Saturday, September 19, 2015

MIRLN --- 30 August - 19 Sept 2015 (v18.13)

MIRLN --- 30 August - 19 Sept 2015 (v18.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Technology, the law, and you: BYOD (Network World, 20 July 2015) - For a long time, it seemed that, like death and taxes, BYOD was inescapable. The issue wasn't that employees wanted to use their personal smartphones on your network, it's that they were definitely going to do so whether you like it or not. But there are consequences to the convenience and lack of up-front costs associated with BYOD, due largely to the fact that security gets substantially more complicated - both for private employee data and for sensitive corporate information. Consequently, companies are getting a lot more cautious about BYOD - one recent study found a spike in businesses imposing outright bans on personal device use, as the risk of data breaches and lawsuits becomes more evident. (Read more about the study here.) Alfred Yen, associate dean of faculty at Boston College Law School, said that the major worry is security. "Foreign devices could easily be used (wittingly or unwittingly) to bring in viruses or malware that causes a network security breach, allowing company information to be stolen," he told Network World. But those security concerns work both ways, Yen added. "As a BYOD user (and I think most people are in one way or another), I worry about employer intrusion on my machines," he said. "The employer can monitor what is on my device, potentially compromising my privacy, or maybe ask for access to it in circumstances I'm not comfortable with." Clear, digestible policies are a business's first line of defense against legal trouble stemming from employee-owned devices, the professor argued. * * * [Polley: Littler's BYOD white-paper from 2012 was the best around, back in the day. Probably still is.]

Target: SEC won't penalize it over 2013 data breach (StarTribune, 25 August 2015) - The Securities and Exchange Commission decided not to penalize Target Corp. for the 2013 cyberattack that led to the exposure of millions of customers' data, the company said Tuesday. The agency was one of several governmental entities to investigate the retailer in the wake of the attack, one of the largest against a U.S. company. In its quarterly results document, filed with the SEC and published by the agency on the Internet for investors to see, Target said the investigation ended during the May-to-July period. It said the SEC "does not intend to recommend an enforcement action against us." That removes one potential liability for Target over the data breach. The company continues to be under investigation from state attorneys general and private litigators over the episode and may face costs from penalties or settlements tied to them. In Tuesday's filing, the company said it now estimates paying $264 million in breach-related costs, ranging from litigation claims to the expenses it experienced for fixing systems and sending out information at the time of the attack. That's up from its previous estimate of $252 million. About $90 million has been covered by Target's insurers.

Cyber risk now a big cause for concern in Bermuda (Bermuda Reinsurance Mag, 26 August 2015) - Cyber risk has emerged from nowhere to be ranked as the number three most worrying risk in Bermuda for re/insurance industry professionals. It had never previously been cited as a concern in the annual PWC/CFSI Insurance Banana Skins survey before its appearance this year. Market conditions were seen as the greatest risk or 'Banana Skin' in Bermuda, followed by regulation then cyber risk. Arthur Wightman, PwC Bermuda leader and Insurance leader, said: "As an industry that handles large amounts of other people's money and personal data, insurers are prime targets. As a result cyberattacks and data breaches are seen as especially urgent by the industry both from the standpoint of a threat but also as an opportunity. "With material losses now in the billions, the demand for insurance to cover cyber risk has risen considerably."

Law firm makes a case for security certification (CIO, 28 August 2015) - International law firm Shook, Hardy & Bacon touts more than its legal skills to current and potential clients: It also pitches its ability to protect sensitive client information from cyberattacks. A key selling point is Shook's recently earned ISO 27001 certification for information security management. "We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could," says the firm's chair, John Murphy. Organizations have ample reason to seek reassurances that their business partners are doing enough to protect their data. In a recent PricewaterhouseCoopers survey, 61 percent of 1,322 global CEOs polled listed cyberattacks as a key threat to their organizations' growth prospects. That's up from 48 percent in 2014. Meanwhile, a study by the Ponemon Institute pegs the average total cost of a data breach at $3.79 million. John Anderson, Shook's CIO, sought the ISO certification in 2013 at the urging of the firm's information governance committee. "We wanted a methodology and a framework that ensures we're using best practices for information security. And, secondly, we wanted third-party verification that proved our commitment to information security to external parties," Anderson says. According to Anderson, Shook spent about $30,000 in 2013 and another $30,000 in 2014 on consultants and auditors to earn the certification; that's on top of additional cybersecurity-related spending to support the firm's security strategy. Murphy says certification has strengthened Shook's position in the legal market. He says prospective legal clients ask the firms they're evaluating about their data security policies and procedures; some even specifically ask firms whether they have the ISO certification. 
[Polley: I think it's a mistake for any firm to trumpet their ISO capabilities: first, it elevates their visibility to potential attackers (à la waving a red cape at a bull); second, ISO capabilities only reflect that there's a process in place, and say little about how effective the process is.]

- and -

Cybersecurity - is your firm ready for a hack? (California Lawyer, August 2015) - Law firms are the perfect target for hackers, says Vincent Polley, whose extensive background in cybersecurity includes co-authoring the American Bar Association Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals, published in 2013. "Lawyers have really high value data," Polley says. And they're soft targets. "Law firms are not IT-focused," he explains. "The attorney who is striving to provide clients with the best service and the best access possible is not necessarily thinking about how the firm's data is vulnerable and how it is being protected." Mark Sangster, vice president of corporate and public affairs at eSentire, which works closely with law firms, says that small and medium-size law firms are often less protected than they need to be. "One misunderstanding we see often is that smaller law firms don't believe they need as much security as larger law firms," he says. "They will literally have a firewall and an anti-virus program and think that's enough."

- and -

Law firms to spend $6.9m to keep client data secure (BloombergBNA, 9 Sept 2015) - Law firms this year will typically spend more than $6.9 million on information security, or 1.92 percent of their gross annual revenues, a recently released survey of big law firms said. Client demands and obligations to protect data fueled investment decisions, cited by 59 percent of respondents in the Chase Cost Management (CCM) survey report released Aug. 27. According to the report, more than 21 percent of law firms are strengthening in-house security skills. Approximately 12 percent of respondents cited the following security investment priorities: identifying gaps through internal and external security assessments; transferring risk with new or updated cyber-liability insurance policies; and training attorneys and staff on electronic communications risks and best practices for identifying phishing e-mails. Michael J. McGuire, chief information security officer at Littler Mendelson PC in Minneapolis, told Bloomberg BNA Sept. 1 that while his firm "does not release financial data in the press, I can tell you that we invest heavily in resources to ensure that we are constantly enhancing and improving the security of our data." The typical survey respondent was a chief information officer or information technology director at an Am Law 200 firm with 827 full-time attorneys and staff and more than $363 million in gross annual revenues. A quarter of respondents said their firm's 2015 operating budget for information security and compliance investments is $5 million. Fifty percent said the operating budget ranged between $500,000 and $4.9 million, and 25 percent said the operating budget ranged between $75,000 and $499,000. The average amount spent is $8,440 per full-time equivalent employee, the survey report said. Nearly three-quarters of law firms invested in some level of cyber-liability insurance, according to the report. 
The report, "What Price Peace," is available for download after registration at http://ccmchase.com/cybersecurity-report-download/. [Polley: horribly misleading headline.]

US smartphone users accessing 9.7 Gb in monthly wireless data usage (Telecompetitor, 31 August 2015) - Combined data traffic streaming over cellular and Wi-Fi networks exploded between 2H 2013 and 1H 2015, rising over threefold, according to Strategy Analytics' Telemetry Intelligence Platform. Monthly wireless data usage for U.S. smartphone users averaged 9.7 GB during 1H'15. Only 1.6 GB/month (17 percent of total data) crossed over cellular networks, Strategy Analytics highlights in a press release. [Polley: another bad headline.]

Maker Spaces (InsideHigherEd, 2 Sept 2015) - Experiential education is all the rage. No longer confined to internships or study abroad, it now includes service learning opportunities, freshman research experiences, and, most ambitiously, project-based learning at all levels of the curriculum. A growing number of campuses have created special "maker spaces" for innovative projects. UCLA's Institute for Digital Research and Education has its "Technology Sandbox," a computing facility where innovators can work collaboratively on projects involving computer modeling, GIS, web authoring, web programming, graphics, animation, image processing, compression and archiving. Columbia University's Butler Library has created a Digital Humanities Center, where faculty and students can incorporate computer-based textual, bibliographic, image, and video information into their research and teaching. The University of Michigan has instituted the Digital Innovation Greenhouse, the Learning, Education, and Design (LED) Lab, and the Digital Education and Innovation Lab. But the curricular implications of the innovation incubator and accelerator notion have not yet been fully embraced. To be sure, a growing number of programs, particularly in engineering, are integrating hands-on problem solving into their curriculum. Cookie-cutter lab experiments are giving way to clinics where students engage in collaborative projects. I would suggest that many smart, driven students, brimming with exciting ideas, might benefit enormously if they had the opportunity to pursue ambitious technology-enhanced projects as part of their formal education and received the kinds of multidisciplinary support and mentoring they need to bring these projects to fruition.

Cell phone users can plead the Fourth (Steptoe, 3 Sept 2015) - The U.S. Court of Appeals for the Fourth Circuit ruled, in U.S. v. Graham, that historic cell-site location information collected by the government is protected by the Fourth Amendment and the government must therefore procure a warrant to obtain it from a cell carrier. Graham follows on the heels of a similar decision, In Re: Application for Telephone Information Needed for a Criminal Investigation, by Lucy Koh, a U.S. District Judge in San Jose. These rulings have major privacy implications for cell-service carriers and the public, and are the latest installments in a series of conflicting rulings over warrantless searches of cell-phone location data.

Morgan Stanley survives FTC investigation (Steptoe, 3 September 2015) - A letter released by the Federal Trade Commission announced the closure of its investigation into whether Morgan Stanley Smith Barney LLC engaged in unfair or deceptive data security practices by failing to secure account information related to Morgan Stanley's Wealth Management clients. The FTC ended the investigation but asserted that the decision "should not be construed as a determination that a violation did not occur." It seems that even when a company beats the rap, the Commission is loath to acknowledge it.

- and -

SEC to conduct second round of cybersecurity examinations (Nat'l Law Review, 16 Sept 2015) - On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) issued a Risk Alert announcing its second round of examinations of registered investment advisers and broker-dealers under its cybersecurity examination initiative. The OCIE's cybersecurity examination initiative was launched in April 2014 to assess cybersecurity preparedness in the securities industry and gather information on common practices and trends among registered firms. In its first round of examinations, the OCIE interviewed key personnel and reviewed documents of over 100 registered investment advisers and registered broker-dealers. Findings from this first round of examinations were released in February 2015. Whereas the first round of examinations consisted primarily of interviews and document reviews, the OCIE expects that the second round of examinations will involve more testing to assess implementation of a firm's procedures and controls. The examinations are expected to focus on the following key areas: * * * Registered investment advisers and broker-dealers should note that the areas of focus highlighted in the Risk Alert are not exhaustive and that OCIE examiners may select other areas of focus based on risks identified during the course of examinations. To assist firms in evaluating their cybersecurity preparedness, the OCIE has included a sample document request as an appendix to its Risk Alert. This latest announcement reaffirms the SEC's continued focus on cybersecurity preparedness. Registered investment advisers and broker-dealers should evaluate their cybersecurity policies and procedures, as well as their implementation, in light of the Risk Alert and the sample document request. We note that the National Futures Association has also recently proposed cybersecurity requirements for its members.

Justice Department: Agencies need warrants to use cellphone trackers (WaPo, 3 Sept 2015) - The Justice Department announced a policy Thursday that will require its law enforcement agencies to obtain a warrant to deploy cellphone-tracking devices in criminal investigations and inform judges when they plan to use them. The new policy, announced by Deputy Attorney General Sally Quillian Yates, should increase transparency around the use of the controversial technology by the FBI and other Justice Department agencies. It imposes the highest legal standard for the device's use and a uniform standard across the department. The policy change is an acknowledgment by the Justice Department that the use of the devices - sometimes called StingRays, the name of one popular model - raises serious privacy concerns. But the policy does not apply to state and local agencies, which continue to use the tracking technology, often without expressly informing a judge and obtaining a warrant based on probable cause. And some lawmakers have raised concerns about whether exceptions to the warrant requirement are too broad. The new policy waives the warrant requirement for exigent circumstances. These include the need to protect human life "or avert serious injury," prevent the imminent destruction of evidence, the hot pursuit of a fleeing felon, or the prevention of escape by a convicted fugitive from justice. Under the new policy, data gathered by authorities must be deleted as soon as the suspect's phone is located, or if they fail to locate it, all data gathered must be deleted at least once a day. In cases in which officials know where a suspect is but do not know his or her phone number, they may set up a simulator nearby to try to identify through patterns over time the suspect's phone. In those cases, the data gathered must be disposed of either when they've located the phone or at least once every 30 days.
Authorities must also keep data that could help prove a suspect's innocence. [Polley: That last sentence gives me pause. Full DoJ policy guidance here.]

Chrysler catches flak for patching hack via mailed USB (Wired, 3 Sept 2015) - Six weeks after hackers revealed vulnerabilities in a 2014 Jeep Cherokee that they could use to take over its transmission and brakes, Chrysler has pushed out its patch for that epic exploit. Now it's getting another round of criticism for what some are calling a sloppy method of distributing that patch: On more than a million USB drives mailed to drivers via the US Postal Service. Security pros have long warned computer users not to plug in USB sticks sent to them in the mail - just as they shouldn't plug in thumb drives given to them by strangers or found in their company's parking lot - for fear that they could be part of a mass malware mailing campaign. Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks. "An auto manufacturer is basically conditioning customers into plugging things into their vehicles," says Mark Trumpbour, an organizer of the New York hacker conference Summercon whose sister-in-law's husband received the USB patch in the mail Thursday. "This could have the potential to backfire at some point in the future."

- and -

Files on Seagate wireless disks can be poisoned, purloined - thanks to hidden login (The Register, 7 Sept 2015) - CERT.org has reported Seagate wireless hard drives include "undocumented Telnet services" accessible with a hard-coded password. This allows "unrestricted file download capability to anonymous attackers with wireless access to the device." And another flaw makes it possible to upload anything into the devices' default file-sharing directory. The wireless hard drives pack a hard disk and Wi-Fi controller into a small package. Seagate markets the products as a great way for several portable hand-held devices to access content, most often in a home environment. The devices are, however, effectively a small network-attached storage device: there's every chance more than a few are doing duty as a de facto file server in very small businesses. The three flaws present in the device mean that anyone on your network - or who can reach it from the outside - armed with the default password of "root" and enough savvy to try the username "root" can download the entire contents of the Seagate devices, then upload malware into them.

FCC accused of locking down Wi-Fi routers, but the truth is a bit murkier (Ars Technica, 4 Sept 2015) - The Federal Communications Commission is considering new restrictions that would make it harder for users to modify Wi-Fi routers, sparking controversy and an apparent misunderstanding over the FCC's intentions. The FCC's stated goal is to make sure routers and other devices only operate within their licensed parameters. Manufacturers release products that are certified to operate at particular frequencies, types of modulation, and power levels but which may actually be capable of operating outside of what they've been certified and tested to do. The extra capabilities can sometimes be unlocked through software updates issued by the manufacturer, or by software made by third parties. Lots of users install open source firmware on routers to get a better user interface and better functionality than what is provided by the vendor, and the wording of the FCC's proposal has some worried that such software will effectively be outlawed. The FCC's proposals would ideally prevent interference in wireless networks while not infringing upon the rights of users, and the FCC says making third-party router firmware illegal is not the intention. A proposed rulemaking was issued July 21, kicking off a public comment period, whose deadline has already been extended from September 8 to October 9 because groups including the Consumer Electronics Association said they needed more time to study the issue. The rules would apply not just to routers but also to smartphones and other devices with radios enabling either cellular or Wi-Fi transmissions.

US counter-intel czar to hack victims: "raise shields" against spearphishing (Ars Technica, 9 Sept 2015) - In a presentation at the Intelligence & National Security Summit here today, the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches. Called Know the Risk, Raise Your Shield, the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people not to click on those links. * * * As part of a response to the breach, in addition to the credit protection and other measures being offered to victims by the OPM, the NCSC is trying to prevent even further breaches that use information gleaned from OPM background investigation records and other data. "We need to be upfront about what we can do to help the victims of this breach and future victims," Evanina explained. And spear phishing attacks are one of the most likely ways those victims would be targeted, both by criminals and by foreign adversaries seeking to get more intelligence data - as happened in the recent attack on the Joint Chiefs of Staff administrative e-mail network, which used faked e-mails from a bank used by many service members. "91 percent of the breaches we've seen in the last few years have emanated from spear phishing," Evanina noted. "Our adversaries do not need to use sophisticated attacks - it all starts with e-mails."

Is it OK to shoot down a drone over your backyard? (Bruce Schneier on CNN, 9 Sept 2015) - Last month, a Kentucky man shot down a drone that was hovering near his backyard. WDRB News reported that the camera drone's owners soon showed up at the home of the shooter, William H. Merideth: "Four guys came over to confront me about it, and I happened to be armed, so that changed their minds," Merideth said. "They asked me, 'Are you the S-O-B that shot my drone?' and I said, 'Yes I am,'" he said. "I had my 40 mm Glock on me and they started toward me and I told them, 'If you cross my sidewalk, there's gonna be another shooting.'" Police charged Merideth with criminal mischief and wanton endangerment. This is a trend. People have shot down drones in southern New Jersey and rural California as well. It's illegal, and they get arrested for it. Drones have attempted to deliver drugs to prisons in Maryland, Ohio and South Carolina -- so far. There have been many near-misses between drones and airplanes. Many people have written about the possible terrorist uses of drones. Defenses are being developed. Both Lockheed Martin and Boeing sell anti-drone laser weapons. One company sells shotgun shells specifically designed to shoot down drones. Other companies are working on technologies to detect and disable them safely. Some of those technologies were used to provide security at this year's Boston Marathon. Law enforcement can deploy these technologies, but under current law it's illegal to shoot down a drone, even if it's hovering above your own property. In our society, you're generally not allowed to take the law into your own hands. You're expected to call the police and let them deal with it. There's an alternate theory, though, from law professor Michael Froomkin. He argues that self-defense should be permissible against drones simply because you don't know their capabilities.
We know, for example, that people have mounted guns on drones, which means they could pose a threat to life. Note that this legal theory has not been tested in court. Increasingly, government is regulating drones and drone flights both at the state level and by the FAA. There are proposals to require that drones have an identifiable transponder, or no-fly zones programmed into the drone software. Still, a large number of security issues remain unresolved. How do we feel about drones with long-range listening devices, for example? Or drones hovering outside our property and photographing us through our windows?

Does your e-commerce marketplace need an EU payments licence? (Anthony Olsen, 10 Sept 2015) - The proliferation of online marketplace businesses demonstrates their popularity, both with their users - as well as investors who have been able to capitalise on their large margin potential. Many marketplace operators intermediate the payments between their customers, which is a useful means of controlling the risk on their platforms, together with ensuring they can easily collect their own fees. However, by a marketplace 'touching the funds' of its users in the EU, it runs the risk of carrying out regulated payment services and there isn't a consistent view among EU regulators as to whether such business models can rely upon exclusion(s) to fall outside the scope of requiring a payment institution licence. My latest post on emoneyadvice.com examines the above issue with a specific review of the ability of marketplaces to rely upon the 'Commercial Agent Exclusion' under the PSD. The note also looks at how this issue is developing with the proposed PSD2.

Legal competence in the digital age (Lawyerist, 10 Sept 2015) - As technological competence becomes integral to being a lawyer, the ABA and individual states are tackling what it means for a lawyer to be tech-savvy enough to be competent. The ABA put its thoughts on the subject in comment 8 to Model Rule 1.1. States have made their decrees by adopting that comment, modifying other rules, or taking directed action at technological competence. In the end, the basic tenet by which to practice is clear: you cannot meet the ethical obligations of the profession in today's world without knowing the basics of technology. Model Rule 1.1, Competence, states, "A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation." Bringing in the issue of technology, comment 8 to Rule 1.1 states: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. Model Rule 1.1 has been adopted by 49 states (all but California), but the comments are not always incorporated. States are slowly integrating comment 8, including Arizona, Arkansas, Connecticut, Idaho, Kansas, Louisiana, Massachusetts, Minnesota, New York, Ohio, Pennsylvania, Utah, West Virginia and Wyoming. Many states have not modified their rules since comment 8 was adopted by the ABA, so it is likely only a matter of time before this list grows. Beyond Model Rule 1.1, many states have delved into the world of technology on the specific topics of cloud computing and metadata, both of which can get very complicated, hence the need (and permission by ethics regulators) for lawyers to ask experts or more tech-savvy lawyers to help.
The ABA maintains lists of current ethics opinions from individual states on these subjects. In between the Model Rule comment on competence and the detailed ethics opinions on cloud computing and metadata falls the idea that attorneys must possess general technological competence in order to meet their ethical obligations - not because the rules have changed but because the world has changed. * * * In Delaware, the Supreme Court set up its Commission on Law & Technology in 2013 for the purpose of issuing guidance on the use of technology in the practice of law. The guidance issued so far includes Leading Practice papers on multiple computing subjects, including "Basic Skills." In the Basic Skills section is guidance on selecting operating systems and hardware while conforming to the Rules of Professional Conduct; it does not get much more basic than purchasing hardware. [Polley: worthwhile reading.]

First library to support TOR anonymous internet browsing effort stops after DHS email (TechDirt, 11 Sept 2015) - Since Edward Snowden exposed the extent of online surveillance by the U.S. government, there has been a surge of initiatives to protect users' privacy. But it hasn't taken long for one of these efforts - a project to equip local libraries with technology supporting anonymous Internet surfing - to run up against opposition from law enforcement. In July, the Kilton Public Library in Lebanon, New Hampshire, was the first library in the country to become part of the anonymous Web surfing service Tor. The library allowed Tor users around the world to bounce their Internet traffic through the library, thus masking users' locations. Soon after, state authorities received an email about it from an agent at the Department of Homeland Security. After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project. Deputy City Manager Paula Maville said that when she learned about Tor at the meeting with the police and the librarians, she was concerned about the service's association with criminal activities such as pornography and drug trafficking. "That is a concern from a public relations perspective and we wanted to get those concerns on the table," she said. Faced with police and city concerns, library director Fleming agreed to turn off the Tor relay temporarily until the board could reconsider. "We need to find out what the community thinks," he said. "The only groups that have been represented so far are the police department and city hall." Fleming said that he is now realizing the downside of being the first test site for the Tor initiative. "There are other libraries that I've heard that are interested in participating but nobody else wanted to be first," he said. "We're lonesome right now."

Family of Marcel Duchamp gets 3D print design for Duchamp chess set removed back into history over copyright (TechDirt, 11 Sept 2015) - Intellectual property is often times used to censor others or control that which should otherwise be free. Sometimes it does this for arguably valid reasons. And sometimes it does so in ways so laughably and obviously against the intention of intellectual property protections that it would make you laugh if you weren't too busy yelling in anger. This story is about an example of the latter. Marcel Duchamp was first and foremost a French-American artist. He painted and sculpted, composed music, and constructed kinetic works of art. He was also an avid player of chess, going so far at one point as to fashion his own chess set personally from wood while in Buenos Aires. This chess set, originally thought to be lost to the world but now confirmed to be part of a privately-owned collection, survived until recently only in archival photographs of the man and his chess pieces. Until, that is, Scott Kildall and Bryan Cera used the photograph to come up with the Readymake: Duchamp Chess Set, which would allow a person to 3D-print Duchamp's chess set for themselves. Kildall and Cera then uploaded the 3D files to Thingiverse and made them available for all to download. The duo's project generated some press after they uploaded it and the two were particularly thrilled to see a discussion emerge between artists and technologists about just what could be done in 3D printing material generated from archival photos. Unfortunately, the project also struck a nerve with the Duchamp Estate. On September 17th, 2014, we received a cease and desist letter from a lawyer representing the heirs of Marcel Duchamp. They were alleging intellectual property infringement on grounds that they held a copyright to the chess pieces under French law. * * *

How the government surveils cellphones: A primer (The Atlantic, 11 Sept 2015) - Last week, the state of cellphone tracking became slightly more confusing. The U.S. Department of Justice announced that, except in emergency situations, federal agents would now seek warrants before using "Stingrays." Stingrays are devices that mimic cellphone towers and can pinpoint a phone's physical location or record which numbers it is calling. For people who follow the issue closely, like the ACLU, the news was welcome if limited. But for many, it made the situation around cellphone surveillance even trickier than it was before. How many different ways can the government surveil cellphones? What can each method do? Here's a primer. * * *

Wall Street banks reach deal with regulators on data retention (NYT, 14 Sept 2015) - Four of Wall Street's biggest banks on Monday agreed to cooperate with New York regulators and retain copies of communications sent through the messaging platform known as Symphony. The New York State Department of Financial Services was concerned that the platform would allow traders to delete or encrypt information that could be used to track evidence of rigging schemes among traders at various banks. Messaging in chat rooms is believed to have figured prominently in schemes to manipulate global exchange rates and benchmark interest rates. Deutsche Bank, Goldman Sachs, Credit Suisse and Bank of New York Mellon have agreed to keep copies of all electronic communication sent through the Symphony platform to and from one another for seven years. They have also agreed to store the duplicate copies of decryption keys for messages with independent custodians. The agreement essentially nullifies a feature initially marketed by Symphony that allowed for "guaranteed data deletion."

Appeals court strikes a blow for fair use in long-awaited copyright ruling (ArsTechnica, 14 Sept 2015) - The US Court of Appeals for the 9th Circuit today issued a ruling that could change the contours of fair use and copyright takedown notices. In an opinion (PDF) published this morning, the three-judge panel found that Universal Music Group's view of fair use is flawed. The record label must face a trial over whether it wrongfully sent a copyright takedown notice over a 2007 YouTube video of a toddler dancing to a Prince song. That toddler's mother, Stephanie Lenz, acquired pro bono counsel from the Electronic Frontier Foundation. The EFF in turn sued Universal in 2007, saying that its takedown practices violated the Digital Millennium Copyright Act. The judges ruled today that copyright holders "must consider the existence of fair use before sending a takedown notification." Universal's view that fair use is essentially an excuse to be brought up after the fact is wrong, they held. UMG's view of fair use solely as an "affirmative defense" is a misnomer. "Fair use is uniquely situated in copyright law so as to be treated differently than traditional affirmative defenses," wrote US Circuit Judge Richard Tallman for the majority.

Sedona publishes draft cross-border e-discovery guide for in-house counsel (Ride the Lightning, 15 Sept 2015) - Gotta love The Sedona Conference. Everyone I know is confused about cross-border e-discovery issues. So thanks to Working Group 6 on International Electronic Information Management, Discovery and Disclosure (WG6) for its work on a new guide released for public comment titled Practical In-House Approaches for Cross-Border Discovery and Data Protection ("Practical Approaches"). The guide is free to download. Comments are due by December 15, 2015 and may be sent to comments@sedonaconference.org. A final version of the guide is expected early in 2016.

Nine of world's biggest banks join to form blockchain partnership (Reuters, 15 Sept 2015) - Nine of the world's biggest banks including Goldman Sachs and Barclays have joined forces with New York-based financial tech firm R3 to create a framework for using blockchain technology in the markets, the firm said on Tuesday. It is the first time banks have come together to work on a shared way in which the technology that underpins bitcoin - a controversial, web-based "cryptocurrency" - can be used in finance. The new project, the result of more than a year's worth of consultations between R3, the banks and other members of the financial industry, will be led by R3 CEO David Rutter, formerly CEO of electronic trading at ICAP Electronic Trading, one of the world's largest interdealer brokers. "We held several roundtables...to deeply consider what the possible implications of the blockchain were, and what it could possibly do to save money, and time, and to create a better paradigm for the world of Wall Street and finance," Rutter told Reuters on Tuesday. Those that have signed up to the initiative so far are JP Morgan, State Street, UBS, Royal Bank of Scotland, Credit Suisse, BBVA and Commonwealth Bank of Australia. Rutter said the initial focus would be to agree on an underlying architecture, but it had not yet been decided whether that would be underpinned by bitcoin's blockchain or another one, such as one being built by Ethereum, which offers more features than the original bitcoin technology. Once that had been agreed on, Rutter said, the first use of the technology might be the issuance of commercial paper on the blockchain. "I think that these technologies will probably be post-trade," he said. "I think savings are in the settlement side, in post-trade, in issuance, but not in exchange trading or OTC trading any time in the near future." He added that R3 will soon announce a few more banks joining the project.

- and -

Bitcoin is officially a commodity, according to US regulator (Bloomberg, 17 Sept 2015) - Virtual money is officially a commodity, just like crude oil or wheat. So says the Commodity Futures Trading Commission (CFTC), which on Thursday announced it had filed and settled charges against a Bitcoin exchange for facilitating the trading of option contracts on its platform. "In this order, the CFTC for the first time finds that Bitcoin and other virtual currencies are properly defined as commodities," according to the press release. While market participants have long discussed whether Bitcoin could be defined as a commodity, and the CFTC has long pondered whether the cryptocurrency falls under its jurisdiction, the implications of this move are potentially numerous. By this action, the CFTC asserts its authority to provide oversight of the trading of cryptocurrency futures and options, which will now be subject to the agency's regulations. In the event of wrongdoing, such as futures manipulation, the CFTC will be able to bring charges against bad actors. If a company wants to operate a trading platform for Bitcoin derivatives or futures, it will need to register as a swap execution facility or designated contract market, just like the CME Group. And Coinflip, the target of the CFTC action, is hardly the only company that provides a platform to trade Bitcoin derivatives or futures.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Study shows online citations don't age well (Chronicle of Higher Education, 14 March 2005) - A study conducted by two academics at Iowa State University has shown a remarkably high rate of "decay" for online citations. Michael Bugeja, professor of journalism and communication, and Daniela Dimitrova, assistant professor of communication, looked at five prestigious communication-studies journals from 2000 to 2003 and found 1,126 footnotes that cite online resources. Of those, 373 did not work at all, a decay rate of 33 percent; of those that worked, only 424 took users to information relevant to the citation. In one of the journals in the study, 167 of 265 citations did not work. Bugeja compared the current situation to that of Shakespearean plays in the early days of printing, when many copies of plays were fraught with errors due to the instability of the printing medium. Anthony T. Grafton, a professor of history at Princeton University and author of a book on footnotes, agreed that citation decay is a real and growing problem, describing the situation as "a world in which documentation and verification melt into air." (sub. req'd) [ Polley in 2015: guess what? This story URL is broken.]

Lawyer vs. lawyer over web site (ABA Journal, 13 May 2005) -- One New York personal injury law firm is suing another personal injury firm in the state, alleging a Web site noting a state bar panel's probe of the first firm violates the state's civil rights act. According to the lawsuit, the firm Moran & Kufta of Rochester posted a headline with a hyperlink on its Web site that told readers that Cellino & Barnes, with offices in Buffalo and Rochester, was being investigated by the New York State Bar Association grievance committee. The headline in question was part of the "Hot Topics" portion of Moran & Kufta's Web site. It referred readers to a March 11 story in The Buffalo News, "Cellino & Barnes Investigated," and added: "State Court to Rule on Complaints by Former Clients." That Web site has since been taken down. On April 18, Cellino & Barnes filed suit in the Supreme Court of New York in Erie County. The suit named James J. Moran and the law firm as defendants, and alleges Moran & Kufta violated section 50 of the New York Civil Rights Law. That law provides in part: "A person, firm or corporation that uses for advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person … is guilty of a misdemeanor." [ Polley : URL also broken.]

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.