Saturday, October 31, 2015

MIRLN --- 11-31 Oct 2015 (v18.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Cyberwar rules of engagement: Military, law bods mull update (The Register, 12 Oct 2015) - Plans are underway to update a putative Geneva convention for cyberwar, put together by experts in international law and backed by an Estonian-based NATO-run military think tank. The Tallinn Manual 2.0 is on track for publication in the second half of 2016, following a drafting conference of legal experts in the Estonian capital this week. The original manual provided a handbook on how principles of international law could be applied to conflict in cyberspace, which military strategists consider to be the fifth dimension of warfare (land, air, sea and space being the other four). The original Tallinn Manual on the International Law Applicable to Cyber Warfare ruled that the Stuxnet worm may have been an "armed attack", as previously reported. Victims of similar future attacks would be legally clear to retaliate proportionately in the immediate aftermath of an assault as an act of self-defence, in order to frustrate follow-up assaults. If a hacker attack occurs after two countries become engaged in open conflict, then the hackers behind the assault have effectively joined hostilities as combatants. Furthermore, hackers-for-hire are like mercenaries who "do not enjoy combat immunity or prisoner of war status," the first edition of the Tallinn Manual rules. Tallinn Manual 2.0 will expand the scope of the original manual to incorporate so-called peacetime international law, addressing incidents that states frequently face, such as human rights law, a particularly thorny subject. "The most difficult material proved to be international human rights law governing activities in cyberspace," said Liis Vihul, managing editor of the Tallinn Manual and legal researcher at the Tallinn-based NATO Cooperative Cyber Defence Centre of Excellence.
More specifically, whether or not international human rights norms apply to activity such as the collection of metadata by the likes of the NSA (and doubtless many of the more capable international signals intelligence agencies) was debated by legal experts. "If the answer is yes, we then have to examine whether the state has actually violated the individual's rights," Vihul explained. "For instance, assuming the collection of metadata implicates human rights norms, under what circumstances is a state authorised to engage in such activities?" Other topics up for debate on the draft included sections on diplomatic law, the responsibility of international organisations, international telecommunications law, and peace operations. The Tallinn Manual 2.0, like its predecessor, aims to offer guidance on applying existing international norms to cyberspace. Its rules and associated commentaries are based on the consensus of an international group of legal experts. The Tallinn Manual process is funded, hosted and facilitated by the NATO Cooperative Cyber Defence Centre of Excellence. The final Tallinn Manual international group of experts meeting is scheduled for March 2016. More details on the Tallinn Manual 2.0 process and a short video featuring interviews with participants can be found here.

'Double-Dipping' with MOOCs (InsideHigherEd, 13 Oct 2015) - As massive open online course providers specialize in disciplines and delivery modes, universities are looking for new opportunities to experiment. The trend appears to be benefiting edX. Many colleges have "double-dipped" by joining both Coursera and edX, two major MOOC providers, since MOOCs went mainstream in 2012. For example, the California Institute of Technology, Rice University and the University of Toronto all partnered with Coursera in July 2012 and then joined edX in 2013. Similarly, Peking University in Beijing first partnered with edX in May 2013, then with Coursera three months later. But among colleges and universities in the U.S., movement from one MOOC platform to the next is a one-way street. According to an Inside Higher Ed analysis, at least 10 of the institutions that first partnered with Coursera have since joined edX. Not a single edX institution has gone the other way. After adding the University of Michigan to its list of charter members last week, edX has now recruited all of Coursera's earliest partners, including the University of Pennsylvania, which joined in June, and Princeton University, in September. Even Stanford University, where Coursera co-founders Daphne Koller and Andrew Ng are faculty members, has since 2013 been a major contributor to Open edX, the MOOC provider's open-source platform.

- and -

U of Florida cancels huge Pearson contract (InsideHigherEd, 22 Oct 2015) - The University of Florida on Wednesday announced that it is terminating a huge 11-year deal for Pearson to build and manage the university's online programs. The announcement came in an internal email obtained and published by Politico Florida. The email says the university will be better able to serve online students by including them in general university operations and obtaining some new specialized help for some areas, such as marketing. The size of the deal (Pearson could have earned $186 million if it met all goals) has made it a target of criticism from some on campus. The agreement included a provision stating that Florida could withdraw or renegotiate if certain goals weren't met. And out-of-state enrollment goals weren't met, giving the university the option it is now exercising. A month ago, both sides said they were in discussions that could have led to the agreement being modified, not ended.

Volkswagen: Where were the lawyers? (Paul Lippe, 13 Oct 2015) - With Volkswagen reeling from one of the worst corporate scandals of our time, let's consider the same question asked of Enron and other similar debacles: Where were the lawyers? According to the New York Times, Volkswagen said that 11 million of its diesel cars worldwide were equipped with software that was used to cheat on emissions tests. Volkswagen's conduct is quite egregious, a concerted fraud around the core value proposition of "clean diesel." Somebody at Volkswagen deliberately conspired to manipulate tests run by a multitude of government agencies to mask emissions. No wonder the potential consequences for Volkswagen are severe. * * * One tenet of the New Normal is that we've moved into a world of transparency where any improper action is almost certain to be revealed over time. So most of these shortcuts are unwise before they are unethical. But what most litigation and enforcement actions reveal is that most companies are relatively less transparent to themselves - the bad actions are not obvious when occurring, only in hindsight. And while most legal regimes attribute bad actions to the enterprise as a whole, the practical reality is the "company" may not really know. It's the responsibility of lawyers to bridge that gap. Which leads to the iconic DieselGate question: What did Volkswagen's lawyers know, and when did they know it? Perhaps there are seven possibilities: * * *

Copyright battle over sports clips plays out on Twitter (The Hill, 13 Oct 2015) - Twitter temporarily shut down a pair of prominent accounts run by sports news websites over the holiday weekend for posting short clips of NFL and college football highlights. Deadspin's account and one run by SB Nation were removed after receiving takedown notices under the Digital Millennium Copyright Act, a law that says websites cannot be liable for what their users post but which also requires those websites to remove infringing content when it is flagged. Deadspin's account was reinstated after being down for about two hours Monday evening, while the SB Nation account, @SBNationGIF, was still down Tuesday morning. The sharing of unauthorized sports highlights has been a point of past contention on social media platforms and how it relates to fair use. During the World Cup, a bot that automatically created and shared clips of every goal received takedown notices on Twitter and other social media sites at the time. SB Nation's account was suspended over college football GIFs, according to The Verge, a sister company of the sports website. Deadspin told media organizations it received 18 takedown notices from the NFL about 16 tweets that included GIFs of football highlights. After Twitter stripped the GIFs out of the tweets, the account was reinstated. Deadspin sent out a number of mocking tweets about NFL commissioner Roger Goodell after the dustup.

Buying a copy of The New York Times now gets you digital access for that day (The Verge, 14 Oct 2015) - The New York Times is launching a new experiment: buy a physical copy of the paper from any newsstand, and you'll be gifted full, unbridled access to NYTimes.com and the company's mobile apps for that same day. This marks the first time the Times is offering "day passes," as they're being called, and is meant to "provide newsstand customers with a similar benefit to that of home delivery subscribers." (Subscribing to the paper gets you 24/7 digital access.) It's also intended to showcase the worth of the Times' vast digital presence to people who've made reading the paper part of their daily routine. That said, it's not like the company is having trouble hooking online readers; earlier this year, the Times passed a significant milestone: 1 million digital-only subscribers. The process of redeeming a day pass is slightly convoluted, though. Within the Times you'll find a keyword. Text that keyword to a mobile shortcode, and a reply containing a link for digital access gets sent back. You'll need to register an account if you don't already have one, and unlimited digital access cuts off at 11:59PM ET sharp. After that, you're back to the 10-articles-per-day limit. If you're still unsure whether the Times is worth paying for, there's always the NYT Now iPhone app, which remains a fantastic way to keep up with breaking news - without any subscription. It's updated constantly with hand-picked articles and an informative Morning Briefing that preps you for that day's biggest stories.

Why attorneys dislike consumer reviews (Eric Goldman, 15 Oct 2015) - I recently read an article by Prof. Cassandra Burke Robertson (Case Law) entitled "Online Reputation Management in Attorney Regulation." This article discusses two of my favorite topics: (1) why do professional service providers struggle with online reviews more than other marketplace vendors?, and (2) can we build a well-functioning ODR to extra-judicially redress problematic online reviews? If you're interested in online reviews, Section 230, the regulation of lawyers or ODR - and let's face it, if you read this blog, you probably are - I recommend this article to you. I've repeatedly written and spoken about the medical community's battles against patient reviews, such as this essay that inventories some factors explaining why doctors seem uniquely opposed to patient reviews. Prof. Robertson addresses the same basic question, except for lawyers instead of doctors, and she provides a psychology-based explanation. She points to three main factors: * * *

Why National CineMedia is saying 'no' to all political advertising (Adweek, 15 Oct 2015) - As the 2016 presidential election cycle comes around, ad dollars will soon be flying, with spending on TV ads predicted to reach more than $4 billion. But National CineMedia is walking away from that, designating its 1,600 theaters "politics-free zones." Cliff Marks, NCM's president of sales and marketing, told Adweek it's not an easy decision to forgo all that potential revenue but that the company wants to keep its theaters free from the "sea of negative ads" viewers will likely be inundated with over the next year. NCM's preshow program, FirstLook - which features entertainment content from ABC Networks, A+E Networks, CBS Entertainment, Disney, Hasbro, Microsoft, NBC, Nintendo, Turner Broadcasting System and Yahoo, along with national, regional and local advertising - reaches over 700 million moviegoers annually. NCM said its national reach and average weekly audience translates to a Nielsen rating north of 7.0 among the advertiser-coveted 18-to-49 demographic. (And there's no way for viewers to skip through commercials.) That would make NCM seem like an enticing place for presidential hopefuls to get their message out, but Marks said he doesn't want to be associated with a negative marketplace. "Nobody wants to walk away from what will surely be a $4 billion market," Marks said, adding that it's more important to keep the moviegoing experience entertaining and maintain a safe haven for NCM's other advertisers. "We think brands are going to get really sick of having their image and their brand projected next to these negative ads," he said. "How is anybody going to remember your brand and your message?"

- and -

Judge orders school to delete Facebook post about school board candidate (Ars Technica, 26 Oct 2015) - A judge ruled recently (PDF) that a post on a high school's Facebook page about a school board candidate in a neighboring school district constituted an illegal campaign contribution. Even though no money was given to the candidate, the judge ruled that the post's influence had intrinsic value.

Illinois adopts duty of technology competence; Is now 15th state to do so (Robert Ambrogi, 16 Oct 2015) - The Supreme Court of Illinois yesterday adopted the ethical duty of technology competence, making it the 15th state (by my count) to have adopted the 2012 amendment to the ABA Model Rules of Professional Conduct. The Illinois change mirrors the Model Rule and amends Comment 8 to Rule 1.1, Competence, to read (changed text is underlined): To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. The change becomes effective Jan. 1, 2016.

Cybersecurity is a board room issue (The Recorder, 16 Oct 2015) - This week, Palo Alto Networks paired up with the New York Stock Exchange to publish "Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers." The work of 35 contributors, it includes chapters on the Internet of Things, international regulation, steps to prevent a data breach, as well as how to respond to one. The book is meant to be used by corporations and government agencies. Fish & Richardson principal Gus Coldebella, who helped write several chapters for the book, spoke with The Recorder about the effort and the legal implications of security breaches. Coldebella served as the acting general counsel for the U.S. Department of Homeland Security from 2007 to 2009.

- and -

What cybersecurity questions are boards asking CISOs? (Security Intelligence, 23 Oct 2015) - "Increasingly, cybersecurity is becoming a top-of-mind issue for most CEOs and boards, and they are becoming more preemptive in evaluating cybersecurity risk exposure as an enterprisewide risk management issue, not limiting it to an IT concern." - Deloitte's "Cybersecurity: The changing role of audit committee and internal audit." As mentioned in a previous article, boards are feeling increased pressure from government regulators and shareholders regarding their role in the oversight of cyber risks. This article looks at the questions a CISO is likely to face when presenting to the board, as well as what directors are advised to ask CISOs about when it comes to cybersecurity. Boards have only recently taken on cyber risks in the boardroom. They are still looking to find the right fit for cyber risks within the board and its environment, as evidenced by ongoing arguments such as whether cyber risks should be a full-board issue or delegated to an audit or risk committee, and what amount of time boards should give to cyber issues. According to KPMG's latest report, "Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom," the questions on directors' minds are: "Am I asking the right questions? How do I get comfortable? Are we doing enough? How do I know we are doing the right things? Are we making the right decisions?" The report goes on to list questions that boards are asking about cybersecurity oversight in general, including whether the CISO function is correctly positioned (i.e., not under the CIO), whether the CISO has direct reporting capability to the CEO, and the frequency and quality of meetings and briefings where cyber risks are the primary topic. In particular, boards are concerned about their responsibilities to shareholders when it comes to cybersecurity.
Notably, this includes whether boards themselves are asking the right questions and receiving quality answers and, most importantly - from a director's perspective, anyway - whether the board is being transparent enough in keeping shareholders informed about the organization's handling of cyber risks.

- and -

SEC may target CCOs on cybersecurity (Ride the Lightning, 26 Oct 2015) - Legaltech News (sub. req.) reported that two recent speeches by Securities and Exchange Commission (SEC) officials probably got the attention of every chief compliance officer (CCO). In the first, SEC Chief of Staff Andrew J. Donohue indicated that the SEC will continue to bring enforcement actions against CCOs for not addressing compliance issues, including cybersecurity. Donohue tempered his remarks by reiterating SEC Chair Mary Jo White's position that the SEC does "not bring cases based on second guessing compliance officers' good faith judgments." However, Donohue challenged compliance professionals to be "pro-active" in their work and pointed to three recent SEC enforcement actions against CCOs on the ground that they failed to implement compliance programs reasonably tailored to the specific needs of their firms. Two days after Donohue's speech, White announced: "While cybersecurity attacks cannot be entirely eliminated, it is incumbent upon private fund advisers to employ robust, state-of-the-art plans to prevent, detect, and respond to such intrusions." * * *

- and -

Is this the definitive cybersecurity guide? (Rich Santalesa at IAPP, 27 Oct 2015) - While many companies come up short on their cybersecurity programs or ability to safeguard data privacy, one area where no gap exists is in the number of security guidance documents - from industry groups, federal regulators, consultants, law firms and others. Joining this crowd of guidance is a partnership effort between the New York Stock Exchange, Palo Alto Networks Inc., Georgia Tech, the Internet Security Alliance and the Security Roundtable, which recently released the free 355-page Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. The guide is available for free download in PDF, Kindle and EPub formats at SecurityRoundtable.org. But what does the hefty 355-page tome have to say that isn't covered already elsewhere or in more "persuasive" regulatory guidance for privacy professionals? For starters, there is a wealth of solid information, best practices, useful checklists and meaningful recommendations contained in the guide that any corporate director or officer would do well to absorb and implement. If they did, it'd make our daily challenges as privacy professionals a great deal easier. Most chapters are short, running four to six pages. The introductory 40-page section itself could serve as a solid primer for corporate leadership and is both concise and specific enough to throw the fear of God into any reasonable board and C-level personnel on the importance of and effort required for solid cybersecurity.
The remaining sections focus on cyber risk's importance to boards of directors; the risk posed to corporate structures by digital threats; best practices in designing threat-based approaches and breach prevention; the complexity of incident response issues; managing cybersecurity risks in supply chains and with third-party vendors (an increasingly important area for virtually every sector); notable legal and regulatory concerns; "investing" in cyber insurance and data security, and finally, the vital importance of employee education and clear internal communications on cyber risk matters.

Cyber criminals caused "substantial losses" to 50 law firms this year, SRA says (Legal Futures, 16 Oct 2015) - Cyber criminals have caused "substantial losses" to 50 law firms this year, ranging from £50,000 to £2m, the Solicitors Regulation Authority (SRA) has said. Steve Wilmott, director of intelligence and investigations at the SRA, said a further 20 firms had fallen victim to e-mail redirection scams since Christmas, involving "very substantial" amounts of money. Mr Wilmott said cyber criminals were becoming "very, very clever" and described how one firm, which lost over £2m, spent three hours on the phone with one of them.

- and -

ABA survey exposes law firm ignorance over information security (JD Journal, 21 Oct 2015) - The ABA's 2015 Legal Technology Survey contains 700 pages of data points regarding technology and security, and lays out one of the biggest vulnerabilities firms face: information security breaches. The survey also demonstrates most lawyers don't consider data security to be a major threat. Earlier this year Citibank warned that "it is reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies." Specifically, firms with 100 lawyers or more serve as prime targets for data breach. Nevertheless, of those 880 lawyers surveyed, only 11.4 percent said their firms have cyber liability insurance. Eighty percent didn't even know if their firm had the coverage. Furthermore, 52 percent of firms with over 100 attorneys were ignorant as to whether a client had ever asked to verify security practices or conduct a security audit. According to attorney Vincent Polley, "There are two types of law firms: those that know they've been hacked and those that do not." Attorneys have inside information on mergers, patents, and other important business deals. Data breaches can be damaging and costly, and may even destroy attorney-client privilege. "There is no question that law firms are among the companies being targeted by cyber criminals," says Shane Sims, a director in PwC's Forensic Services Group. Mary Galligan, the former Special Agent in Charge of Cyber and Special Operations at the FBI's New York City office adds, "As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it's a much, much easier quarry." [Polley: My quote was way out of context, but isn't far off the mark.]

Secret source code pronounces you guilty as charged (Ars Technica, 17 Oct 2015) - The results from a Pennsylvania company's TrueAllele DNA testing software have been used in roughly 200 criminal cases, from California to Florida, helping put murderers and rapists in prison. Criminal defense lawyers, however, want to know whether it's junk science. Defense attorneys have routinely asked, and have been denied, access to examine the software's 170,000 lines of source code in a bid to challenge the authenticity of its conclusions. The courts generally have agreed with Cybergenetics, the company behind TrueAllele, that an independent examination of the code is unwarranted, that the code is a proprietary trade secret, and disclosing it could destroy the company financially. A new challenge, pending before the California Supreme Court, concerns some of the company's latest conclusions. The results are evidence in a cold-case murder, yet they differ astronomically from traditional DNA testing. The dispute comes as secret code is creeping into our everyday life in what is known as the Internet of Things. It's in everything, from airplanes to refrigerators, medical devices, and even elevators, light fixtures, and cars.

Powerful fair use opinion from Second Circuit in Google Books case (David Post on Volokh Conspiracy, 17 Oct 2015) - In the latest installment of the long-running copyright litigation between the Authors Guild and Google over the Google Books project, the U.S. Second Circuit Court of Appeals has now held that Google's "copying" and "public distribution" of copyright-protected books to allow full-text searching through those works (and the display of "snippets" of text from the works) is protected as a noninfringing "fair use" under the Copyright Act. The opinion, by Judge Pierre N. Leval - the author of a highly influential law review article on the fair use doctrine ("Toward a Fair Use Standard," 103 Harv. L. Rev. 1105 (1990)) and a number of important decisions (in the district court and CA2) on the scope of the doctrine - is well-crafted and quite persuasive. * * * [Polley: see also Google's court victory is good for scholarly authors. Here's why. (Pam Samuelson in Chronicle of Higher Ed, 27 Oct 2015)]

OPM says it breaks encryption to monitor employees' browsing habits (NextGov, 19 Oct 2015) - The code-breaking National Security Agency and the recently hacked Office of Personnel Management have more in common than one would think. Both keep tabs on the Internet traffic of government workers to prevent malicious actors from penetrating U.S. networks. NSA breaks into the private communications of foreign adversaries for intelligence gathering. OPM officials peek at what their employees are browsing because, increasingly, the bad guys are using tainted websites as a launching pad, said Jeff Wagner, OPM director of security operations. Through a technique called "SSL decryption," the agency sees through secure online transactions between a worker's computer inside the agency firewall and an external website. "When I bring up SSL decryption -- first, it's always the 'How do you do it without the OGC getting mad at you?' discussion, which is true," he said, using the abbreviation for Office of General Counsel. "You are going to get a lot of privacy questions." [Polley: ya think? Such MiTM attacks are going on in many (most?) employer contexts.]

The Dos and Don'ts of researching judges and juries online (Lawyerist, 21 Oct 2015) - It makes sense to research potential jurors, and social media makes it easier than ever. But courts have only recently begun to issue guidance now that researching jurors and other courtroom players online is becoming an increasingly common practice. Researching judges, too, has its advantages. Some jurisdictions, like California, allow you to strike a judge once per case without establishing bias. Although there are limitations and technicalities on these rules, they can give you a say in who decides cases - making it important to know your judge. But even if you cannot strike a judge for any reason, wouldn't you want to know if the judge deciding your case despises loud yawns, sings the blues, or has a tendency to belt out show tunes while court is in session? * * * [Table of hyperlinked governing authorities] * * * Not only does online research give you a competitive advantage in the courtroom, you may have an ethical obligation to do it. One court has approved of using new technologies to research potential jurors. After the jury returned the verdict for the defendant in Johnson v. McCullough, the plaintiff's lawyer searched a litigation database and found a non-responsive juror had been a defendant in multiple debt collection cases and a personal injury case. The trial court granted the plaintiff's motion for a new trial and the Supreme Court of Missouri affirmed, encouraging reasonable efforts to use the Internet to research the litigation history of selected jurors and present any relevant information prior to trial. Many courts have given the green light to research opposing counsel, judges, juries, and others using social networks like Facebook, Twitter, Myspace, and Xanga (apparently, the last two are still a thing). However, you are generally prohibited from sending any type of connection request to the social media user you are researching.
This means you cannot ask to connect or take any other action that tells account holders you are researching them. The American Bar Association issued a formal opinion strongly suggesting you should not request access to the social media accounts of jurors before or during a court proceeding. In Formal Opinion 466, the ABA Standing Committee on Ethics and Professional Responsibility stated that any communication to a juror that requests access to information not made public is considered a prohibited ex parte communication under Model Rule 3.5(b). Some courts have interpreted this to ban any contact that results in the notification of the social media account holder. However, courts have yet to reach a consensus on this issue. Bar associations in Oregon, Kentucky, New Hampshire, and New York have all followed suit, giving the go-ahead to access the public social media pages of jurors, witnesses, and other parties in pending cases. * * *

Regulators are fueling cyberinsurance demand, report says (Law360, 21 Oct 2015) - The ballooning number of companies turning to cyberinsurance to cover losses related to increasingly prevalent data breaches is likely to continue to expand as more regulators focus on the issue and underwriting standards become better defined, experts predicted in a report released Tuesday. In the white paper, titled "What Every Chief Information Security Officer Needs To Know About Cyber Insurance," attorneys, brokers and other industry experts offered corporate leaders involved in cyberinsurance decisions advice on topics ranging from how regulators and legislatures are dealing with the issue and lawyers' role in the process to the best practices for responding to breaches and choosing insurance coverage. "We have a lot of customers on the security side who are now getting involved in cyberinsurance and don't really have a good understanding of what that means," Bob Shaker, global leader of incident response operations for Symantec Corp., which organized and released the white paper, told Law360. "With all the questions we were getting, we thought it would be a good idea to get some thought leaders to write about different components of the industry in order to put those responsible for security in a better position to get the most from cyberinsurance that they can."

EU's top court rules that bitcoin exchange is tax-free (Bloomberg, 22 Oct 2015) - Bitcoin and other virtual currencies can be exchanged tax free, the European Union's top court said in a ruling that puts them on a more equal footing with traditional cash. Value added tax -- a type of sales levy -- needn't be applied because the business involves "the exchange of different means of payment," the EU Court of Justice in Luxembourg ruled Thursday. The case was triggered by a dispute in Sweden, where David Hedqvist set up a service for the exchange of mainstream money for bitcoin and vice versa.

- and -

A Bitcoin charm offensive on law enforcement (WaPo, 22 Oct 2015) - * * * As part of a wider effort to change Bitcoin's image in the minds of regulators and lawmakers, advocates of the technology have begun working with a group whose background and expertise make them well-respected within the Beltway: Federal law enforcement. The Justice Department, Secret Service and other agencies are beginning to understand how to use Bitcoin for forensics - tracking flows of digital money across borders and online wallets just as they do with government-backed dollars. And the companies that handle these online transactions want to help. So they've created a first-of-its-kind trade group, known as the Block Chain Alliance, to reach out to federal officials. The organization is designed as a one-stop shop where authorities who need a hand navigating the complex world of Bitcoin transactions can get advice and a steer in the right direction. Jerry Brito is the executive director of the Coin Center, and he helped bring together the 20-odd Bitcoin companies trying to build a relationship with governments both here and abroad.

US government says it's now okay to jailbreak your tablet and smart TV (The Verge, 27 Oct 2015) - The US Library of Congress today issued a set of exemptions to an infamous provision in the Digital Millennium Copyright Act (DMCA), establishing a victory for consumers who like to tinker with devices without running afoul of copyright law. The exemptions were far-reaching, extending from movie and television files used in an educational context for criticism to installing third-party software - in other words, jailbreaking - on tablets and smart TVs. The Library of Congress meets around every 36 months to decide new exemptions and re-establish previous exemptions to the DMCA's 1201 provision. That provision has made it illegal in the past to unlock your smartphone from its carrier or even to share your HBO Go password with a friend. It's designed to let corporations protect copyrighted material, but it allows them to crack down on circumventions even when they're not infringing on those copyrights or trying to access or steal proprietary information. The exemptions, though they only last three years, are designed to remedy that. Yet regulators tend to leave out devices, like in 2012 when the group approved jailbreaking for smartphones but not tablets. This year the Library of Congress got together and established a handful of now well-known exemptions - like the ability to unlock your smartphone from its carrier - and a slew of new ones covering a range of devices. You can continue to unlock your smartphone and tablet, and the same now goes for Wi-Fi hotspots and wearable devices with cellular connections. As for jailbreaking, you can continue to do so with smartphones and now, for the first time, tablets and smart TVs as well. You're still not allowed to jailbreak e-readers, handheld gaming devices, or laptops and desktop computers.
Video game consoles are also off limits, as the Library of Congress found that, "as in 2012, opponents provided substantial evidence that console jailbreaking is closely tied to video game piracy." Perhaps the most interesting new exemption allows for the tinkering of automotive software for the purpose of "good faith security research" and for "lawful modification." The ruling comes after a concerted effort from the Electronic Frontier Foundation, which filed for two exemptions that are now more relevant than ever in the wake of the Volkswagen emissions scandal.

Harvard law library readies trove of decisions for digital age (NYT, 28 Oct 2015) - Shelves of law books are an august symbol of legal practice, and no place, save the Library of Congress, can match the collection at Harvard's Law School Library. Its trove includes nearly every state, federal, territorial and tribal judicial decision since colonial times - a priceless potential resource for everyone from legal scholars to defense lawyers trying to challenge a criminal conviction. Now, in a digital-age sacrifice intended to serve grand intentions, the Harvard librarians are slicing off the spines of all but the rarest volumes and feeding some 40 million pages through a high-speed scanner. They are taking this once unthinkable step to create a complete, searchable database of American case law that will be offered free on the Internet, allowing instant retrieval of vital records that usually must be paid for. While Harvard's "Free the Law" project cannot put the lone defense lawyer or citizen on an equal footing with a deep-pocketed law firm, legal experts say, it can at least guarantee a floor of essential information. The project will also offer some sophisticated techniques for visualizing relations among cases and searching for themes. Complete state results will become publicly available this fall for California and New York, and the entire library will be online in 2017, said Daniel Lewis, chief executive and co-founder of Ravel Law, a commercial start-up in California that has teamed up with Harvard Law for the project. The cases will be available at www.ravellaw.com. Ravel is paying millions of dollars to support the scanning. The cases will be accessible in a searchable format and, along with the texts, they will be presented with visual maps developed by the company, which graphically show the evolution through cases of a judicial concept and how each key decision is cited in others.
On Ravel sites currently available to the public, for example, a lawyer planning to challenge the 2010 Citizens United decision, which permitted corporations to make independent political expenditures, can enter "campaign finance" and see in schematic form the major cases at the district, appellate and Supreme Court levels that led up to the 2010 decision and the subsequent cases that cite it.

OK Google: Where do you store recordings of my commands? (NPR, 29 Oct 2015) - Sure, our smartphones know a lot about who we are. If you have an Android smartphone, you may not know that Google saves all of the voice commands you give it. They're archived online in your Google account. Google says it keeps the audio search information to improve its voice recognition. Android users can opt out, which keeps your recordings anonymous. (Apple also stores voice commands collected by Siri users, though they're not so obviously associated with users.) You can find your audio commands - as well as other histories, like all of the YouTube videos you've searched for and watched - by visiting your Google history page. You can disable this storage feature by managing your activity. Otherwise, you can look through and listen to your Google voice searches - all those times you said "OK Google" and asked for directions, set alarms, dictated texts and searched for answers to the many questions that pop into your head throughout the day.

Trading in IP addresses becomes a lucrative market (ABA Journal, 1 Nov 2015) - When clients approached Marc Lindsey in 2008 about a request from the American Registry for Internet Numbers to voluntarily give back unused IP addresses, he researched the issue. Then he advised his clients to hang on to them. That simple piece of advice saved clients a valuable asset and brought Lindsey into a lucrative niche market. "When the market appeared to be taking shape, we went back and proactively reached out to our clients early on to inform them that there's an opportunity to sell," says Lindsey, president and co-founder of Avenue4, a company specializing in buying and selling Internet Protocol addresses. "I advised them to keep their IP addresses when transferring assets and to exclude, or include for value, their IP addresses in corporate mergers, acquisitions and divestitures," he says. Lindsey estimates there are 800 million to 1 billion unused addresses in the Internet Protocol version 4 format available in the secondary market (not transferred through the American Registry for Internet Numbers). That creates a market of between $6.4 billion and $10 billion. Acknowledging difficulties in estimating prices and numbers of transfers, he says that in 2014 ARIN reported secondary-market transfers of just under 14 million IPv4 addresses. That might present a total value of trades in 2014 and 2015 of about $143 million, and "during that same period Avenue4 brokered and closed deals valued at more than $74 million."

RESOURCES

Employee Privacy (MLPB, 16 Oct 2015) - Steven L. Willborn, University of Nebraska, Lincoln, College of Law, is publishing Notice, Consent, and Non-Consent: Employee Privacy in the Restatement in volume 100 of the Cornell Law Review (2015). Here is the abstract: Privacy claims necessarily entail two determinations. First, the domains protected by privacy must be identified. What spaces, or thoughts, or data are legally protected as "private"? Second, what does it mean when something is within a domain protected as private? What limitations does that impose on others and to what extent can the privacy holder consent to waive her privacy protections? Both of these determinations are especially fraught when the issue is employee privacy. Employers have a great deal of control over the domains an employee can legitimately consider to be private. And when a domain is determined to be "private," employers have many ways to encourage employees to waive any privacy protections. The American Law Institute recently completed an effort to "restate" the common law of employment. This paper closely examines the Restatement of Employment Law's treatment of employee privacy. On the domains protected as private, the Restatement confers considerable authority on employers to expand and, more troublingly, to limit employee privacy rights. On the ability of employees to waive their privacy rights, the Restatement provides some new and innovative protections, but fails to emphasize the centrality of consent to the privacy regime.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Pentagon's urban recon takes wing (Wired, 29 Nov 2005) -- A leading defense contractor has successfully demonstrated a system that lets foot soldiers command unmanned aerial vehicles, or UAVs, to see real-time overhead images on their handheld computers while fighting in urban battle zones. Individual war fighters can receive video-surveillance data on a target of interest by moving a cursor over the subject, as part of a Northrop Grumman system to automate reconnaissance, surveillance and target acquisition, or RSTA, within urban environments. UAVs have already proven their worth in the kinds of urban battle zones that produce daily headlines out of Iraq -- places like Falluja and Najaf, where the drones can navigate the labyrinth of streets or stealthily peer into buildings. But ground troops don't currently have direct access to this surveillance and reconnaissance data, and they have no control of the aircraft that deliver it. That's what HURT, for Heterogeneous Urban RSTA, promises to change. Northrop demonstrated the system this fall on the former site of Georgia Air Force Base in Victorville, California, on a grid of abandoned streets and buildings used to train soldiers in urban combat. Two fixed-wing UAVs, a Raven and a Pointer, along with an Rmax rotorcraft, were put aloft under the control of the system. Participants on the ground were able to view wide-area surveillance of the battle zone on handheld monitors, but could also send one of the UAVs in for a closer look at a suspected enemy position by merely moving over the subject with their cursor.

U.S. cybersecurity due for FEMA-like calamity? (CNET, 7 Oct 2005) -- In the wake of Hurricane Katrina, the Federal Emergency Management Agency has been fending off charges of responding sluggishly to a disaster. Is the cybersecurity division next? Like FEMA, the U.S. government's cybersecurity functions were centralized under the Department of Homeland Security during the vast reshuffling that cobbled together 22 federal agencies three years ago. Auditors had warned months before Hurricane Katrina that FEMA's internal procedures for handling people and equipment dispatched to disasters were lacking. In an unsettling parallel, government auditors have been saying that Homeland Security has failed to live up to its cybersecurity responsibilities and may be "unprepared" for emergencies. "When you look at the events of Katrina, you kind of have to ask yourself the question, 'Are we ready?'" said Paul Kurtz, president of the Cyber Security Industry Alliance, a public policy and advocacy group. "Are we ready for a large-scale cyberdisruption or attack? I believe the answer is clearly no." The department, not surprisingly, begs to differ. "Cybersecurity has been and continues to be one of the department's top priorities," said Homeland Security spokesman Kirk Whitworth. But more so than FEMA, the department's cybersecurity functions have been plagued by a series of damning reports, accusations of bureaucratic bungling, and a rapid exodus of senior staff that's worrying experts and industry groups. The department is charged with developing a "comprehensive" plan for securing key Internet functions and "providing crisis management in response to attacks"--but it's been more visible through press releases such as one proclaiming October to be "National Cyber Security Awareness Month." Probably the plainest indication of potential trouble has been the rapid turnover among cybersecurity officials.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, October 10, 2015

MIRLN --- 20 Sept - 10 Oct 2015 (v18.14)

MIRLN --- 20 Sept - 10 Oct 2015 (v18.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Law firms in Florida can send text-message ads to prospective clients, state bar says (ABA Journal, 2 Sept 2015) - Rejecting a recommendation by an advertising subcommittee, the Florida Bar’s board of governors has OK’d the use of cellphone text messages for advertising law firm services to prospective clients. Florida is only the second state in the country to give the green light to lawyers to use texts for advertising purposes, the Daily Business Review reports. Ohio was the first. Text ads, which are considered by the bar to be simply another form of written advertising, must comply with the same legal ethics rules as other ads. Because texts have been deemed to fall within the existing scheme of bar advertising rules, the OK by the board of governors on July 24 was effective immediately and state supreme court approval is not required. Among the young lawyers who pushed for text-ad approval was Jacob Stuart Jr. of the Traffic Knights law firm in Orlando. He also has a software company, and he says his software can obtain cellphone numbers of Florida drivers who have been ticketed and determine whether they get free texts from their cell service providers. “There were 270,000 traffic tickets issued in Orange County last year, and 81 percent of those people did not have representation,” Stuart said. “There’s a market no one is touching, and it’s a market of working-class people.” Opponents argued unsuccessfully that text ads are more like prohibited phone calls to prospective clients.

Are Internet providers ripping off some of their biggest customers? This data may tell. (WaPo, 17 Sept 2015) - Federal regulators are finally releasing a huge trove of pricing and network data they’ve spent months collecting on the massive $40 billion market for business broadband, part of an effort to determine whether Internet providers such as Verizon and AT&T are charging hospitals, universities and other enterprises fairly for data and communications services. Most of us may be more familiar with the retail market for broadband, where Internet providers charge consumers a monthly fee for access to the Web. Although it’s more obscure, the business market for high-speed data is no less important: It’s what helps ATMs connect to your bank account, and how smaller cellular carriers like Sprint route your phone calls across the country. Even your office building might be a customer in this industry. Some firms argue that, just as in the residential broadband space, a lack of competition among Internet providers drives up prices. British Telecom, which reportedly serves some 75 percent of all Fortune 500 companies as a technology and networking provider, highlighted this issue in a recent Financial Times interview. “Almost all access is being provided by two companies and they have divided the country among themselves,” Bas Burger, the head of British Telecom’s Americas division, told the Times. Burger also called for the Federal Communications Commission to step up its regulation of business broadband, or what’s known in the telecom industry as the market for “special access.” AT&T, one of the biggest providers of special access, fired back last week with a blog post accusing BT of hypocrisy and trying to tilt the gigantic playing field in its favor. The data being released Thursday by the FCC will likely help economists and antitrust experts figure out just how much competition exists in the U.S. market for business broadband. 
The goal of the analyses, according to an FCC official, will be to develop a new agency formula that would help determine appropriate rates. In areas with numerous special access providers, regulations may be relaxed. In cities where competition is said to be lacking, regulations may be adjusted or increased. The commission is expected to come up with a concrete proposal next year based on feedback from outside experts and its own staff. Unfortunately, there’s no way for the general public to review the data, which is highly sensitive. Only analysts who’ve been specially cleared by the FCC will be able to access the information — which includes network maps, pricing information, and confidential company documents — from a secure facility.

Shake-up in legal research: Fastcase acquires Loislaw from Wolters-Kluwer (Robert Ambrogi, 21 Sept 2015) - The legal research company Fastcase has acquired one of its prime competitors among middle-market legal research providers, Loislaw. Fastcase has purchased Loislaw from Wolters Kluwer, which had acquired it in 2000 for $95 million. Loislaw subscribers began receiving notices over the weekend informing them of the news. The letter stated that WK will sunset the Loislaw product effective Nov. 30, and that “we are collaborating with Fastcase so they can offer comparable subscription plans on the Fastcase platform, including Loislaw treatise libraries, at the same or lower prices as your current Loislaw subscription.” In an email, Deborah L. Sauer, executive director strategic communications at Wolters Kluwer Legal & Regulatory, said the deal stemmed from the continued evolution of WK’s business: “In the continued evolution of our business we feel the time is right to further focus our investments in providing the highly valued expert interpretations, insight, guidance, and solutions that enable customers to enhance their decision quality, drive their workflows, and inform confident outcomes.” For subscribers to Loislaw, a key feature has been access to Wolters Kluwer’s library of some 125 treatises in areas of law such as bankruptcy, business, employment, insurance, intellectual property, real estate and others. When they migrate to Fastcase, they will retain that access.

European court adviser calls trans-Atlantic data-sharing pact insufficient (NYT, 23 Sept 2015) - The laws governing companies that share online customer data between Europe and the United States may soon become a lot tougher. A legal position published in Luxembourg on Wednesday by a senior adviser to Europe’s highest court said that a trans-Atlantic “safe harbor” agreement allowing companies to ship people’s data between both regions did not provide sufficient checks on how that information may be used. The ruling by Yves Bot, the advocate general of the European Court of Justice, could have a significant impact on companies like Facebook and Google, which routinely move data about people’s online activities like social media postings and online search queries outside the 28-member bloc. “This could have a major economic impact on Europe and the U.S. if the court follows this opinion,” said Patrick van Eecke, a data protection lawyer at DLA Piper in Brussels. Although the opinion is nonbinding, the position of the senior adviser is often followed by the court. A final judgment is expected by the end of the year, though some analysts said a decision could come as early as next month.

- and -

Don’t strike down the Safe Harbor based on inaccurate views about US intelligence law (Peter Swire, 5 Oct 2015) - Important legal decisions should be based on an accurate understanding of the law and facts. Unfortunately, that is not the case for the Advocate General’s (AG’s) recent Opinion finding the Safe Harbor agreement between the U.S. and the EU unlawful. As the U.S. Mission to the EU has also noted, the Opinion suffers from particular inaccuracies concerning the law and practice of U.S. foreign intelligence law, notably the PRISM program. It relies on these incorrect facts about PRISM to reach its conclusion, removing the factual basis for its overall findings. My comments here focus on the Opinion’s incorrect description of U.S. intelligence law and practice. In my experience as a scholar and practitioner in the field, the U.S. has far more extensive legal rules, oversight and other checks and balances on intelligence agencies than is generally true in E.U. member states. * * *

- and -

Europe-U.S. data transfer deal used by thousands of firms is ruled invalid (Reuters, 6 Oct 2015) - The EU’s highest court struck down a deal that allows thousands of companies to easily transfer personal data from Europe to the United States, in a landmark ruling on Tuesday that follows revelations of mass U.S. government snooping. Many companies, both U.S. and European, use the Safe Harbour system to help them get round cumbersome checks to transfer data between offices on both sides of the Atlantic. That includes payroll and human resources information as well as lucrative data used for online advertising, which is of particular importance to tech companies. But the decision by the Court of Justice of the European Union (ECJ) sounds the death knell for the system, set up by the European Commission 15 years ago.

Fifth Amendment protects passcode on smartphones, court holds (Orin Kerr in Volokh Conspiracy, 24 Sept 2015) - In a new case decided Wednesday, SEC v. Huang, a federal trial court in Pennsylvania held that the government can’t force a person to give up his passcode to his smartphone. I think the decision misses the mark, and I hope it is appealed. Here’s a rundown. First, the facts. The Securities and Exchange Commission (SEC) is investigating Bonan and Nan Huang for insider trading. The two worked at the credit card company Capital One as data analysts. According to the complaint, the two allegedly used their jobs as data analysts to figure out sales trends at major U.S. companies and to trade stocks in those companies ahead of announced company earnings. According to the SEC, they turned a $150,000 investment into $2.8 million. Capital One let its employees use company-owned smartphones for work. Every employee picked his own passcode, and for security reasons did not share the passcode with Capital One. When Capital One fired the defendants, the defendants returned their phones. Later, as part of the investigation, Capital One turned over the phones to the SEC. The SEC now wants to access the phones because it believes evidence of insider trading is stored inside them. But here’s the problem: The SEC can’t get in. Only the defendants know the passcodes. And the defendants have refused to disclose them. That brings us to the new decision. The SEC has asked the court for an order to compel Bonan and Nan Huang to each give up their passcodes to the Capital One phones they used so the SEC can bypass the passcode gate and search the phones. The defendants have opposed the request for an order on Fifth Amendment grounds. In their view, an order forcing them to give up the passcodes would force them to testify against themselves in violation of the privilege against self-incrimination.
In the new ruling, the trial court agreed with the defendants and denied the SEC’s request. The opinion was written by Judge Mark Kearney, a relatively new district court judge. The most important part of the opinion is Judge Kearney’s approach to the “foregone conclusion” doctrine. The doctrine, introduced in Fisher v. United States, says that the Fifth Amendment doesn’t block complying with a court order when the testimonial part of complying with a court order is a foregone conclusion. In other words, if the government already knows the testimonial part of complying with the order, and they’re not seeking to prove it from the order, then you can’t use the Fifth Amendment to avoid compliance with the order. * * * [Polley: This is a complex, evolving area. Prof Kerr’s thoughts here have drawn significant attention, and rebuttal. Stay tuned.]

ABA survey: Data breaches rising at large firms (BloombergBNA, 23 Sept 2015) - The number of security breaches continues to increase at the nation’s largest law firms, according to the American Bar Association’s 2015 Legal Technology Survey released this week. The survey found that firms with more than 100 lawyers experienced the most significant jump in reported breaches, which were defined as everything from a lost or stolen smartphone to a break-in or website exploitation. The chart below shows a more detailed breakdown: * * * Roughly 880 lawyers participated between January and May in the survey’s Technology Basics and Security section, from which the above information was drawn. In a follow-up question, 71.4 percent of participants from a firm with 500 or more lawyers, and 66.7 percent from a firm with 100 or more lawyers, said there was no significant business disruption or loss. Five percent of the firms reported that the breach required their firm to notify clients, and three percent reported that a breach resulted in unauthorized access to client data. One of the more interesting data points was how few attorneys concern themselves with cyber security. For instance, more than 80 percent of the survey respondents who hailed from a firm with more than 100 attorneys said they didn’t know if their firm had cyber liability insurance. Overall, among all respondents, only 11.4 percent said their firm had cyber liability insurance. Asked whether a client ever requested a security audit or asked their firm to verify security practices, roughly 52 percent of respondents from firms with 100 or more attorneys said they didn’t know. More generally, an even larger number of respondents didn’t know if their firm has ever had a full security assessment conducted by an independent third party — at firms with 100 to 499 attorneys, 57.6 percent didn’t know, and at firms with more than 500 attorneys, 77 percent didn’t know.

- and -

Lawyers’ use of email encryption remains dismally low, ABA survey says (Robert Ambrogi, 1 Oct 2015) - Only a third of lawyers use encryption when sending confidential or privileged documents to their clients. Instead, the great majority of lawyers rely on a confidentiality statement in the message body to protect the email’s privacy. According to the 2015 edition of the annual Legal Technology Survey Report, compiled by the American Bar Association’s Legal Technology Resource Center, only 35% of lawyers use email encryption. That percentage has remained virtually unchanged over the last four years of the survey, even as understanding of the need for encryption has grown throughout the professional and business worlds. When the survey asked lawyers what security precautions they use when sending confidential or privileged communications to clients via email, the answer given by 71% of lawyers was that they rely on the confidentiality statement in the message body. I simply do not understand the logic of this. If the confidentiality statement is inside the email, then by the time anyone sees it, they’ve seen the email. It is akin to putting a note inside a box that says, “Do not open this box.” It gets worse. Of the lawyers who say they use encryption, fully a third cannot say what kind of encryption they use. Those who could say what type of encryption they use most commonly identified it as general-purpose software with encryption features that required the recipient to be sent a separate password. Lawyers in larger firms are most likely to use email encryption. More than half of lawyers in firms of 500 or more and 41% of lawyers in firms of 100-499 use it. Among solos, only 24% encrypt their emails.
[Polley: And I bet that most of these encryption “users” actually are using Opportunistic TLS encryption, which they’ve been told by their IT people is usually in effect; I’d be astonished if more than a vanishingly small percentage of lawyers are using other kinds of email encryption processes.]

- and -

Law firms lacking cybersecurity measures have ‘significant ground to make up’ (LegalTechNews, 1 Oct 2015) - Although cybersecurity concerns and discussions are forward facing in all industries today, companies still have significant room to improve existing practices, a new report finds. Protiviti’s “2015 IT Security and Privacy Survey” revealed that one in three companies lacks policies for information security, data encryption and classification. Furthermore, many companies lack critical policies and an understanding of their data. Most have a “less-than-excellent” understanding of their most sensitive data and information (71 percent) and do not have strong awareness levels concerning potential exposures, the study showed. Law firms in particular are being targeted by attackers because sophisticated criminals are aware of the sensitive corporate data they hold, which could be used for financial gain, according to Scott Laliberte, managing director of Protiviti. “In my experience with law firms, I see a couple of trends: Law firms are starting to seek ISO 27000 certification as their partners and customers are expecting better security and they need a way to market/show they have done so,” Laliberte told Legaltech News in an interview. “Historically law firms have not had strong security controls or programs. Many have significant ground to make up.”

No “going dark” in the city that never sleeps (Steptoe, 24 Sept 2015) - The New York State Department of Financial Services announced that it has achieved two goals that have eluded the FBI for years ‒ mandatory retention of electronic communications and key escrow encryption. The NYSDFS reached agreements with four banks ‒ Goldman Sachs, Deutsche Bank, Credit Suisse, and Bank of New York Mellon ‒ whereby the banks agreed to measures that will ensure law enforcement’s ability to access messages on the banks’ new Symphony Communications chat and messaging platform. Under the deal, Symphony will retain for seven years copies of all electronic communications sent through its platforms, and the banks will store copies of the decryption keys for their messages with independent custodians.

Taylor Swift cracks down on pirating “Periscope” fans (Torrent Freak, 25 Sept 2015) - Twitter’s live streaming app Periscope is causing headaches among copyright holders. Every week the company received hundreds of takedown notices, mostly from sports organizations including NFL, NBA, WWE and the Premier League, who don’t want the public to rebroadcast their events for free. Musicians appear to be less concerned by Periscope, except for Taylor Swift. In recent weeks Twitter has received dozens of notices asking the company to stop and remove live streams of Swift’s concerts. The videos, often shared by some of the most passionate fans, are seen as copyright infringement. Swift has surrounded herself with a dedicated enforcement team called TAS Rights Management who swiftly take them offline. * * * Taylor Swift is the only artist sending takedown notices to Periscope, from what we’ve seen. The vast majority of other complaints are sent on behalf of sports organizations such as the NFL, NBA, WWE, Premier League, Die Liga and the Rugby World Cup, which sell subscriptions and access to their live events.

Complex car software becomes the weak spot under the hood (NYT, 26 Sept 2015) - Shwetak N. Patel looked over the 2013 Mercedes C300 and saw not a sporty all-wheel-drive sedan, but a bundle of technology. There were the obvious features, like a roadside assistance service that communicates to a satellite. But Dr. Patel, a computer science professor at the University of Washington in Seattle, flipped up the hood to show the real brains of the operation: the engine control unit, a computer attached to the side of the motor that governs performance, fuel efficiency and emissions. To most car owners, this is an impregnable black box. But to Dr. Patel, it is the entry point for the modern car tinkerer — the gateway to the code. “If you look at all the code in this car,” Dr. Patel said, “it’s easily as much as a smartphone if not more.” New high-end cars are among the most sophisticated machines on the planet, containing 100 million or more lines of code. Compare that with about 60 million lines of code in all of Facebook or 50 million in the Large Hadron Collider. The unfolding scandal at Volkswagen — in which 11 million vehicles were outfitted with software that gave false emissions results — showed how a carmaker could take advantage of complex systems to flout regulations. Carmakers and consumers are also at risk. Dr. Patel has worked with security researchers who have shown it is possible to disable a car’s brakes with an infected MP3 file inserted into a car’s CD player. A hacking demonstration by security researchers exposed how vulnerable new Jeep Cherokees can be. A series of software-related recalls has raised safety concerns and cost automakers millions of dollars. Cars have become “sealed-hood entities with complicated computers and modules,” said Eben Moglen, a Columbia University law professor and technologist. “All of this is deeply nontransparent. And all of this is grounds for cheating of all sorts.” The increasing reliance on code raises questions about how these hybrids of digital and mechanical engineering are being regulated. Even officials at the National Highway Traffic Safety Administration acknowledge that the agency doesn’t have the capacity to scrutinize the millions of lines of code that now control automobiles. One option for making auto software safer is to open it to public scrutiny. While this might sound counterintuitive, some experts say that if automakers were forced to open up their source code, many interested people — including coding experts and academics — could search for bugs and vulnerabilities. Automakers, not surprisingly, have resisted this idea.

Firm’s sloppy cybersecurity results in SEC action, fine (ZDnet, 30 Sept 2015) - The Securities and Exchange Commission is the latest federal agency turning up the heat on companies whose lax cybersecurity has contributed to breaches of user data. The SEC’s action, along with those last month at the Federal Trade Commission and in federal courts, is starting to sketch out a pattern of dwindling tolerance for negligence by companies in protecting their computer systems. Last week, the SEC announced a settlement with St. Louis-based R.T. Jones Capital Equities Management, which lost the personally identifiable information (PII) of approximately 100,000 people. The more interesting twist is that the firm was charged even though several cybersecurity-consulting firms hired by R.T. Jones could not determine the extent of the breach or whether PII had been accessed or compromised. And to date, none of the victims have reported any financial harm as a result of the attack. Nevertheless, the SEC saw fit to charge R.T. Jones over its lax policies and procedures under the agency’s Regulation S-P Safeguards Rule adopted in 2000. The rule requires brokers, dealers, investment companies, and registered investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” “While this enforcement is by no means the first under Regulation S-P against an investment advisor or company for failing to have a written information security program in place, it may mark a shift in the enforcement strategy at the SEC,” Jason Wool, an associate in the Cybersecurity Preparedness & Response Team at the law firm of Alston & Bird, wrote on the JD Supra Business Advisor web site. [Polley: see also SEC’s regulatory action against R.T. Jones: Did the other cybersecurity shoe just drop? (Weil, 28 Sept 2015)]

Home Depot cyber attack costs could reach into the billions (Insurance Business, 1 Oct 2015) - The September data breach of Home Depot last year is now being used as an example of the astronomical expenses attached to cyber risk, at a time when few insurers are prepared to cover it. According to new data released by the retailer, the breach has already cost Home Depot $232 million and is anticipated – by some accounts – to reach into the billions before the episode is over. Much of this is driven by lawsuits, filed by small community banks and credit unions that were hit hard in the wake of the breach. These lawsuits accuse Home Depot of ignoring warnings from security experts that its computer systems were vulnerable to attack, prior to the theft of approximately 56 million sets of credit and debit card data. Ostensibly, Home Depot’s cyber insurance policy would offset a large portion of these costs. Regulatory filings submitted by the retailer, however, reveal that only $100 million of the breach was covered by insurance. And while this may be a lesson to insurance agents working with retailers to push for the purchase of more coverage, appropriately high limits are hard to come by. “If you’re a retailer, it’s hard to buy more than $125 million in coverage in today’s market,” Roberta Anderson, co-founder of the Cyber Law and Cybersecurity practice group at K&L Gates law firm, told the New York Times. “Obviously, the potential liability is so much more.”

- and -

Target’s bullseye gets a lot bigger (Steptoe, 8 Oct 2015) - The United States District Court for the District of Minnesota has given approval for hundreds of banks and credit unions to band together in a class action against Target Corporation over a 2013 hack that extracted the payment card data and personal information of over 40 million customers. In In re: Target Corporation Customer Data Security Breach Litigation, the financial institutions allege that they suffered injury in the form of having to replace payment cards, reimburse fraud losses, and take other remedial steps. The ruling will greatly increase the pressure on Target to settle the suit on terms more amenable to the banks, after a previous settlement effort assisted by Visa and MasterCard failed. This is apparently only the second data breach case brought by financial institutions that has reached the class certification stage, and so represents an important precedent.

ABA and Rocket Lawyer launch on-demand legal advice pilot program (ABA Journal, 1 Oct 2015) - The American Bar Association and Rocket Lawyer have launched a new pilot program that provides on-demand legal advice for small businesses. In a Thursday press release, the ABA and Rocket Lawyer announced that they have begun testing ABA Law Connect in Illinois, Pennsylvania and California. First announced in August 2014, ABA Law Connect utilizes Rocket Lawyer’s cloud-based computing system to allow small-business owners or their representatives to pay $4.95 to post a legal question online and have an ABA member-lawyer answer it (plus a follow-up question). If they wish to enter into a formal attorney-client relationship afterward, they may do so. According to the ABA Law Connect website, the lawyers are in good standing with their state bars, have no disciplinary history and are covered by professional liability insurance. The pilot’s launch comes more than a year after the ABA and Rocket Lawyer first announced their intentions of entering into a joint venture aimed at providing low-cost legal advice for small businesses while giving ABA members access to a larger base of clients. “ABA Law Connect is an exciting opportunity for the ABA and Rocket Lawyer to assist small businesses, connecting them with ABA members, and represents one of many efforts by the ABA to improve access to legal services,” ABA President Paulette Brown said in the press release.

Stockton mayor was briefly detained on return flight from China (SFgate, 2 Oct 2015) - The mayor of Stockton was briefly detained and had two of his laptops and a cell phone confiscated by homeland security agents at the San Francisco International Airport earlier this week after returning from a trip to China, according to a statement by the mayor. Mayor Anthony R. Silva, who was elected in November 2012, had traveled to China for a mayor’s conference, he said in a statement. Upon his return home on Monday, Silva was briefly detained by Department of Homeland Security agents and had his belongings searched, he said. “A few minutes later, DHS agents confiscated all my electronic devices including my personal cell phone. Unfortunately, they were not willing or able to produce a search warrant or any court documents suggesting they had a legal right to take my property. In addition, they were persistent about requiring my passwords for all devices,” Silva said. Silva was not allowed to leave the airport until he gave his passwords to the agents, which the mayor’s personal attorney, Mark Reichel, claimed is illegal. He has yet to get the property returned, according to Reichel. The mayor said Reichel contacted the U.S. Attorney’s Office in Sacramento but was told that “we can neither confirm or deny if we have the mayor’s possessions.”

Scottrade alerts 4.6 million brokerage customers of breach (Wired, 2 Oct 2015) - Following news this week that hackers stole data on 15 million T-Mobile customers comes a new report that 4.6 million customers of the St. Louis-based brokerage firm Scottrade may have also been hit in a different breach. The retail brokerage firm disclosed to customers in an email today, and in a notice on its web site, that it suffered a database breach that occurred between late 2013 and early 2014, but the company only learned of it recently when law enforcement agents notified Scottrade that it was investigating a rash of breaches involving financial services firms, according to spokeswoman Shea Leordeanu. The company said that the thieves appeared to have access to the network for several months between late 2013 and February 2014. The breach went undetected until the FBI recently notified Scottrade in late August that it had been hacked, Leordeanu told WIRED. “They initially asked us to not share the information with our customers so that they could complete a part of their investigation,” she said. “We were then alerted last Friday that it was all right to begin notifying our clients and we began to do that as quickly as possible.” [Polley: emphasis supplied.]

California libel protection now covers online publications (Columbia Journalism Review, 2 Oct 2015) - Here’s one for the changing-media-landscape file: California Gov. Jerry Brown signed a bill this week to update his state’s libel laws, bringing consistency to the treatment of print and online publications. “Our libel laws now rightly treat new media sources the same as traditional newspapers,” the bill’s sponsor said—appropriately enough—in a Facebook post. At issue was the state’s “libel retraction” statute. Dating back to 1931, the original law created a means to limit the damages available to a plaintiff in a libel case against a media defendant. Basically, it said damages would be limited if the defendant had published a retraction at the plaintiff’s request. The major catch: The statute applied only if the libelous material was published in a “newspaper” or a “radio broadcast.” A different statute clarified that “radio broadcast” included TV broadcast, but what about magazines and websites? In 2014, a state appeals court ruled that California’s retraction statute did not, in fact, apply to websites. The panel concluded: * * * [T]he new measure replaces the term “newspaper” with the phrase “daily or weekly news publication,” defined as “a publication, either in print or electronic form, that contains news on matters of public concern and that publishes at least once a week.”

- and -

California bans paparazzi from using drones to spy on celebrity homes (Mashable, 7 Oct 2015) - Following campaigns by several lawmakers and complaints from celebrities, California Gov. Jerry Brown signed legislation Tuesday prohibiting paparazzi from using drones to surveil private property. Through the new ban, “physical invasion of privacy” in the state has been redefined to include flying a drone over private land for the purpose of taking a picture or video, the Los Angeles Times reports. It closes a loophole in paparazzi legislation passed last year by prohibiting the flying of drones in the “airspace above the land of another” in order to “peer into windows, capture goings on and otherwise spy on the private lives of public persons.”

Supreme Court plans to highlight revisions in its opinions (NYT, 5 Oct 2015) - The Supreme Court announced on Monday that it would disclose after-the-fact changes to its opinions, a common practice that had garnered little attention until a law professor at Harvard wrote about it last year. The court also took steps to address “link rot” in its decisions. A study last year found that nearly half of hyperlinks in Supreme Court opinions no longer work. And the court said it would bar “line standers” who hold places for lawyers eager to see high-profile arguments. The move on editing is a major development. Though changes in the court’s opinions after they are issued are common, the court has only very seldom acknowledged them. Many of the changes fix spelling or factual errors. Others are more substantial, amending or withdrawing legal conclusions. Starting this term, a court statement said, “post-release edits to slip opinions on the court’s website will be highlighted and the date they occur will be noted.” * * * The court said it would also address what it called “the problem of ‘link rot,’ where Internet material cited in court opinions may change or cease to exist.” The court will now collect and post the materials it links to on a dedicated page on its site. The move seemed to have been prompted by news media coverage of a study showing that about half of 555 links in Supreme Court opinions did not work.

Winklevoss twins’ bitcoin site gets banking charter (The Hill, 5 Oct 2015) - New York’s top banking regulator on Monday granted a banking charter to bitcoin exchange Gemini, launched in January as a “hack-free” site. Tyler and Cameron Winklevoss, best known for their drawn-out lawsuit against Facebook founder Mark Zuckerberg, are behind the exchange, which gives people a platform to buy and sell the digital currency bitcoin. It’s the second virtual currency firm to receive a banking charter from the New York State Department of Financial Services (NYDFS). The watchdog approved a charter for ItBit in May, making it the first U.S. bitcoin exchange to be regulated as a bank. “We are continuing to move forward on licensing and chartering virtual currency firms,” said Anthony Albanese, acting superintendent of the NYDFS. “Smart, targeted regulation that helps protect consumers and prevent illicit activity is vital to the long-term future of this industry.” At Gemini’s launch, the Winklevoss twins said they intended to bring security and legitimacy to the virtual currency payment process, which has been rattled by a number of hacks and alleged fraud at major exchanges. “Our goal was simple: bring together the nation’s top security experts, technologists, and financial engineers to build a world-class exchange from the ground up with a security-first mentality,” Cameron Winklevoss said in a blog post. Financial regulators have not stood idly by. The NYDFS has moved to increase reporting requirements around the use of digital currency, which can be swapped for physical money or used to make purchases directly at an increasing number of retailers. The regulator in June issued its final BitLicense framework. Under the guidelines, financial firms handling bitcoins and other digital currencies will need to obtain a BitLicense from the NYDFS, ensure a strong cyber defense and maintain detailed records of all digital transactions. The banking overseer issued its first BitLicense in September to virtual currency firm Circle Internet Financial. It has received 25 applications in total.

The benefits of self-publishing electronic casebooks (Eric Goldman, 7 Oct 2015) - Recently, the Washington Journal of Law, Technology & Arts published an online symposium called “Disruptive Publishing Models.” The articles discuss different initiatives to disrupt the traditional model for publishing legal casebooks and how those initiatives are driving down students’ costs for law school teaching materials. My colleague Rebecca Tushnet (Georgetown Law) and I contributed an article to the symposium entitled “Self-Publishing an Electronic Casebook Benefited Our Readers—And Us.” The article analyzes our experiences self-publishing our co-authored legal casebook, Advertising and Marketing Law: Cases and Materials, and it explains numerous reasons why self-publishing the book made more sense for us than pursuing the traditional publication process. The article abstract: Self-publishing our electronic casebook, Advertising and Marketing Law: Cases & Materials, wasn’t some grand ambition to disrupt legal publishing. Our goal was more modest: we wanted to make available materials for a course we strongly believe should be widely taught in law school. Electronic self-publishing advanced that goal in two key ways. First, it allowed us to keep the price of the materials low. Second, we bypassed gatekeepers who may have degraded the casebook’s content and slowed the growth of an advertising law professors’ community. Although my marketing of the book has consisted solely of announcing it on my blog and on email lists, I still view it as an ebook success story. Since I released the 2015 edition in July (and as of the date I made this post originally on Forbes), I’ve sold 94 PDFs, 20 Kindle versions and 66 print-on-demand editions (through CreateSpace) for total sales of 180 units [FN1]. This has generated total revenues of over $2,000 and net proceeds of well over $1,000. I expect these numbers to go up after another round of Spring semester adoptions and sales. By self-publishing the book, I get the many intangible benefits that Rebecca and I discuss in our article, plus an income supplement approaching $2,000 a year.

RESOURCES

Revenge pornography and the First Amendment (Media Law Prof Blog, 22 Sept 2015) - Andrew Koppelman, Northwestern University School of Law, is publishing Revenge Pornography and First Amendment Exceptions in the Emory Law Journal. Here is the abstract: The Supreme Court has recently declared that speech is protected by the First Amendment unless it is a type of communication that has traditionally been unprotected. If this is the law, then harms will accumulate and the law will be helpless to remedy them. A recent illustration is the new phenomenon of “revenge pornography,” which some states have attempted to prohibit. These prohibitions restrict speech on the basis of its content. Content-based restrictions (unless they fall within one of the categories of unprotected speech) are invalid unless necessary to a compelling state interest. The state’s interest in prohibiting revenge pornography, so far from being compelling, may not even be one that the state is permitted to pursue. The central harm that such a prohibition aims to prevent is the acceptance, by the audience of the speech, of the message that this person is degraded and appropriately humiliated because she once displayed her naked body to a camera. The harm, in other words, consists in the acceptance of a viewpoint. Viewpoint-based restrictions on speech are absolutely forbidden. Free speech is a complex cultural formation that aims at a distinctive set of goods. Its rules must be formulated and reformulated with those specific goods in mind. Pertinently here, one of those goods is a citizenry with the confidence to participate in public discussion. Traumatized, stigmatized women are not the kind of people that a free speech regime aims to create. Revenge pornography threatens to create a class chronically dogged by a spoiled social identity, and a much larger class of people who know that they could be subjected to such treatment without hope of redress. That state of affairs is directly contrary to the ideal of a regime in which everyone is empowered to participate in public discourse.

LOOKING BACK

(note: link-rot has affected about 50% of these original URLs)

iPod maps draw legal threats (Wired, 26 Sept 2005) -- Transit officials in New York and San Francisco have launched a copyright crackdown on a website offering free downloadable subway maps designed to be viewed on the iPod. IPodSubwayMaps.com is the home of iPod-sized maps of nearly two dozen different transit systems around the world, from the Paris Metro to the London Underground. The site is run by New Yorker William Bright, who said he fell into transit bureaucracy crosshairs after posting a digitized copy of the New York City subway system map on Aug. 9. “I got it on Gawker the day after it started, and the site exploded,” he said. More than 9,000 people downloaded the map, which was viewable on either an iPod or an iPod nano, before Bright received a Sept. 14 letter from Lester Freundlich, a senior associate counsel at New York’s Metropolitan Transit Authority, saying that Bright had infringed the MTA’s copyright and that he needed a license to post the map and to authorize others to download it.

History’s worst software bugs (Wired, 8 Nov 2005) -- Last month automaker Toyota announced a recall of 160,000 of its Prius hybrid vehicles following reports of vehicle warning lights illuminating for no reason, and cars’ gasoline engines stalling unexpectedly. But unlike the large-scale auto recalls of years past, the root of the Prius issue wasn’t a hardware problem -- it was a programming error in the smart car’s embedded code. The Prius had a software bug. With that recall, the Prius joined the ranks of the buggy computer -- a club that began in 1945 when engineers found a moth in Panel F, Relay #70 of the Harvard Mark II system. The computer was running a test of its multiplier and adder when the engineers noticed something was wrong. The moth was trapped, removed and taped into the computer’s logbook with the words: “first actual case of a bug being found.” Sixty years later, computer bugs are still with us, and show no sign of going extinct. As the line between software and hardware blurs, coding errors are increasingly playing tricks on our daily lives. Bugs don’t just inhabit our operating systems and applications -- today they lurk within our cell phones and our pacemakers, our power plants and medical equipment. And now, in our cars. But which are the worst? It’s all too easy to come up with a list of bugs that have wreaked havoc. It’s harder to rate their severity. Which is worse -- a security vulnerability that’s exploited by a computer worm to shut down the internet for a few days or a typo that triggers a day-long crash of the nation’s phone system? The answer depends on whether you want to make a phone call or check your e-mail. [Editor in 2005: Fun story. The CIA-bug-in-Soviet-pipeline story (more at http://www.msnbc.msn.com/id/4394002), if true, isn’t the only case of such a plant.]

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon’s Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson’s E-Commerce Law Week

8. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation’s Communications Headlines

10. Readers’ submissions, and the editor’s discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.