MIRLN --- 9-29 August 2015 (v18.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
- GCs worry about cybersecurity but feel underprepared
- NIST's first cybersecurity practice guide: Securing electronic health records on mobile devices
- Citing twin law firm websites (1 real, 1 fake), bar group urges public to beware
- Early adopters take new .law domains
- The failure of crowdsourcing in law (so far, at least)
- Iowa to football fans: Please don't tweet at recruits
- In potential job threat to associates, 'artificially intelligent attorney' gets BigLaw gig
- Man charged with contempt of court for "liking" ex-girlfriend's Facebook photos
- A piece of Internet freedom, in the hands of an appeals court
- Nine people charged in largest known computer hacking and securities fraud scheme
- ACC sees need for better information governance
- Cyber-security is a hot topic at board meetings
- Companies hope cybersecurity experts in the boardroom can counter hacks
- Judge rules as unconstitutional New Hampshire law banning posting of voted ballots to social media
- Germans are so scared of surveillance they microwave their ID cards
- FinCEN rules commodity-backed token services are money transmitters
- Research examines blockchain securities under US commercial law
- Split works debate raises thorny issues for music companies
- Heightened risk of cyberattacks puts pressure on law firms to bolster defenses
- Cybersecurity data sharing is now available to law firms
- Law firms can now share cyber threats. But will they?
- Court provides guidance on how to effectively communicate online terms of service
- Yes, the appeals court got basically everything wrong in deciding API's are covered by copyright
- How Google could rig the 2016 election
- Location, sensors, voice, photos?! Spotify just got real creepy with the data it collects on you
- Spotify tries to put out a privacy fire
- BitTorrent tracker blocks Windows 10 users
- Why your doctor won't friend you on Facebook
- The FTC takes charge -- FTC v. Wyndham
GCs worry about cybersecurity but feel underprepared (Corporate Counsel 5 August 2015) - General counsel in a recent survey listed data privacy/security as one of their top concerns. But 60 percent said their companies still lack the proper preparation for a cyberbreach. The "General Counsel Data Survey," conducted in June by the Consero Group at one of its forums for Fortune 1000 GCs, showed that data privacy/security was listed a top priority among 21 percent of the GCs, just behind compliance and ethics at 27 percent. "The cybersecurity numbers caught my eye," said Paul Mandell, Consero's chief executive officer, partly because of the high-profile data breaches that have been in the news and partly because "the percentage of general counsel reporting cyberbreaches [in the survey] increased over last year." "Cyberthreats pose perhaps the most destructive potential risk to these sophisticated global businesses," Mandell told CorpCounsel.com on Tuesday. "But the data indicate an alarming percentage of those huge companies remained unprepared." He said the issue is not a lack of awareness - GCs are very aware of the problem. "The bottom line is we need to speed up the efforts to address it," he said. Part of companies' slow reaction to cyberrisks, he suggested, is that the GCs think they do not have enough resources for the breadth and complexity of the problem.
NIST's first cybersecurity practice guide: Securing electronic health records on mobile devices (Ice Miller, 6 August 2015) - The National Institute of Standards and Technology (NIST) has released a draft of Securing Electronic Records on Mobile Devices, the institute's first practice guide in a series designed to help organizations improve cybersecurity. The guide demonstrates how health care providers can more securely share patient information using mobile devices such as tablets and smartphones. While the guide is not a guarantee of compliance, providers can use it to help implement relevant standards and best practices in the NIST Framework for Improving Critical Infrastructure Cybersecurity, and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. * * * To help providers keep pace with practice needs in the current threat landscape, NIST brought cybersecurity experts together with health care providers to create a virtual environment that simulated interaction between mobile devices and an EHR system. Using a hypothetical scenario in which a primary care physician uses her mobile device to perform such tasks as making referrals, adding information to the EHR, and e-prescribing, the team identified commercially available and open-source tools, consistent with cybersecurity standards and best practices, that can increase privacy and security and reduce risk.
Citing twin law firm websites (1 real, 1 fake), bar group urges public to beware (ABA Journal, 7 August 2015) - Add another law firm to the growing list of those whose partners have been horrified to discover that they have an Internet twin. For anyone who might happen to see both the Hughes Dowdall website for an actual Scottish law firm and the purported London-based Damian Alden Law Chambers site, the resemblance is striking. Both sites have the identical home page, except for the law firm details. And both show the same three photographs at the beginning of their "Our People" page. (The names are the same or similar for two of the three photos, but Hughes Dowdall senior partner Michael Foster is listed as "Damian Alden" on the fake site.) However, only the Hughes Dowdall website is for an actual law firm, the Law Society of Scotland has warned in a scam alert. On the "Damian Alden" site, "a fraudulent firm of solicitors have copied the website of a genuine firm and are using their names and photographs in an attempt to deceive potential clients," the bar group says. Such misappropriation of real law firms' website format and content is on the rise, bar groups say, and the Law Society of Scotland is urging potential clients to check lawyers' credentials rather than assuming that a seeming online lawyer is the real deal. Michael Foster, the Hughes Dowdall senior partner, told Scottish Legal News that his firm was appalled to learn that its website had been copied. "I am very concerned about this hijacking of our website and our personnel and the potential for damage to our hard-won reputation," he said. "It's horrifying to think an unsuspecting and entirely innocent member of the public could be conned and suffer loss as a result of this."
Early adopters take new .law domains (ABA Journal, 10 August 2015) - Some prominent BigLaw firms are among the early adopters of the new .law domain name extension. DLA Piper; Russell and Goldstein; and Skadden, Arps, Slate, Meagher & Flom have each already reserved their domain names. Minds + Machines, the owner of the .law domain extension, started taking orders July 30, the beginning of a 60-day "sunrise period." Firms who have registered their trademarks with the Internet Corporation for Assigned Names and Numbers - the nonprofit responsible for coordinating the monitoring and creation of naming conventions on the Internet - are eligible to participate in the sunrise period. Domain name registration will be available to credentialed members of the legal community Oct. 12. More information on the .law launch program is available at http://nic.law. Minds + Machines has partnered with ALM Media to advertise and market the domains. [Polley: Seems like a waste of money to me, unless you're registering simply to preempt somebody else from getting "your" domain.law.]
The failure of crowdsourcing in law (so far, at least) (Robert Ambrogi, 10 August 2015) - Above are the slides from my July 20 presentation on crowdsourcing to the American Association of Law Libraries annual meeting. When I first suggested the title, I was sure the presentation would be a positive one, demonstrating the ways in which crowdsourcing and collaboration "are changing" legal research. I have long been a believer that crowdsourcing can help democratize legal research and enable free research sites to become more viable alternatives to paid sites. But as I dug deeper into my research for the presentation, my long-held fears about crowdsourcing were increasingly confirmed. It just has not ever worked well within the legal profession. Over the years, site after site has attempted to make a go at crowdsourcing. But they almost always fail. Why is that? I have a quote in one of my slides that may pretty well sum up the answer. It is from Apoorva Mehta, who is now a huge Silicon Valley success story as the founder of grocery-delivery service Instacart, but who, earlier in his career, attempted to start a legal networking and crowdsourcing site called Lawford (later called LegalReach). Asked later why Lawford failed, here is what he said: "I didn't know anything about lawyers when we started. Turns out, they don't like technology, and they don't like to share things." Anyone who is considering starting a crowdsourced law site should take Mehta's quote, frame it and hang it above their desks. That said - and perhaps I am ever the optimist - but I do believe there is hope. Three sites, in particular, stand out to me as potential success stories in the small world of crowdsourced legal research. I'll get to those later in this post, but first let me recap some of the history as I presented it at AALL. * * *
Iowa to football fans: Please don't tweet at recruits (InsideHigherEd, 11 August 2015) - The University of Iowa on Monday instructed its fans and boosters to stop tweeting at prospective student athletes. "Hawkeye fans and boosters, please do not tweet at Hawkeye recruits," the athletic department's compliance office posted on its Twitter account. "Leave the recruiting to Iowa coaches!" It is against National Collegiate Athletic Association rules for athletic boosters to communicate with recruits over social media. Colleges also discourage fans from using social media to persuade prospective players to join a program, as the interaction can cause confusion or be seen as having received approval from an institution. In 2010, Indiana University fans who hoped to recruit high school basketball star Cody Zeller created a Facebook page that listed two team members as administrators. The university was forced to deny involvement in the campaign, saying the players were added as administrators without their permission. In recent years, several colleges -- including Florida Gulf Coast University, Tulane University and the University of Oklahoma -- have made similar pleas as Iowa's. Responding to Iowa's tweet, one fan questioned why supporters shouldn't contact recruits, tweeting, "Fans are some of the best recruiters out there, especially when the coaches can't, due to the NCAA." The fan has tweeted at several players in the last month, trying to convince them to play for Iowa's football team.
In potential job threat to associates, 'artificially intelligent attorney' gets BigLaw gig (ABA Journal, 11 August 2015) - First came the outsourcing of legal work once done by U.S. lawyers to cheaper foreign counterparts. Now, it appears, would-be BigLaw associates may also have to compete with artificial intelligence applications in the foreseeable future. Megafirm Dentons and some major U.S. law firms have agreed to train Ross, a so-called artificially intelligent attorney developed by students at the University of Toronto, in U.S. bankruptcy law, reports the Globe and Mail. Using IBM's Watson computer, which made headlines as a winning contestant on the TV show Jeopardy! in 2011, Ross scans documents and case law and offers answers to legal research questions. Although still under development, "what we are seeing is Ross grasping and understanding legal concepts and learning based on the questions and also getting user feedback. … Just like a human, it's getting its experience in a law firm and being able to learn and get better," Andrew Arruda told the newspaper. One of the U of T students who helped develop Ross, Arruda is now chief executive officer of Ross Intelligence, which is partnering with IBM, Dentons and other companies to take Ross to the next level. Once Ross masters bankruptcy law, the plan is to expand the machine's training into other practice areas. Although the app won't be able to handle the most complex legal problems, it is foreseeable that Ross will be able to perform routine legal research tasks at a lower cost than real attorneys, according to Arruda.
Man charged with contempt of court for "liking" ex-girlfriend's Facebook photos (Times Leader, 11 August 2015) - Clicking "Like" on Facebook landed a Jenkins Township man in hot water. Justin Bellanco, 26, of South Main Street, was arraigned Tuesday on a contempt of court charge when he allegedly violated a no-contact restraining order when he "liked" photos on April Holland's Facebook page. Holland, 24, of Pittston, obtained a protection from abuse order against Bellanco on July 28, claiming Bellanco has been stalking and harassing her and her friends, and threatened to shoot her knee cap to watch her suffer, according to her PFA application. Luzerne County Judge Lesa Gelb on Aug. 4 granted a restraining order against Bellanco, prohibiting him from having any contact with Holland for one year. Pittston police arrested Bellanco on Monday after Holland alleged he has been "liking" photos and videos she posted to her Facebook page, according to the criminal complaint.
A piece of Internet freedom, in the hands of an appeals court (Public Knowledge, 11 August 2015) - It may seem hard to believe that the future of the Internet is at the forefront of an "extremely boring case about invisible braces." But that's exactly what's happening with a case called ClearCorrect v. International Trade Commission, which was argued this morning before the Court of Appeals for the Federal Circuit. The International Trade Commission has power to stop importation of articles that infringe copyrights, patents, or other intellectual property rights. This case involves allegations of infringement over Invisalign-style plastic braces, but the interesting part is what "articles" are being imported. Not the plastic braces. Not even molds for the braces. The "imported articles" are electronic data files downloaded on the Internet. The ITC decided that its power over "importation of articles" extended to Internet transmissions, because downloading files is apparently an act of importation. Nonetheless, the idea that a little-known federal agency can block Internet data is concerning for open Internet advocates like us - and concerning for everyone else as well. The New York Times opposed the ITC's decision, deeming it "bound to hamper the exchange of ideas and information on the Internet." The Wall Street Journal characterized the case as a "clash over protecting a free-flowing Internet." A letter of twenty-eight organizations and law professors warned against "unintended but troubling possibilities that may result from the decision" comparable to the despised SOPA and PIPA bills.
Nine people charged in largest known computer hacking and securities fraud scheme (DoJ press release, 11 August 2015) - Nine people were charged in two indictments unsealed today in Brooklyn, New York, and Newark federal court with an international scheme to hack into three business newswires and steal yet-to-be published press releases containing non-public financial information that was then used to make trades that allegedly generated approximately $30 million in illegal profits. The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies. They then traded ahead of more than 800 stolen press releases before their public release, generating millions of dollars in illegal profits.
ACC sees need for better information governance (BloombergBNA, 11 August 2015) - The Association of Corporate Counsel on Tuesday announced the launch of an Information Governance committee to help educate in-house lawyers about data management, marking the first new committee for the legal group in nearly five years. The IG committee will be led by lawyers from Lockheed Martin, Occidental Petroleum, Physicians Insurance, Symantec and other companies and is planning a series of educational programs around data management. Many corporate law departments manage data on a piecemeal basis, if at all, according to committee chair L. Shawn Cheadle, general counsel, military space at Lockheed Martin Space Systems Company. The problem is that eDiscovery, cybersecurity, records retention, and various other data practices are all related, he said. "Information governance is not one of these areas alone," said Cheadle. "It's not privacy, it's not cybersecurity, it's not the EU law - it's all of these things. Often we're not really collaborating on them."
- and -
Cyber-security is a hot topic at board meetings (Baseline, 12 August 2015) - The boards of directors of public companies are increasingly making cyber-security a priority at their meetings, according to a study done in partnership between security company Veracode and the NYSE Governance Services. More than 80 percent of the nearly 200 directors of public companies surveyed said that cyber-security was discussed at nearly every board meeting. Some 78 percent of these respondents serve on from one to three executive boards. "I think a lot of other boards said, 'We better do some inspection on our cyber-security program because we don't want to be in the same situation,'" says Chris Wysopal, Veracode co-founder and chief information security officer (CISO). "I talked to a CISO who was told that at the next board meeting, he needed to do a two-hour update on their security program. Boards are feeling that they need to take some responsibility." Overall, the study shows that 66 percent of respondents did not have confidence that their companies were properly secured against cyber-attacks. These board members listed their top three security concerns as brand damage, breach costs and a lost competitive advantage. The study also shows that 70 percent of respondents have high-level concerns about the risks presented by third-party software in their supply chains. Companies are also realizing that attacks are occurring through break-ins at their suppliers. "There is awareness that attackers are finding a quicker way into an organization than attacking them directly," he says.
- and -
Companies hope cybersecurity experts in the boardroom can counter hacks (LA Times, 16 August 2015) - The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago. Naturally, they wanted someone with communication and leadership skills. They also needed someone new: an expert to help them battle computer hackers, cyberthieves, electronic spies, digital vandals and anybody else out to wreak havoc in a connected world. The privately held Pasadena firm's latest board member is Suzanne Vautrinot, a retired Air Force major general who helped create the Department of Defense's U.S. Cyber Command and led the Air Force's IT and online battle group. Parsons is at the forefront of a fast-expanding trend in corporate governance: the elevation of cybersecurity experts to the boardroom, a perch traditionally occupied by former CEOs and specialists in marketing and finance. In recent months, AIG, Blackberry, CMS Energy, General Motors and Wells Fargo have added a board member with computer-security knowledge. Delta Air Lines and Ecolab did the same in recent years. Data show that corporate boards have a long way to go. Just 11% of public-company boards queried this year reported a high-level understanding of cybersecurity, the National Assn. of Corporate Directors said. A review by the New York Stock Exchange and security firm Veracode found that two-thirds of board members questioned think their companies are ill-prepared for a cyberattack. Yet consulting firm PricewaterhouseCoopers reports that 30% of boards surveyed never talk about cybersecurity at all. David Burg, U.S. cybersecurity leader at PwC, said he's still receiving an "amazing" number of requests from boards for basic education. For example, PwC helps boards compare their company's security approach with competitors'. There's a big problem with the whole trend, though: a shortage of cyber-qualified board candidates. 
John Pironti, a risk and security advisor for the professional group ISACA, is urging his members to ask for more responsibilities during this "big hump of sensitivity," so they'll be primed for larger advisory roles in the future - including on boards of directors.
Judge rules as unconstitutional New Hampshire law banning posting of voted ballots to social media (MLPB, 12 August 2015) - In Rideout v. Gardner, United States District Court Judge Paul Barbadoro has ruled that a New Hampshire statute prohibiting individuals from posting images of their filled-in ballots on social media violates the First Amendment. The state attempted to justify the law as a content neutral restriction. After extensive discussion of the statute's legislative history, the judge examined it under strict scrutiny, noting that it banned posting of executed ballots, not of ballots that had not been filled in, as well as for other reasons. The judge ruled that the state could not meet the required burden. It could not demonstrate that a less restrictive alternative to meet its stated goal--that of preventing vote buying--was available. [Polley: see related discussion from last year in MIRLN 17.16 here.]
Germans are so scared of surveillance they microwave their ID cards (WaPo, 14 August 2015) - When it comes to privacy, Germans can't take a joke. After it was revealed that the U.S. National Security Agency had intercepted calls in Germany, sales of old-school typewriters were reported to have skyrocketed, as some Germans assumed that sending letters might make communications surveillance harder for U.S. officials. It's not only American surveillance that Germans are concerned about, however. On Tuesday, a 29-year-old man was arrested at Frankfurt Airport after authorities noticed that he had microwaved his German identification card, reported German news agency dpa. According to a police statement, the man was concerned that his privacy might be violated by the microchip that has been embedded in all German IDs since 2010. The man now faces either a fine or time in jail for the offense of illegally modifying official documents. According to German law, identification documents are state property.
FinCEN rules commodity-backed token services are money transmitters (CoinDesk, 14 August 2015) - The Financial Crimes Enforcement Network (FinCEN) has issued a new ruling applicable to US businesses seeking to tokenize commodities for blockchain-based trading. Despite being a response to a specific inquiry by an unnamed company, the letter could be read as broadly applicable to startups seeking to both custody physical assets and issue a digital asset for use in trading. Under such business models, FinCEN suggests startups would need to be licensed in all 50 states. The letter describes the company behind the submission as one that provides an "Internet-based brokerage service" that connects buyers and sellers of precious metals; buys and sells precious metals on its own account; holds precious metals for clients and issues "digital proof of custody" in the form of a token on the bitcoin blockchain. In this specific instance, FinCEN argues the company in question does not fall under an electronic currency or commodities trading exemption as it allows "unrestricted transfer of value from a customer's commodity position to the position of another customer or a third-party". The statement is the latest from FinCEN to clarify which types of US bitcoin services it considers money transmitters following similar declarations for bitcoin processors, escrow services and miners, among other groups.
- and -
Research examines blockchain securities under US commercial law (Coindesk, 27 August 2015) - Cryptosecurities and blockchain recordkeeping systems may not be subject to commercial transactions law under the US Uniform Commercial Code (UCC), according to new research from Cardozo Law. Penned by professor Jeanne Schroeder, the 60-page research paper, released this week, provides a wide-ranging overview of how bitcoin transactions, both financial and non-financial, would be governed by laws relating to the exchange of property across US states. The paper is the latest to highlight potential legal issues that could arise in disputes over ownership of cryptographic assets, such as bitcoin, following research by law firm Perkins Coie in January. At issue is that bitcoin does not fit the UCC's definition of money and challenges conventional notions of custody. While the paper echoes many of Perkins Coie's conclusions, it is perhaps one of the first to speculate on how the UCC would apply to alternative uses of blockchains. For example, Schroeder cites decentralized application platform Ethereum and Overstock's tØ as a platform designed to enable the use of tokens outside of currency and payments.
Split works debate raises thorny issues for music companies (TechDirt, 14 August 2015) - Michael Corleone would understand. Just when music companies and their performance-rights organizations (PROs) thought they were getting out from under supervision by the U.S. Department of Justice, the DOJ may be about to pull them back in. For some time now, the DOJ's Antitrust Division has been investigating whether to modify the special antitrust consent decrees that govern the two leading PROs: the American Society of Composers And Publishers (ASCAP) and Broadcast Music Inc. (BMI). These broad settlements, originally reached in 1941, were designed to prevent anti-competitive behavior by the music publishers and set the rules for how the PROs can operate. This includes licensing on non-discriminatory terms (preventing the PROs from blocking a radio station or music service from playing their songs). The consent decrees have been modified before; BMI's was amended in 1994 and ASCAP's in 2001. But some music publishers argue these agreements are showing their age. The publishers and the PROs are hoping (and expressly asking) the DOJ to agree with their view that, here in the Internet Era, digital music doesn't need so much government intervention. Some suggest the DOJ's antitrust lawyers have shown sympathy to arguments for a "partial withdrawal" of digital copyrights from the consent-decree framework. But new arrangements to replace that framework ultimately may pull the labels and PROs back in. Billboard reported recently that the DOJ may be considering revisions that impose an even tighter regulatory scheme. According to the report, the Justice Department circulated a letter letting ASCAP and BMI know it is considering allowing any single co-owner of a "split work" - also known as a "fractional," "co-authored" or "co-pub" composition - to issue a license for 100 percent of the work.
This is in contrast to the current practice in the music industry, whereby everyone who has a piece of the copyright needs to agree to license the work. The music companies have let their resulting unhappiness be known, albeit only off-the-record.
Heightened risk of cyberattacks puts pressure on law firms to bolster defenses (Legaltech News, 14 August 2015) - As pressure to strengthen defenses against security breaches increases, organizations are in a race against the clock to shore up their resistances. Given the likelihood of an impending hack on the treasure trove of sensitive data they handle, this risk is further exaggerated for law firms. On a scale of one to 10, the risks law firms are facing are an 11, according to Daniel Solove, professor at George Washington Law School and organizer of the Privacy + Security Forum. Underscoring this urgency is data from Mandiant, a division of FireEye, which finds that 80 of the 100 biggest law firms in the U.S. have been hacked since 2011 (see infographic on next page.) Law firms have become a bigger target for cybercrime due to two main factors, according to Jeffrey Norris, CISSP, senior director of information security at LexisNexis. * * *
- and -
Cybersecurity data sharing is now available to law firms (NY Law Journal, 19 August 2015) - Law firms now have access to a platform that allows them to share data on cybersecurity threats anonymously. The Legal Services Information Sharing and Analysis Organization or LS-ISAO will announce its launch on Wednesday and will alert firms to potential cyber threats and vulnerabilities. The Financial Services Information Sharing and Analysis Center, also known as FS-ISAC, the financial industry's forum for cyber threat discussion, is providing guidance and support to the law firm service. Cindy Donaldson, FS-ISAC's vice president of products and services, said the center has been communicating with more than 180 law firms, and she expects more firms to express interest after the launch. She declined to say which firms or how many have applied and proven eligibility. Davis Polk & Wardwell is among the firms that applied. "Today, law firms are working pretty independently on fighting off the different attacks that are coming toward us," said John Kapp, Davis Polk's global director of information technology. He said the new cyber group "is a force multiplier when we can share information amongst ourselves anonymously and we can be aware of what attacks are happening against other law firms. We protect our law firm and vice versa." To become a member of the law firm forum, firms must submit an application, pay an $8,000 membership fee and meet eligibility criteria. The primary criteria is that a firm have the majority of its lawyers in the U.S., Canada or the United Kingdom, Donaldson said, adding that could change over time. Law firm members within the International Legal Technology Association and its cybersecurity focused component, LegalSEC, also played a significant role in working with FS-ISAC to establish the service. 
Law firm members of the service will receive email alerts and advisories on cyber threats and vulnerabilities, as well as physical threats such as weather events, for actionable intelligence in the hopes of preventing an attack. Firms will be able to submit information anonymously. [see also Law firms form their own threat intel-sharing group (Dark Reading, 20 August 2015)]
- and -
Law firms can now share cyber threats. But will they? (BloombergBNA, 21 August 2015) - Foley & Lardner is taking various measures to protect its servers against cyber thieves, including educating everyone at the firm, conducting audits and investing resources in protection, according to Chanley Howell, a partner who sits on the firm's cybersecurity committee. But it's not planning to join an alliance of law firms that plan to share information about cyber threats. "Our plate is pretty full," Howell told Big Law Business. "It's not on our agenda yet - I'll put it that way. If we start hearing clients recommend it, then we'll probably join." Jeremiah Buckley, founding partner of Buckley Sandler who has written about cyber risk with a particular focus on electronic signatures, said as a general rule law firms' efforts to beef up their cybersecurity have come in response to client pressure. In particular, clients in regulated industries, such as the financial services industry, have passed on pressure to protect against cyber risk by auditing their vendors including law firms, Sandler said. Buckley said his firm is not a member of the LS-ISAO. Sharing information about cyber threats opens new risks, namely that rival firms could exploit information about an attack to tarnish another firm's reputation, he explained. Even if shared anonymously, a law firm could do some digging and investigation to determine which of its competitors were subject to attacks, Buckley said.
Court provides guidance on how to effectively communicate online terms of service (InternetCases.com, 17 August 2015) - Are online terms of service provided via hyperlink in an email binding on the recipient of that email? The Second Circuit recently addressed that question, and the decision gives guidance on best practices for online providers. Plaintiff booked a trip to the Galapagos Islands using defendant's website. When she purchased her ticket, she got a booking information email, a confirmation invoice and a service voucher. One evening during the trip, a tour guide allegedly assaulted plaintiff. She sued defendant for negligently hiring and training that tour guide. Defendant moved to dismiss, pointing to language in the online terms and conditions that called for disputes to be heard in Canadian court. The district court dismissed the action, and plaintiff sought review with the Second Circuit. On appeal, the court affirmed. It held that defendant had reasonably communicated the forum selection clause to plaintiff by using hyperlinks and the appropriate language in the terms and conditions.
Yes, the appeals court got basically everything wrong in deciding API's are covered by copyright (TechDirt, 18 August 2015) - Copyright expert and professor Pam Samuelson, one of the most respected scholars of copyright law, has published a short paper explaining what she calls the "three fundamental flaws in CAFC's Oracle v. Google decision." As you may recall, that ruling was a complete disaster, overturning a lower court decision that noted that application programming interfaces (APIs) are not copyrightable, because Section 102 of the Copyright Act pretty clearly says that: In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work. But CAFC got super confused, and basically ignored 102 while misunderstanding what an API actually is. After the White House itself got confused, the Supreme Court refused to hear the case. This means that the CAFC ruling stays in place, despite it being at odds with lots of other courts. And this might not be a huge problem, since most copyright cases won't go to CAFC. The only reason the Oracle case went to CAFC was because it started out as a patent case, and CAFC gets all patent appeals, even if the appeal has nothing to do with patents. Except... of course, now there's incentive to toss in a bogus patent complaint along with a questionable "interface copyright" complaint just to get it into CAFC's jurisdiction. Samuelson's paper is a good read (and we'll get to it), but I'd actually argue it's a bit too tame, and leaves out the really fundamental flaw in the CAFC ruling and in the White House brief: these non-programmers don't realize that an API is not software. Almost all of the mistakes stem from this simple fact. They assume that an API is software.
And this is highlighted very clearly in the CAFC ruling where they quote Pam Samuelson out of context and then completely miss what she's actually saying. Here's from that ruling: * * *
How Google could rig the 2016 election (Politico, 19 August 2015) - America's next president could be eased into office not just by TV ads or speeches, but by Google's secret decisions, and no one - except for me and perhaps a few other obscure researchers - would know how this was accomplished. Research I have been directing in recent years suggests that Google, Inc., has amassed far more power to control elections - indeed, to control a wide variety of opinions and beliefs - than any company in history has ever had. Google's search algorithm can easily shift the voting preferences of undecided voters by 20 percent or more - up to 80 percent in some demographic groups - with virtually no one knowing they are being manipulated, according to experiments I conducted recently with Ronald E. Robertson. Given that many elections are won by small margins, this gives Google the power, right now, to flip upwards of 25 percent of the national elections worldwide. In the United States, half of our presidential elections have been won by margins under 7.6 percent, and the 2012 election was won by a margin of only 3.9 percent - well within Google's control. What we call in our research the Search Engine Manipulation Effect (SEME) turns out to be one of the largest behavioral effects ever discovered. Our comprehensive new study, just published in the Proceedings of the National Academy of Sciences (PNAS), includes the results of five experiments we conducted with more than 4,500 participants in two countries. Because SEME is virtually invisible as a form of social influence, because the effect is so large and because there are currently no specific regulations anywhere in the world that would prevent Google from using and abusing this technique, we believe SEME is a serious threat to the democratic system of government.
Location, sensors, voice, photos?! Spotify just got real creepy with the data it collects on you (Forbes, 20 August 2015) - Music streaming market leader Spotify has decided that it wants to know a lot more about you. It wants to be able to access the sensor information on your phone so it can determine whether you're walking, running or standing still. It wants to know your GPS coordinates, grab photos from your phone and look through your contacts too. And it may share that information with its partners, so a whole load of companies could know exactly where you are and what you're up to. This has all been made apparent by a rather significant update to the Spotify privacy policy, pushed out to users today. Upon opening the Spotify app up this morning, your reporter was greeted with a request to agree to the new conditions. A quick comparison with the previous privacy policy using the Wayback Machine showed some major changes had been made.
- and, a day later -
Spotify tries to put out a privacy fire (ReCode, 21 August 2015) - No, Spotify doesn't want to root around your phone's address book, or your photos. That's the message the music service is sending out today - after clumsily suggesting otherwise earlier this week. "We should have done a better job in communicating what these policies mean and how any information you choose to share will - and will not - be used," the company says in a post attributed to CEO Daniel Ek. "We understand people's concerns about their personal information and are 100 percent committed to protecting our users' privacy and ensuring that you have control over the information you share." Ek's post - titled "Sorry!" - is a reaction to a reaction to new privacy terms Spotify began rolling out this week in different countries around the world. The terms vary a bit depending on the territory, but you can get a good sense of them here.
BitTorrent tracker blocks Windows 10 users (ZDnet, 24 August 2015) - Windows 10 is quickly gaining fans. Some of them, however, are growing distrustful of Windows 10's privacy settings. Some BitTorrent sites don't trust Windows 10 at all. So, at least one BitTorrent tracker, iTS, has blocked Windows 10 users from accessing torrents from their site. Others are considering banning Windows 10 users. In a YouTube video, iTS proclaimed that "Windows 10 is nothing more than a spy tool that will keep track of every action, email, conversation, video, picture, or anything else that you do on your computer." iTS based its position largely on Microsoft's new unified services and privacy agreements, specifically the clause which states that, "We may automatically check your version of the software and download software updates or configuration changes, including those that prevent you from accessing the Services, playing counterfeit games, or using unauthorized hardware peripheral devices." In addition, the BitTorrent sites administrators are concerned that even if you do lock Windows 10's privacy settings down, Windows 10 will still transmit some data to Microsoft. iTS might have been able to live with that, but it's who Microsoft shares your data with that brought it to the end of its rope. In a Reddit post, iTS states: "Microsoft decided to revoke any kind of data protection and submit whatever they can gather to not only themselves but also others. One of those is one of the largest anti-piracy company [sic] called MarkMonitor. Amongst other things Windows 10 sends the contents of your local disks directly to one of their servers. Obviously this goes way too far and is a serious threat to sites like ours which is why we had to take measures."
Why your doctor won't friend you on Facebook (NPR, 25 August 2015) - Doctors' practices are increasingly trying to reach their patients online. But don't expect your doctor to "friend" you on Facebook - at least, not just yet. Physicians generally draw a line: Public professional pages - focused on medicine, similar to those other businesses offer - are catching on. Some might email with patients. But doctors aren't ready to share vacation photos and other more intimate details with patients, or even to advise them on medication or treatment options via private chats. They're hesitant to blur the lines between personal lives and professional work and nervous about the privacy issues that could arise in discussing specific medical concerns on most Internet platforms. Some of that may eventually change. One group, the American College of Obstetricians and Gynecologists, broke new ground this year in its latest social media guidelines. It declined to advise members against becoming Facebook friends, instead leaving it to physicians to decide. But even the use of these professional pages raises questions: How secure are these forums for talking about often sensitive health information? When does using one complicate the doctor-patient relationship? Where should boundaries be drawn? For patients, connecting with a physician's office or group practice on Facebook can be a simple way to keep up with basic health news. It's not unlike following a favorite sports team, your child's middle school or the local grocery store. One Texas-based obstetrics and gynecology practice, for instance, uses a public Facebook page to share tips about pregnancy and childcare, with posts ranging from suggestions on how to stay cool in the summer to new research on effective exercise for post-birth weight gain. Practices have also been known to share healthy recipes, medical research news, and scheduling details for the flu shot season.
Historically, professional groups including the American College of Physicians and American Academy of Family Physicians have advised against communicating through personal Facebook pages. The American Medical Association notes social media can be a valuable way to spread health information, but urged doctors in its 2010 guidelines to separate their personal and professional online identities to "maintain professional boundaries." * * *
The FTC takes charge -- FTC v. Wyndham (Paul Rosenzweig in Lawfare, 26 August 2015) - As Wells reported Monday, the Third Circuit has issued its decision in Federal Trade Commission v. Wyndham Worldwide Corp. Readers may recall the background of the case. Wyndham was hacked by a Russian criminal gang who stole a host of personally identifiable information maintained by Wyndham for its customers -- everyone, essentially, who ever stayed at the hotel chain. The FTC brought a suit against Wyndham with two allegations -- one (not terribly controversial legally) that Wyndham had misrepresented its cyber security practices. The other (much more controversial legally) alleging that the failure to take adequate cybersecurity measures was an "unfair business practice" subject to regulation by the FTC. Wyndham's principal argument in court was that reading "unfair business practices" to include inadequate or unreasonable cybersecurity measures was a bridge too far and that, as a result, the FTC was acting ultra vires. The Third Circuit decision is a resounding victory for the FTC. The court first determined that there was ample legal authority for the FTC to address cybersecurity practices as unfair. It then held, in a significant portion of the ruling, that the FTC's prior actions in respect of various consent decrees gave Wyndham ample notice of what constituted an inadequate program of cybersecurity (and, by inference, some indication of adequacy). This opinion is likely to be the most consequential cybersecurity opinion of a court this year or for the near future. Here are some of the implications: * * * [ Polley : good analysis of the implications.] * * * All of this means that the FTC now owns cybersecurity in the private sector. Which is an odd result. One would surely have thought that DHS (or DoD or DOJ or even the Department of Commerce) would have had a more salient role in defining standards for the private sector.
But somehow, we've converted a consumer protection mandate into a cybersecurity obligation and assigned that role to an independent agency. Candidly, I don't think the FTC is up to the task -- not in terms of staffing nor in terms of expertise -- but we will soon see how that turns out.
RESOURCES
Free six-part course on encrypting email and securing your network sessions against snooping (Jeff Reifman on Tut+, July 2015) [ Polley : Spotted by MIRLN reader Mike McGuire ]
AI and Free Speech (MLPB, 18 August 2015) - Toni M. Massaro, University of Arizona College of Law and Helen L. Norton, University of Colorado School of Law, are publishing Siri-ously? in volume 110 of the Northwestern University Law Review (2015). Here is the abstract: Computers with communicative artificial intelligence are pushing First Amendment theory and doctrine in profound and novel ways. They are becoming increasingly self-directed and corporal in ways that may one day make it difficult to call the communication "ours" versus "theirs." This, in turn, invites questions about whether the First Amendment ever will (or ever should) protect AI speech or speakers even absent a locatable and accountable human creator. In this Essay, we explain why current free speech theory and doctrine pose surprisingly few barriers to this counterintuitive result; the elasticity of current theory and doctrine suggests that speaker humanness no longer may be a logically essential part of the First Amendment calculus. We further observe, however, that free speech theory and doctrine provide a basis for regulating, as well as protecting, the speech of nonhuman speakers to serve the interests of their human listeners should strong AI ever evolve to this point. Finally, we note that the futurist implications we describe are possible, but not inevitable. Indeed, contemplating these outcomes for AI speech may inspire rethinking of the free speech theory and doctrine that makes them plausible.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Will the UN run the internet? (CNET, 11 July 2005) -- An international political spat is brewing over whether the United Nations will seize control of the heart of the Internet. U.N. bureaucrats and telecommunications ministers from many less-developed nations claim the U.S. government has undue influence over how things run online. Now they want to be the ones in charge. While the formal proposal from a U.N. working group will be released July 18, it's already clear what it will contain. A preliminary summary of governmental views claims there's a "convergence of views" supporting a new organization to oversee crucial Internet functions, most likely under the aegis of the United Nations or the International Telecommunications Union. Beyond the usual levers of diplomatic pressure and public kvetching, Brazil and China could choose what amounts to the nuclear option: a fragmented root. At issue is who decides key questions like adding new top-level domains, assigning chunks of numeric Internet addresses, and operating the root servers that keep the Net humming. Other suggested responsibilities for this new organization include Internet surveillance, "consumer protection," and perhaps even the power to tax domain names to pay for "universal access." This development represents a grave political challenge to the Internet Corporation for Assigned Names and Numbers (ICANN), which was birthed by the U.S. government to handle some of those topics. A recent closed-door meeting in Geneva convened by the U.N.'s Working Group on Internet Governance offers clues about the plot to dethrone ICANN. As these excerpts from a transcript show, dissatisfaction and general-purpose griping is rampant * * *
Brit license plates get chipped (Wired, 9 August 2005) -- The British government is preparing to test new high-tech license plates containing microchips capable of transmitting unique vehicle identification numbers and other data to readers more than 300 feet away. Officials in the United States say they'll be closely watching the British trial as they contemplate initiating their own tests of the plates, which incorporate radio frequency identification, or RFID, tags to make vehicles electronically trackable.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.