MIRLN --- 11-31 Oct 2015 (v18.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | RESOURCES | LOOKING BACK | NOTES
- Cyberwar rules of engagement: Military, law bods mull update
- 'Double-Dipping' with MOOCs
- U of Florida cancels huge Pearson contract
- Volkswagen: Where were the lawyers?
- Copyright battle over sports clips plays out on Twitter
- Buying a copy of The New York Times now gets you digital access for that day
- Why attorneys dislike consumer reviews
- Why National CineMedia is saying 'no' to all political advertising
- Judge orders school to delete Facebook post about school board candidate
- Illinois adopts duty of technology competence; Is now 15th state to do so
- Cybersecurity is a board room issue
- What cybersecurity questions are boards asking CISOs?
- SEC may target CCOs on cybersecurity
- Is this the definitive cybersecurity guide?
- Cyber criminals caused "substantial losses" to 50 law firms this year, SRA says
- ABA survey exposes law firm ignorance over information security
- Secret source code pronounces you guilty as charged
- Powerful fair use opinion from Second Circuit in Google Books case
- OPM says it breaks encryption to monitor employees' browsing habit
- The Dos and Don'ts of researching judges and juries online
- Regulators are fueling cyberinsurance demand, report says
- EU's top court rules that bitcoin exchange is tax-free
- A Bitcoin charm offensive on law enforcement
- US government says it's now okay to jailbreak your tablet and smart TV
- Harvard law library readies trove of decisions for digital age
- OK Google: Where do you store recordings of my commands?
- Trading in IP addresses becomes a lucrative market
Cyberwar rules of engagement: Military, law bods mull update (The Register, 12 Oct 2015) - Plans are underway to update a putative Geneva convention for cyberwar, put together by experts in international law and backed by an Estonian-based NATO-run military think tank. The Tallinn Manual 2.0 is on track for publication in the second half of 2016, following a drafting conference of legal experts in the Estonian capital this week. The original manual provided a handbook on how principles of international law could be applied to conflict in cyberspace, which military strategists consider to be the fifth dimension of warfare (land, air, sea and space being the other four). The original Tallinn Manual on the International Law Applicable to Cyber Warfare ruled that the Stuxnet worm may have been "armed attack", as previously reported . Victims of similar future attacks would be legally clear to retaliate proportionately in the immediate aftermath of an assault as an act of self-defence, in order to frustrate follow-up assaults. If a hacker attack occurs after two countries become engaged in open conflict then the hackers behind the assault have effectively have joined hostilities as combatants. Furthermore hackers-for-hire are like mercenaries who "do not enjoy combat immunity or prisoner of war status," the first edition of the Tallinn Manual rules. Tallinn Manual 2.0 will expand the scope of the original manual to incorporate so-called peacetime international law, addressing incidents that states frequently face, such as human rights law, a particularly tawny subject. "The most difficult material proved to be international human rights law governing activities in cyberspace," said Liis Vihul, managing editor of the Tallinn Manual and legal researcher at the Tallinn-based the NATO Cooperative Cyber Defence Centre of Excellence. More specifically whether or not international human rights norms apply to activity such as the collection of metadata by the likes of the NSA and doubtless many of the more capable international signals intelligence agencies was debated by legal experts. "If the answer is yes, we then have to examine whether the state has actually violated the individual's rights," Vihul explained. "For instance, assuming the collection of metadata implicates human rights norms, under what circumstances is a state authorised to engage in such activities?" Other topics up for debate on the draft included sections on diplomatic law, the responsibility of international organisations, international telecommunications law, and peace operations. The Tallinn Manual 2.0, like its predecessor, aims to offer guidance on applying existing international norms to the cyberspace. Its rules and associated commentaries based on the consensus of an international group of legal experts. The Tallinn Manual process is funded, hosted and facilitated by the NATO Cooperative Cyber Defence Centre of Excellence. The final Tallinn Manual international group of experts meeting is scheduled for March 2016. More details on the Tallinn Manual 2.0 process and a short video featuring interviews with participants can be found here .
'Double-Dipping' with MOOCs (InsideHigherEd, 13 Oct 2015) - As massive open online course providers specialize in disciplines and delivery modes, universities are looking for new opportunities to experiment. The trend appears to be benefiting edX. Many colleges have "double-dipped" by joining both Coursera and edX, two major MOOC providers, since MOOCs went mainstream in 2012. For example, the California Institute of Technology, Rice University and the University of Toronto all partnered with Coursera in July 2012 and then joined edX in 2013. Similarly, Peking University in Beijing first partnered with edX in May 2013, then with Coursera three months later. But among colleges and universities in the U.S., movement from one MOOC platform to the next is a one-way street. According to an Inside Higher Ed analysis, at least 10 of the institutions that first partnered with Coursera have since joined edX. Not a single edX institution has gone the other way. After adding the University of Michigan to its list of charter members last week, edX has now recruited all of Coursera's earliest partners, including the University of Pennsylvania, which joined in June, and Princeton University, in September. Even Stanford University, where Coursera co-founders Daphne Koller and Andrew Ng are faculty members, has since 2013 been a major contributor to Open edX, the MOOC provider's open-source platform.
- and -
U of Florida cancels huge Pearson contract (InsideHigherEd, 22 Oct 2015) - The University of Florida on Wednesday announced that it is terminating a huge 11-year deal for Pearson to build and manage the university's online programs. The announcement came in an internal email obtained and published by Politico Florida . The email says the university will be better able to serve online students by including them in general university operations and obtaining some new specialized help for some areas, such as marketing. The size of the deal (Pearson could have earned $186 million if it met all goals) has made it a target of criticism from some on campus. The agreement included a provision stating that Florida could withdraw or renegotiate if certain goals weren't met. And out-of-state enrollment goals weren't met, giving the university the option it is now exercising. A month ago , both sides said they were in discussions that could have led to the agreement being modified, not ended.
Volkswagen: Where were the lawyers? (Paul Lippe, 13 Oct 2015) - With Volkswagen reeling from one of the worst corporate scandals of our time, let's consider the same question asked of Enron and other similar debacles: Where were the lawyers? According to the New York Times , Volkswagen said that 11 million of its diesel cars worldwide were equipped with software that was used to cheat on emissions tests. Volkswagen's conduct is quite egregious, a concerted fraud around the core value proposition of "clean diesel." Somebody at Volkswagen deliberately conspired to manipulate tests run by a multitude of government agencies to mask emissions. No wonder the potential consequences for Volkswagen are severe. * * * One tenet of the New Normal is that we've moved into a world of transparency where any improper action is almost certain to be revealed over time. So most of these shortcuts are unwise before they are unethical. But what most litigation and enforcement actions reveal is that most companies are relatively less transparent to themselves -the bad actions are not obvious when occurring, only in hindsight. And while most legal regimes attribute bad actions to the enterprise as a whole, the practical reality is the "company" may not really know. It's the responsibility of lawyers to bridge that gap. Which leads to the iconic DieselGate question: What did Volkswagen's lawyers know, and when did they know it? Perhaps there are seven possibilities: * * *
Copyright battle over sports clips plays out on Twitter (The Hill, 13 Oct 2015) - Twitter temporarily shut down a pair of prominent accounts run by sports news websites over the holiday weekend for posting short clips of NFL and college football highlights. Deadspin's account and one run by SB Nation were removed after receiving takedown notices under the Digital Millennium Copyright Act, a law that says websites cannot be liable for what their users post but which also requires those websites to remove infringing content when it is flagged. Deadspin's account was reinstated after being down for about two hours Monday evening, while the SB Nation account, @SBNationGIF, was still down Tuesday morning. The sharing of unauthorized sports highlights has been a point of past contention on social media platforms and how it relates to fair use. During the World Cup, a bot that automatically created and shared clips of every goal received takedown notices on Twitter and other social media sites at the time. SB Nation's account was suspended over college football GIFs, according to The Verge , a sister company of the sports website. Deadspin told media organizations it received 18 takedown notices from the NFL about 16 tweets that included GIFs of football highlights. After Twitter stripped the GIFs out of the tweets, the account was reinstated. Deadspin sent out a number of mocking tweets about NFL commissioner Roger Goodell after the dustup.
Buying a copy of The New York Times now gets you digital access for that day (The Verge, 14 Oct 2015) - The New York Times is launching a new experiment; buy a physical copy of the paper from any newsstand, and you'll be gifted full, unbridled access to NYTimes.com and the company's mobile apps for that same day. This marks the first time the Times is offering "day passes," as they're being called, and is meant to "provide newsstand customers with a similar benefit to that of home delivery subscribers." (Subscribing to the paper gets you 24/7 digital access.) It's also intended to showcase the worth of the Times' vast digital presence to people who've made reading the paper part of their daily routine. That said, it's not like the company is having trouble hooking online readers; earlier this year, the Times passed a significant milestone: 1 million digital-only subscribers. The process of redeeming a day pass is slightly convoluted, though. Within the Times you'll find a keyword. Text that keyword to a mobile shortcode, and a reply containing a link for digital access gets sent back. You'll need to register an account if you don't already have one, and unlimited digital access cuts off at 11:59PM ET sharp. After that, you're back to the 10 articles per day limit. If you're still unsure whether the Times is worth paying for, there's always the NYT Now iPhone app, which remains a fantastic way to keep up with breaking news - without any subscription. It's updated constantly with hand-picked articles and an informative Morning Briefing that preps you for that day's biggest stories.
Why attorneys dislike consumer reviews (Eric Goldman, 15 Oct 2015) - I recently read an article by Prof. Cassandra Burke Robertson (Case Law) entitled " Online Reputation Management in Attorney Regulation ." This article discusses two of my favorite topics: (1) why do professional service providers struggle with online reviews more than other marketplace vendors?, and (2) can we build a well-functioning ODR to extra-judicially redress problematic online reviews? If you're interested in online reviews, Section 230, the regulation of lawyers or ODR-and let's face it, if you read this blog, you probably are-I recommend this article to you. I've repeatedly written and spoken about the medical community's battles against patient reviews, such as this essay that inventories some factors explaining why doctors seem uniquely opposed to patient reviews. Prof. Robertson addresses the same basic question, except for lawyers instead of doctors, and she provides a psychology-based explanation. She points to three main factors: * * *
Why National CineMedia is saying 'no' to all political advertising (Adweek, 15 Oct 2015) - As the 2016 presidential election cycle comes around, ad dollars will soon be flying, with spending on TV ads predicted to reach more than $4 billion . But National CineMedia is walking away from that, designating its 1,600 theaters "politics-free zones." Cliff Marks, NCM's president of sales and marketing, told Adweek it's not an easy decision to forgo all that potential revenue but that the company wants to keep its theaters free from the "sea of negative ads" viewers will likely be inundated with over the next year. NCM's preshow program, FirstLook-which features entertainment content from ABC Networks, A+E Networks, CBS Entertainment, Disney, Hasbro, Microsoft, NBC, Nintendo, Turner Broadcasting System and Yahoo, along with national, regional and local advertising-reaches over 700 million moviegoers annually. NCM said its national reach and average weekly audience translates to a Nielsen rating north of 7.0 among the advertiser-coveted 18-to-49 demographic. (And there's no way for viewers to skip through commercials.) That would make NCM seem like an enticing place for presidential hopefuls to get their message out, but Marks said he doesn't want to be associated with a negative marketplace. "Nobody wants to walk away from what will surely be a $4 billion market," Marks said, adding that it's more important to keep the moviegoing experience entertaining and maintain a safe haven for NCM's other advertisers. "We think brands are going to get really sick of having their image and their brand projected next to these negative ads," he said. "How is anybody going to remember your brand and your message?"
- and -
Judge orders school to delete Facebook post about school board candidate (Ars Technica, 26 Oct 2015) - A judge ruled recently (PDF) that a post on a high school's Facebook page about a school board candidate in a neighboring school district constituted an illegal campaign contribution. Even though no money was given to the candidate, the judge ruled that the post's influence had intrinsic value.
Illinois adopts duty of technology competence; Is now 15th state to do so (Robert Ambrogi, 16 Oct 2015) - The Supreme Court of Illinois yesterday adopted the ethical duty of technology competence, making it the 15th state (by my count) to have adopted the 2012 amendment to the ABA Model Rules of Professional Conduct. The Illinois change mirrors the Model Rule and amends Comment 8 to Rule 1.1, Competence, to read (changed text is underlined): To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. The change becomes effective Jan. 1, 2016.
Cybersecurity is a board room issue (The Recorder, 16 Oct 2015) - This week, Palo Alto Networks paired up with the New York Stock Exchange to publish "Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers." The work of 35 contributors, it includes chapters on the Internet of Things, international regulation, steps to prevent a data breach, as well as how to respond to one. The book is meant to be used by corporations and government agencies. Fish & Richardson principal Gus Coldebella, who helped write several chapters for the book, spoke with The Recorder about the effort and the legal implications of security breaches. Coldebella served as the acting general counsel for the U.S. Department of Homeland Security from 2007 to 2009.
- and -
What cybersecurity questions are boards asking CISOs? (Security Intelligence, 23 Oct 2015) - "Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and boards, and they are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprisewide risk management issue, not limiting it to an IT concern." - Deloitte's " Cybersecurity: The changing role of audit committee and internal audit " As mentioned in a previous article , boards are feeling increased pressure from government regulators and shareholders regarding their role in the oversight of cyber risks. This article looks at the questions a CISO is likely to face when presenting to the board, as well as what directors are advised to ask CISOs about when it comes to cybersecurity. Boards have only recently taken on cyber risks in the boardroom. They are still looking to find the right fit for cyber risks within the board and its environment, as evidenced by ongoing arguments such as whether cyber risks should be a full-board issue or delegated to an audit or risk committee, and what amount of time boards should give to cyber issues. According to KPMG's latest report, " Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom ," the questions on directors' minds are: "Am I asking the right questions? How do I get comfortable? Are we doing enough? How do I know we are doing the right things? Are we making the right decisions?" The report goes on to list questions that boards are asking about cybersecurity oversight in general, including whether the CISO function is correctly positioned (i.e., not under the CIO), whether the CISO has direct reporting capability to the CEO, the frequency and quality of meetings and briefings where cyber risks are the primary topic. In particular, boards are concerned about their responsibilities to shareholders when it comes to cybersecurity. Notably, this includes whether boards themselves are asking the right questions and receiving quality answers and, most importantly - from a director's perspective, anyway - whether the board is being transparent enough in keeping shareholders informed about the organization's handling of cyber risks.
- and -
SEC may target CCOs on cybersecurity (Ride the Lightning, 26 Oct 2015) - Legaltech News (sub. req.) reported that two recent speeches by Securities and Exchange Commission (SEC) officials probably got the attention of every chief compliance officer (CCO). In the first, SEC Chief of Staff Andrew J. Donohue indicated that the SEC will continue to bring enforcement actions against CCOs for not addressing compliance issues, including cybersecurity. Donohue tempered his remarks by reiterating SEC Chair Mary Jo White's position that the SEC does "not bring cases based on second guessing compliance officers' good faith judgments." However, Donohue challenged compliance professionals to be "pro-active" in their work and pointed to three recent SEC enforcement actions against CCOs on the ground that they failed to implement compliance programs reasonably tailored to the specific needs of their firms. Two days after Donohue's speech, White announced: "While cybersecurity attacks cannot be entirely eliminated, it is incumbent upon private fund advisers to employ robust, state-of-the-art plans to prevent, detect, and respond to such intrusions." * * *
- and -
Is this the definitive cybersecurity guide? (Rich Santalesa at IAPP, 27 Oct 2015) - While many companies come up short on their cybersecurity programs or ability to safeguard data privacy, one area where no gap exists is in the number of security guidance documents-from industry groups, federal regulators, consultants, law firms and others. Joining this crowd of guidance through a partnership effort between the New York Stock Exchange, Palo Alto Networks Inc., Georgia Tech, the Internet Security Alliance and the Security Roundtable with their recently released, free 355-page Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers . The guide is available for free download in PDF, Kindle and EPub formats at SecurityRoundtable.org . But what does the hefty 355-page tome have to say that isn't covered already elsewhere or in more "persuasive" regulatory guidance for privacy professionals? For starters, there is a wealth of solid information, best practices, useful checklists and meaningful recommendations contained in the guide that any corporate director or officer would do well to absorb and implement. If they did, it'd make our daily challenges as privacy professionals a great deal easier-with most chapters taking the form of short chapters from four to six pages. The introductory 40-page section itself could serve a solid primer for corporate leadership and is both concise and specific enough to throw the fear of God into any reasonable board and C-level personnel on the importance of and effort required for solid cybersecurity. The remaining sections focus on cyber risk's importance to boards of directors; the risk posed to corporate structures by digital threats; best practices in designing threat-based approaches and breach prevention; the complexity of incident response issues; managing cybersecurity risks in supply chains and with third-party vendors (an increasingly important area for virtually every sector); notable legal and regulatory concerns; "investing" in cyber insurance and data security, and finally, the vital importance of employee education and clear internal communications on cyber risk matters.
Cyber criminals caused "substantial losses" to 50 law firms this year, SRA says (Legal Futures, 16 Oct 2015) - Cyber criminals have caused "substantial losses" to 50 law firms this year, ranging from £50,000 to £2m, the Solicitors Regulation Authority (SRA) has said. Steve Wilmott, director of intelligence and investigations at the SRA, said a further 20 firms had fallen victim to e-mail redirection scams since Christmas, involving "very substantial" amounts of money. Mr Wilmott said cyber criminals were becoming "very, very clever" and described how one firm, which lost over £2m, spent three hours on the phone with one of them.
- and -
ABA survey exposes law firm ignorance over information security (JD Journal, 21 Oct 2015) - The ABA's 2015 Legal Technology Survey contains 700 pages of data points regarding technology and security, and lays out one of the biggest vulnerabilities firms face: information security breaches. The survey also demonstrates most lawyers don't consider data security to be a major threat. Earlier this year Citibank warned that "it is reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies." Specifically, firms with 100 lawyers or more serve as prime targets for data breach. Nevertheless, of those 880 lawyers surveyed, only 11.4 percent said their firms have cyber liability insurance. Eighty percent didn't even know if their firm had the coverage. Furthermore, 52 percent of firms with over 100 attorneys were ignorant as to whether a client had ever asked to verify security practices or conduct a security audit. According to attorney Vincent Polley, "There are two types of law firms: those that know they've been hacked and those that do not." Attorneys have inside information on mergers, patents, and other important business deals. Data breaches can be damaging and costly, and may even destroy attorney-client privilege. "There is no question that law firms are among the companies being targeted by cyber criminals," says Shane Sims, a director in PwC's Forensic Services Group. Mary Galligan, the former Special Agent in Charge of Cyber and Special Operations at the FBI's New York City office adds, "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry." [ Polley : My quote was way out of context, but isn't far off the mark.]
Secret source code pronounces you guilty as charged (Ars Technica, 17 Oct 2015) - The results from a Pennsylvania company's TrueAllele DNA testing software have been used in roughly 200 criminal cases, from California to Florida, helping put murderers and rapists in prison. Criminal defense lawyers, however, want to know whether it's junk science. Defense attorneys have routinely asked, and have been denied, access to examine the software's 170,000 lines of source code in a bid to challenge the authenticity of its conclusions. The courts generally have agreed with Cybergenetics , the company behind TrueAllele, that an independent examination of the code is unwarranted, that the code is a proprietary trade secret, and disclosing it could destroy the company financially. A new challenge, pending before the California Supreme Court, concerns some of the company's latest conclusions. The results are evidence in a cold-case murder, yet they differ astronomically from traditional DNA testing. The dispute comes as secret code is creeping into our everyday life in what is known as the Internet of Things. It's in everything, from airplanes to refrigerators, medical devices, and even elevators, light fixtures, and cars.
Powerful fair use opinion from Second Circuit in Google Books case (David Post on Volokh Conspiracy, 17 Oct 2015) - In the latest installment of the long-running copyright litigation between the Authors Guild and Google over the Google Books project, the U.S. Second Circuit Court of Appeals has now held that Google's "copying" and "public distribution" of copyright-protected books to allow full-text searching through those works (and the display of "snippets" of text from the works) is protected as a noninfringing "fair use" under the Copyright Act. The opinion, by Judge Pierre N. Leval - the author of a highly influential law review article on the fair use doctrine ("Toward a Fair Use Standard," 103 Harv. L. Rev. 1105 (1990) ) and a number of important decisions (in the district court and CA2) on the scope of the doctrine - is well-crafted and quite persuasive. * * * [ Polley : see also Google's court victory is good for scholarly authors. Here's why. (Pam Samuelson in Chronicle of Higher Ed, 27 Oct 2015)]
OPM says it breaks encryption to monitor employees' browsing habit (NextGov, 19 Oct 2015) - The code-breaking National Security Agency and the recently hacked Office of Personnel Management have more in common than one would think. Both keep tabs on the Internet traffic of government workers to prevent malicious actors from penetrating U.S. networks. NSA breaks into the private communications of foreign adversaries for intelligence gathering. OPM officials peek at what their employees are browsing, because, increasingly the bad guys are using tainted websites as a launching pad, said Jeff Wagner, OPM director of security operations. Through a technique called "SSL decryption," the agency sees through secure online transactions between a worker's computer inside the agency firewall and an external website. "When I bring up SSL decryption -- first, it's always the 'How do you do it without the OGC getting mad at you?'-discussion, which is true," he said, using the abbreviation for Office of General Counsel. "You are going to get a lot of privacy questions." [ Polley : ya think? Such MiTM attacks are going on in many (most?) employer contexts.]
The Dos and Don'ts of researching judges and juries online (Lawyerist, 21 Oct 2015) - It makes sense to research potential jurors, and social media makes it easier than ever. But courts have only recently begun to issue guidance now that researching jurors and other courtroom players online is becoming an increasingly common practice. Researching judges, too, has its advantages. Some jurisdictions, like California, allow you to strike a judge once per case without establishing bias. Although there are limitations and technicalities on these rules, they can give you a say in who decides cases - making it important to know your judge. But even if you cannot strike a judge for any reason, wouldn't you want to know if the judge deciding your case despises loud yawns, sings the blues, or has a tendency to belt out show tunes while court is in session? * * * [Table of hyperlinked governing authorities] * * * Not only does online research give you a competitive advantage in the courtroom, you may have an ethical obligation to do it. One court has approved of using new technologies to research potential jurors. After the jury returned the verdict for the defendant in Johnson v. McCullough , the plaintiff's lawyer searched a litigation database and found a non-responsive juror had been a defendant in multiple debt collection cases and a personal injury case. The trial court granted the plaintiff's motion for a new trial and the Supreme Court of Missouri affirmed, encouraging reasonable efforts to use the Internet to research the litigation history of selected jurors and present any relevant information prior to trial. Many courts have given the green light to research opposing counsel, judges, juries, and others using social networks like Facebook, Twitter, Myspace, and Xanga (apparently, the last two are still a thing). However, you are generally prohibited from sending any type of connection request to the social media user you are researching. This means you cannot ask to connect or take any other action that tells account holders you are researching them. The American Bar Association issued a formal opinion strongly suggesting you should not request access to the social media accounts of jurors before or during a court proceeding. In Formal Opinion 466 , the ABA Standing Committee on Ethics and Professional Responsibility stated that any communication to a juror that requests access to information not made public is considered a prohibited ex parte communication under Model Rule 3.5(b) . Some courts have interpreted this to ban any contact that results in the notification of the social media account holder. However, courts have yet to reach a consensus on this issue Bar associations in Oregon , Kentucky , New Hampshire , and New York have all followed suit, giving the go-ahead to access to the public social media pages of jurors, witnesses, and other parties in pending cases. * * *
Regulators are fueling cyberinsurance demand, report says (Law360, 21 Oct 2015) - The ballooning number of companies turning to cyberinsurance to cover losses related to increasingly prevalent data breaches is likely to continue to expand as more regulators focus on the issue and underwriting standards become better defined, experts predicted in a report released Tuesday. In the white paper, titled "What Every Chief Information Security Officer Needs To Know About Cyber Insurance," attorneys, brokers and other industry experts offered corporate leaders involved in cyberinsurance decisions advice on topics ranging from how regulators and legislatures are dealing with the issue and lawyers' role in the process to the best practices for responding to breaches and choosing insurance coverage. "We have a lot of customers on the security side who are now getting involved in cyberinsurance and don't really have a good understanding of what that means," Bob Shaker, global leader of incident response operations for Symantec Corp., which organized and released the white paper, told Law360. "With all the questions we were getting, we thought it would be a good idea to get some thought leaders to write about different components of the industry in order to put those responsible for security in a better position to get the most from cyberinsurance that they can."
EU's top court rules that bitcoin exchange is tax-free (Bloomberg, 22 Oct 2015) - Bitcoin and other virtual currencies can be exchanged tax free, the European Union's top court said in a ruling that puts them on a more equal footing with traditional cash. Value added tax -- a type of sales levy -- needn't be applied because the business involves "the exchange of different means of payment," the EU Court of Justice in Luxembourg ruled Thursday. The case was triggered by a dispute in Sweden, where David Hedqvist set up a service for the exchange of mainstream money for bitcoin and vice versa.
- and -
A Bitcoin charm offensive on law enforcement (WaPo, 22 Oct 2015) - * * * As part of a wider effort to change Bitcoin's image in the minds of regulators and lawmakers, advocates of the technology have begun working with a group whose background and expertise make them well-respected within the Beltway: Federal law enforcement. The Justice Department, Secret Service and other agencies are beginning to understand how to use Bitcoin for forensics - tracking flows of digital money across borders and online wallets just as they do with government-backed dollars. And the companies that handle these online transactions want to help. So they've created a first-of-its-kind trade group, known as the Block Chain Alliance, to reach out to federal officials. The organization is designed as a one-stop shop where authorities who need a hand navigating the complex world of Bitcoin transactions can get advice and a steer in the right direction. Jerry Brito is the executive director of the Coin Center, and he helped bring together the 20-odd Bitcoin companies trying to build a relationship with governments both here and abroad.
US government says it's now okay to jailbreak your tablet and smart TV (The Verge, 27 Oct 2015) - The US Library of Congress today issued a set of exemptions to an infamous provision in the Digital Millennium Copyright Act (DMCA), establishing a victory for consumers who like to tinker with devices without running afoul of copyright law. The exemptions were far-reaching, extending from movie and television files used in an educational context for criticism to installing third-party software - in other words jailbreaking - tablets and smart TVs. The Library of Congress meets around every 36 months to decide new exemptions and re-establish previous exemptions to the DMCA's 1201 provision. That provision has made it illegal in the past to unlock your smartphone from its carrier or even to share your HBO Go password with a friend . It's designed to let corporations protect copyrighted material, but it allows them to crackdown on circumventions even when they're not infringing on those copyrights or trying to access or steal proprietary information. The exemptions, though they only last three years, are designed to remedy that. Yet regulators tend to leave out devices, like in 2012 when the group approved jailbreaking for smartphones but not tablets . This year the Library of Congress got together and established a handful of now well-known exemptions - like the ability to unlock your smartphone from its carrier - and a slew of new ones covering a range of devices. You can continue to unlock your smartphone and tablet, and the same now goes for Wi-Fi hotspots and wearable devices with cellular connections. As for jailbreaking, you can continue to do so with smartphones and now, for the first time, tablets and smart TVs as well. You're still not allowed to jailbreak e-readers, handheld gaming devices, or laptops and desktop computers. Video game consoles are also off limits, as the Library of Congress found that, "as in 2012, opponents provided substantial evidence that console jailbreaking is closely tied to video game piracy." Perhaps the most interesting new exemption allows for the tinkering of automotive software for the purpose of "good faith security research" and for "lawful modification." The ruling comes after a concerted effort from the Electronic Frontier Foundation, which filed for two exemptions that are now more relevant than ever in the wake of the Volkswagen emissions scandal .
Harvard law library readies trove of decisions for digital age (NYT, 28 Oct 2015) - Shelves of law books are an august symbol of legal practice, and no place, save the Library of Congress, can match the collection at Harvard's Law School Library. Its trove includes nearly every state, federal, territorial and tribal judicial decision since colonial times - a priceless potential resource for everyone from legal scholars to defense lawyers trying to challenge a criminal conviction. Now, in a digital-age sacrifice intended to serve grand intentions, the Harvard librarians are slicing off the spines of all but the rarest volumes and feeding some 40 million pages through a high-speed scanner. They are taking this once unthinkable step to create a complete, searchable database of American case law that will be offered free on the Internet, allowing instant retrieval of vital records that usually must be paid for. While Harvard's "Free the Law" project cannot put the lone defense lawyer or citizen on an equal footing with a deep-pocketed law firm, legal experts say, it can at least guarantee a floor of essential information. The project will also offer some sophisticated techniques for visualizing relations among cases and searching for themes. Complete state results will become publicly available this fall for California and New York, and the entire library will be online in 2017, said Daniel Lewis, chief executive and co-founder of Ravel Law, a commercial start-up in California that has teamed up with Harvard Law for the project. The cases will be available at www.ravellaw.com . Ravel is paying millions of dollars to support the scanning. The cases will be accessible in a searchable format and, along with the texts, they will be presented with visual maps developed by the company, which graphically show the evolution through cases of a judicial concept and how each key decision is cited in others. On Ravel sites currently available to the public, for example, a lawyer planning to challenge the 2010 Citizens United decision, which permitted corporations to make independent political expenditures, can enter "campaign finance" and see in schematic form the major cases at the district, appellate and Supreme Court levels that led up to the 2010 decision and the subsequent cases that cite it.
OK Google: Where do you store recordings of my commands? (NPR, 29 Oct 2015) - Sure, our smartphones know a lot about who we are. If you have an Android smartphone, you may not know that Google saves all of the voice commands you give it . They're archived online in your Google account. Google says it keeps the audio search information to improve its voice recognition. Android users can opt out, which keeps your recordings anonymous. (Apple also stores voice commands collected by Siri users , though they're not so obviously associated to users.) You can find your audio commands - as well as other histories, like all of the YouTube videos you've searched for and watched - by visiting your Google history page . You can disable this storage feature by managing your activity. Otherwise, you can look through and listen to your Google voice searches - all those times you said "OK Google" and asked for directions, set alarms, dictated texts and searched for answers to the many questions that pop in your head throughout the day.
Trading in IP addresses becomes a lucrative market (ABA Journal, 1 Nov 2015) - When clients approached Marc Lindsey in 2008 about a request from the American Registry for Internet Numbers to voluntarily give back unused IP addresses, he researched the issue. Then he advised his clients to hang on to them. That simple piece of advice saved clients a valuable asset and brought Lindsey into a lucrative niche market. "When the market appeared to be taking shape, we went back and proactively reached out to our clients early on to inform them that there's an opportunity to sell," says Lindsey, president and co-founder of Avenue4, a company specializing in buying and selling Internet Protocol addresses. "I advised them to keep their IP addresses when transferring assets and to exclude-or include for value-their IP addresses in corporate mergers, acquisitions and divestitures," he says. Lindsey estimates there are 800 million to 1 billion unused addresses in the Internet Protocol version 4 format available in the secondary market (not transferred through the American Registry for Internet Numbers). That creates a market of between $6.4 billion and $10 billion. Acknowledging difficulties in estimating prices and numbers of transfers, he says that in 2014 ARIN reported secondary-market transfers of just under 14 million IPv4 addresses. That might present a total value of trades in 2014 and 2015 of about $143 million, and "during that same period Avenue4 brokered and closed deals valued at more than $74 million."
RESOURCES
Employee Privacy (MLPB, 16 Oct 2015) - Steven L. Willborn, University of Nebraska, Lincoln, College of Law, is publishing Notice, Consent, and Non-Consent: Employee Privacy in the Restatement in volume 100 of the Cornell Law Review (2015). Here is the abstract: Privacy claims necessarily entail two determinations. First, the domains protected by privacy must be identified. What spaces, or thoughts, or data are legally protected as "private"? Second, what does it mean when something is within a domain protected as private? What limitations does that impose on others and to what extent can the privacy holder consent to waive her privacy protections? Both of these determinations are especially fraught when the issue is employee privacy. Employers have a great deal of control over the domains an employee can legitimately consider to be private. And when a domain is determined to be "private," employers have many ways to encourage employees to waive any privacy protections. The American Law Institute recently completed an effort to "restate" the common law of employment. This paper closely examines the Restatement of Employment Law's treatment of employee privacy. On the domains protected as private, the Restatement confers considerable authority on employers to expand and, more troublingly, to limit employee privacy rights. On the ability of employees to waive their privacy rights, the Restatement provides some new and innovative protections, but fails to emphasize the centrality of consent to the privacy regime.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Pentagon's urban recon takes wing (Wired, 29 Nov 2005) -- A leading defense contractor has successfully demonstrated a system that lets foot soldiers command unmanned aerial vehicles, or UAVs, to see real-time overhead images on their handheld computers while fighting in urban battle zones. Individual war fighters can receive video-surveillance data on a target of interest by moving a cursor over the subject, as part of a Northrop Grumman system to automate reconnaissance, surveillance and target acquisition, or RSTA, within urban environments. UAVs have already proven their worth in the kinds of urban battle zones that produce daily headlines out of Iraq -- places like Falluja and Najaf, where the drones can navigate the labyrinth of streets or stealthily peer into buildings. But ground troops don't currently have direct access to this surveillance and reconnaissance data, and they have no control of the aircraft that deliver it. That's what HURT, for Heterogeneous Urban RSTA, promises to change. Northrop demonstrated the system this fall on the former site of Georgia Air Force Base in Victorville, California, on a grid of abandoned streets and buildings used to train soldiers in urban combat. Two fixed-wing UAVs, a Raven and a Pointer, along with an Rmax rotorcraft, were put aloft under the control of the system. Participants on the ground were able to view wide-area surveillance of the battle zone on handheld monitors, but could also send one of the UAVs in for a closer look at a suspected enemy position by merely moving over the subject with their cursor.
U.S. cybersecurity due for FEMA-like calamity? (CNET, 7 Oct 2005) -- In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next? Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies. "When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no." The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth. But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month." Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. NewsScan and Innovation, http://www.newsscan.com
5. Aon's Technology & Professional Risks Newsletter
6. Crypto-Gram, http://www.schneier.com/crypto-gram.html
7. Steptoe & Johnson's E-Commerce Law Week
8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
9. The Benton Foundation's Communications Headlines
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top