers are targeting law firms, in real life and on "The Good Wife." Even some of the biggest security firms in the world themselves have been hacked. So the question is, what to do about it? Law firms are targets, Polley says, because they are soft and attractive targets with lots of confidential client information and little technological sophistication, representing a back door into client systems. Clients in highly regulated and vulnerable industries - such as medical, insurance and financial sectors - are going to law firms and auditing their security measures. In terms of ethics, the ABA Model Rules of Professional Conduct lay out several rules that apply - competence, confidentiality and supervision (1.1, 1.6 and 5), and there are common law requirements as well. Rule 1.1, comment 6, says that lawyers must remain up-to-date with the benefits and risks of technology. As Polley puts it, they must acquire it or hire it. State bars have been saying the same thing for years. [Polley: I'm not sure the quotes are precise, but the essence of the story is accurate. Email me if you'd like an annotated copy of the PPT I delivered there.]


EFF's 2015 data privacy report lauds Apple, Dropbox, slams Verizon (TechCrunch, 18 June 2015) - Digital rights organization the Electronic Frontier Foundation (EFF) has published its fifth annual Who has your back? report into online service providers' transparency and privacy practices when it comes to government requests for accessing user data. The organization notes a general transformation among major Internet players to be more transparent with users about data requests over the past four years. But for its latest report it's tightened evaluation criteria, arguing that "it's time to expect more from Silicon Valley". The report awards companies up to a maximum of five stars for performance in various areas, such as following what the EFF judges as "industry-accepted best practices"; telling users about government data demands; disclosing policies on data retention; disclosing government content removal requests; and taking what it dubs a "pro-user" public policy position and specifically opposing government mandated backdoors in digital services.

top

Can liberal musicians stop Republicans from using their songs? (WaPo, 18 June 2015) - Neil Young's song "Rockin' In The Free World" was played Tuesday at Donald Trump's campaign announcement, and as has become standard operating procedure, Young's manager released a statement saying Trump wasn't authorized to use the song and that Young doesn't support Trump's candidacy. It's all very predictable, something we see played out over and over again in politics (mostly among Republican politicians and liberal musicians). What if a politician X was like, "You know what, I don't care what musician Y thinks; we're going to keep playing that song. Louder, even. We're going to blast it, on repeat, from Iowa to New Hampshire until I'm elected President of these United States!?" Despite the fact that politicians usually stop playing songs when asked, they could fight it if they really wanted to. According to the ASCAP guidelines on using music in political campaigns , if campaigns obtain a public performance license from ASCAP or other performing rights organizations like BMI, they're in compliance with copyright law, which is why campaigns always first respond to statements from angry musicians by saying they were following the rules. But being in compliance with copyright rules doesn't mean musicians can't complain and even take legal action -- which is why ASCAP advises campaigns to get permission from artists' management and songwriters as well, to avoid all this. Per ASCAP, musicians could seek recourse through their right of publicity (which public figures have for their image in some states), false endorsement (an argument that their work is being used to incorrectly imply support for something) or the Lanham Act (dealing with unauthorized use of a trademark leading to confusion). So there are legal grounds for them to fight the song's use. But there's not much precedent for that happening, because campaigns generally give in to musicians' demands so quickly.

top

Secretive surveillance court skips talking to privacy advocates (National Journal, 19 June 2015) - The secretive court that oversees U.S. spying programs chose not to consult a panel of privacy advocates in its first decision since the enactment earlier this month of major surveillance reform, according to an opinion declassified Friday. The Foreign Intelligence Surveillance Court opted to forgo appointing a so-called "amicus" of privacy advocates as it considered whether the USA Freedom Act could reinstate spying provisions of the Patriot Act even though they expired on June 1 amid an impasse in the Senate. The Court ruled that the Freedom Act's language - which will restore the National Security Agency's bulk collection of U.S. call data for six months before transitioning to a more limited program - could revive those lapsed provisions, but in assessing that narrow legal question, Judge Dennis Saylor concluded that the Court did not first need to confer with a privacy panel as prescribed under the reform law. "The statute provides some limited guidance, in that it clearly contemplates that there will be circumstances where an amicus curiae is unnecessary (that is, 'not appropriate')," Saylor wrote . "At a minimum, it seems likely that those circumstances would include situations where the court concludes that it does not need the assistance or advice of amicus curiae because the legal question is relatively simple, or is capable of only a single reasonable or rational outcome." [ Polley : uh-oh… I think I'd prefer an amicus even when it's "simple" or there's only a "single reasonable or rational outcome." Think: Dick Cheney.]

top

Google Earth's digital tack, used to show location, wasn't hearsay, 9th Circuit rules (ABA Journal, 22 June 2015) - A "digital tack" on Google Earth used to pinpoint the location of an arrest isn't an inadmissible statement governed by hearsay rules, a federal appeals court has ruled. The San Francisco-based 9th U.S. Circuit Court of Appeals ruled in the case of a defendant, Paciano Lizarraga-Tirado, who claimed he was on the Mexican side of the border when he was arrested by Border Patrol agents for illegal re-entry into the United States, report the Wall Street Journal Law Blog and IDG News Service . An arresting agent recorded the coordinates of the arrest with a GPS device. At trial, prosecutors introduced evidence of the location by entering the GPS coordinates into Google Earth, creating a digital tack on Google Earth's satellite image. The tack was clearly north of the border. The appeals court considered Lizarraga-Tirado's objection under the hearsay rule, which generally bars out-of-court statements to prove the truth of the matter asserted. The rule defines a statement as a person's oral assertion, written assertion, or nonverbal conduct, if the person intended it as an assertion. A satellite image, absent any markers, makes no assertion and isn't hearsay, the court said in an opinion (PDF) by Judge Alex Kozinski. Because the tack was computer-generated rather than placed manually and labeled, it isn't an assertion made by a person and isn't hearsay, the court said. "Though a person types in the GPS coordinates," Kozinski wrote, "he has no role in figuring out where the tack will be placed. The real work is done by the computer program itself." Machine statements do raise evidentiary concerns, Kozinski said, but they should be addressed by the rules of authentication, not hearsay. 
A litigant seeking admission of Google Earth evidence over an objection would have to establish its reliability and accuracy, perhaps by testimony from a Google Earth programmer or perhaps by judicial notice, Kozinski said. The defendant in the case before the court had not raised an authentication objection.

top

ABA President pushes online models for civil disputes (DailyNews, 22 June 2015) - The president of the American Bar Association says the traditional method of providing pro bono legal services in civil matters to those who can't afford to pay for an attorney isn't working despite best efforts. And William C. Hubbard wants those in the legal system to work more with tech companies finding a demand for online dispute resolution programs. "Despite all of our best efforts, we have not closed this justice gap despite more pro bono work and more support," Hubbard told a group of 200 attorneys and judges Thursday, June 18, at the Tennessee Bar Association's annual meeting, held this year in Memphis. Hubbard cites a report from Modria.com , the online dispute resolution company that spun off from eBay and PayPal in 2011. Of 60 million annual disputes on eBay, 90 percent are resolved using software with no human intervention and the results are "almost never" appealed in court, according to Modria. While Modria's efforts and pitch are aimed at business disputes, Hubbard has already begun talking with the company and similar online companies. Modria cites property tax disputes in Nashville that are settled online among other uses and concludes "the next justice system will look more like ODR than the courts."

top

SEC hunts hackers who stole corporate emails to trade stock (Reuters/ReCode, 23 June 2015) - U.S. securities regulators are investigating a group of hackers suspected of breaking into corporate email accounts to steal information to trade on, such as confidential details about mergers, according to people familiar with the matter. The Securities and Exchange Commission has asked at least eight listed companies to provide details of their data breaches, one of the people said. The unusual move by the agency reflects increasing concerns about cyber attacks on U.S. companies and government agencies. It is an "absolute first" for the SEC to approach companies about possible breaches in connection with an insider trading probe, said John Reed Stark, a former head of Internet enforcement at the SEC. "The SEC is interested because failures in cyber security have prompted a dangerous, new method of unlawful insider trading," said Stark, now a private cyber security consultant. According to people familiar with the matter, the SEC's inquiry and a parallel probe by the U.S. Secret Service - which investigates cyber crimes and financial fraud - were spurred by a December report by security company FireEye about a sophisticated hacking group that it dubbed "FIN4." Since mid-2013, FIN4 has tried to hack into email accounts at more than 100 companies, looking for confidential information on mergers and other market-moving events. The targets include more than 60 listed companies in biotechnology and other healthcare-related fields, such as medical instruments, hospital equipment and drugs, according to the FireEye report. The SEC has asked companies for data on cyber intrusions or attempted intrusions, as well as information on the tactics that the unknown hackers used to lure employees into giving up email passwords, known as "spear phishing" or "credential harvesting," people familiar with the investigation said. 
As concerns about cyber security grew, the SEC in 2011 issued guidance for public companies on disclosing breaches. Companies are not required to disclose any breaches unless they are deemed to be "material" under federal securities laws. The probe is unusual for the SEC, which has typically searched for questionable trading activity in stocks and options when investigating insider trading cases, said Stark. The SEC only has the power to bring civil cases, so any possible criminal cases resulting from the probe would be brought by a federal prosecutor.

top

GCHQ asked court to let it infringe on anti-virus copyrights... for national security (TechDirt, 24 June 2015) - National security apparently means "securing" the nation at the expense of citizens' security. New Snowden documents published by The Intercept show massive amounts of dicking around in the coding of popular anti-virus software by the NSA and GCHQ. The list of antivirus products not affected would be much, much shorter than a list of those that have been. GCHQ obtained a warrant to reverse engineer Kaspersky products because it felt the company's software was "obstructing" its hacking attempts. Not only did GCHQ seek permission to tear apart a legitimate security product for its own ends, but it also asked for an exception to UK copyright law in order to do so: GCHQ's success as an intelligence agency is founded on technical knowledge and creativity. In particular this may involve modifying commercially available software to enable interception, decryption and other related tasks, or "reverse engineering" software (this means to convert it from machine readable code into the original format, which is then comprehensible to a person). These actions, and others necessary to understand how the software works, may represent an infringement of copyright. The interference may also be contrary to, or inconsistent with, the provisions of any licensing agreement between GCHQ and the owners of the rights in the software. Recognizing this could potentially cause a problem if its efforts were discovered, GCHQ explicitly asked that it be granted permission to engage in copyright infringement in the name of national security. [ Polley : How far can a court go in "authorizing" otherwise unlawful activity? Transcend copyright law? Break into computers? Defraud? Steal? Torture?]

top

NOTED PODCASTS

Distributed and digital disaster response (Willow Brugh at Berkman, 10 March 2015; 59mins) - The citizen response to 2012's Hurricane Sandy was in many important ways more effective than the response from established disaster response institutions like FEMA. New York-based response efforts like Occupy Sandy leveraged existing community networks and digital tools to find missing people; provide food, shelter, and medical assistance; and offer a hub for volunteers and donors. In this talk Willow Brugh -- Berkman fellow and Professor of Practice at Brown University -- demonstrates examples ranging from Oklahoma to Tanzania where such distributed and digital disaster response have proved successful, and empowered citizens to respond in ways traditional institutions cannot. Find Willow's presentation deck here . [ Polley : Lots of stuff here on KM and knowledge sharing across time and across events/communities. This also implicates the question of meta-KM - i.e., knowledge sharing outside an "enterprise" and among/between ad hoc virtual teams.]

top

RESOURCES

Irving Younger's 10 Commandments Of Cross Examination (Lawyerist, 24 June 2015) - If you will put these suggestions to use, if you will cross-examine in accordance with these suggestions, I can virtually guarantee - not that you will be a brilliant cross-examiner, but that you won't be ashamed of yourself, you won't be a buffoon in that courtroom. Whenever you do not comply with them, you will regret it. Instantly. [ Polley : This is the classic; guaranteed to educate and entertain. Highly recommended.]

top

Privacy and Security Training Requirements (web compendium maintained by Prof. Dan Solove) - Many laws, regulations, and industry codes require privacy awareness training and/or data security awareness training. Here is a list of a number of these requirements: * * * Below is a brief description of each requirement with excerpts of the relevant provisions: * * *

top

The Legal Impact of Technology on M&A Transactions (Kaye Scholer white paper; undated) - Across the hundreds of M&A transactions that our firm has worked on in recent years, we and our clients have together explored and analyzed a relatively consistent set of diligence concerns. Increasingly, however, a new subject is beginning to interest dealmakers: the underlying technologies at each acquisition candidate and their related obligations and risk implications. This report, The Legal Impact of Technology on M&A, explores this important and still-evolving area of interest.

top

FUN

The Influence Of Immanuel Kant On Evidentiary Approaches In 18th-Century Bulgaria (Orin Kerr, June 2015) - Chief Justice Roberts has drawn attention to the influence of Immanuel Kant on evidentiary approaches in 18th- century Bulgaria. [fn omitted] No scholarship has analyzed Kant's influence in that context. This Article fills the gap in the literature by exploring Kant's influence on evidentiary approaches in 18th-century Bulgaria. It concludes that Kant's influence, in all likelihood, was none. [Kerr's explication of this tongue-in-cheek article is here .]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Plan to put company reports on the web (Reuters, 30 Nov 2005) -- Corporations would be allowed to post proxy statements and annual reports on Web sites, instead of sending them through the mail, under a plan proposed Tuesday by federal regulators. The Securities and Exchange Commission voted 5 to 0 to submit the plan to a 60-day public comment period, with a final vote by the commission expected later. Aimed at saving postage and printing costs, the so-called e-proxy measure is also seen as a way to cut the costs to shareholders of waging proxy contests. Under the proposed rule, investors would receive a postcard notice in the mail telling them that a proxy statement and annual report was available online. Investors wishing to continue receiving printed matter could request it. "Studies show that today 75 percent of Americans now have access to the Internet and this percentage is rising steadily," Christopher Cox, the S.E.C. chairman, said at a meeting. "The percentage of investors with Internet access is even higher." The proposal, if adopted early next year, would probably not be enacted in time for the 2006 proxy season but would come into play in 2007, said Alan L. Beller, director of the S.E.C.'s corporate finance division.

top

Sony's anti-file-sharing CD causes a firestorm of anger (Houston Chronicle, 8 Nov 2005) -- Since the dawn of file-sharing in the late 1990s, the music industry has struggled with keeping its wares from being traded freely. Recording labels have tried all kinds of approaches, from suing their own customers to Draconian copy protection to changing formats. The one that has worked the best - surprise! - has been to offer a low-cost way to buy music that allows users to do pretty much what they want to do with the tunes they purchase. It's almost as though there's a Good Side and a Dark Side to the musical force. Over time, you'd think the business would get that the Good Side will win more converts. That is, until you see something like the strange case of the Sony rootkit. On Halloween, a developer with an Austin-based software company posted on his blog a detailed report on a troubling discovery - a CD from Sony BMG had installed software on his PC that uses the same technique for hiding itself as the most pernicious type of spyware. Mark Russinovich of Sysinternals also discovered that the software, known as a rootkit, could then be used by the creators of viruses and worms to hide their own malicious payloads. A rootkit works at the very lowest levels of the Windows operating system to cloak files. Spyware purveyors use the technique to hide their code from programs designed to find and remove it. In Sony's case, the rootkit was part of a media player designed to restrict how a CD's tunes are played, stored to a computer's hard drive or copied, and was used to hide those files, making it difficult to get around the protection. The software was installed when the CD's buyers - in Russinovich's case, Van Zant's Get Right with the Man - first tried to play the disc on a PC. The disc can't be used in a PC without Sony's player. The rootkit hid the software by looking for a particular sequence of characters in the name. 
Any files that included the sequence were cloaked. Russinovich had to jump through hoops to find the software, trace its source and remove it. When he did, he found the process disabled his CD drives, which were no longer visible in Windows Explorer. His report, at www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html , concluded: "The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files ... will cripple their computer if they attempt the obvious step of deleting the cloaked files." http://www.chron.com/cs/CDA/ssistory.mpl/business/3445666
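The cloaking technique described above (hide every directory entry whose name contains a marker string) and the way such cloaking is detected can be shown with a small simulation. This is an added example, not code from the Chronicle article, from Sony or from Sysinternals: the marker string "$cloak$" is an assumption standing in for the real sequence the page does not name, the "hooked" listing is a user-space stand-in for a kernel-level directory-enumeration hook, and the file names are constructed. The detection half is the cross-view approach: compare the high-level (hooked) view of a directory with a raw view; anything present in the raw view but absent from the hooked one is cloaked, which is also how a third party's payload named with the marker would be exposed.

```python
"""Constructed simulation of marker-based file cloaking and cross-view detection.

Added example; the marker, the hooked view and the sample files are
assumptions made for illustration, not the Sony software's own values.
"""
import os
import tempfile

# Hypothetical cloaking marker (assumption): any name containing it is hidden.
CLOAK_MARKER = "$cloak$"


def raw_listing(directory):
    """Low-level view: every entry actually present on disk, sorted."""
    return sorted(os.listdir(directory))


def hooked_listing(directory, marker=CLOAK_MARKER):
    """High-level view as a hooked enumeration API would return it:
    entries whose name contains the marker are silently dropped.
    (User-space stand-in for a kernel hook; assumption for the example.)"""
    return [name for name in raw_listing(directory) if marker not in name]


def cross_view_diff(directory, marker=CLOAK_MARKER):
    """Cross-view detection: names visible in the raw view but missing from
    the hooked view are the cloaked files."""
    raw = set(raw_listing(directory))
    visible = set(hooked_listing(directory, marker))
    return sorted(raw - visible)


def build_sample_dir():
    """Create a throwaway directory with constructed file names. Two marked
    files stand for the player's own components; the third stands for an
    unrelated program that hides itself simply by adopting the marker."""
    directory = tempfile.mkdtemp()
    names = (
        "readme.txt",
        "song.wav",
        "$cloak$player.dll",
        "$cloak$drv.sys",
        "$cloak$third_party.exe",
    )
    for name in names:
        with open(os.path.join(directory, name), "w"):
            pass
    return directory


if __name__ == "__main__":
    sample = build_sample_dir()
    print("hooked view :", hooked_listing(sample))
    print("raw view    :", raw_listing(sample))
    print("cloaked     :", cross_view_diff(sample))
```

The point of keeping the raw and hooked views as separate functions is that the detector never needs to know the marker: it only needs one enumeration path the hook does not cover, which is why a cloak that filters a single API is detectable by comparing it against another.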

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, June 06, 2015

MIRLN --- 17 May - 6 June 2015 (v18.08)

MIRLN --- 17 May - 6 June 2015 (v18.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

PROGRAM ANNOUNCEMENT

Cybersecurity & Data Protection Legal Summit (ALM, et al.; NYC June 16, 2015) - The road has split with organizations choosing either proactive preparation or reactive crisis management to ongoing cyberattacks and threats. What road has your organization taken, and are you protected? To help answer these vital questions and more, the publishers of Corporate Counsel and Legaltech News are pleased to invite you to attend the Mid-Year Cybersecurity and Data Protection Legal Summit on Tuesday, June 16 at the Harvard Club of New York, NY. This event will provide a practical overview of the latest risk profiles, best practices, and evolving industry standards for data security and cyber protection. [ Polley : I'm presenting on "Protect Your Ethics: Infosec Responsibilities in the Attorney-Client Relationship" #CyberLaw15]

NEWS | RESOURCES | LOOKING BACK | NOTES

Creepy ads use litterbugs' DNA to shame them publicly (Wired, 15 May 2015) - Next time you're about to toss a cigarette butt on the ground, consider this freaky fact: It takes less than a nanogram (or less than one billionth of the mass of a penny) of your dried saliva for scientists to construct a digital portrait that bears an uncanny resemblance to your very own face. For proof look to Hong Kong, where a recent ad campaign takes advantage of phenotyping, the prediction of physical appearance based on bits of DNA, to publicly shame people who have littered. If you walk around the city, you'll notice portraits of people who look both scarily realistic and yet totally fake. These techno-futuristic most-wanted signs are the work of ad agency Ogilvy for nonprofit Hong Kong Cleanup , which is attempting to curb Hong Kong's trash problem with the threat of high-tech scarlet lettering. It's an awful lot like the Stranger Visions project from artist Heather Dewey-Hagborg , who used a similar technique a couple of years back to construct sculptural faces as a way to provoke conversation around what we should be using these biological tools for. In the case of Hong Kong's Face Of Litter campaign, the creative team teamed up with Parabon Nanolabs , a company out of Virginia that has developed a method to construct digital portraits from small traces of DNA. Parabon began developing this technology more than five years ago in tandem with the Department of Defense, mostly to use as a tool in criminal investigations. Parabon's technique draws on the growing wealth of information we have about the human genome. By analyzing saliva or blood, the company is able to make an educated prediction of what you might look like. Most forensic work uses DNA to create a fingerprint, or a series of data points that gives a two-dimensional look at an individual that can be matched to pre-existing DNA samples. 
"We're interested in using DNA as a blueprint," explains Steven Armentrout, founder of Parabon. "We read the genetic code." The DNA found on the Hong Kong trash is taken to a genotyping lab, where a massive data set on the litterbug is produced. This data, when processed with Parabon's machine-learning algorithms, begins to form a rough snapshot of certain phenotypes, or traits.

top

- and -

'Devious defecator' case tests genetics law (NYT, 29 May 2015) - Seven years ago, Congress prohibited employers and insurers from discriminating against people with genes that increase their risks for costly diseases, but the case that experts believe is the first to go to trial under the law involves something completely different: an effort by an employer to detect employee wrongdoing with genetic sleuthing. Amy Totenberg, the federal district judge in Atlanta who is hearing the case, called it the mystery of the devious defecator. Frustrated supervisors at a warehouse outside Atlanta were trying to figure out who was leaving piles of feces around the facility. They pulled aside two laborers whom they suspected. The men, fearing for their jobs, agreed to have the inside of their cheeks swabbed for a genetic analysis that would compare their DNA with that of the feces. Jack Lowe, a forklift operator, said word quickly spread and they became the objects of humiliating jokes. The two men were cleared - their DNA was not a match. They kept their jobs but sued the company. On May 5, Judge Totenberg ruled in favor of the laborers and set a jury trial for June 17 to decide on damages. She determined that even though the DNA test did not reveal any medical information, it nonetheless fell under the Genetic Information Nondiscrimination Act , or GINA. Atlas Logistics Group Retail Services, which operates the warehouse, has not decided whether to appeal, its lawyer, Dion Kohler, said. The company had contended that the test provided no medical information about the employees and that both kept their jobs and suffered no discrimination. The decision in this case means the scope of the law goes far beyond what Congress seems to have envisioned, legal experts said. Even if an employer, as in this case, did not seek an employee's DNA to look for medical conditions, it was getting a trove of data that it arguably should not have, said Jessica L. Roberts, director of the Health Law and Policy Institute at the University of Houston Law Center. The judge, she said, ruled that "a genetic test is a genetic test is a genetic test."

top

Court won't force US to divulge secret strategy to cut mobile phone service (Ars Technica, 15 May 2015) - A federal appeals court won't force the US to disclose its clandestine plan to disable cell service during emergencies. That was the decision from the US Court of Appeals for the District of Columbia Circuit concerning Standard Operating Procedure 303. The court had taken the same position in February and agreed with the government's contention that the Freedom of Information Act (FOIA) allows the Department of Homeland Security to withhold documents if their exposure could "endanger" public safety. After the decision, the Electronic Privacy Information Center (EPIC), which brought the FOIA suit, had asked the court to revisit the issue in what is known as an en banc review. The appeals court declined (PDF) in a one-sentence order Wednesday. The privacy group had demanded the document way back in 2011 following the shuttering of cell service in the San Francisco Bay Area subway system to quell a protest. The DHS refused to divulge the documents associated with SOP 303, which the appeals court described as a "unified voluntary process for the orderly shut-down and restoration of wireless services during critical emergencies such as the threat of radio-activated improvised explosive devices."

top

Controversial 'Innocence of Muslims' ruling reversed by appeals court (Hollywood Reporter, 18 May 2015) - On Monday, the 9th Circuit Court of Appeals took another shot at Cindy Lee Garcia's dispute with Google over whether YouTube must remove Innocence of Muslims and chose to reverse its prior holding by deciding against a preliminary injunction. The actress claims that when she agreed to appear in the movie, she didn't know that she was signing up for an anti-Islamic film. She says she signed no waivers and held on to the copyright of her performance. After a trailer of the film was released and sparked worldwide protests, Garcia received death threats, and so she sent a takedown notice to YouTube. In February 2014, 9th Circuit chief judge Alex Kozinski stunned many in the industry by determining that Garcia could assert a copyright interest in her performance in the film and that a federal judge was wrong to deny her injunction motion. The decision caused an outcry, especially among tech companies who worried that the decision could empower bit performers and other contributors to copyrighted work to assert their own authorship rights and enjoin anything they didn't like. Today, after the case was reviewed by a fuller panel of judges en banc, the appeals court agrees that Kozinski's decision can't stand. As a result, Innocence of Muslims may soon reappear on YouTube. "In this case, a heartfelt plea for personal protection is juxtaposed with the limits of copyright law and fundamental principles of free speech," writes 9th Circuit judge M. Margaret McKeown. "The appeal teaches a simple lesson - a weak copyright claim cannot justify censorship in the guise of authorship." In setting up the analysis, McKeown speaks of why it's important that the legal standards be "demanding" upon someone seeking an injunction. She writes that Garcia must not only show she's likely to succeed in her lawsuit, but that "the law and facts clearly favor her position." 
The difficulty in this case was attempting to figure out Garcia's copyright authority. Usually, actors sign release forms (or perform in a work-for-hire context) that take away the question altogether. When Kozinski previously decided that in the absence of such a release, Garcia could assert copyright on her performance, he did so upon the conclusion that an actor evinced sufficient creativity. The ruling seemed at odds with prior holdings - particularly Aalmuhammed v. Lee , which concerned the 1992 Spike Lee film Malcolm X and dealt with joint authorship of works "intended by everyone involved with it to be a unitary whole." McKeown notes that when the Copyright Office got its own chance to address Garcia's copyright registration on her performance, it rejected the application because "a motion picture is a single integrated work."

top

Clients demand more of firms on data security (Global Legal Post, 18 May 2015) - The increasing focus on data security and privacy, which permeates all levels of the business community, is starting to force the pace of change in the legal profession. David Ray, a Director with the Huron Consulting Group, highlights the efforts law departments, law firms, and other service providers are making to protect sensitive and confidential data. He says that 'By nature, the legal industry deals with a large amount of potentially sensitive information, and as a result, data privacy is becoming increasingly more important.' The legal profession has seen itself as 'somewhat immune to these issues. However, the increased overall focus on privacy and recent data breaches is affecting the legal sector just like any other. Law departments, law firms, and legal vendors are recognising this growing pressure and have started to make changes accordingly.' According to Mr Ray, a data privacy and security expert, the five biggest trends in data privacy in the legal industry are in the following areas: * * *

top

4 ways you are putting your clients' information at risk (Lawyerist, 19 May 2015) - A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. (Rule 1.6(c).) So what are reasonable efforts when it comes to your clients' information stored on your computer? You have to make an effort, obviously. But how much effort is so unreasonable that you don't have to make it? At a minimum, a reasonable effort has to mean taking advantage of the easy-to-use security features already available on your computer and device(s). Where the potential harm is great and the potential fix is cheap and easy to implement, that fix is also a reasonable effort. With that in mind, here are four ways you may not be making a reasonable effort. * * *

top

US aims to limit exports of undisclosed software flaws (Reuters, 20 May 2015) - The U.S. Commerce Department proposed new export controls Wednesday that would treat unknown software flaws as potential weapons, a move aimed at reducing the security industry's aid to rival nations. The department said it was following through on an international commitment (the Wassenaar Arrangement) to address the evolution of warfare to include more technology. But some security researchers said the rules, which are subject to public comment for 60 days, would fail to curb the black market while hindering cross-border collaboration and sales of defensive products. The regulations are broadly written and cover what are known as "zero-day" flaws, or security vulnerabilities that the software vendors do not know about. Hackers and defense contractors often sell information about such flaws to government agencies or the maker of the software, and internal U.S. sales could continue. But sales of zero-days and supporting capabilities would be barred without a special license outside of the United States, United Kingdom, Canada, Australia and New Zealand. [Polley: This seems unwise. How will this be implemented/enforced? See also What is the US doing about Wassenaar, and why do we need to fight it? (EFF, 28 May 2015)]

top

Sixth Circuit creates circuit split on private search doctrine for computers (Orin Kerr on Volokh Conspiracy, 20 May 2015) - The Sixth Circuit handed down a new decision on computer search and seizure that may be the next computer search issue to make it to the Supreme Court. The issue: How does the private search reconstruction doctrine apply to computers? The new decision creates an apparent circuit split with the Fifth and Seventh Circuits. First, some context. Private parties acting on their own are not regulated by the Fourth Amendment. When a private party has conducted a prior search, the private party can reconstruct the search for the government without implicating the Fourth Amendment. The idea is that the private search has already shed the Fourth Amendment protection over what was searched, so that the government can ask the private party to redo the private party's search to show the police what the private party saw. Granted, if the officer asks the private party to conduct a new search that goes beyond the old one, then that can violate the Fourth Amendment. The new search that exceeds the old one is at the government's behest, and the new invasion of privacy triggers the Fourth Amendment. But just going over the old ground is permitted. The idea seems simple enough. But the application raises a puzzle: When a private party sees a file on a computer, what exactly has been searched for purposes of later reconstruction? I discussed this problem in my 2005 article, Searches and Seizures in a Digital World. The question is, what's the right measuring unit to use - the data, the file, the folder, the physical device, or something else? The issue is really important for computer searches, as it determines how much the government can search computers without a warrant after a private citizen finds evidence of crime on a computer and calls for help. The cases were already mixed in 2005, although at the time the Fifth Circuit was the only federal circuit court to weigh in. The Fifth Circuit had held that the unit was the physical computer, so that a private search of one file allowed the private party to turn over the entire computer to the government for a warrantless search. Since then, there have been some added cases. In 2012, the Seventh Circuit joined the Fifth Circuit by adopting the unit of the device. And last month, a cert petition was filed at the Supreme Court on this issue in Gunter v. United States. But I hadn't thought there was a particularly clear split. At least until this morning. This morning, the Sixth Circuit handed down a new case, United States v. Lichtenberger, that adopts the proper unit as data or a file instead of the physical device.

top

The legal industry is about to get Ubered hard (Lawyerist, 20 May 2015) - "Adapt, move, or die." The Theory of Evolution teaches us that these are species' only three choices in the face of changing environments. These are also the three choices available to the species lawyericus attornius in the face of a legal environment being transformed by technology. "Law is an information technology-a code that regulates social life." Thus begins a new paper about how machines will transform the role of lawyers in the delivery of legal services. It's the academic equivalent of the canary in the coal mine for today's lawyers, and lays out how, when, and why the legal industry is due for a shakeup similar in size and scope to what happened to American newspapers when the internet rolled around. Moore's Law describes the exponential growth of computing power. But certain industries, like law, have not innovated in tandem with technological progress. Law, like ground transportation and telephony, will instead endure a major disruption. To avoid death, lawyers will need to move into the areas touched last by the tidal wave or adapt by learning how to utilize new tech. * * * But law, as authors John O. McGinnis & Russell G. Pearce point out, is about to get Ubered. Hard. Or, as they put it, innovation is causing the "weakening of lawyers' market power over providing legal services."

top

Fan streaming apps have sports world debating TV rights (CNBC, 21 May 2015) - Ask big names in the sports business what's on their mind, and live streaming by fans is one of the first things they'll mention. Television, with its ever-escalating contracts, increasingly finds itself competing against new technologies such as live-streaming apps Periscope and Meerkat that threaten to disrupt the entire business model. Even Internet giants like Google may be entering the space. (Periscope is owned by Twitter, and CNBC's parent company Comcast is an investor in Meerkat.) Broadcasters, sports executives and athletes at the Sports Business Journal's 2015 Sports Business Awards in New York on Wednesday were of two minds when asked about fan streaming apps, with the old guard having bigger problems with the technology than the younger generation had. Dick Ebersol, a former chairman of NBC Sports, said that live streaming through apps like Periscope and Meerkat shouldn't be allowed. "I happen to think it's wrong," he said, arguing that consumers need to pay for what they are watching. "Are you going to let them steal the signal?" NHL Commissioner Gary Bettman said that the league isn't banning streaming apps for personal use but is serious about stopping commercial uses: "There is a difference between fan engagement and commercial exploitation; it's one we are going to have to be prepared to draw." Bettman reaffirmed the league's position that it won't let reporters use the apps at its games. It has "notified our credential media holders that those apps are not OK to use under their credential. A fan experience is different than fan exploitation." Abe Madkour, executive editor of Sports Business Journal, predicted a 12- to 16-month time frame "before we start seeing changes on what's protected and what's blocked." "The people who own the intellectual property, the rights holders, will take a more active stance to protect their property," he said. Major League Baseball's president of business and media told CNBC last month that the league will not ban fans from using live-streaming apps at stadiums. Cris Collinsworth, an NBC broadcaster and former player, on Wednesday said he wondered when the rights bubble would burst. "I keep thinking we are going to reach a saturation point, and people are going to say enough football," he said, "but we're not even close to that. Everyone is begging for the next rights to the games." WNBA star player Swin Cash took a different approach, saying that fans were going to use the apps anyway. The leagues and owners need to figure out how to make it all work, she said.

top

Universities 'peculiar creatures' in cybersecurity world (NJLJ, 21 May 2015) - Cyberattacks targeting Rutgers University and Penn State University have brought the issue of cybersecurity close to home-but also served to reestablish that higher-education institutions are unique targets. "Universities are kind of peculiar creatures for cybersecurity," said Vincent Polley, an attorney based near Detroit who co-authored "The ABA Cybersecurity Handbook" and who heads technology consultancy KnowConnect. In the university structure-"a confederation of schools that are fairly loosely coordinated"-there's "frequently not a lot of top-down management," he said. "Add to that an environment where people are encouraged to experiment," and it's a dynamic that's "probably not replicated or experienced in any other environment, anywhere," he said. Scott Christie, a partner in the cybersecurity and data privacy practice at Newark's McCarter & English, called universities "relatively soft targets" when compared to other entities such as financial institutions. "Given the fact that it's in the university context, it relies upon the level of security that the school network administrators impose, which may or may not be the same as a non-university network," he said. What's frustrating about the Rutgers attack that began in March-as well as another attack at nearby Fairleigh Dickinson University (FDU) around the same time-is that neither appears to have relied specifically on network security weaknesses, attorneys and consultants said. Both universities, according to reports, experienced what are called distributed denial-of-service attacks (DDoS attacks), which seek to deluge the target's systems with requests-typically from outside machines, said Polley, former cochair of the information technology and security law practice group at Detroit-based Dickinson Wright.

top

NSA planned to hijack Google app store to hack smartphones (The Intercept, 21 May 2015) - The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals. The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the "Five Eyes" alliance - the United States, Canada, the United Kingdom, New Zealand and Australia. The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept. The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012. The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google. As part of a pilot project codenamed IRRITANT HORN, the agencies were developing a method to hack and hijack phone users' connections to app stores so that they would be able to send malicious "implants" to targeted devices. The implants could then be used to collect data from the phones without their users noticing. Previous disclosures from the Snowden files have shown agencies in the Five Eyes alliance designed spyware for iPhones and Android smartphones, enabling them to infect targeted phones and grab emails, texts, web history, call records, videos, photos and other files stored on them. But methods used by the agencies to get the spyware onto phones in the first place have remained unclear. The newly published document shows how the agencies wanted to "exploit" app store servers - using them to launch so-called "man-in-the-middle" attacks to infect phones with the implants.

top

Think you don't need cyber insurance? Think again! (Bloomberg BNA, 22 May 2015) - Big Law is a big target for cyber thieves, experts warn. For starters, law firms are viewed by criminals as low-hanging fruit - because firms are perceived as having "relatively lax security as compared with their sophisticated corporate clients," said Roberta Anderson, a partner at K&L Gates, and co-founder of the firm's Cyber Law and Cybersecurity practice group. Big Law firms have treasure troves full of the exact kind of data that sophisticated cyber criminals seek: protected, personally identifiable information and protected health information. On top of that, "law firms typically are a repository for valuable corporate data, including intellectual property, such as patents and trade secrets, information about important M&A activity, and other sensitive data," said Anderson. "'Typically' is an interesting word in the world of cyber insurance because cyber insurance is the wild west of the insurance marketplace," said Scott Godes, a partner at Barnes & Thornburg. "Nonetheless, there is some standardization in terms of cartridges that are offered in a cyber insurance policy." Law firms should look for these coverages: * * *

top

- and -

Clueless clause: Insurer cites lax security in challenge to Cottage Health claim (Security Ledger, 26 May 2015) - In-brief: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. There wasn't anything particularly surprising about the news, in December 2013, that confidential data on patients at Cottage Health System had been exposed on the Internet. Indeed, in light of subsequent attacks on healthcare industry firms like Anthem (80 million records exposed) and Premera, the data leak at California-based Cottage, which involved 32,755 patients, looks like a rounding error. But the incident may prove to have an impact that far exceeds the number of individuals affected, now that Cottage's insurer, Columbia Casualty Insurance, is denying an insurance claim linked to the breach and citing Cottage Health's lax security practices as the reason. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third-party vendor, INSYNC Computer Solution, Inc., failed to follow "minimum required practices," as spelled out in the policy. Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Among the failures cited by Columbia were Cottage's "failure to continuously implement the procedures and risk controls identified in its application" for the coverage. Those controls include configuration and change management for its IT systems as well as regular patch management. Cottage also failed to regularly "re-assess its information security exposure and enhance risk controls" and to "deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers."

top

Security researchers start effort to protect 'smart' cities (NYT, 26 May 2015) - It's a brave new world when hackers step in to protect citizens because regulators are not getting the job done. Two years after President Obama signed an executive order setting voluntary guidelines that companies could follow to prevent cyberattacks - especially on critical infrastructure like dams and water treatment facilities - security experts have found that American critical infrastructure is still wide open to attack. The order was a weakened alternative to cybersecurity legislation that the White House tried and failed to push through Congress after Senate Republicans argued the minimum standards would be too onerous on the private sector. Last year, Cesar Cerrudo, an Argentine security researcher, began pointing out critical vulnerabilities in America's so-called smart cities, where wireless sensors control a growing portion of city infrastructure from traffic lights to water and waste management systems. One year later, Mr. Cerrudo discovered that little had been done to patch those basic vulnerabilities, even as cities around the world poured billions of dollars into bringing more of their basic infrastructure online. Without renewed focus on security, he and other researchers warn, those cities are just creating larger and larger targets for nation states and cyberterrorists. In response, on Tuesday, he and others from IOActive Labs; Kaspersky Lab, the Russian cybersecurity company; and a growing list of security experts will announce a new Securing Smart Cities initiative. Their goal is to bring private security researchers and public administrators together to set up basic cybersecurity checklists for smart cities, including properly installed encryption, passwords and systems that can be easily patched for security holes. They are also seeking to set up better security requirements and approval procedures for the vendors who install, monitor and oversee crucial systems. They want to track access to smart city systems; run regular tests to look for loopholes; and set up emergency response teams that can funnel reports of vulnerabilities from security researchers, coordinate patches and share that information with other cities. They also want to create manual overrides for all smart city systems, in the event they are compromised.

top

Let Oracle own APIs, Justice Dept tells top court in surprise filing (Fortune, 26 May 2015) - Many are uneasy about a court ruling that said Oracle can sue Google over copyrighted APIs. Now, the White House has just sided with Oracle. The right of companies to use key elements of computer code, known as application programming interfaces (APIs), was cast deeper into doubt on Tuesday after the Justice Department urged the Supreme Court not to hear a controversial case that pits Google and a long list of supporters against Oracle. The news came after the Supreme Court asked the Obama Administration in January to weigh in on a lower court ruling last year that favored Oracle, and shocked many in the tech industry. The issue before the court is when, if at all, APIs can be protected by copyright. The outcome has serious repercussions not just for Google, but the entire software industry, since APIs act as a sort of lingua franca that allow different computer programs to deliver instructions to each other. In the case of Oracle and Google, the dispute turns on the search giant's use of certain Java APIs for its Android software. Java is a programming language that was developed by Oracle's predecessor, Sun Microsystems, and is widely used by software developers. Google, backed by tech trade groups and law professors, does not dispute that computer code can be copyrighted. The parties argue instead that Google only used a small portion of Oracle's Java Standard Library, and did so only in order to use common signposts or headers, rather than reinventing the instructions from scratch. The argument, in effect, is that developers should be able to use these small chunks of code, which serve as industry standards, free of copyright restrictions. U.S. District Judge William Alsup, a respected Silicon Valley judge, initially sided with Google in 2012 after teaching himself Java for the trial. He found that the APIs were functional, and fell on the wrong side of copyright law's "idea/expression dichotomy" and merger doctrine - these are rules that prevent copyright law from becoming too broad, and covering everyday things like menus and simple instructions. Last year, however, the U.S. Federal Circuit appeals court overturned that finding, and likened the Java APIs to Charles Dickens and other literary works. The ruling drew widespread scorn at the time: * * * [Polley: See also Copyright on computer programs: Solicitor General argues that APIs are unquestionably copyright eligible (Patently-O, 29 May 2015)]
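What the summary calls "signposts or headers" is the declaring code: the method name, parameter types and return type that a caller compiles against. The Java below is an added illustration for this item, not code from the case record or from either party; the class and method names are hypothetical stand-ins. It places two independently written method bodies behind one identical declaration and shows a caller that depends on the declaration alone, which is the distinction the litigation turns on.

```java
// Added illustration for this newsletter item; not code from the case record
// or from either party. Class and method names below are hypothetical.
// Declaring code = the signature a caller depends on.
// Implementing code = the body, which any author can write independently.

import java.util.Arrays;

public class ApiDeclarationDemo {

    // Hypothetical stand-in for a library's declaring code. A caller written
    // against a max(int, int) method needs only this signature to exist; the
    // body is an independently written implementation, not the library's own.
    public static int max(int a, int b) {
        return (a >= b) ? a : b;
    }

    // A second, differently written body behind the identical declaration.
    // A caller cannot tell the two apart; only the "header" is shared.
    public static int maxAlternative(int a, int b) {
        int[] pair = {a, b};
        Arrays.sort(pair);
        return pair[1];
    }

    // Client code "speaks" the API: it depends on the name, the parameter
    // types and the return type, and on nothing inside the method body.
    public static int largest(int[] values) {
        int best = Integer.MIN_VALUE;
        for (int v : values) {
            best = max(best, v);
        }
        return best;
    }

    public static void main(String[] args) {
        int[] sample = {3, 17, -4, 9};   // constructed sample input
        System.out.println(largest(sample));
        System.out.println(Math.max(3, 17));        // the library's own implementation
        System.out.println(maxAlternative(3, 17));  // same declaration, different body
    }
}
```

Swapping `max` for `maxAlternative` inside `largest` changes nothing observable to the caller; the shared declaration is what lets independently written programs interoperate, which is why the summary describes APIs as a lingua franca.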

top

The invisible learners taking MOOCs (InsideHigherEd, 27 May 2015) - "Anyone, anywhere, at any point in time will be able to take advantage of high quality education." That could be a tagline from just about any enthusiast or provider of open online courses (often called MOOCs). The intention certainly seems laudable and, if not transformational, at least desirable. What are the caveats? Recent research suggests that the majority of people enrolled in these open online courses are highly educated . As far as US participants are concerned, a large percentage also live in high-income neighborhoods . And yet, despite the extensive research and data on open online courses, we really do not know much about these millions of learners engaged in everything from courses on computer science to poetry to physiotherapy to gender studies to bioinformatics. In fact, apart from a few anecdotes of extraordinary individuals who overcome insurmountable struggles to succeed (e.g., the exceptional Nigerian man who completed 250 courses ) or abstract descriptions of learners and their activity (e.g., " less than 10% complete courses ," " auditors ," or " latecomers ") these learners might as well be invisible. And thus, my fellow researchers and I are asking more questions. We want to better understand open courses and their learners (and their successes and their failures). How do these people experience open courses? Why they do they things that they do in these courses? We are currently in the midst of conducting the largest series of interview studies in open courses. Our research is motivated by the fact that very few commentators and researchers to date have paused to talk to learners and to listen to them describe their experiences and activities. In fact, what researchers know about MOOCs is largely the result of analyzing the data trails that learners leave behind as they navigate digital learning environments. * * *

top

Financial institutions claim Home Depot breach caused 'billions of dollars' in fraud losses (Atlanta Business Chronicle, 27 May 2015) - Financial institutions claim Home Depot's data breach caused total fraud losses "in the billions of dollars." In a consolidated complaint filed May 27 in federal court in Atlanta, more than 100 financial institutions state their case for why The Home Depot Inc. (NYSE: HD) is responsible for the massive data breach that the world's largest home improvement retailer suffered in 2014. The lawsuit takes direct aim at the company's former top executive and management, starting off with a quote from Home Depot's recently retired CEO Frank Blake , which states, "If we rewind the tape, our security systems could have been better...Data security just wasn't high enough in our mission statement." The complaint goes on to charge that "The data breach was the inevitable result of Home Depot's longstanding approach to the security of its customer's confidential data, an approach characterized by neglect, incompetence, and an overarching desire to minimize costs." The financial institutions claim they have incurred more than $150 million in costs just to reissue compromised cards, and that "industry sources further estimate that the total fraud losses for all financial institutions are in the billions of dollars." Claiming that Home Depot is still at risk of another data breach ("the risk of another such breach is real, immediate, and substantial," the financial institutions claim), the financial institutions are asking the court to order the company to implement a number of security improvements.

top

Average cost of data breach is $6.5M (SC Magazine, 27 May 2015) - In a year already characterized by data breaches at recognizable healthcare organizations, such as CareFirst BlueCross BlueShield, and at major government entities, including the IRS, it's no surprise that victims' personal information is a hot commodity. An annual study from the Ponemon Institute and IBM released on Wednesday found that the average per-capita cost of a data breach increased to $217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year. (These are the figures for U.S. companies; the $3.8 million and $154-per-record figures in the Reuters and CSO Online stories cited below are the global averages from the same study.) The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 was attributed to direct costs. The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each. See also Cost of data breaches increasing to average of $3.8 million, Ponemon study says (Reuters, 27 May 2015), and Ponemon: Data breach costs now average $154 per record (CSO Online, 27 May 2015) - * * * On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it. Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain. * * *

top

Netflix now accounts for almost 37 percent of our Internet traffic (WaPo, 28 May 2015) - Netflix's share of Internet traffic is exploding. The streaming service now accounts for 36.5 percent of all bandwidth consumed by North American Web users during primetime, according to the Canada-based network firm Sandvine . That's way up from even last November , when Sandvine estimated Netflix's bandwidth footprint at 34.9 percent of Internet traffic. Sandvine's regular reports on Internet usage - based on traffic as it passes through its systems - have become a reliable indicator of which services are taking up the most bandwidth. Both the season five premiere of "Game of Thrones" and the most recent "Call of Duty" downloadable content led to massive spikes in data consumption, the latest report also finds.

top

Cybersecurity on the agenda for 80 percent of corporate boards (CSO, 28 May 2015) - Cybersecurity is a topic of discussion at most board meetings, according to a new survey of 200 corporate directors. The survey , conducted jointly by NYSE Governance Services and security vendor Veracode, revealed that more than 80 percent of board members say that cybersecurity is discussed at most or all board meetings. Specifically, 35 percent said that cybersecurity was discussed at every board meeting and 46 percent said it was discussed at most meetings. Only 10 percent said they discussed cybersecurity after an incident in their industry or at their company -- and only 1 percent said they never discussed cybersecurity at all. According to the survey, the board members held the CEO primarily responsible for cybersecurity, with the CIO as the second-most responsible executive. 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident. And, despite this lack of confidence, security ranked second to last in priority when it comes to developing new products and services. The board members surveyed said that brand damage, data breach costs, and theft of intellectual property were the top concerns when it came to cybersecurity.

top

How law firms use Facebook and other data to track down medical victims (Bloomberg, 28 May 2015) - For ambulance chasers, persistence and a phone book just don't cut it anymore. Law firms, which once relied on television commercials, billboards, and cold calling numbers in the white pages to find plaintiffs for medical lawsuits, have begun to embrace technology. To locate their ideal pharma victims more quickly and at lower costs, they're using data compiled from Facebook, marketing firms, and public sources, with help from digital bounty hunters like Tim Burd. Burd is a devoted practitioner of the art of sales. His Skype username begins with the phrase made famous by Glengarry Glen Ross, a play about desperate real estate salesmen: "Always be closing." As chief executive officer of DigitizeIQ, Burd feeds demographic data from the U.S. Centers for Disease Control and Prevention into general marketing tools offered by Facebook to identify people most likely to be exposed to a particular drug or medical treatment. For example, Burd was hired for a lawsuit claiming a medical device used in hysterectomies, known as a laparoscopic power morcellator, causes ovarian cancer to spread in patients. The CDC says women over 55 are most likely to contract that kind of cancer. Burd says CDC data are especially powerful in combination "with Facebook, which is why we love it so much, because there's ovarian cancer support groups and stuff like that. So we target women in the country over the age of 55 that 'like' an ovarian cancer support group. That's a pretty targeted demographic." * * * The sophistication of newer plaintiff procurement techniques is leaving pharmaceutical companies inundated by mass tort lawsuits. Johnson & Johnson is facing more than 24,000 lawsuits over its vaginal mesh implants. A jury in California ordered the company on March 5 to pay $5.7 million to a woman who said one of its vaginal mesh implants eroded inside of her. In January, J&J lawyers told a federal judge that firms were violating medical data laws to track down plaintiffs. * * *

top

Proposed rule change to expand feds' legal hacking powers moves forward (Ars Technica, 29 May 2015) - A controversial proposed judicial rule change allowing judges to issue warrants to conduct "remote access" against a target computer regardless of its location has been approved by a United States Courts committee, according to the Department of Justice. Federal agents have been known to use such tactics in past and ongoing cases: a Colorado federal magistrate judge approved sending malware to a suspect's known e-mail address in 2012. But similar techniques have been rejected by other judges on Fourth Amendment grounds. If this rule revision were to be approved, it would standardize and expand federal agents' ability to surveil a suspect and to exfiltrate data from a target computer regardless of where it is. (Both the United States Army and the Drug Enforcement Administration are known to have purchased such exploits, most likely zero-days.) In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts, and those warrants are typically valid only within the district in which they are issued. Peter Carr, a DOJ spokesperson, told Ars: "I am not aware of any data on the number of times this has been previously authorized." In February 2015, Richard Salgado, one of Google's top lawyers, wrote a blog post articulating the company's opposition to the move: "The implications of this expansion of warrant power are significant, and are better addressed by Congress." The rule change has a long way to go before becoming standard practice. It has to be approved later this year by the Judicial Conference, then be approved by the Supreme Court. If Congress does not intervene at that stage, it will take effect as of December 1, 2016.

top

Ad panel equates texts with prohibited direct solicitations (Florida Bar News, 1 June 2015) - The Standing Committee on Advertising has denied a law firm permission to send texts to potential clients. The committee reviewed proposals from the firm, which contended that texts are more akin to email than phone contacts, but the panel voted 6-1 against the idea. At issue was Bar Rule 4-7.18(a), which prohibits direct communication or solicitation of potential clients in person or via telephone, telegraph, or fax. Direct mail, including email, is permitted if it follows the requirements in Rule 4-7.18(b), including that the message must be clearly labeled as an advertisement, the first line must advise the recipient to ignore the communication if he or she already has an attorney, and that it must give the sending attorney's qualifications and geographical address, among other things. Jacob Stuart, representing the petitioning firm, argued that in this case the phone number is more like an email address in that it is used to deliver a text message that would otherwise comply with Bar rules for direct mail. Smartphone users, he added, use their mobile devices more to check email, send texts, and post to social media than they do to make actual phone calls. "The phone number has become an address," Stuart said. "It is simply the address for a variety of accounts, one of which is the phone." He said the firm planned to obtain phone numbers of those arrested or issued traffic citations from clerks, run them through a database that identifies those that are mobile devices, and then use a computer to send them text messages. Stuart said the practice would help bring legal services to low- and moderate-income people who rely primarily on their smartphones for information. Bar Ethics and Advertising Counsel Elizabeth Tarbert said a majority of Bar staff recommended against the text system. She noted that although the rule was written more than 20 years ago, before texts were possible and portable phones were in widespread use, the rule did not prohibit telephone "calls." Rather, it prohibits the use of telephones, as well as telegraphs, faxes, and in-person appeals, to make direct solicitations to potential clients. Those restrictions, she said, address "the urgency and intrusiveness" of the communication.


A new journal - dedicated to cybersecurity (Lawfare, 2 June 2015) - I'd like to announce the new Journal of Cybersecurity, an interdisciplinary journal encouraging submissions in all aspects of cybersecurity. This new journal will publish original research in the inherently interdisciplinary area of cybersecurity. While there are some meetings, including the Privacy Legal Scholars Conference and the Workshop in Economics of Information Security, that transcend the barriers between fields, there largely have not been academic journals that do so. By encouraging submissions in anthropological studies, human factors and psychology, computer science, legal aspects, political and policy perspectives, cryptography and computer security, strategy and international relations, security economics, and privacy, the Journal of Cybersecurity seeks to provide a home for such interdisciplinary work. Journal of Cybersecurity is published by Oxford University Press. We're looking for papers that can be read at both the disciplinary and interdisciplinary level. Editors-in-chief are David Pym and Tyler Moore, and area editors include an international set of interdisciplinary characters, including yours truly (I'll be running the Political and Policy Perspectives section). Spread the word. And submit - we're eager for your work.


RESOURCES

Law Enforcement Access to Evidence in the Cloud Era (The Chertoff Group, 21 May 2015) - The Chertoff Group, a premier advisory firm focused on security and risk management, released a new white paper examining how our global Internet economy has created significant change when it comes to the nature of law enforcement activity. This paper - Law Enforcement Access to Evidence in the Cloud Era - outlines the challenges faced by law enforcement today as they seek to gather and collect evidence in a world where such proof is no longer largely discovered within a single jurisdiction. Instead, this data or proof is often collected, stored, and processed globally by transnational companies holding this information in the cloud. As a result, significant potential exists for the disruption of law enforcement activities because those who hold relevant evidence may be subject to conflicting legal obligations, unilateral actions by a single jurisdiction, and significant economic pressures. Authored by experts within The Chertoff Group, Law Enforcement Access to Data in the Cloud Era outlines the scope of the problem and surveys existing technical, legal, and policy conflicts. While it does not endorse a single solution, this paper identifies potential responses to the changing dynamic. The white paper is here. [Polley: Spotted by MIRLN reader Claude Baudoin]


Government secrets under law, and government secrets about laws (MLPB, 20 May 2015) - Jonathan M. Manes, Yale Law School, has published Secret Law. Here is the abstract: Recent disclosures of the secret legal rules governing a variety of government programs - from electronic surveillance to targeted killing - have demonstrated that secret law not only exists, but is a regular feature of governance in this country, particularly in matters of national security. While the government is surely entitled to carry out certain functions in secret, the notion that the very rules that empower and constrain the government could themselves be secret is deeply unsettling, raising profound concerns about government's accountability, the public's role in a democracy, and the protection of individual liberties. While there is a significant literature on the government's authority to keep secrets in general, the government's power to keep the law itself hidden from the public is a special problem that has thus far received little scholarly attention. This Article is the first to offer a general examination of the phenomenon of secret law in the context of national security, describing its place in the existing transparency regime, providing an account of the competing normative commitments that animate debates about secret law's legitimacy, and offering proposals to rein in the practice of secret law. The Article argues that existing institutional arrangements give the executive branch significant discretion to keep law secret. This creates an equilibrium that produces too much secret law, and fails to adequately account for strong countervailing interests in transparency. Drawing on contemporary examples of secret laws governing surveillance, watch-listing, and targeted killings, the Article proposes both institutional and substantive reforms that would result in a more defensible and stable legal equilibrium that produces fewer problematically secret laws. In particular, it argues that courts should adopt a clear statement rule against secret law, so that law must be disclosed unless secrecy is specifically authorized by Congress. Such a rule would result in a better accommodation between secrecy interests and transparency values by requiring inter-branch contestation and agreement on the scope of secret law. Moreover, a presumption against secret law is grounded in the Constitution's text and structure, notably the Presentment and Journal Clauses, and the First Amendment. The full text is not [sic] available from SSRN. [Polley: Really? Not available on SSRN? Pretty ironic, huh?]


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

US Supreme Court reverses Grokster decision (BNA's Internet Law News, 28 June 2005) -- The US Supreme Court has ruled against file-swapping companies Grokster and StreamCast Networks in their high profile battle with the content industries. The court sought to leave the 1984 Sony Betamax decision untouched, but added the notion of active inducement. Although the 9-0 decision was a loss for Grokster, the court provided a potential roadmap for future P2P services by ruling that there is no liability for knowledge of potential or actual infringement; no liability for product support or technical updates; and (absent other evidence of intent) no liability for failure to take affirmative steps to prevent infringement. Decision at http://laws.findlaw.com/us/000/04-480.html


Google urged to drop reactor images (News.com.au, 8 August 2005) -- The head of Australia's nuclear energy agency has called on the owners of an internet satellite program to censor images of the country's only nuclear reactor. Australian Nuclear Science and Technology Organisation executive director Ian Smith said he would ask internet search engine Google to remove the Lucas Heights reactor from its Google Earth program. The online program combines satellite images with aerial photographs and maps to let users zoom in on almost any building in the world. While Google Earth "censors" the White House with blocks of colour over the roof and the nearby Treasury Department and Executive Office buildings, anyone with a computer and web connection can use the free program to see aerial shots of sensitive Australian sites such as the Lucas Heights reactor, the secret US spy base at Pine Gap, outside Alice Springs, and Parliament House in Canberra.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.