Saturday, December 17, 2016

MIRLN --- 27 Nov - 17 Dec 2016 (v19.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENTS

[Sad] Note to Readers (Steptoe, 1 Dec 2016) - After nearly 18 years, E-Commerce Law Week will cease publication after this week. It's been a pleasure. [Polley: I was so sorry to read this; I've loved their droll, concise, informative weekly e-newsletter; if anybody has substitute candidates to suggest, I'm all ears. In the meantime, hats off and thanks to ECLW authors/producers Sally Albertazzi, Stewart Baker, and Mike Vatis.]

NEWS

ABA House is asked to accredit program that certifies lawyers as privacy law specialists (ABA Journal, 15 Nov 2016) - A program that certifies lawyers as privacy law specialists is expected to go before the ABA House of Delegates in February. The International Association of Privacy Professionals administers the certification program. If the ABA House approves accreditation, lawyers who meet the IAPP's standards could hold themselves out as privacy law specialists without violating state ethics rules that are based on the ABA model rules. Bloomberg BNA has a story. Recognition of the privacy law specialty could benefit both consumers and lawyers, according to Hofstra University law professor Ellen Yaroshefsky. "I think it's advantageous both to lawyers seeking to obtain business but also hopefully to clients who want to reach out to the most sophisticated lawyer they can find," Yaroshefsky told Bloomberg BNA. "Particularly because cyber and security and intellectual property are rapidly expanding fields, there is a perceived need to have a recognized specialty." Fourteen certification programs administered by seven private organizations are currently accredited by the ABA, according to Martin Whittaker, senior counsel for the ABA Center for Professional Responsibility. About a dozen state entities also certify specialties. The ABA Model Rules of Professional Conduct provide that lawyers shouldn't state or imply they are certified as specialists in a particular field of law unless they have been certified as specialists by a group that is approved by the appropriate state authority or that is accredited by the ABA. The IAPP certification program would require lawyers to pass the group's exam; pass a separate exam on legal ethics related to the practice of privacy law; and prove substantial involvement in the privacy law area for three years.

The secret agenda of a Facebook quiz (NYT, 19 Nov 2016) - Do you panic easily? Do you often feel blue? Do you have a sharp tongue? Do you get chores done right away? Do you believe in the importance of art? If ever you've answered questions like these on one of the free personality quizzes floating around Facebook, you'll have learned what's known as your Ocean score: how you rate according to the big five psychological traits of Openness, Conscientiousness, Extraversion, Agreeableness and Neuroticism. You may also be responsible the next time America is shocked by an election upset. For several years, a data firm eventually hired by the Trump campaign, Cambridge Analytica, has been using Facebook as a tool to build psychological profiles that represent some 230 million adult Americans. A spinoff of a British consulting company and sometime defense contractor known for its counterterrorism "psy ops" work in Afghanistan, the firm does so by seeding the social network with personality quizzes. Respondents - by now hundreds of thousands of us, mostly female and mostly young but enough male and older for the firm to make inferences about others with similar behaviors and demographics - get a free look at their Ocean scores. Cambridge Analytica also gets a look at their scores and, thanks to Facebook, gains access to their profiles and real names. Cambridge Analytica worked on the "Leave" side of the Brexit campaign. In the United States it takes only Republicans as clients: Senator Ted Cruz in the primaries, Mr. Trump in the general election. Cambridge is reportedly backed by Robert Mercer, a hedge fund billionaire and a major Republican donor; a key board member is Stephen K. Bannon, the head of Breitbart News who became Mr. Trump's campaign chairman and is set to be his chief strategist in the White House.
In the age of Facebook, it has become far easier for campaigners or marketers to combine our online personas with our offline selves, a process that was once controversial but is now so commonplace that there's a term for it: "onboarding." Cambridge Analytica says it has as many as 3,000 to 5,000 data points on each of us, be it voting histories or full-spectrum demographics - age, income, debt, hobbies, criminal histories, purchase histories, religious leanings, health concerns, gun ownership, car ownership, homeownership - from consumer-data giants.

FINRA fines Lincoln Financial sub $650,000 for cybersecurity shortcomings (Bracewell, 22 Nov 2016) - A Lincoln Financial Group subsidiary agreed to pay $650,000 to the Financial Industry Regulatory Authority (FINRA) to resolve allegations that it failed to implement sufficient security policies to protect confidential customer information after its web-based customer account database was hacked in 2012. The 2012 breach came on the heels of a $600,000 fine, imposed by FINRA in 2011, for lax security measures relating to its customer database. * * *

Ohio imposes tax on online retailers with no physical presence in state (Morgan Lewis, 22 Nov 2016) - The Ohio Supreme Court recently ruled that Ohio may impose its commercial activity tax (CAT) on out-of-state companies that sell products and services to Ohio customers - even if the companies have no physical presence in the state - if such companies have taxable gross receipts sitused to Ohio of at least $500,000. This ruling is yet another example of the increasing willingness of states to extend taxing jurisdiction to nonresident taxpayers that have business, but no physical presence, in a state. On November 17, a split Ohio Supreme Court held that the physical presence standard does not extend to a "business-privilege tax" - even if that tax is measured by receipts from sales of tangible personal property (similar to a sales tax). In a 5-2 decision, the Ohio high court held that "although a physical presence in the state may furnish a sufficient basis for finding a substantial nexus, Quill's holding that physical presence is a necessary condition for imposing the tax obligation does not apply to a business-privilege tax . . ." Rather, since the CAT is imposed only on retailers with at least $500,000 in Ohio receipts, the Ohio Supreme Court held that dollar "limit" is sufficient to establish the required substantial nexus for the imposition of a business-privilege tax. The dissenting judges in the case, by contrast, argued that the silence of the US Congress on nexus issues means that Quill's "physical presence" requirement should still apply, and that only the US Congress or the US Supreme Court can establish a new rule to determine substantial nexus. The tenor of the dissenting judges' opinion could signal that this decision may be appealed to the US Supreme Court.

Uber begins background collection of rider location data (TechCrunch, 28 Nov 2016) - Imagine you're on your way to a therapy appointment in a downtown high-rise. You hail an Uber and enter a nearby coffee shop as your destination so you can grab a snack before the appointment. In the car, you scroll through Instagram and check your email. You get out, buy your coffee, and walk around the corner to your therapist's office. If you installed the latest app update, Uber has been tracking your location the entire time. The app update (it's 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open - now, Uber asks users to always share their location with the ride-hailing company. Uber says that, even though it can harvest your location constantly while its app is running in the background on your phone, it won't use that capability. Instead, Uber claims it just needs a little bit more location data to improve its service, and it has to ask for constant access because of the way device-level permissions are structured. Specifically, Uber wants access to a rider's location from the moment she requests a ride until five minutes after the driver drops her off, even if the app is not in the foreground of her phone. Previously, Uber would not collect a rider's background location during the trip, or her location after drop-off. The company will use this information to improve drop-offs and pick-ups, which have consistently been a pain point for Uber and other ride-hailing services. The most common reason for riders and drivers to contact each other is to communicate their location when the app does not provide an accurate pinpoint, and Uber hopes to cut down on confusion during pick-up. Uber also wants to track how often riders cross the street directly after a drop-off, which the company believes could indicate a safety hazard. 
Riders shouldn't have to dart through traffic to get to their destination, a spokesperson explained, and tracking a user after drop-off can help the company detect whether the driver dropped their passenger off in a risky place.

- and -

New site visualises how you rode with Uber in 2016 (Mashable, 15 Dec 2016) - The folks at Uber have made "Year with Uber", a data visualisation site that offers a view of your Uber riding pattern for the year. The site, which went live Thursday, asks you to log in, then presents you with information about your rides on the platform in 2016 via a click-through slideshow. * * * Alas, the site is only live for riders in Southeast Asian cities such as Singapore, Kuala Lumpur, Bangkok, Jakarta and Manila -- for now. Uber says it'll roll out to more countries progressively.

The surprising implications of the Microsoft/Ireland warrant case (Orin Kerr, 29 Nov 2016) - The Justice Department filed a petition for rehearing last month in the Microsoft/Ireland warrant case. Although I'm skeptical that rehearing will be granted, the Justice Department's petition includes some fascinating updates about the practical effect of the Second Circuit's decision. I looked into the Justice Department's allegations on my own, and I was able to get a better sense of what was happening. At the very least, it suggests that the Microsoft case is having some surprising implications. And in some cases, the result seems to be a significant mess. The Second Circuit's decision held that warrants for customer email are unenforceable when the provider opted to store emails on a server outside the United States. The statute only has territorial effect, the Second Circuit reasoned, and that means it doesn't apply to foreign-stored email. Treating the statute as a way to get email rather than a means of limiting access to email, the court ruled that the government couldn't use a domestic warrant to compel the disclosure of emails stored abroad. But here's the twist. The court's decision assumed that Internet providers knew where their customer emails were located and that emails could be accessed from those places. The Second Circuit's opinion therefore left the government with some options. In particular, the government could pursue foreign legal process through Mutual Legal Assistance Treaties for email that was stored abroad. It turns out that this assumption isn't necessarily right. And that is creating some significant headaches. Here's what the Justice Department says in its petition for rehearing:

Unlike Microsoft, some major providers cannot easily determine where customer data is physically stored, and some store different parts of customer content data in different countries. Major U.S.-based providers like Google and Yahoo! store a customer's email content across an ever-changing mix of facilities around the world. To the extent content is stored abroad by the provider at the moment the warrant is served, the Opinion has now placed it beyond the reach of a Section 2703 warrant, even when the account owner resides in the United States and the crime under investigation is entirely domestic. At least in the case of Google, the information is also currently beyond the reach of a Mutual Legal Assistance Treaty request or any foreign law enforcement authority, because only Google's U.S.-based employees can access customer email accounts, regardless of where they are stored; indeed, Google cannot reliably identify the particular foreign countries where a customer's email content may be stored. Thus, critical evidence of crimes now rests entirely outside the reach of any law enforcement anywhere in the world, and the randomness of where within an intricate web of servers the requested content resides at a particular moment determines its accessibility to law enforcement.

Rule would treat email like other forms of 'instant' service (Florida Bar, 1 Dec 2016) - After the Bar Board of Governors balked at giving its endorsement, the Rules of Judicial Administration Committee has altered a proposed procedural rule amendment affecting response times when documents are served via email. The Appellate Court Rules Committee also altered its request to be exempted from the proposed change, and instead suggests changes within the appellate rules. The board, at its July 29 meeting, considered amendments to the Civil Procedure Rules, the Rules of Judicial Administration, and the Appellate Court rules. The civil rule amendments corrected references to the Rules of Judicial Administration on email service. The RJA amendments removed email service from a subdivision that allowed five additional days for responding to service by regular U.S. Mail and removed email from a section that said email service would be treated as service via U.S. Mail for time computation purposes - which adds five days to those allowable times. Those changes would treat email like other forms of "instant" service such as fax, hand delivery, or service through the court system's statewide e-filing portal. When email service was first addressed in the rules several years ago, committee members said treating it as U.S. Mail delivery would encourage lawyers to use email service because of the extra response time it allowed. But they also said that extra time would likely be removed once email service was widely used. The appellate rule amendment specified that service by email in appellate matters be treated as service by U.S. Mail for time computations and exempted appellate email service from the time reductions in the RJA amendments. Board members said they were concerned that removing the five extra days could lead to "gamesmanship" with delivery of documents late in the day or before weekends to shorten the response time. They also expressed unease that exempting the appellate rules from the change would lead to inconsistency among rules. In response, the Appellate Court Rules Committee, when it met in October during the Bar's Fall Meeting, dropped its request for a blanket exemption. Instead the committee went through its rules and added to the computation of response time in more than 30 places where it felt more time was needed. That was approved by a 35-0 vote. The Rules of Judicial Administration Committee, which also met at the Fall Meeting, reaffirmed removing the extra five days from time computations with email service but also specified that the time computation would not begin until the day after the service, not counting weekends or holidays. Committee members, saying that would address the "gamesmanship" issues, approved that 34-0. The revised rules are expected to be presented to the board again at its January 20 meeting in Tallahassee.

Misconfigured drive exposes locations of explosives used by oil industry (SC Magazine, 5 Dec 2016) - Oil company Allied-Horizontal Wireline Services (AHWS) is reported to have misconfigured a storage device, which has resulted in the leak of the locations where it stores the explosives it uses. The company uses explosives to complete an oil-drilling process known as "perforation," which it is licensed to do by the US federal government. The device, exposed by security researcher Chris Vickery in October, also reportedly contained thousands of credentials of staff who work for the organisation and a variety of AHWS employee information. Other files showed the company's contracts with other oil companies, such as BP and Exxon.

Subscription surges and record audiences follow Trump's election (Columbia Journalism Review, 6 Dec 2016) - When CBS chairman Les Moonves said in February that the Donald Trump phenomenon "may not be good for America, but it's damn good for CBS," he likely didn't imagine his comment would apply to the entire news industry come December. While many in the media have expressed concerns over the impact a Trump administration could have on press freedoms, the president-elect's influence already is boosting news organizations' bottom lines. The New York Times said it signed up 10,000 new subscribers per day several times since the election, and the past few weeks recorded a 10-fold increase in new subscriptions over the same period last year. "Often after an election you expect a lull," Times president and CEO Mark Thompson said on Monday at the UBS Global Media & Communications conference in Manhattan. "We're not seeing that, we're seeing a surge." Thompson attributed the rise in subscriptions to "a dramatic increase in the willingness to pay for serious, independent journalism." He also said reaching the Times' goal of 10 million paid subscribers - up from 2.6 million today, about 1.5 million of which are digital-only - "is very possible for us." Most of the new subscribers are digital, though some opted for the Times in print. The company noted the increases are net of cancellations. He said consumers are more willing to pay for online content, driven by an acceptance of monthly fees for services like Netflix. While the Times holds a unique place in the media landscape, other major players across the industry have reported similar audience and subscription bounces. The LA Times saw a 60 percent increase in new digital subscriptions in the weeks following the election, a spokeswoman told CJR. For the month of November, the paper added more than four times as many new subscribers as it did during the same period in 2015. And the LA Times was not the only outlet in the publicly traded Tronc Inc. newspaper chain to report subscription increases; CNBC reported the chain saw an average gain in digital subscribers of 29 percent across its newspapers, which also include the Chicago Tribune and the Hartford Courant. While the Washington Post hasn't yet released specific numbers, a representative from the paper told CJR the Post has seen "a steady increase in subscriptions over the course of this year." The Wall Street Journal in the days after the election reported a 300 percent spike in new subscriptions.

T-Mobile announces Digits: one phone number for all your devices (The Verge, 7 Dec 2016) - T-Mobile just revealed its answer to AT&T's NumberSync technology, which lets customers use one phone number across all their connected devices. T-Mobile's version is called Digits and it will launch in a limited, opt-in customer beta beginning today before rolling out to everyone early next year. "You can make and take calls and texts on whatever device is most convenient," the company said in its press release. "Just log in and, bam, your call history, messages and even voicemail are all there. And it's always your same number, so when you call or text from another device, it shows up as you." When it leaves beta, Digits will cost an extra monthly fee, but T-Mobile isn't revealing pricing today. "This is not going to be treated as adding another line to your account," said COO Mike Sievert. "Expect us to be disruptive here." And while its main feature is one number for everything, Digits does offer T-Mobile customers another big perk: multiple numbers on the same device. This will let you swap between personal and work numbers without having to maintain separate lines and accounts. You can also give out an "extra set" of Digits in situations where you might be hesitant to give someone your primary number; this temporary number forwards to your devices like any other call. You can have multiple numbers for whatever purposes you want, based on T-Mobile's promotional video.

China stole data from major US law firms (Fortune, 7 Dec 2016) - A series of security breaches that struck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence seen by Fortune. The incidents involved hackers getting into the email accounts of partners at well-known firms, and then relaying messages and other data from the partners' in-boxes to outside servers. In the case of one firm, the attacks took place over a 94-day period starting in March of 2015, and resulted in the hackers stealing around seven gigabytes of data, according to information obtained by Fortune. That figure would typically amount to tens or hundreds of thousands of emails. The information also revealed the thefts took place in one-hour increments, and that the hackers returned repeatedly in search of new information. News of the law firm breaches surfaced earlier this year when the Wall Street Journal reported that hackers had penetrated the computer networks of Cravath Swaine & Moore, Weil Gotshal & Manges and other unidentified firms. The clients of these firms include many of the world's biggest companies, and they are privy to sensitive corporate information. The earlier news of the law firm breaches did not say who conducted the hacking, but Fortune has obtained reliable information that indicates the breach took place as part of a larger initiative by the Chinese government. This initiative also saw the hackers target big U.S. companies, including a major airline. The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.

- and -

Chicago law firm accused of lax data security in lawsuit (Bloomberg, 9 Dec 2016) - A federal judge on Friday unveiled a long-sealed proposed class-action complaint that accused the law firm Johnson & Bell of failing to take adequate steps to protect the data on its servers. The case is currently proceeding in confidential arbitration and the complaint was filed in April by the plaintiffs' firm Edelson P.C. on behalf of two of Johnson & Bell's onetime clients, Jason Shore, a California resident, and Coinabul, a Wyoming limited liability company. Johnson & Bell is a Chicago-based firm with about 100 attorneys and was ranked as the 385th largest law firm in the country, according to The American Lawyer. The complaint refers to Johnson & Bell "as a data breach waiting to happen" and claims the firm marketed itself as using top data security to protect its clients' information but in fact had numerous lapses, including - according to the complaint - an online time-keeping system that had not been updated in 10 years. Jay Edelson, the founder of Edelson P.C., said his firm has been conducting a wide-ranging investigation of law firms, and that he anticipates other judges may soon unseal lawsuits his firm filed against other law firms. The unsealed suit accused Johnson & Bell of using several internet-accessible computer networks, such as its time-keeping system and its email system, which had not been updated with security patches. The case is Shore et al v. Johnson & Bell, filed in N.D. of Illinois, 16-4363. Read the complaint, via Bloomberg Law, here.

Terror scanning database for social media raises more questions than answers (Motherboard, 9 Dec 2016) - On Monday, Facebook, Microsoft, Twitter, and YouTube announced a new partnership to create a "shared industry database" that identifies "content that promotes terrorism." Each company will use the database to find "violent terrorist imagery or terrorist recruitment videos or images" on their platforms, and remove the content according to their own policies. The exact technology involved isn't new. The newly announced partnership is likely modeled after what companies already do with child pornography. But the application of this technology to "terrorist content" raises many questions. Who is going to decide whether something promotes terrorism or not? Is a technology that fights child porn appropriate for addressing this particular problem? And most troubling of all - is there even a problem to be solved? Four tech companies may have just signed onto developing a more robust censorship and surveillance system based on a narrative of online radicalization that isn't well-supported by empirical evidence. Many companies - for example, Verizon, which runs an online backup service for customers' files - use a database maintained by the National Center for Missing and Exploited Children (NCMEC) to find child pornography. If they find a match, service providers notify the NCMEC Cyber Tipline, which then passes on that information to law enforcement. The database doesn't contain images themselves, but rather hashes - digital fingerprints that identify a file. This means that service providers can scan their servers without "looking" at anyone's files. Thanks to PhotoDNA, a technology donated by Microsoft, the hashes are made using biometric information inside the photos and videos, meaning that cropping or resizing the files won't necessarily change the hash value being used. Monday's announcement marks the first time companies have sought to use this kind of technology to combat "terrorist content online." It's an odd match. The hash matching system appealed to many aspects of the fight against child pornography. For one thing, it allowed companies to scan for files without finding out anything about non-matching files - so, arguably, without violating anyone's privacy, except with respect to possession of child porn. It also protected people from having to look at child porn in order to identify it - the very act of looking at child porn so it can be removed from the internet can be traumatic to the employees who are policing content on platforms. Neither of these specific upsides to the hash identification system seems to apply to "terrorist content," since the partnership appears to be aimed at publicly posted social media. (I asked Facebook via email whether the hash identification system would be applied to private messages between users, but did not hear back from the company). Furthermore, the companies have stated in their press release that a person on the other end will be looking at the content before taking it down. The press release implies, but does not explicitly say, that matching hits will not be provided to government officials, the way that hits for child pornography are. * * *
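The article contrasts a hash database (scan for known files without inspecting non-matching ones) with a robust hash that survives resizing. The following is an added illustration, not code from the article, Microsoft or the partnership: PhotoDNA is proprietary, so a toy 64-bit "average hash" over a constructed grayscale image stands in for it, next to SHA-256 of the raw pixels to show why an exact hash alone would miss a rescaled copy.

```python
import hashlib
from typing import List, Sequence

Image = List[List[int]]  # grayscale pixels, row-major, 0..255


def make_sample_image(width: int, height: int) -> Image:
    """Constructed sample: horizontal gradient with a bright square near the corner."""
    img = [[(x * 255) // max(1, width - 1) for x in range(width)] for _ in range(height)]
    for y in range(height // 4, height // 2):
        for x in range(width // 4, width // 2):
            img[y][x] = 255
    return img


def resize_nearest(img: Image, new_w: int, new_h: int) -> Image:
    """Nearest-neighbour rescale, standing in for a re-encoded or shrunk copy."""
    h, w = len(img), len(img[0])
    return [[img[(y * h) // new_h][(x * w) // new_w] for x in range(new_w)]
            for y in range(new_h)]


def brighten(img: Image, delta: int) -> Image:
    """Uniform brightness shift, another common edit that defeats exact hashing."""
    return [[min(255, px + delta) for px in row] for row in img]


def sha256_of_image(img: Image) -> str:
    """Exact cryptographic hash of the pixel bytes: any change at all alters it."""
    return hashlib.sha256(bytes(px for row in img for px in row)).hexdigest()


def average_hash(img: Image, size: int = 8) -> int:
    """Toy perceptual hash (aHash): shrink to size x size, bit = 1 where pixel >= mean.

    Like PhotoDNA it fingerprints visual structure rather than bytes, so a resized
    or brightened copy lands on the same or a nearby value. Unlike PhotoDNA it is
    trivial and only for illustration.
    """
    small = resize_nearest(img, size, size)
    pixels = [px for row in small for px in row]
    mean = sum(pixels) / len(pixels)
    bits = 0
    for px in pixels:
        bits = (bits << 1) | (1 if px >= mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes (0 = identical fingerprint)."""
    return bin(a ^ b).count("1")


def match_against_db(img: Image, db: Sequence[int], threshold: int = 5) -> bool:
    """Scan one file against a hash list. Only the hash leaves the scanner, and a
    non-matching file reveals nothing beyond 'no match', which is the privacy
    property the article attributes to the NCMEC/PhotoDNA approach."""
    h = average_hash(img)
    return any(hamming(h, known) <= threshold for known in db)


if __name__ == "__main__":
    original = make_sample_image(64, 64)
    db = [average_hash(original)]          # the "shared industry database" entry
    for label, variant in (("resized", resize_nearest(original, 32, 32)),
                           ("brightened", brighten(original, 10))):
        print(label, "sha256 equal:", sha256_of_image(variant) == sha256_of_image(original),
              "aHash match:", match_against_db(variant, db))
```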

Google just published eight National Security Letters (TechCrunch, 13 Dec 2016) - Google dropped a single National Security Letter into its most recent transparency report without much fanfare, but today the company published eight more NSLs in an attempt to shed more light on government surveillance of Google users. The eight letters published today were sent to Google from FBI offices across the country. Cumulatively, the NSLs seek broad access to content for around 20 user accounts. The usernames of the targets are redacted, although the FBI does not require it. A Google spokesperson said the usernames were redacted to protect user privacy and that the targeted individuals had been notified. The NSLs were sent to Google over a five-year period, from 2010 to 2015, with the majority coming from the Charlotte, North Carolina field office of the FBI. Others came from Florida, Arizona, New York and California. NSLs have historically been issued with interminable gag orders preventing tech companies from discussing the letters or their contents, but the passage of the USA Freedom Act last year allowed companies to begin disclosing the letters. Yahoo became the first major tech company to disclose NSLs it received from the FBI, publishing three in June. Since then, Google and the Internet Archive have followed suit. Google has fought to make the letters public in part because the FBI can issue them without prior judicial oversight. Many tech companies have argued that, given the wealth of information held in their users' accounts, the data should not be subject to a secret search without the approval of a court. Over the past several years, Google challenged 19 NSLs in court and last year won the right to tell WikiLeaks employees that their data had been requested. Soon, Google will establish a home for its NSL disclosures as part of its transparency report, Salgado said. In the meantime, you can read the eight letters here.

GT partners with law firm to offer cyber security audits (CCH Daily, 13 Dec 2016) - Grant Thornton UK has teamed up with international law firm Lewis Silkin to launch a new data and cyber security audit service, which the firms say will help global organisations ensure they are compliant and minimise risks in the face of increasing data breach risk and regulation. The new service, called DataCheckPoint, is based on an eight-stage process including audits incorporating a new scoping and gap analysis methodology which caters for innovative reporting and effective compliance implementation programmes. Grant Thornton says the new service is designed to help clients prepare for the implementation of the General Data Protection Regulation (GDPR) and the security of network and information systems directive (NIS Directive). Both pieces of legislation come into force from May 2018.

iPhone user can be forced to produce the passcode to his phone, court rules (Orin Kerr, 14 Dec 2016) - I have blogged a few times about the Fifth Amendment limits of forced decryption, especially in light of a case pending on the issue in the Third Circuit. Although that federal case is still pending, the Florida Court of Appeals (Second District) has handed down a new decision, State v. Stahl, on the same issue. Stahl holds that the government can force an iPhone user to hand over the passcode to unlock the phone so long as the government can show that the user knows the passcode. I think Stahl is correct, and I thought I would explain the case and its reasoning. The facts of Stahl are simple. Stahl has been arrested for allegedly surreptitiously taking pictures up the skirt of a female shopper in a clothing store. The police seized Stahl's iPhone 5, which they think he used to take the pictures. The police have a warrant to search the phone for the images he took to prove his crime. They can't get into the phone, however, because it is locked. The police asked Stahl for the passcode to his iPhone, but he refused to provide it. The government then sought an order compelling Stahl to produce the passcode. The issue in the case is whether the Fifth Amendment bars the order. The trial court concluded that it did because the government did not satisfy the foregone conclusion doctrine. Specifically, the government did not show with reasonable particularity what the contents of the phone were. The Court of Appeals disagreed, ruling that the Fifth Amendment doesn't bar the order under the foregone conclusion doctrine because it's the foregone knowledge of the password, not the contents of the phone, that matters. Here's the analysis from Judge Black: * * *

top

Google just dodged a privacy lawsuit by scanning your emails a tiny bit slower (The Verge, 14 Dec 2016) - Yesterday, Google tentatively agreed to a series of changes in the way it collects data from Gmail, as part of a proposed settlement in Northern California District Court. If the court approves the settlement, Google will eliminate any collection of advertising-specific data before an email is accessible in a user's inbox. The result likely won't be noticeable to users, but it represents a real change to the way Google's systems work, brought about after a voluntary settlement rather than a legal ruling. The case, called Matera vs. Google, began in September 2015, when plaintiffs alleged the email scanning violated California and federal privacy law, calling it "the twenty-first-century equivalent of AT&T eavesdropping on each of its customers' phone conversations, or of the postal service taking information from private correspondence." The suit was specifically brought on behalf of non-Gmail users, who haven't agreed to have their emails scanned under Google's Terms of Service. Because Gmail's ad-targeting system draws on every email a Gmail user receives, it inevitably catches some messages from non-Gmail addresses. Scans that take place before emails are available to the user are particularly sensitive, since they're not yet part of Gmail's inbox. In real terms, that gap lasts only a few milliseconds, but plaintiffs argued it still constituted a breach of both the federal Electronic Communications Privacy Act and the California Information Privacy Act. The fix for Google was simple enough: close the gap. Google will still preemptively scan emails for malware and spam filtering, but any advertising-specific scans will be reserved until the email is accessible to the user. Reached by The Verge, Google declined to comment, but confirmed that the settlement would result in concrete technical changes once approved. The plaintiffs' lawyers did not respond to a request for comment. That might seem like a minor distinction, but it's one that's increasingly troublesome for email companies - and lucrative for plaintiffs. Yahoo settled a similar lawsuit in January of this year, agreeing to delay its ad-scanning systems and pay up to $4 million in fees to the attorneys who filed the case. Google has also agreed to pay any costs associated with this week's settlement, including up to $2.2 million in attorney fees and $2,000 for each of the class representatives.

top

Digital Millennium Copyright Act - DMCA agent revamp, act now (Hogan Lovells, 14 Dec 2016) - Online Service Providers (OSPs) must register under a new electronic system by December 31, 2017 but can, and should, do so as soon as possible. The U.S. Copyright Office has ditched the scanned paper system for registration of DMCA Agents. OSPs seeking safe harbor protections may now register using the new electronic system, which launched December 1, 2016. Only OSPs (e.g. providers of online services or network access, including sites that allow posting of user-generated content) that have registered by December 31, 2017 will continue to have Section 512 protection. Since 2011 the Copyright Office has been considering revision of the DMCA Agent system, part of the Digital Millennium Copyright Act, enacted by Congress back in 1998, which enables online service providers to limit their liability for copyright infringement committed by their users. A condition of this "safe harbor" is that the OSP must designate an agent for receiving infringement claims both on the OSP's own website and through the Copyright Office's public directory of designated agents. Adapting to today's realities, the system will now be fully electronic. The new system completely replaces the former paper-based system - a reform that will be implemented by amending 37 CFR part 201.38 (full text here). The change enables service providers to submit designated agent information more efficiently, the Copyright Office to load the information more quickly, and the public to search it more easily. Filing fees have been reduced from the minimum $105 to a flat fee of $6 per designation (for each filing or amendment). Automated reminders will simplify keeping contact information up-to-date. The designation will now automatically expire after three years unless it is either renewed or confirmed to be still accurate. Online service providers must submit new designations through the electronic system by December 31, 2017. The Office will no longer accept paper designations. Paper designations filed before December 1, 2016 will continue to satisfy the legal obligations of section 512 until the December 31, 2017 transition deadline. * * *

top

Germany-wide consortium of research libraries announce boycott of Elsevier journals over open access (BoingBoing, 15 Dec 2016) - Germany's DEAL project, which includes over 60 major research institutions, has announced that all of its members are canceling their subscriptions to all of Elsevier's academic and scientific journals, effective January 1, 2017. The boycott is in response to Elsevier's refusal to adopt "transparent business models" to "make publications more openly accessible." Elsevier is notorious even among academic publishers for its hostility to open access, but it also publishes some of the most prestigious journals in many fields. This creates a vicious cycle, where the best publicly funded research is published in Elsevier journals, and Elsevier then claims ownership over the research (Elsevier, like most academic journals, requires authors to sign their copyrights over, though it does not pay them for their writing, nor does it pay for their research expenses). Then, the public institutions that are producing this research have to pay very high costs to access the journals in which it appears. Journal prices have skyrocketed over the past 40 years. No one institution can afford to boycott Elsevier, but collectively, the institutions have great power. The high price-ticket on journals means that the entire customer base for them is institutions, not individuals, and the increasing prices have narrowed the field of institutions that can afford to participate -- but that has also narrowed the number of institutions that need to cooperate to cripple Elsevier and bring it to heel. Even so, this kind of boycott was unimaginable until recently -- but the rise of guerrilla open access sites like Sci-Hub means that researchers at participating institutions can continue to access Elsevier papers by other means.

top

Evernote's new privacy policy lets staff read customers' notes 'to improve the service' (MacRumors, 15 Dec 2016) - Some users of Evernote have threatened to stop using the note-taking service after the company announced a new privacy policy scheduled to go into effect on January 23 that allows employees to read customers' notes. The policy changes are related to machine learning algorithms, says Evernote, which are being tested on user content that the company has accumulated since going into operation. Specifically, Evernote explained that staff may need to read customer notes in order to ensure the algorithms are working as they should: "The latest update to the Privacy Policy allows some Evernote employees to exercise oversight of machine learning technologies applied to account content. While our computer systems do a pretty good job, sometimes a limited amount of human review is simply unavoidable in order to make sure everything is working exactly as it should." In describing this position more succinctly, Evernote's privacy policy states that employees will look at notes "for troubleshooting purposes or to maintain and improve the Service". But some users are concerned about the vague wording of the clause, which journalist Stacy-Marie Ishmael has called "so broad as to be all inclusive". Meanwhile, some users have taken to social media to join a growing chorus of revolt. Evernote says that only a limited number of employees who have undergone background checks will be able to access note content and that users can encrypt notes to prevent staff from reading them. But while users can opt out of having their notes reviewed for machine learning purposes, Evernote can still access content for other reasons, including violations of terms of service, to protect the rights, property, or personal safety of Evernote and its users, or to comply with law enforcement requests, warrants, or court orders. Users can read more about the new changes to Evernote's privacy policy here.

top

- and -

Evernote backs off from privacy policy changes, says it 'messed up' (ComputerWorld, 16 Dec 2016) - Evernote has reversed proposed changes to its privacy policy that would allow employees to read user notes to help train machine learning algorithms. CEO Chris O'Neill said the company had "messed up, in no uncertain terms." The move by the note-taking app follows protests from users, some of whom have threatened to drop the service after the company announced that its policy would change to improve its machine learning capabilities by letting a select number of employees, who would assist with the training of the algorithms, view the private information of its users. The company claims 200 million users around the world. The machine learning technologies would make users more productive as they would allow the automation of functions now done manually, like creating to-do lists or putting together travel itineraries, O'Neill had said earlier on Thursday in defense of the proposed changes. Evernote employees would only see random content in snippets to check that the features are working properly but they wouldn't know who it belongs to, and personal information would be masked, he added. The changes to the privacy policy were to come into effect on Jan. 23.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Blog-aholics (The Atlantic, Jan/Feb 2006) -- Most of us will admit to wasting some time at work. But three new studies suggest that more time is lost now than ever before. According to a survey by the magazine Advertising Age, a leading culprit is Weblogs. The survey indicates that one in four U.S. workers reads blogs regularly while at work, losing, on average, some nine percent of the workweek. This amounts to 551,000 years of labor lost in 2005 alone. If only the bloggers whose words seem so compelling were the ones sending us e-mail: 34 percent of workers surveyed by Information Mapping, Inc. reported wasting thirty to sixty minutes a day trying to interpret "ineffectively" written messages. A third study offers comfort - or at least a way to pass the buck for all the lost time. Having examined productivity in nine countries, it concludes that 37 percent of the time spent at work is wasted - but that poor management and inadequate supervision are largely to blame.

top

Accessibility lawsuit against Target can proceed (ComputerWorld, 8 Sept 2006) -- A federal judge in San Francisco ruled Wednesday that a lawsuit filed against Minneapolis-based Target Corp. by the National Federation of the Blind (NFB) regarding the accessibility of the retailer's Web site can move forward. According to the NFB, the ruling sets a precedent establishing that retailers must make their Web sites accessible to the blind under the Americans with Disabilities Act (ADA). "This ruling is a great victory for blind people throughout the country," said NFB President Marc Maurer. "We are pleased that the court recognized that the blind are entitled to equal access to retail Web sites." When asked if the NFB would file lawsuits against other online retailers and sites, spokesman John Pare said, "You probably could imagine that we would."

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, November 26, 2016

MIRLN --- 6-26 Nov 2016 (v19.16)

MIRLN --- 6-26 Nov 2016 (v19.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

Understanding footnote 14: NSA lawyering, oversight, and compliance (Lawfare, 7 Oct 2016) - In 2009, the government notified the Foreign Intelligence Surveillance Court (FISC) of a serious issue in the design and description of the National Security Agency's (NSA) Business Records metadata program. In short, the NSA had implemented a part of that program using an erroneous interpretation of the term "archived data" that appeared in the court's order. An inadvertent mistake in later reports to the FISC concealed the fact of the misinterpretation, which was incorporated into multiple reports over time. Readers are likely aware of the incident, which has become a persistent reference point for NSA's most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that "NSA lawyers routinely lie, even to the secret rubber stamp FISA court"; another cited it in claiming DOJ's attorneys made "misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets" and that "NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333." These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight. As people who served in the NSA during and after the time of this particular incident, we seek to offer a fuller account of this episode. [Polley: On 14 Nov Bruce Schneier wrote about this story: "Former NSA attorneys John DeLong and Susan Hennessey have written a fascinating article describing a particular incident of oversight failure inside the NSA. Technically, the story hinges on a definitional difference between the NSA and the FISA court meaning of the word "archived." (For the record, I would have defaulted to the NSA's interpretation, which feels more accurate technically.) But while the story is worth reading, what's especially interesting are the broader issues about how a nontechnical judiciary can provide oversight over a very technical data collection-and-analysis organization -- especially if the oversight must largely be conducted in secret. In many places I have separated different kinds of oversight: are we doing things right versus are we doing the right things? This is very much about the first: is the NSA complying with the rules the courts impose on them? I believe that the NSA tries very hard to follow the rules it's given, while at the same time being very aggressive about how it interprets any kind of ambiguities and using its nonadversarial relationship with its overseers to its advantage. The only possible solution I can see to all of this is more public scrutiny. Secrecy is toxic here."]

top

Adobe Voco 'Photoshop-for-voice' causes concern (BBC, 7 Nov 2016) - Adobe unveiled Project Voco last week. The software makes it possible to take an audio recording and rapidly alter it to include words and phrases the original speaker never uttered, in what sounds like their voice. One expert warned that the tech could further undermine trust in journalism. Another said it could pose a security threat. However, the US software firm says it is taking action to address such risks. At a live demo in San Diego on Thursday, Adobe took a digitised recording of a man saying "and I kissed my dogs and my wife" and changed it to say "and I kissed Jordan three times". The edit took seconds and simply involved the operator overtyping a transcript of the speech and then pressing a button to create the synthesised voice track. "We have already revolutionised photo editing. Now it's time for us to do the audio stuff," said Adobe's Zeyu Jin, to the applause of his audience. He added that to make the process possible, the software needed to be provided with about 20 minutes' worth of a person's speech.

top

Lawyers may not use 'web bugs' to track email sent to opposing counsel, ethics opinion says (ABA Journal, 8 Nov 2016) - Lawyers should not plant "web bugs" to track the location and use of emails sent to opposing counsel, according to an Alaska ethics opinion. The Alaska Bar Association Ethics Committee is the second bar panel to address the issue, according to the ABA BNA Lawyers' Manual on Professional Conduct. An ethics opinion by the New York State Bar Association also found web bugs are not ethically permissible. The Oct. 26 opinion by the Alaska ethics committee said web bugs in emails can track a variety of information. They can be used to learn when and how often an email was opened, how long it was reviewed, how long an attachment was reviewed, whether the email or attachment was forwarded, and the rough geographical location of the recipient. Web bugs can reveal information that interferes with the lawyer-client relationship and the preservation of client confidences, the ethics opinion said. Seeking to invade the lawyer-client relationship through web bugs, even if the web bug is disclosed, violates ethics rules barring lawyers from engaging in misrepresentation and deceit, according to the opinion. The ethics opinion provides two examples of how web bugs can intrude on the attorney-client relationship.
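As an added, recipient-side illustration that is not part of the ABA Journal item or the Alaska opinion, the following Python scanner flags the embedded remote images that the opinion describes as "web bugs": a remote image that is tiny, hidden by CSS, or carries a long per-recipient token. The heuristics, the `track.example` and `cdn.example` hosts and the sample message are all constructed here.

```python
"""Flag likely tracking pixels ("web bugs") in an HTML e-mail body.

Added example; not code from any mail client or from the ethics opinion.
Heuristic only: a remote image that is 1x1 (or 0x0), hidden via CSS, or
whose URL carries a long random-looking token is reported as a likely bug.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# A query value or path segment this long and made of URL-safe characters is
# usually a per-message identifier that ties the image fetch to one recipient.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # attrs is a list of (name, value); value is None for bare attrs
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixels."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def classify_image(attrs):
    """Return the reasons an <img> looks like a web bug (empty list if none)."""
    parsed = urlparse(attrs.get("src", ""))
    if parsed.scheme not in ("http", "https"):
        return []  # cid:/data: images are inline and cannot phone home
    reasons = []
    if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
        reasons.append("1x1 or 0x0 image")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    for _, val in parse_qsl(parsed.query):
        if _TOKEN_RE.fullmatch(val):
            reasons.append("per-recipient token in query")
            break
    else:
        if any(_TOKEN_RE.fullmatch(seg) for seg in parsed.path.split("/")):
            reasons.append("per-recipient token in path")
    return reasons


def find_web_bugs(html):
    """Return [(src, reasons)] for every remote image flagged as a likely tracker."""
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.images:
        reasons = classify_image(attrs)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample e-mail body (not a real message): one inline logo,
# one 1x1 pixel with a per-recipient token, one CSS-hidden remote image.
SAMPLE_EMAIL = """
<html><body>
<p>Please find the draft attached.</p>
<img src="cid:logo@firm.example" width="120" height="40">
<img src="https://track.example/open/aB3dE9fG1hJ2kL4mN6pQ8rS0tU" width="1" height="1">
<img src="https://cdn.example/banner.png" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_EMAIL):
        print(src, "->", ", ".join(reasons))
```

A client that blocks remote image loading by default defeats all three variants; this scanner only explains, after the fact, which images would have reported back to the sender.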

top

- and -

Beware of sites importing your contacts, and watch your social media comments, ethics opinions say (ABA Journal, 21 Nov 2016) - The ethics committee of the District of Columbia Bar is advising lawyers about some social media dangers in two ethics opinions released this month. Many issues addressed in the opinions have been widely explored in ethics opinions in other jurisdictions, but a couple of topics haven't gotten much treatment in prior opinions, according to the ABA BNA Lawyers' Manual on Professional Conduct. The D.C. opinions are here and here. One "apparently novel warning" is about lawyers who take positions on legal issues when blogging or tweeting, according to the ABA BNA Lawyer's Manual. The ethics opinion says a lawyer's positions on social media could be adverse to the interest of a client, inadvertently creating a conflict. Those online positions could violate a D.C. ethics rule that prevents lawyers from representing clients if their professional judgment will be, or reasonably may be, adversely affected by a lawyer's own financial, property or personal interest, the ethics opinion says. Another new topic addressed is about the danger of allowing social media websites such as LinkedIn to access email contacts. Such access can allow a social media site to suggest potential connections with people the lawyer may know who are already members of the website, or to invite nonmembers to join and connect with the lawyer, explains D.C. Bar Ethics Opinion 370. "However, in many instances, the people contained in a lawyer's address book or contact list are a blend of personal and professional contacts," according to the opinion. "Contact lists frequently include clients, opposing counsel, judges and others whom it may be impermissible, inappropriate or potentially embarrassing to have as a connection on a social networking site. … For attorneys, these connection services could potentially identify clients or divulge other information that a lawyer might not want an adversary or a member of the judiciary to see or information that the lawyer is obligated to protect from disclosure."

top

How Facebook, Twitter helped lead Trump to victory (AdAge, 9 Nov 2016) - America just endured its first presidential election in which the majority of the electorate got its news from social media. And the outcome is already prompting soul searching by the companies that shaped it. Facebook will have to contend with mounting dissatisfaction over its role as the most widely used news filter in history. Forty-four percent of American adults get their media through the site, many consuming news from partisan sources with which they agree. The proliferation of fake news on Facebook has also been a problem: false stories about the Clinton family committing murder and Huma Abedin being a terrorist flew fast and furious despite refutations from responsible news organizations. Those stories shaped public opinion, said Ed Wasserman, the dean of the University of California, Berkeley Graduate School of Journalism. "This is a landmark," he said. "Trump was able to get his message out in a way that was vastly influential without undergoing the usual kinds of quality checks that we associate with reaching mass public. You had a whole set of media having influence without really having authority. And the media that spoke with authority, the authority that comes after careful fact checking, didn't really have the influence."

top

- and -

This analysis shows how fake election news stories outperformed real news on Facebook (Buzzfeed, 16 Nov 2016) - In the final three months of the US presidential campaign, the top-performing fake election news stories on Facebook generated more engagement than the top stories from major news outlets such as the New York Times, Washington Post, Huffington Post, NBC News, and others, a BuzzFeed News analysis has found. During these critical months of the campaign, 20 top-performing false election stories from hoax sites and hyperpartisan blogs generated 8,711,000 shares, reactions, and comments on Facebook. Within the same time period, the 20 best-performing election stories from 19 major news websites generated a total of 7,367,000 shares, reactions, and comments on Facebook. (This analysis focused on the top performing link posts for both groups of publishers, and not on total site engagement on Facebook. For details on how we identified and analyzed the content, see the bottom of this post. View our data here.) Up until those last three months of the campaign, the top election content from major outlets had easily outpaced that of fake election news on Facebook. Then, as the election drew closer, engagement for fake content on Facebook skyrocketed and surpassed that of the content from major news outlets. [Polley: see also Call it a 'crazy idea,' Facebook, but you need an executive editor (Margaret Sullivan in WaPo, 20 Nov 2016)]

top

- and -

Tens of thousands join 'Lawyers of the Left' Facebook group, sign Bannon protest letter (ABA Journal, 22 Nov 2016) - A law professor and a legal marketer apparently struck a chord when they appealed to lawyers disappointed in the election results and with a key appointment by Donald Trump. Nearly 120,000 people had joined an invitation-only Facebook group called Lawyers of the Left as of Monday morning, Robert Ambrogi reports for Above the Law. More than 10,000 lawyers signed a letter within 48 hours that objected to the appointment of Breitbart News chief Stephen Bannon as chief White House strategist. Above the Law reports on Traci Feit Love, the Harvard law graduate and legal marketer who created the Facebook group, while Bloomberg Big Law Business spoke with a law professor who wrote the protest letter. Legal marketer Traci Feit Love says her initial goal was to find 150 lawyers to join her Facebook group. Her idea, she wrote, was hatched after she saw Facebook posts from lawyers who proposed positive action after the election. "I thought to myself: Why not create a small Facebook group where those action-minded lawyers could really start making a difference?" Love wrote. One of the Facebook group's initial plans is to coordinate among members attending the Women's March on Washington on the day after the inauguration. University of Denver law professor Nancy Leong wrote the protest letter with colleagues Lindsey Webb and Robin Walker Sterling. Her goal was to get a couple hundred lawyers to view and repost the letter. More than 10,000 lawyers had signed the letter in less than 48 hours. The letter calls on Congress to ask Trump to rescind Bannon's appointment.

top

- and -

Call to Action lets you phone your Congressperson with just a tap (TechCrunch, 22 Nov 2016) - The U.S. election has inspired more people to become politically involved, and one of the most practical and direct ways to have an impact is to directly call your Congressperson to have your voice heard. However, scouring .gov websites can be a little frustrating, and today's current crop of online resources for reaching Congress are often poorly designed or hard to locate. A new online application, Call To Action, wants to help. With a simple user interface that's accessible via the desktop or mobile web, Call To Action has a singular purpose: it makes it easy to find your representatives and place a phone call to their office. It even provides simple scripts to help you get started. However, Call To Action doesn't currently take a political position, nor is it associated with any political action groups. As evidenced by its purple color scheme, its main goal is to simply make reaching out to your House reps more accessible. When you launch the Call To Action website, you're prompted to enter your home address, and the app will then locate your Congressional representative. As the website explains, because Congressional representatives serve fewer constituents than a Senator, calls to reps are more likely to be answered and hold more relative weight. Remarkably, Call To Action was a weekend project built by a team of ten, some friends and some strangers. Zack Shapiro, an iOS developer previously from Splash, had originally tweeted out the idea, and expressed his interest in building such a utility.

top

Yahoo admits some employees knew of massive hack in 2014 (CNET, 9 Nov 2016) - As any investigator can tell you, it's not just what you knew, but when you knew it. On Wednesday, Yahoo admitted that not long after a hack in 2014 some of its employees were aware a state-sponsored hacker had breached its network. The revelation is sure to cast a larger shadow over Verizon's $4.8 billion deal to acquire the company. Yahoo said in September that an investigation in August had uncovered the theft of personal information associated with at least a half billion Yahoo accounts, the biggest data breach in history. The company said at the time that it discovered the massive intrusion after a hacker claimed in August to have snatched 200 million Yahoo usernames and passwords in an earlier hack. But a Yahoo filing with the US Securities and Exchange Commission on Wednesday revealed that at least some people within the company were aware of the intrusion in 2014. "An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access," Yahoo said in its filing. It wasn't until the August probe, however, that the company got confirmation of the extent of the breach, a source with knowledge of the investigation said.

top

FTC issues data breach response guidance (Steptoe, 10 Nov 2016) - On October 25, the Federal Trade Commission (FTC) released a guide on data breach response, along with a video and business blog. The main guidance, entitled Data Breach Response, A Guide for Business, lays out some important steps for a swift and appropriate response when a data breach is suspected. Since the FTC is the primary judge in the United States of whether a company's preparation for, and response to, a breach was "reasonable," it would make sense for companies to incorporate the FTC's guidance in their incident response plans.

top

- and -

NIST issues small business information security: the fundamentals (Ride the Lightning, 14 Nov 2016) - The title pretty much says it all. The November 2016 release of the NIST (National Institute of Standards and Technology) Small Business Information Security: The Fundamentals is welcome indeed. The document clocks in at 32 pages with several helpful appendices (including worksheets and sample policy and procedure statements) extending the length to 54 pages. Reading this document constitutes a good crash course for any small business. If you know you need to come up to speed with a very current document, here's your opportunity.

top

Secret back door in some US phones sent data to China, analysts say (NYT, 15 Nov 2016) - For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence. International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.

top

'Augmented Intelligence' for higher ed (InsideHigherEd, 16 Nov 2016) - The company behind the Jeopardy!-winning computer, Watson, is now establishing itself in the adaptive and personalized learning markets. What is IBM? The company is partnering with a small number of hardware and software providers to bring the same technology that won a special edition of the game show back in 2011 to K-12 institutions, colleges and continuing education providers. The partnerships and the products that might emerge from them are still in the planning stage, but the company is investing in the idea that cognitive computing -- natural language processing, information retrieval and other functions similar to the ones performed by the human brain -- can help students succeed in and outside the classroom. Chalapathy Neti, vice president of education innovation at IBM Watson, said education is undergoing the same "digital transformation" seen in the finance and health care sectors, in which more and more content is being delivered digitally. * * * IBM has been out of the personal computer market for more than a decade, and just as you no longer see any laptops branded with the "Big Blue" logo, the company won't be releasing its own adaptive learning platform or learning management system. Instead, IBM is working with major companies to bring its technology to market. In higher education, IBM is at the moment working with Blackboard and Pearson on student retention and tutoring, respectively. Both education companies are this fall beginning to test a handful of early prototypes, exploring potential use cases and working with clients to learn what sort of software they are interested in. Pearson is testing what Angie McAllister, senior vice president of personalized learning and analytics, described as an "intelligent tutoring system." As one of the major course material publishers in the market, Pearson controls a wealth of content, and it is testing IBM's technology as a way to offer one-on-one tutoring using artificial intelligence.


French law on digital versions of out-of-print books flouts EU directive (ArsTechnica, 16 Nov 2016) - A French law that allows royalty collectors to authorise the publication of digital versions of out-of-print books is not compatible with the EU copyright directive, Europe's top court has ruled. The Court of Justice of the European Union (CJEU) has ruled that authors must be informed about any plans to release their out-of-print books in this way so that they can object if they wish, and that the French law does not require this. The CJEU explained that currently "an approved collecting society, the SOFIA, is responsible for authorising the reproduction and communication, in digital form, of out-of-print books, it being understood that the authors of those books or their successors in title may oppose." But the EU copyright directive says that "authors have the exclusive right to authorise or prohibit the reproduction and communication to the public of their works," not collecting societies. Prior consent of authors to the use of their works can, under certain conditions, be expressed implicitly, the EU's top court said. One requirement is that "every author must be informed of the future use of his work by a third party and of the means at his disposal to prevent it if he so wishes." The problem with the French legislation, the CJEU ruled, was that it is possible that some of the authors affected are not made aware of the envisaged use of their works and so are not able to adopt a position on it. "In those circumstances," the court said, "a mere lack of opposition on their part cannot be regarded as the expression of their implicit consent to the use of their works."


66% of organizations won't recover after cyberattack, Ponemon study says (Tech Republic, 17 Nov 2016) - A recent study performed by IBM's Resilient and the Ponemon Institute found that 66% of organizations would be unable to recover from a cyberattack. The results of the 2016 Cyber Resilient Organization study were released Wednesday, and show a decline in organizational resilience against cyberattacks. Of the respondents, 32% of IT and security professionals ranked their resilience as high. That same number was 35% in 2015, marking a drop over the past 12 months. A press release announcing the study defined resilience as "an organization's ability to maintain its core purpose and integrity in the face of cyberattacks." One of the biggest hindrances to effective security listed by respondents was the lack of a proper cyber security incident response plan (CSIRP). However, it should be noted that Resilient provides incident reporting services.


IRS demands identities of all US Coinbase traders over three year period (Motherboard, 18 Nov 2016) - In bitcoin-related investigations, authorities will often follow the digital trail of an illegal transaction or suspicious user back to a specific account at a bitcoin trading company. From here, investigators will likely subpoena the company for records about that particular user, so they can then properly identify the person suspected of a crime. The Internal Revenue Service, however, has taken a different approach. Instead of asking for data relating to specific individuals suspected of a crime, it has demanded that bitcoin trading site Coinbase provide the identities of all of the firm's US customers who made transactions over a three year period, because there is a chance they are avoiding paying taxes on their bitcoin reserves. Coinbase has millions of customers. According to court filings, which were first flagged by financial blogger Zerohedge on Twitter, the IRS has launched an investigation to determine the correct amount of tax that those who use virtual currencies such as bitcoin are obligated to pay. But according to the documents, the IRS is asking for the identities of any US Coinbase customer who transferred crypto-currency with the service between 2013 and 2015. (Although the site does allow the trade of alternative virtual currency Ethereum, it was not introduced until 2016, so it is outside the scope of this IRS request.)


UK Parliament approves unprecedented new hacking and surveillance powers (The Intercept, 22 Nov 2016) - A few years ago, it would have been unthinkable for the British government to admit that it was hacking into people's computers and collecting private data on a massive scale. But now, these controversial tactics are about to be explicitly sanctioned in an unprecedented new surveillance law. Last week, the U.K.'s Parliament approved the Investigatory Powers Bill, dubbed the "Snoopers' Charter" by critics. The law, which is expected to come into force before the end of the year, was introduced in November 2015 after the fallout from revelations by National Security Agency whistleblower Edward Snowden about extensive British mass surveillance. The Investigatory Powers Bill essentially retroactively legalizes the electronic spying programs exposed in the Snowden documents - and also expands some of the government's surveillance powers. Perhaps the most controversial aspect of the new law is that it will give the British government the authority to serve internet service providers with a "data retention notice," forcing them to record and store for up to 12 months logs showing websites visited by all of their customers. Law enforcement agencies will then be able to obtain access to this data without any court order or warrant. In addition, the new powers will hand police and tax investigators the ability to, with the approval of a government minister, hack into targeted phones and computers. The law will also permit intelligence agencies to sift through "bulk personal datasets" that contain millions of records about people's phone calls, travel habits, internet activity, and financial transactions; and it will make it legal for British spies to carry out "foreign-focused" large-scale hacks of computers or phones in order to identify potential "targets of interest."


- and -

The FBI hacked over 8,000 computers in 120 countries based on one warrant (Motherboard, 22 Nov 2016) - In January, Motherboard reported on the FBI's "unprecedented" hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case. The figures illustrate the largest ever known law enforcement hacking campaign to date, and starkly demonstrate what the future of policing crime on the dark web may look like. This news comes as the US is preparing to usher in changes that would allow magistrate judges to authorize the mass hacking of computers, wherever in the world they may be located. "We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman said in a hearing at the end of October, according to the transcript. Fieman is representing several defendants in affected cases. Those cases revolve around the FBI's investigation into dark web child pornography site Playpen. In February 2015, the FBI seized the site, but instead of shutting it down, the agency ran Playpen from a government server for 13 days. However, even though they had administrative control of the site, investigators were unable to see the real IP address of Playpen's visitors, because users typically connected to it through the Tor network. In order to circumvent that anonymity, the FBI deployed what it calls a network investigative technique (NIT), or a piece of malware. That malware, which included a Tor Browser exploit, broke into the computer of anyone who visited certain child pornography threads on Playpen. It then sent the suspect's real IP address back to the FBI. According to court filings, the FBI obtained over 1,000 IP addresses of alleged US-based users. Over the past year, Motherboard has also found that the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey, and Norway too. But those are only a tiny handful of the countries in which the FBI was hacking computers. According to the newly published transcript, the FBI hacked computers in at least 120 countries. "The fact that a single magistrate judge could authorize the FBI to hack 8000 people in 120 countries is truly terrifying," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone call. (Soghoian has testified for the defense in Playpen cases.)


Now's the time for courts to accept digital signatures (LegalTech News, 23 Nov 2016) - Digital processes are quickly replacing manual ones across the country. However, the judicial system sometimes throws a wrench in those digital gears, and it could have ramifications for a society that increasingly desires to embrace technology for just about everything. A California lawyer was recently sanctioned by a bankruptcy court judge for using electronic signatures on a bankruptcy petition instead of handwritten, wet-ink signatures. The Electronic Signatures in Global and National Commerce (ESIGN) Act, which went into effect in 2000, permitted e-signatures to be legally accepted in commercial affairs, but it didn't specifically include usage in the courts. As such, the judge stated that, although electronic signatures are accepted in commercial dealings, they may not substitute for wet signatures on documents filed with the court. Moreover, the judge stated there was not sufficient means to prove the legitimacy of a document's electronic signature, so the signature didn't "protect the integrity of the documents filed in bankruptcy cases." The attorney's client signed a declaration stating the signature on the bankruptcy petition was indeed his intended signature. But the judge found that if the electronic signature contained sufficient evidence and complied with the court's rule, the declaration wouldn't be necessary. [Polley : Spotted by MIRLN reader Mike McGuire]


RESOURCES

Final papers posted from the George Washington Law Review's CFAA symposium (Orin Kerr, 21 Nov 2017) - Last year, the George Washington Law Review hosted a symposium on the controversial Computer Fraud and Abuse Act. I was honored to be the faculty adviser to the symposium. I'm happy to say that the final papers have been posted on the Law Review's website. Here are the papers in the order they appear in the issue:


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Computer crime costs $67 billion, FBI says (CNET, 19 Jan 2006) -- Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. "This would be 2.8 million U.S. organizations experiencing at least one computer security incident," according to the 2005 FBI Computer Crime Survey. "With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year." By comparison, telecommunication fraud losses are only about $1 billion a year, according to the U.S. Secret Service. Also, the overall cost to Americans of identity fraud reached $52.6 billion in 2004, according to Javelin Strategy & Research. Other surveys have attempted to put a dollar amount on cybersecurity damages in the past, but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project. "The data set is three or four times larger than in past surveys," he said. "It is obviously a staggering number, but that is the reality of what we see."


Vulnerability auctions killing responsible disclosure (ZDnet, 19 July 2006) -- More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected. At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting. "I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under 'responsible disclosure' or pay off my mortgage, which one do I choose?" Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder. "The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkit and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram. Last week, security firm Finjan published evidence, which was compiled by the company's Malicious Code Research Centre, that showed examples of vulnerabilities being sold online. Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand -- and therefore the price -- goes up.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.