Saturday, January 23, 2016

MIRLN --- 3-23 Jan 2016 (v19.02)

MIRLN --- 3-23 Jan 2016 (v19.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Libraries lend mobile Wi-Fi hot spots to those who need Internet service (NPR, 29 Dec 2015) - The mobile Wi-Fi hot spots let people get Internet service anywhere there's a cell connection. The library in Spring Hill, Tenn., is joining the likes of big-city libraries in New York and Chicago.

How to survive a software licensing audit (Information Week, 1 Jan 2016) - You've received a software licensing audit letter. What do you do now? You can disregard it, which is unwise, or react to it in a number of ways. There are better and worse ways of handling an audit, and if you don't know the difference, your audit experience may be more costly, time-consuming, and frustrating than it needs to be. Most companies want to do the right thing, but that very desire may drive them to take actions that are not in the best interest of their organizations. Here are a few factors that can help or hurt. * * *

Pentagon grants contractors an extension on hack detection rules (Nextgov, 4 Jan 2016) - The Pentagon has updated data breach rules for defense contractors to allow companies an extra year-and-a-half to comply with one portion. The original regulations, titled "Network Penetration Reporting and Contracting for Cloud Services," took effect Aug. 26, 2015, and cover more network problems and types of information than past guidelines. After hearing from 85 members of the public at an open meeting on Dec. 14, the Defense Department relaxed the regulations right before New Year's Eve. This second rule has been issued "to provide immediate relief" from one stipulation that had required vendors to comply with certain standards as soon as they are awarded a contract, Pentagon officials said. "Contractors are at risk of not being able to comply with the terms of contracts that require the handling of covered defense information," they said in the revision, which was published Dec. 30, 2015, in the Federal Register, the government's daily journal. At the meeting and in prior written comments, industry members emphasized they need an extension to institute certain National Institute of Standards and Technology security requirements (NIST SP 800-171). Those protections, which include multistep login procedures for systems, would have had to be in place before June 2016. The update moves back the deadline to "as soon as practical" but no later than Dec. 31, 2017. Now, contract awardees, within 30 days of winning work, must notify the department's chief information officer if any of the required NIST security controls are lacking. Pentagon officials say they believe the heads-up should enable the military to spot difficulties contractors are experiencing with requirements and possibly adjust them.

- and -

The hidden cybersecurity risk for federal contractors (FCW, 12 Jan 2016) - After a rough year of cyberattacks and data breaches, the federal government is getting serious about protecting its sensitive information when in the hands of its contractors. As a result, contractors are being sent to the front lines of the fight. Already, the Defense Department has imposed requirements to protect "unclassified controlled technical information," and it recently expanded these obligations via interim rules with immediate effect. The National Archives and Records Administration is about to complete its new regulation to better protect sensitive but unclassified federal information. The National Institute of Standards and Technology has issued new cyber protection standards intended for commercial companies. And the General Services Administration stands poised to issue new rules for schedule holders. We are going to see new cyber protection requirements in many solicitations and contract modifications. And an unwary contractor might become a casualty when it certifies compliance, even implicitly, with "all IT security standards." For example, the second draft request for proposals for GSA's Alliant 2 subjects contractors to "all ordering activity IT security standards … and government wide laws or regulation applicable to the protection of government wide information security." How can a contractor certify before it knows what "sensitive data and information" will be part of the performance of a task order? Or even what all the standards will be? Yet if a contractor does not certify or impliedly certify, it may lose the chance to compete for award. Agreement to the condition of providing cyber security that meets all the standards of any "sensitive data and information" could subject a contractor to risks under the False Claims Act.

The FBI's 'unprecedented' hacking campaign targeted over a thousand computers (Motherboard, 5 Jan 2016) - In the summer of 2015, two men from New York were charged with online child pornography crimes. The site the men allegedly visited was a Tor hidden service, which supposedly would protect the identity of its users and server location. What made the case stand out was that the Federal Bureau of Investigation (FBI) had used a hacking tool to identify the IP addresses of the individuals. The case received some media attention, and snippets of information about other, related arrests started to spring up as the year went on. But only now is the true extent of the FBI's bulk hacking campaign coming to light. In order to fight what it has called one of the largest child pornography sites on the dark web, the FBI hacked over a thousand computers, according to court documents reviewed by Motherboard and interviews with legal parties involved. "This kind of operation is simply unprecedented," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone interview. * * * "We're not talking about searching one or two computers. We're talking about the government hacking thousands of computers, pursuant to a single warrant," said Soghoian, the ACLU technologist. * * * "Although the application for the NIT in this case isn't public, applications for NITs in other cases are," said Soghoian. "Time and time again, we have seen the Department of Justice is very vague in the application they're filing. They don't make it clear to judges what they're actually seeking to do. They don't talk about exploiting browser flaws, they don't use the word 'hack.'" "And even if judges know what they're authorizing, there remain serious questions about whether judges can lawfully approve hacking at such scale," Soghoian added. But Fieman said that the warrant "effectively authorizes an unlimited number of searches, against unidentified targets, anywhere in the world." Soghoian, meanwhile, warned about what this scale of hacking may signal for the future of policing. "This is a scary new frontier of surveillance, and we should not be heading in this direction without public debate, and without Congress carefully evaluating whether these kind of techniques should be used by law enforcement," he said.

Why the blockchain, not bitcoin, is what's fascinating builders (ReadWrite, 6 Jan 2016) - A few years ago, Bitcoin, the distributed digital currency, was the hottest thing to roll through the intersection of finance and technology. It gained significant interest amongst those keen to create a peer-to-peer, cashless currency. But its attempt to enter the mainstream has been marred by reports of thefts, poor marketing, and a general lack of comprehension by the general populace. That's too bad, because Bitcoin is really just one application of a much broader technology: the distributed ledger known as the blockchain. And fortunately, people are beginning to understand the blockchain as a phenomenon distinct from Bitcoin specifically and digital currency in general. The blockchain's strength lies in how it decentralizes transactions of all sorts, allowing all kinds of digital assets to be safely and permanently exchanged. It also promises the potential to create records that can't be erased by attacking some central store of data. Because of these features, the blockchain possesses the potential to increase security and accountability in a range of industries. Here are just a few new ways the blockchain is being used. Some may surprise you. * * *

- and -

A Bitcoin believer's crisis of faith (NYT, 14 Jan 2016) - Mike Hearn, a British computer programmer, holed up in his two-bedroom apartment in Zurich over several days and nights last week, writing a cri de coeur. Two years ago, Mr. Hearn quit a cushy programming job at Google's Swiss headquarters to devote himself full time to what was his great passion: the virtual currency Bitcoin. He was one of a handful of developers around the world dedicated to maintaining the basic software that governs both the creation of new Bitcoins and the network on which the financial transactions take place. But a nasty fight has torn apart the small brotherhood of Bitcoin developers and raised questions about the survival of the virtual currency. Mr. Hearn, until recently one of the most prominent leaders of the Bitcoin project, became so disillusioned that in December he sold the few hundred Bitcoins he had left and quietly took a job at a new start-up. The impassioned blog post he was working on last week was an announcement that he was leaving Bitcoin behind entirely: "Bitcoin has gone from being a transparent and open community to one that is dominated by rampant censorship and attacks on bitcoiners by other bitcoiners." The dispute - which grew out of a question about the number of transactions the Bitcoin network can handle - may sound like something of interest only to the most die-hard techies. But it has exposed fundamental differences about the basic aims of the Bitcoin project, and how online communities should be governed. * * * [Polley: VERY interesting issue, well-reported. Also see Bitcoin has 'failed,' says one of its most prominent developers (Business Insider, 15 Jan 2016)]

- and -

FinTech Bits: Bitcoin and terrorist financing (Steptoe, 15 Jan 2016) - Following the attacks in Paris and San Bernardino, polls show that Americans identify terrorism - more than any other issue - as the most important problem facing the US. In this environment, some media outlets have predicted a pending "crackdown" on digital currencies, particularly by European governments, because of the risk that the technology could be used to fund terrorism. But do digital currencies like bitcoin actually pose a unique threat when it comes to funding terrorist networks? Jason Weinstein published a post on Medium earlier this week - "Combating Bitcoin Use by Terrorists?" - that seeks to answer this question. Jason's post applauds governments and law enforcement for increasing scrutiny on how terrorists communicate and fund their activities. But a singular focus on digital currencies is misplaced. According to a recent report from the UK Treasury, the money laundering risk posed by digital currencies is "low." Traditional banks, charities, and cash (of course) all pose a greater risk. The public, permanent nature of bitcoin's distributed ledger actually makes it easier for law enforcement to "follow the money" without the need for a subpoena or cooperation from a foreign government. Law-abiding companies and emerging coalitions like the Blockchain Alliance have a crucial role to play, both by educating law enforcement, the media, and the public and by building the capacity to go after criminals and terrorists who may try to use digital currencies for nefarious purposes.

- and -

Why you should buy back your Bitcoin (Lawfare, 16 Jan 2016) - Last week, we hated on bitcoin. This week we give it some love. This week, Brookings hosted a discussion on Bitcoin and the technology that undergirds the currency, specifically focusing on the promise of the distributed ledger. The panel featured David Wessel, Michael Barr, Brad Peterson, Barry Silbert, and Margaret Liu, on how the blockchain could revolutionize payment flows and reduce the cost of financial transactions, all while securing information and enhancing privacy. They also tackle some of the most pressing policy questions facing the technology - from consumer protection to terrorists' finances - and how those tensions can be addressed. It's a relatively positive take on Bitcoin and its future potential and an argument for why you should buy back your Bitcoin if you sold it after last week's show featuring Lawfare's Bitcoin skeptic, Nick Weaver.

- and -

Call for papers: Demystifying Blockchain (ESTS Journal; 1 February 2016)

- and -

The technology behind bitcoin is coming to high finance faster than anyone predicted (Business Insider, 20 Jan 2016) - 11 top investment banks have used blockchain technology to do mock trades with each other, signaling a big step towards adopting the technology first developed for bitcoin into mainstream finance. R3, an industry-wide consortium of 42 investment banks looking at the technology, announced in an email that banks "simulated exchanging value, represented by tokenized assets on the distributed ledger without the need for a centralized third party." In plain English: banks traded toy money and tokens representing shares and commodities with each other over this new, decentralized network, which meant they didn't need to go through a third-party settlement or clearing house. The trades were carried out in R3's lab environment - a safe sandbox for them to experiment in. The 11 banks involved in the proof of concept were: Barclays, BMO Financial Group, Credit Suisse, Commonwealth Bank of Australia, HSBC, Natixis, Royal Bank of Scotland, TD Bank, UBS, UniCredit, and Wells Fargo. R3 says the "transition from vision to execution" represents "a major step forward for the application of distributed ledger technology across the entire industry."

- and -

Dutch arrest 10 men suspected of using Bitcoin to launder money (Reuters, 20 Jan 2016) - Ten men suspected of using the digital currency Bitcoin to launder up to 20 million euros ($22 million) of criminal money made from online drug deals have been arrested in the Netherlands, Dutch prosecutors said on Wednesday. The men, described as all in their 20s and with Dutch nationality, were arrested on Tuesday in coordinated raids on 15 locations around the country, said spokeswoman Valentine Hoen of the country's Fiscal Information and Investigation Service.

The world on your phone: Periscope offers a powerful new tool for bar associations (ABA's Bar Leader, 7 Jan 2016) - Live video streaming with the Twitter-owned Periscope application is one way to bring bar members and others into the audience or behind the scenes at legal education seminars and bar association events.

By effectively turning your smartphone into a satellite news truck, enabling you to broadcast live video that is accessible from anywhere in the world, Periscope and similar social media platforms are augmenting the marketing and audience engagement strategies of organizations of all types and sizes, from Fortune 500 companies to media outlets to local nonprofits. Karen Korr, director of communications and outreach strategy at the San Diego County Bar Association, says Periscope and Meerkat, a similar application, were the focus of a presentation at a recent event the SDCBA organized with the local chapter of the Society of Professional Journalists. The event was designed to bring together lawyers, judges and reporters for learning and networking. * * * But for bar association staff members and others, Periscope also represents a potential new component of a successful marketing strategy. It provides an opportunity to educate those interested in your area of expertise and draw them into your circle. * * * [Polley: there are IP issues associated with unrestricted use of Periscope-like services - e.g., in the performance rights for a CLE program. Bar associations (and others) need to factor this into their embrace of such tools.]

The Internet of Things that talk about you behind your back (Bruce Schneier, 8 Jan 2016) - SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make. It can link the things you do on your tablet with the things you do on your work computer. Your computerized things are talking about you behind your back, and for the most part you can't stop them - or even learn what they're saying. This isn't new, but it's getting worse. * * *

Why Amazon's data centers are hidden in spy country (The Atlantic, 8 Jan 2016) - Once in a while - not quite often enough to be a crisis, but just often enough to be a trope - people in the United States will freak out because a huge number of highly popular websites and services have suddenly gone down. For an interminable period of torture (usually about 1-3 hours, tops) there is no Instagram to browse, no Tinder to swipe, no Github to push to, no Netflix to And Chill. When this happens, it usually means that Amazon Web Services is having a technical problem, most likely in their US-East region. What that actually means is that something is broken in northern Virginia. Of all the places where Amazon operates data centers, northern Virginia is one of the most significant, in part because it's where AWS first set up shop in 2006. When I contacted AWS to ask specific questions about the data-center region, how they ended up there, and the process of deciding between building data centers from scratch versus leasing existing ones, they declined to comment. Unlike Google and Facebook, AWS doesn't aggressively brand or call attention to their data centers. They absolutely don't give tours, and their website offers only rough approximations of the locations of their data centers, which are divided into "regions." Within a region lie at minimum two "availability zones," and within the availability zones there are a handful of data centers. I knew I wasn't going to be able to find the entirety of AWS' northern Virginia footprint, but I could probably find bits and pieces of it. My itinerary was a slightly haphazard one, based on looking for anything tied to Vadata, Inc., Amazon's subsidiary company for all things data-center-oriented. Google's web crawlers don't particularly care about AWS' preference of staying below the radar, and searching for Vadata, Inc. sometimes pulls up addresses that probably first appeared on some deeply buried municipal paperwork and were added to Google Maps by a robot. It's also not too hard to go straight to those original municipal documents with addresses and other cool information, like fines from utility companies and documentation of tax arrangements made specifically for AWS. (Pro tip for the rookie data-center mapper: if you're looking for the data centers of other major companies, Foursquare check-ins are also a surprisingly rich resource). * * * [Polley: fascinating; good detective story, too.]

OFAC issues cyber-related sanctions regulations (Steptoe, 8 Jan 2016) - On December 31, 2015, the US Treasury Department, Office of Foreign Assets Control (OFAC) issued the Cyber-Related Sanctions Regulations (CRSR), 31 C.F.R. Part 578. The CRSR formally implement the sanctions set forth in Executive Order (EO) 13694 of April 1, 2015, which authorizes sanctions against persons involved in malicious "cyber-enabled" activities, and are effective immediately.

Yes, PACER stinks … but is it also overcharging its customers? (David Post in WaPo, 9 Jan 2016) - As anyone who has ever used PACER - the "Public Access to Court Electronic Records" system under which you and I and the rest of the public can get access to ostensibly "public" information about cases in the US federal court system - knows quite well, the system is antiquated and inefficient. Registration and login procedures are cumbersome, the interface is dreadful, and searching is truly state-of-the-art, circa 1995, relying, as it does, on an incomprehensible series of indexing conventions. [You can get a taste of this by using the free "training sessions," available here.] It is also quite expensive to use. The system charges $0.10 per HTML page for all documents retrieved by a search - a charge that would perhaps make sense if this were a photocopying machine, but is pretty outrageous for the display of an electronic file. [There is a cap of $3.00 per document - but insofar as there may be dozens or scores of documents pertaining to any individual case, the charges can mount up …] This is part of a much larger, and much more serious, problem - the absence of a publicly-accessible, searchable repository of authoritative information about the statutes, regulations, judicial opinions, etc. that constitute the law of this country. But that is a story for another day. According to a lawsuit filed a couple of weeks ago in the Western District of Washington, that's not the only problem. The suit - filed on behalf of a class consisting of "all PACER users who, within the last six years, accessed a U.S. District Court, U.S. Bankruptcy Court, or the U.S. Court of Federal Claims and were charged for at least one docket report in HTML format" - asserts that PACER has been overcharging users for years, by systematically miscalculating the number of pages displayed by any given search. [See also US Courts Administrative Office sued because PACER's bad math is overcharging users (TechDirt, 8 Jan 2016)]

Investors want AT&T to clarify policies on surveillance requests (OpenMic, 11 Jan 2016) - Citing concern about reports of behavior that appear inconsistent with AT&T's pledge to protect customer privacy "to the fullest extent possible," shareholders are asking the company to clarify how it provides information to law enforcement and intelligence agencies "above and beyond what is legally required by court order or other legally mandated process." The shareholder proposal cites an August 2015 New York Times story which reported that as recently as 2013, AT&T shared 60 million foreign-to-foreign emails a day with the National Security Agency (NSA), on a voluntary basis, not required by court order. The Times article analyzed NSA documents, one of which stated that AT&T's relationship with the NSA was "a partnership, not a contractual relationship." The proposal was filed by Arjuna Capital, an investment manager. Arjuna was a co-sponsor of a related 2014 shareholder proposal, which asked AT&T to publish semi-annual transparency reports on government requests for customer information. The proposal was withdrawn after AT&T, like Verizon Communications, agreed to publish transparency reports. "While AT&T must comply with its legal obligations, failure to persuade customers of a genuine and long-term commitment to privacy rights could present AT&T with serious financial, legal and reputational risks," the proposal states. AT&T is seeking to block a vote on the proposal by shareholders and has filed a request with the Securities and Exchange Commission for a "no-action" letter to allow the company to exclude the proposal from its 2016 proxy statement. Among other arguments, AT&T suggests that "implementing the Proposal would cause AT&T to violate federal laws intended to protect the intelligence-gathering activities of the United States." [Polley: see related story below in "Looking Back"]

Admissions officers check applicants on social media (InsideHigherEd, 14 Jan 2016) - About 40 percent of admissions officers say they research applicants on social media, according to a survey released Wednesday by Kaplan Test Prep. That's quadruple the percentage from a 2008 Kaplan survey. At the same time, the survey found that most admissions officers who do check social media don't use it often -- of those who use social media to check on applicants, 89 percent said they did so "rarely." Some of the reasons people check are potentially positive, such as investigating applicants' abilities and interests. But Kaplan officials have heard anecdotal reports of "admissions sabotage" in which some people send tips to admissions officers that other applicants have images on Facebook or elsewhere that might give an admissions panel doubt about offering a spot.

Snopes' field guide to fake news sites and hoax purveyors (Snopes, 14 Jan 2016) - The sharp increase in popularity of social media networks (primarily Facebook) has created a predatory secondary market among online publishers seeking to profitably exploit the large reach of those networks and their huge customer bases by spreading fake news and outlandish rumors. Competition for social media's large supply of willing eyeballs is fierce, and a number of frequent offenders regularly fabricate salacious and attention-grabbing tales simply to drive traffic (and revenue) to their sites. Facebook has worked at limiting the reach of hoax-purveying sites in their customers' news feeds, inhibiting (but not eradicating) the spread of fake news stories. Hoaxes and fake news are often little more than annoyances to unsuspecting readers; but sometimes circulating stories negatively affect businesses or localities by spreading false, disruptive claims that are widely believed. So long as social media allows for the rapid spread of information, manipulative entities will seek to cash in on the rapid spread of misinformation. Perhaps the most egregious of the many nonsense peddlers on social media are fake news sites, so here we offer a guide to several of the most frequent (and unapologetic) hoax purveyors cluttering up newsfeeds everywhere. * * *

Could 'explorable explanations' help tell a new kind of story? (Columbia Journalism Review, 14 Jan 2016) - Newsrooms have become increasingly focused on interactive journalism and creative graphics as they look for new ways to progress storytelling in the digital age. Now, they're venturing into more advanced techniques, borrowing from tools commonly used in computer modeling and game development. Take, for example, the "parole simulator," a collaborative effort from FiveThirtyEight and The Marshall Project, released last year. The two outlets joined forces on a project that explores the fairly dystopian methods of predictive policing. Their piece focused on Pennsylvania, which may become the first state to adopt a sentencing system that would use big data to predict a defendant's future criminality when assigning prison time. The simulator demonstrates how predictive policing already plays out during parole hearings, and allows readers to adjust parameters and see how outcomes change based on their choices. The parole simulator is unique from much of what is found in interactive journalism in that it uses real-world data to project uncertain outcomes based on reader input. One way to refer to this type of work is through the term "explorable explanations," coined by former Apple designer Bret Victor to describe a genre and philosophy of the internet that encourages active readership. Nicky Case is both a practitioner and a champion of this philosophy. Case pulls from systems thinking, animation, modeling, game development, computational sociology, and a good dose of nonlinear thinking to create interactive models that float somewhere between journalism and gaming. "I'm a bee," says Case. "I cross-pollinate fields." In March, Case will begin a Mozilla Knight Open-News fellowship at PBS Frontline, with the intent of creating simple-to-use tools for journalists who want to experiment with explorable explanations. * * *

CFTC proposes cybersecurity testing (Steptoe, 14 Jan 2016) - Last month, the Commodity Futures Trading Commission (CFTC) approved for publication two proposed rules to amend existing regulations addressing cybersecurity. The proposed rules would establish testing requirements for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs), and derivatives clearing organizations (DCOs). In particular, the proposed rules would require DCMs, SEFs, SDRs, and DCOs to conduct five types of cyber testing: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response testing; and (5) enterprise technological risk assessment. The proposed rules also would establish minimum testing frequencies and independent contractor testing requirements for DCOs, SDRs, and covered DCMs (i.e., those whose total annual trading volume is five percent or more of the total annual trading volume of DCMs regulated by the CFTC for the year in question).

Clinic works w/law scholars to argue against copyright in legal codes (Harvard, 15 Jan 2016) - This week, the Harvard Law School Cyberlaw Clinic, on behalf of a group of esteemed law scholars, filed an amicus brief (pdf) in the United States District Court for the District of Columbia in American Society for Testing and Materials (ASTM) v. Public.Resource.org. Amici argue in the brief that model codes incorporated into law are not, and should not be, copyrightable. Several standards developing organizations (SDOs) - including ASTM, the National Fire Protection Association (NFPA), and the American Society of Heating, Refrigerating, and Air Conditioning Engineers (ASHRAE) - filed the lawsuit against Public Resource back in 2013, alleging copyright and trademark infringement. After a lengthy discovery process, the federal District Court in D.C. is currently considering motions for summary judgment from both parties.

Patenting pedagogy? (InsideHigherEd, 15 Jan 2016) - A recent patent application by Khan Academy is raising questions about whether teaching methods can be patented, but patent law experts see the move as an influential player fortifying its position in the market. Ultimately, the U.S. Patent and Trademark Office will have the last say. The online education platform, which primarily focuses on K-12 education and test preparation, in March applied for a patent for "systems and methods for split testing educational videos" -- in other words, the method of showing students two different clips and determining which one is more effective at teaching a certain topic. News of the patent application, first reported by Slashdot, was met with confusion from ed-tech analysts over the holidays. Why, they asked, would Khan Academy, a nonprofit whose mission is to "provide a free, world‑class education for anyone, anywhere" patent what effectively amounts to A/B testing in education? How would it affect other online education providers? Most importantly, could it even be patented? Intellectual property and patent law experts, pointing to supporting documents filed with the patent application, said the patent suggests Khan Academy is aware of the growing interest in online and adaptive education. Applying for a patent now, the experts said, could prevent legal issues in the future. * * * In order to actively sue another company for patent infringement unprovoked, Khan Academy would have to violate what is known as an innovator's patent agreement. Introduced by Twitter in 2012 in an effort to make patents more palatable to developers, the agreement is a contract that ensures a company that holds a patent is unable to use it for "offensive" purposes -- suing a company, for example -- unless it gets permission from the employee who came up with the idea or invention. In this case, Khan Academy entered into an innovator's agreement with Matt Faus, a developer. Khan Academy did not respond to a request for comment. A copy of the innovator's patent agreement can be seen here.

This stunning map shows the flow of traffic across the globe using the anonymous network TOR (Business Insider, 18 Jan 2016) - The Tor Project is one of the most important organisations on the internet. It doesn't have the same mainstream name recognition as Google or Facebook, but its work is arguably equally important - it provides a way to securely and anonymously browse the internet. It maintains the Tor network, a global network of computers that give its users a free and easy way to get online without being tracked. Traffic is routed through a series of relay servers, masking its original location, while the Tor Browser comes with an array of other privacy-centric features. Tor frequently gets bad press because it can help facilitate online drug dealing and other nefarious activities. But it's also a godsend to activists, dissidents living in authoritarian regimes, journalists - and anyone else who needs to communicate online securely and anonymously. It debuted in 2002 and was based on technology from the US military. How is it used today? Uncharted, a data-visualisation company, has created a map of traffic on the network, Wired reports. By moving the slide, you can see how the traffic flow has changed as the network has grown. Double-click or use the buttons to zoom in for a better look. [Polley: this is very interesting, especially when you move the slider from 2008 to today.]

top

Judge refuses to toss graffiti artist's suit claiming his mural was used on dress worn by Katy Perry (ABA Journal, 19 Jan 2016) - A federal judge in California has refused to dismiss a lawsuit by a graffiti artist who claims the Moschino apparel brand used his work on a dress worn by pop star Katy Perry at an art gala. U.S. District Judge Stephen Wilson ruled for the graffiti artist known as Rime, whose real name is Joseph Tierney, in a Jan. 13 order (PDF), according to the Hollywood Reporter's THR, Esq. blog. Tierney's trademark and copyright infringement suit claims Moschino used portions of Tierney's Detroit "vandal eyes" wall mural in the dress and used his tag "Rime" in the related clothing collection. Besides the intellectual property claims, the suit alleges negligence and violations of California law regarding unfair competition and appropriation of name and likeness. Moschino and its creative director had sought to dismiss the lawsuit partly on the basis of California's anti-SLAPP statute, intended to protect defendants from lawsuits based on First Amendment activity.

top

Data breach logs: The new 'hot' document (Corporate Counsel, 19 Jan 2016) - Much has been written about Canada's amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), which (subject to implementing regulations) will require most companies doing business in Canada to notify the national Privacy Commissioner and affected Canadian consumers if the breach of personal data creates "a real risk of significant harm to an individual." But scant attention has been paid to another provision of this new law that was passed in June 2015: a requirement that companies maintain "a record of every breach of security safeguards involving personal information under its control." This latter requirement continues to await implementation. Now that elections have taken place in Canada, the new government's implementing order is expected soon. As U.S. cyber lawyers who counsel clients with operations, employees and customers in Canada, we view this requirement to create a "breach log" as potentially disrupting certain key risk-mitigation practices common among American companies. Understanding to whom this new law applies, how it applies and how vigorously it will be enforced will be critical to developing an internal strategy that addresses compliance requirements while appropriately protecting against creating a discoverable liability "roadmap" for private or government enforcers. A statutorily mandated "breach log" has the potential to be a game changer for U.S. companies. Companies are now experiencing their second or third significant breach (along with dozens of minor incidents), creating a history of cybersecurity performance ripe for examination. Because acquiring information about a company's breach can be both expensive and time-consuming, regulators and class action plaintiffs are always looking for quick, inexpensive ways to gather that evidence. A breach log may prove to be not only a windfall to them, but also one of the most important documents in any breach. * * *

top

Mettle Fatigue: VW's single-point-of-failure ethics (IEEE, January 2016; by Roland Trope and Eugene Ressler) - In September 2015, after issuing denials for more than a year, Volkswagen (VW) officials admitted that multiple makes and models of its diesel vehicles contained defeat device software. Defeat device is a US Environmental Protection Agency (EPA) term of art for any technology that causes a vehicle to behave differently in the lab than on the road. On 18 September 2015, the EPA and the California Air Resources Board (CARB) issued notices of violation (NoVs) to VW. The NoVs reveal a succession of dishonest actions. For seven years, from 2009 through 2015, VW personnel installed defeat devices, despite apparently knowing that doing so violated the federal Clean Air Act. And it appears that supervisors knew about and condoned these actions. As VW Chairman Dieter Hans Pötsch recently observed, there was "an attitude in some areas of our company that tolerated breaches of rules ... and I freely admit that is the factor that we all find the most difficult to accept." * * * In this article, we develop a plausible explanation for how trained VW engineers could have decided to devise corrupt software to cheat emissions control tests rather than design an engine that could pass them. We construct two chronologies: one details the decisions that brought the defeat device software into production, and the other traces VW's denials to regulators. We draw on facts the chronologies illuminate to explain the dysfunctional practices that appear to account for what happened inside VW. We then discuss serious challenges posed by the use of defeat device software. The first is that VW's development of defeat devices constitutes a new form of insider cyberthreat: the use of corrupt software for dishonest purposes. The second is the ethical breakdown that occurred and how to prevent its recurrence.

top

NOTED PODCASTS/MOOCS

What's hot in cybersecurity for law firms? (Ride the Lightning, 5 Jan 2016; 25 mins) - It's not often that Jim Calloway, my co-host on the Legal Talk Network Digital Edge podcast, and I have a chance to interview my partner John Simek, but when a guest suddenly had to reschedule, we used the opportunity to have John talk about "What's Hot in Cybersecurity for Law Firms?" The answer, of course, is "a lot." We are seeing more and more law firms scrambling to get security certifications like the International Standards Organization (ISO) 27001 certification. Others self-certify or have third parties certify to compliance with the National Institute of Standards (NIST) small business standards. John offers helpful resources for small firms, talks about the data breaches of 2015, discusses e-mail encryption and the recent Texas ethics opinion, tells lawyers how to protect their networks from ransomware, cites the most common security mistakes in law firms and offers a view into the security world evolving from passwords to multi-factor authentication. If you want a fast run-down of security concerns for law firms in 2016, here it is in 25 minutes.

top

RESOURCES

What Made the Ostrich Lift Its Head? Significant Developments in Cybersecurity (ABA's The Business Lawyer, by Roland Trope and Lixian Loong Hantover, Winter 2016) - From the introduction: Roland Trope and Lixian Hantover lead off with a review of cybersecurity developments, wondering rhetorically in the title of their piece whether this might be the year when business and government finally begin to take seriously the threats posed by network intrusions. The November 2014 cyberattack against Sony Pictures Entertainment, which resulted in exposure of internal company data and unreleased films, focused public attention on the reality and seriousness of destructive cyberattacks, and offers context for the developments that Trope and Hantover review. They describe an executive order that the attack prompted, calling for the imposition of sanctions against cyberattackers located outside the United States. They also describe the Securities and Exchange Commission's new regulation, called System Compliance and Integrity, which is aimed at improving the resilience of the U.S. securities markets' network infrastructure to cyberattacks.

top

Hoofnagle and Meleshinsky on native advertisement and endorsement (MLPB, 13 Jan 2016) - Chris Jay Hoofnagle, School of Information, University of California, Berkeley, and School of Law, Berkeley Center for Law & Technology, and Eduard Meleshinsky, Bryan Schwartz Law, have published Native Advertising and Endorsement: Schema, Source-Based Misleadingness, and Omission of Material Facts in Technology Science #2015121503 (December 15, 2015). Here is the abstract: Native advertising is the new term for "advertorials," advertisements disguised as editorial content. Modern native advertising started in the 1950s, but its first uses were clearly signaled to the consumer. This paper explains why consumers might be misled by advertorials - even when labeled as such - when advertising material has elements of editorial content. Results summary: We surveyed consumers (N=598) with a realistic, labeled advertorial embedded in a blog. We found that just over one-quarter of respondents (27%) thought that the advertorial was written by a reporter or an editor. We find that labeling - even using a "sponsored content" disclosure - is insufficient to disabuse a significant minority of consumers about the provenance of the advertising material. Our findings are not generalizable, since we targeted the survey to internet users who appeared on marketing lists derived from behavioral tracking. However, our findings are compatible with those of other researchers who suggested that in addition to initial disclosures, elements in the advertorial itself must also signal to the consumer that this may be commercial material. While the advertorial we tested was a story about the potential of abuse of diet pills, the writing made dramatic claims about the effectiveness of named products for weight loss and included a portrait replicated from a real advertisement appearing in a health magazine. We found that merely using a blue background to frame the endorser's portrait led many respondents to think her to be a medical expert. Traditionally, the appearance of a lab coat or stethoscope has signaled a medical expert endorsement, something subject to greater regulation. Our findings point to consumers using subtle clues about context to associate an endorser with an expert profession. We conclude by discussing regulatory options for the FTC, including a ban on advertorials, enhanced disclosure requirements, and approaches that put the burden on publishers to show that advertorials are not misleading. -- We explain why consumers might be misled by advertorials - even when labeled - when advertising material has elements of editorial content. -- We surveyed nearly 600 consumers online with an advertorial embedded on a blog site. -- 27% of consumers thought the advertorial was written by a reporter or editor. -- 60% of consumers thought the spokesperson was a medical expert with a background image of blue products versus 23% with a white background. -- We present regulatory options for the FTC, including a ban on advertorials, enhanced disclosure requirements, and putting the burden on publishers to show that advertorials are not misleading.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

AT&T says cooperation with NSA could be legal (CNET, 22 August 2006) -- An AT&T executive on Tuesday offered a glimpse into how a company could be required to cooperate with a federal entity such as the National Security Agency. James Cicconi, AT&T's senior executive vice president for external and legislative affairs, said there are "very specific federal statutes that prescribe means, in black and white law, for provision of information to the government under certain circumstances." "We have stringently complied with those laws," Cicconi said. "It's pretty obvious, you know, as far as the court case is going, that they've not reached a different conclusion." That's a slightly more detailed explanation than AT&T has publicly offered so far. In February, AT&T declined to answer related questions from CNET News.com. In May, an AT&T spokesman told News.com: "Without commenting on or confirming the existence of the program, we can say that when the government asks for our help in protecting national security, and the request is within the law, we will provide that assistance." Because Cicconi was AT&T's general counsel before the merger with SBC Communications, he would have been responsible for reviewing the legality of cooperating with the NSA. A longtime Republican, Cicconi worked as deputy chief of staff to President George H.W. Bush and as an assistant to President Ronald Reagan. He's recently served as co-chairman of Progress for America, a prominent group devoted to electing Republican politicians. Cicconi's remarks--in response to a question at the Progress and Freedom Foundation's annual summit here--seem to indicate that AT&T received formal authorization from the U.S. Department of Justice to authorize the program. The existence of such a letter has never been confirmed. Cicconi may have been referring to an obscure section of federal law, 18 U.S.C. 2511, which permits a telecommunications company to provide "information" and "facilities" to the federal government as long as the attorney general authorizes it. The authorization must come in the form of "certification in writing by...the Attorney General of the United States that no warrant or court order is required by law." If a letter of certification exists, AT&T could be off the hook in its lawsuits. Federal law says that a "good faith" reliance on a letter of certification "is a complete defense to any civil or criminal" lawsuit, including one brought against the company by the Electronic Frontier Foundation. (Other officials, including the deputy attorney general and state attorneys general, also are authorized to write these letters.)

top

US drops plan to restrict foreign researchers (InfoWeek, 9 June 2006) -- The Commerce Department has withdrawn proposed changes to export rules that would have tightened restrictions on foreign researchers working in the U.S. The department's Bureau of Industry and Security (BIS) said last week it is withdrawing two "deemed" exports proposals that originated with the Defense Department. They would have limited foreign researchers' access to sensitive U.S. technologies. According to the Commerce Department, "An export of technology or source code (except encryption source code) is 'deemed' to take place when it is released to a foreign national within the United States." The bureau said in a ruling published in the Federal Register that it "determined that the current licensing requirement based upon a foreign national's country of citizenship or permanent residency is appropriate." The Pentagon was seeking to tighten restrictions on deemed exports to restrict the flow of technical knowledge to potential enemies. The new restrictions would have, among other things, affected contracts for classified scientific research involving foreign nationals. Universities and research groups vigorously opposed the plan in comments filed with the Commerce Department. BIS said its decision to withdraw the proposals reflected most of the public comments filed in response to a proposed rulemaking.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top

Saturday, January 02, 2016

MIRLN --- 13 Dec 2015 - 2 Jan 2016 (v19.01)

MIRLN --- 13 Dec 2015 - 2 Jan 2016 (v19.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

!!! HAPPY NEW YEAR !!!

permalink

NEWS | LOOKING BACK | NOTES

Online property information aids deed thieves (ABA Journal, 9 Dec 2015) - Online property information is making it easier for swindlers to forge deeds so they can sell vacant homes to unsuspecting buyers. The problem is particularly bad in New York City, where 120 cases are being investigated, the Wall Street Journal (sub. req.) reports. The city posts online copies of deeds, mortgages, liens and other documents. That makes it possible for scammers to see information such as owners' signatures, addresses, emails and phone numbers. The information also makes it easier to obtain owners' Social Security numbers. David Szuchman, chief of the investigative division of the Manhattan District Attorney's office, tells the Wall Street Journal that the online records have become "one-stop shopping for fraud." The New York City Department of Finance is trying to stop the fraud by notifying property owners when a new deed is recorded for their property. Detroit and Chicago are also reporting increased deed fraud. Cook County, which includes Chicago, is currently investigating 62 cases.

top

Ninth Circuit hears arguments on IP address blocking and shared accounts under the CFAA (Orin Kerr, 11 Dec 2015) - On Wednesday, the Ninth Circuit heard argument in Facebook v. Power Ventures, an important case on the Computer Fraud and Abuse Act ("CFAA"). The case considers whether a company violated the CFAA by accessing Facebook accounts with user permission in violation of Facebook's Terms of Service, even after Facebook sent a cease-and-desist letter to the company and blocked its IP address. And that's not the only CFAA case the Ninth Circuit recently heard on using shared passwords. A different panel heard argument in United States v. Nosal on a similar question but involving very different facts. Let's start with the Facebook case. Power Ventures ("Power") allowed Facebook users to set up an account at the Power website and to give Power permission to access the user's Facebook account on the user's behalf. Facebook didn't like this, as it wanted to maintain control of Facebook's system. So Facebook told Power to stop accessing its website and also blocked an IP address used by the Power website. Power continued to access Facebook's site anyway. The legal question: Did the subsequent access by Power, with Facebook user permission but against the permission of Facebook, constitute a criminal unauthorized access under the CFAA? * * * Last month's oral argument in United States v. Nosal ("Nosal II") provides an intriguing contrast. Nosal II considers whether a former employee violated the CFAA when he persuaded a current employee to give him the employee's username and password to the company network and then used the account for his own purposes. In a forthcoming essay on the CFAA, "Norms of Computer Trespass," to be published in the Columbia Law Review, I offer an approach to deciding both of these cases. I've mentioned the draft before, but I posted an improved version of the still-forthcoming article two weeks ago. Here's a brief rundown of my approach. * * *

top

New York attorney general solicits help from the public in broadband probe (Reuters, 13 Dec 2015) - New York Attorney General Eric Schneiderman invited the public on Sunday to test the speed of their Internet and submit the results online as part of an ongoing probe into whether large providers may be short-changing customers with slower-than-advertised speeds. The office launched an investigation into Verizon Communications Inc, Cablevision Systems Corp and Time Warner Cable Inc in October over the issue. Schneiderman's office sent the three companies letters asking for a variety of information, including copies of any tests they have done on Internet speeds and copies of the disclosures they have made to their customers. On Sunday, Schneiderman said he wanted feedback from the public to assist with the investigation. He announced his office has created a new online broadband test on a site called Internethealthtest.org that will capture a customer's "throughput" - or the speed at which customers actually access Internet content. After the test is completed, he said he wants customers to submit a screenshot of the results and fill out an online form.

top

- and -

Comcast cap blunder highlights how nobody is ensuring broadband meters are accurate (TechDirt, 28 Dec 2015) - For years now we've noted that while broadband ISPs rush toward broadband caps and usage overage fees, nobody is checking to confirm that ISP meters are accurate. The result has been user network hardware that reports usage dramatically different from an ISP's meters, or users who are billed for bandwidth usage even when the power is out or the modem is off. Not only have regulators historically failed to see the anti-innovation, anti-competitive impact of usage caps, you'd be hard pressed to find a single official that has even commented on the problem of inaccurate broadband usage meters. Enter Comcast, which has, of course, been slowly but surely expanding its usage caps into more and more noncompetitive markets. And given that Comcast continues to have among the worst customer service in any U.S. industry, the combined end result is about what you'd expect. Like users who say they've been repeatedly over-billed for broadband consumption that never actually occurred: "Oleg received warnings in September and another in October, the latter while he was overseas for a multiple-week vacation with his wife. When they returned home on November 9th, Comcast's data meter was "showing I used 120 gigs of data, like, while I was gone," he wrote. Customers can check their usage on Comcast's website." ...Calls with Comcast customer service agents didn't clear up the problem. "I called Comcast... and was patronizingly informed that 'it must be somebody stealing your Wi-Fi,'" he wrote. "Possible, but highly unlikely. I'm a software developer, Linux kernel contributor, and I take my home security very seriously."

top

Kazakhstan's unsettling new cybersecurity plan (Slate, 14 Dec 2015) - One of the fun and fascinating - and sometimes frightening - things about Internet security policy is that no one has any idea how to do it well. Governments pretty much make it up as they go along - often attempting slight variations on other countries' efforts, occasionally coming up with unusual and unexpected new twists. Witness the decision by Kazakhstan earlier this month to require its citizens to install a "national security certificate" on all of their devices as of Jan. 1. Digital certificates are how we make sure that the websites we visit and communicate with are actually the websites we think they are. Kazakhstan's approach here is an odd melding of old and new policy ideas - lots of countries, including the United States, have been struggling to deal with encrypted digital communications and to provide appropriate access channels for law enforcement or intelligence officials. That is, essentially, what a mandatory certificate issued by the Kazakh government would do, by enabling government officials to execute man-in-the-middle attacks on their citizens' encrypted communications. At the same time, Kazakhstan's approach is a relatively new one, both because it seems to rely on its government issuing a certificate specifically designated for the purpose of intercepting traffic, and because it relies on individuals to proactively download that certificate onto devices. [Polley: reminds me a bit of the "Secure Hardware Environment" in Vernor Vinge's terrific SciFi novel "Rainbows End".]
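The defensive counterpart to the scheme described above, added here as an example and not code from the MIRLN item, Slate, or any vendor: once a root certificate like the mandated one is trusted, its holder can mint certificates for any site, so a basic detective control is to diff the local trust store against a baseline allowlist and alert on any other root. The dicts follow the shape Python's ssl.SSLContext.get_ca_certs() returns; the allowlist, sample store entries and baseline date are constructed for this example.

```python
"""Audit a TLS trust store for unexpected root certificates.

Added example (not from the MIRLN item or any vendor). The cert dicts use
the tuple-of-RDN-tuples 'subject'/'issuer' layout and the
"%b %d %H:%M:%S %Y GMT" date strings that ssl.SSLContext.get_ca_certs()
returns, so audit_trust_store() can be pointed at a live store too.
"""
import ssl

# Constructed allowlist: organizations whose self-signed roots we expect.
ALLOWED_ORGS = {"Example Root CA Ltd", "Another Trusted Root Inc"}


def name_field(name_tuples, key):
    """Pull one attribute (e.g. 'organizationName') out of the
    ((('countryName', 'US'),), (('organizationName', ...),), ...) layout."""
    for rdn in name_tuples:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def audit_trust_store(certs, allowed_orgs=ALLOWED_ORGS, baseline_epoch=None):
    """Return one finding per suspicious trusted certificate.

    Checks: (1) the subject organization is not on the allowlist;
    (2) the entry is not self-signed, i.e. an intermediate was dropped into
    the root store; (3) optionally, notBefore is later than baseline_epoch
    (seconds since the epoch), i.e. the root appeared after the last review.
    """
    findings = []
    for cert in certs:
        subject = cert.get("subject", ())
        issuer = cert.get("issuer", ())
        org = name_field(subject, "organizationName")
        reasons = []
        if org not in allowed_orgs:
            reasons.append("organization %r not in allowlist" % (org,))
        if subject != issuer:
            reasons.append("not self-signed; issuer is %r"
                           % (name_field(issuer, "organizationName"),))
        if baseline_epoch is not None:
            # stdlib helper that parses the get_ca_certs() date format
            if ssl.cert_time_to_seconds(cert["notBefore"]) > baseline_epoch:
                reasons.append("issued after baseline review date")
        if reasons:
            findings.append({
                "organization": org,
                "commonName": name_field(subject, "commonName"),
                "serialNumber": cert.get("serialNumber"),
                "reasons": reasons,
            })
    return findings


def live_trust_store():
    """The roots Python's default verification context trusts on this host."""
    return ssl.create_default_context().get_ca_certs()


def _name(country, org, cn):
    return ((("countryName", country),),
            (("organizationName", org),),
            (("commonName", cn),))


_EXPECTED = _name("US", "Example Root CA Ltd", "Example Root CA")
_INTERMEDIATE = _name("US", "Example Root CA Ltd", "Example Issuing CA 1")
_INTERCEPT = _name("XX", "Constructed Interception Root",
                   "Constructed National Certificate")

# Constructed sample store: an expected root, a misplaced intermediate, and
# an unexpected root shaped like a freshly installed interception certificate.
SAMPLE_STORE = [
    {"subject": _EXPECTED, "issuer": _EXPECTED, "version": 3,
     "serialNumber": "01",
     "notBefore": "Jan  1 00:00:00 2010 GMT",
     "notAfter": "Jan  1 00:00:00 2030 GMT"},
    {"subject": _INTERCEPT, "issuer": _INTERCEPT, "version": 3,
     "serialNumber": "1A2B",
     "notBefore": "Dec 28 00:00:00 2015 GMT",
     "notAfter": "Dec 28 00:00:00 2025 GMT"},
    {"subject": _INTERMEDIATE, "issuer": _EXPECTED, "version": 3,
     "serialNumber": "02",
     "notBefore": "Jun 15 00:00:00 2014 GMT",
     "notAfter": "Jun 15 00:00:00 2024 GMT"},
]

# Constructed baseline: when the store was last reviewed.
BASELINE_EPOCH = ssl.cert_time_to_seconds("Dec  1 00:00:00 2015 GMT")


if __name__ == "__main__":
    for finding in audit_trust_store(SAMPLE_STORE, baseline_epoch=BASELINE_EPOCH):
        print(finding)
    # On a real host, pass live_trust_store() and a maintained allowlist instead.
```

Run periodically against live_trust_store() with the allowlist kept under version control, and any root that appears outside a change window becomes an alert rather than a silent interception capability.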

top

In the race to open Congress's secretive think tank, a new trove of confidential research goes public (WaPo, 14 Dec 2015) - A new website is cracking open Congress's secretive in-house think tank with a free, publicly accessible archive of 33,000 research reports on public policy issues from the U.S. Postal Service to Bitcoin. CRSReports.com joins at least two other efforts to wrest the highly regarded studies by the nonpartisan Congressional Research Service from the confidential files of Senate and House lawmakers, who request the research and keep it secret unless they choose to release it themselves. "What we're doing is simply accessing publicly available websites and downloading what we think are CRS documents," said Antoine McGrath, 30, who is based in San Francisco and has a passion for digital archives. "We're casting a wide net." McGrath, who worked for the nonprofit Internet Archive, a free digital library, is collaborating on his CRS project with two software programmers who have written code that scans about 100 sites for metadata in CRS studies. The oldest one they've found dates to March 24, 1989: "The Corporate Minimum Tax: Rationale, Effects, and Issues." The new site calls itself the Internet's "largest free and public collection of Congressional Research Service reports." It has competition, from the Federation of American Scientists and the University of North Texas, both of which have amassed impressive digital libraries of CRS reports. But none of the three can claim to scrape the Internet for every one of the thousands of studies issued to members of Congress every year by experts on just about every subject that touches government. So it's a race of sleuths to do the most exhaustive scans they can, from academic sites to postings by embassies and other groups.

top

Half of law firms do not have a data protection committee (SC Magazine, 16 Dec 2015) - As corporations struggle to prepare against massive breaches like those that have rattled the industry over the past year, two reports by a legal competitive intelligence group shed light on how perspectives are shifting among legal professionals. The two reports, published by ALM Legal Intelligence, the competitive intelligence unit of ALM Media, explore reactions to cyber threats as voiced by law firms and corporate clients. The results demonstrated some of the conflicting cyber priorities for corporate entities and their legal teams. As the legal sector weighs the logistical challenge of preventing hacks and data breaches, charting a strategic plan is a challenge for law firms. One of the reports, "Cybersecurity and Law Firms," surveyed 69 professionals at law firms, serving in CIO (28 percent), COO (14 percent), IT director (14 percent), information security director (9 percent), CFO (7 percent) and executive director (7 percent) positions. The report found only half of the law firm professionals surveyed said their firm has a data protection team or committee in place. The report also noted that 73 percent of the professionals surveyed said their firm has a data breach plan in place, while 22 percent of the respondents said their firm is in the process of creating a plan.

top

- and -

A cyber attack is headed your way (ALM, 16 Dec 2015) - Talking about when to "trigger incident response," during a panel discussion, speakers at ALM cyberSecure - which brought 557 attendees to Midtown on Tuesday and was hosted by GlobeSt.com's parent company - first worked to convey to attendees the high probability of an attack. It didn't take them long. "It's virtually impossible that you won't be attacked in the next 18 months," declared panel moderator Mark Sangster, VP, marketing, eSentire. Added Richard Jacobs, assistant special agent in charge of the cyber branch, New York office, FBI, "There are still companies that don't think an attack against them is likely, but on Sept. 10th, 2001, the thought of airplanes crashing into buildings and killing thousands of people didn't seem likely either. So we need to be ready." Attorney Vince Polley, principal, KnowConnect, echoed that last thought. "The time to start planning is now." He advised professionals to first conduct a risk assessment. "Determine what do you have and what you need. Evaluate using third party service providers and the rules that apply to your behavior set by industry organizations." He also suggested putting together a team of first responders. "Identify the internal team; those who will have to make a decision and take action when an incident happens. That should include people in governance, information technology, legal, press/investor relations, marketing, sales and financial systems. Don't let customers fall into the trap that IT can solve this alone; it can't." Further, Polley advised, "Pre-arrange external resources, such as law enforcement and technical tools/providers. If you've practiced and developed relationships and cues with each other beforehand, it's a lot easier - which means cheaper. Organizations that are proactive and have good incident response planning have been shown to see a shift in the costs of mitigating a breach."

top

Ninety Percent of industries, not just healthcare, have disclosed PHI in breaches (Dark Reading, 17 Dec 2015) - Financial services companies, retailers, government agencies, take heed. You're vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday. The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a "patient" by the breached organization. Therefore, not all "PHI" in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist's office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program. In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations.

Secret document exposes how the U.S. government spies on your cellphone (Mashable, 18 Dec 2015) - The Intercept has obtained a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies. The document, thick with previously undisclosed information, also offers rare insight into the spying capabilities of federal law enforcement and local police inside the United States. The catalogue includes details on the Stingray, a well-known brand of surveillance gear, as well as Boeing "dirt boxes" and dozens of more obscure devices that can be mounted on vehicles, drones, and piloted aircraft. Some are designed to be used at static locations, while others can be discreetly carried by an individual. They have names like Cyberhawk, Yellowstone, Blackfin, Maximus, Cyclone, and Spartacus. Within the catalogue, the NSA is listed as the vendor of one device, while another was developed for use by the CIA, and another was developed for a special forces requirement. Nearly a third of the entries focus on equipment that seems to have never been described in public before. The Intercept obtained the catalogue from a source within the intelligence community concerned about the militarization of domestic law enforcement. (The original is here.) A few of the devices can house a "target list" of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages. * * * Judges have been among the foremost advocates for ending the secrecy around cell-site simulators, including by pushing back on warrant requests. At times, police have attempted to hide their use of Stingrays in criminal cases, prompting at least one judge to throw out evidence obtained by the device. In 2012, a U.S. magistrate judge in Texas rejected an application by the Drug Enforcement Administration to use a cell-site simulator in an operation, saying that the agency had failed to explain "what the government would do with" the data collected from innocent people. * * *

German court orders man to destroy naked images (BBC, 22 Dec 2015) - Germany's highest court has ordered a man to destroy intimate photos and videos of his ex-partner because they violate her right to privacy. The Federal Court said the man, a photographer, should no longer possess naked photos and sex tapes, even if he had no intention of sharing them. The woman had originally agreed to the images but this consent stopped when the relationship ended, the court said. Germany has some of the strictest privacy laws in Europe. The Federal Court was called upon to rule in a dispute between a former couple, who were arguing over whether or not the man should delete intimate photos and videos. In its ruling (in German), the court said everyone had the right to decide whether to grant insight into their sex life - including to whom they grant permission and in what form. It said that by retaining the images, the photographer had a certain "manipulative power" over his ex-lover. He should no longer have rights to the photos and videos once the relationship had ended, it concluded. It is not clear how the ruling will be enforced.

Add two more states to those that have adopted duty of technology competence (Robert Ambrogi, 23 Dec 2015) - In my continuing effort to track states that have adopted the ethical duty of technology competence for lawyers, I have two more to add, one that adopted it recently and one that I missed from earlier this year: (1) Iowa adopted the rule on Oct. 15, 2015, effective immediately. Here is the rule and here is the order from the Supreme Court of Iowa; (2) Utah adopted the rule on March 3, 2015, effective May 1, 2015. Here is the rule and here is the order. Unless I've missed others, that brings the number of states that have adopted the rule to an even 20.

How does the Cybersecurity Act of 2015 change the Internet surveillance laws? (Orin Kerr, 24 Dec 2015) - The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I'll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn't entirely clear. * * *

Harvard Law Review freaks out, sends Christmas Eve threat over public domain citation guide (TechDirt, 28 Dec 2015) - In the fall of 2014, we wrote about a plan by public documents guru Carl Malamud and law professor Chris Sprigman to create a public domain book for legal citations (stay with me, this isn't as boring as it sounds!). For decades, the "standard" for legal citations has been "the Bluebook" put out by Harvard Law Review, and technically owned by four top law schools. Harvard Law Review insists that this standard of how people can cite stuff in legal documents is covered by copyright. This seems nuts for a variety of reasons. A citation standard is just a method for how to cite stuff. That shouldn't be copyrightable. But the issue has created ridiculous flare-ups over the years, with the fight between the Bluebook and the open source citation tool Zotero representing just one ridiculous example. In looking over all of this, Sprigman and Malamud realized that the folks behind the Bluebook had failed to renew the copyright properly on the 10th edition of the book, which was published in 1958, meaning that that version of the book was in the public domain. The current version is the 19th edition, but there is plenty of overlap from that earlier version. Given that, Malamud and Sprigman announced plans to make an alternative to the Bluebook called Baby Blue, which would make use of the public domain material from 1958 (and, I'd assume, some of their own updates -- including, perhaps, citations that it appears the Bluebook copied from others). * * * Apparently, this sent the Harvard Law Review into a bit of a tizzy, and they made their lawyers at the big, respectable law firm of Ropes & Gray come into the office on Christmas Eve to dash off this ridiculous threat letter to Malamud and Sprigman, demanding that they not move forward with releasing Baby Blue. * * *

Google defeats copyright lawsuit over Waze data (Eric Goldman, 28 Dec 2015) - The basic copyright rule is clear: facts are not copyrightable; factual compilations can be. However, this simple rule masks considerable nuance. What is a "fact," how does it differ from "non-facts," what does it mean to "compile" facts, and when is a compilation sufficiently original to become copyrightable? These questions are more epistemological than legal, so not surprisingly, the associated legal disputes routinely baffle judges. As a result, the copyright caselaw regarding facts and compilations is confused, and confusing. These issues surfaced again in a recent case where Google defeated a copyright challenge over data used in its Waze navigation application (Google bought Waze in 2013). The plaintiff, PhantomALERT, offers a GPS-based navigational app that competes with Waze. Both apps use databases containing "the location of traffic conditions, road hazards, and traffic enforcement monitors, such as speed cameras" (what the court calls a "points of interest database"). PhantomALERT alleged that Waze ripped off its points of interest database, as evidenced by the alleged presence of fake points of interest created by PhantomALERT appearing in Waze's database. This fact pattern resembles Feist v. Rural Telephone Service, the seminal 1991 Supreme Court opinion involving the copying of telephone "white pages" data. * * * The Feist case casts a long shadow on the PhantomALERT case. The court held that individual points of interest were facts and therefore never copyrightable. PhantomALERT argued that it exercised some judgment deciding where to place each point of interest on its map and how much advance notice to give drivers about each point of interest. The court says the location decision is driven by functional considerations, which I infer means that PhantomALERT sought to be as factually precise as possible to improve the app's functionality. The court also says there's no evidence Waze copied any of PhantomALERT's judgments about where to locate the points of interest or how much notice to give drivers. But what about PhantomALERT's overall compilation of points of interest? Per basic copyright law, PhantomALERT ought to have a compilation copyright for its database as a whole. The judgments PhantomALERT made to prepare a detailed map surely are significantly more extensive than the simplistic alphabetization of white pages info. However, the compilation copyright would be "thin" in the sense that it would only prevent wholesale verbatim copying. Any other implementation shouldn't be copyright infringement because it doesn't copy PhantomALERT's original contributions. Applying these basic principles, the court says there doesn't appear to be any originality in how PhantomALERT organized the points of interest database, but PhantomALERT may have exercised enough judgment selecting which points of interest to include in the database. As evidence of PhantomALERT's editorial judgment about selecting or excluding facts, the court gave the example of how PhantomALERT may delete speed traps from its database if it believes those traps don't pose a significant risk to drivers. * * *

Report: 191M voter records exposed online (The Hill, 28 Dec 2015) - Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet. The information contains voters' names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000. While in most states, voter registration lists are a matter of public record, many have regulations restricting access and use. For example, South Dakota requires those requesting access to voter data to confirm that the information "may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet." Security researcher Chris Vickery discovered the breach and reported it to DataBreaches.net, which has since reached out to law enforcement, as well as the California attorney general's office. Steve Ragan, a security blogger for the security and risk management website CSO, has also investigated the breach, noting that none of the political database firms he identified and reached out to in connection with the database claimed ownership of the IP address where the files are posted.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Bush lets U.S. spy on callers without courts (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible "dirty numbers" linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. "This is really a sea change," said a former senior official who specializes in national security law. "It's almost a mainstay of this country that the N.S.A. only does foreign searches." Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation's legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. [Editor in 2005: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I'm astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren't two centuries of statutory, regulatory, and case-law gloss. Editor in 2015: <sigh>.]

Trojan e-mails suggest trend toward targeted attacks (Computerworld, 17 June 2005) -- A report on Trojan e-mail attacks against critical-infrastructure systems in the U.K. highlights an emerging trend away from mass-mailing worms and viruses to far more targeted ones, analysts said. The U.K.'s National Infrastructure Security Co-Ordination Center yesterday released a report (PDF format) disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable information (see story). Unlike with phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information, the report said. The attacks involved the use of e-mails containing so-called Trojan programs or links to Web sites containing Trojan files. Once installed on a user's system, Trojans covertly run in the background and perform a variety of functions, including collecting usernames, passwords and system information; scanning of drives; and uploading of documents and data to remote computers. "The e-mails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient," the report said. "In fact, they are 'spoofed,' making them appear to originate from trusted contacts, news agencies or government departments." The report highlights how hackers are starting to tailor their attacks and go after specific high-value targets instead of simply launching mass-mailing worms and viruses, said Mark Sunner, chief technology officer at MessageLabs Ltd., a New York-based provider of e-mail security services.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.