Sunday, March 27, 2016

MIRLN --- 6-26 March 2016 (v19.05)

MIRLN --- 6-26 March 2016 (v19.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Over half of British businesses to suffer cyber attacks by 2018, PwC says (Independent, 25 Feb 2016) - Cybercrime is expected to affect over half of British firms in the next two years, according to PricewaterhouseCoopers. PwC's latest Global Economic Crime Survey 2016 said that cyber attacks will become the UK's largest economic crime by 2018. More than half of UK organisations have been the victim of an economic crime (an illegal act committed by an individual or a group to obtain a financial or professional advantage) in the last two years, outstripping countries such as the US and China. A third of UK organisations admitted they have no response plan to protect themselves from an attack. Only 12 per cent of respondents believe that law enforcement authorities have the necessary skills to help. Nearly half of UK respondents say that cybercrime would have no impact on their reputation, and almost 60 per cent are not concerned about the potential for theft of intellectual property.

How the SEC decides whether to investigate breached entities (Vedder Price, 26 Feb 2016) - In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC's Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities. With respect to responding to a cyber intrusion, the SEC's stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or the Department of Homeland Security. Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies/procedures and the implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC's goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America's financial system. In other words, the SEC, at least from a priority standpoint, is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a "significant" disclosure issue. Ms. Avakian also pointed out that entities that self-disclose cyber intrusions will be rewarded with cooperation credit.

- and -

Businesses are still scared of reporting cyberattacks to the police (ZDnet, 3 March 2016) - Under a third of cyberattacks against businesses are reported to the police, suggesting that organisations are underestimating the threat posed by hackers and cybercrime, a new study has warned. According to "Cyber Security: Underpinning the Digital Economy", a report by the Institute of Directors and Barclays bank, companies are keeping quiet about being the victim of a cyberattack, even if their operations were badly affected by such an incident -- as figures suggest was the case for half of respondents. The research suggests that only 28 percent of cyberattacks against businesses were reported to the police, despite many police forces now having dedicated cybercrime divisions. Indeed, the report finds that whilst nine in ten business leaders said that cybersecurity was important, only around half had a formal strategy in place to protect themselves and just a fifth held insurance against an attack.

- and -

Investors don't reward candor about cyber risk - but the SEC might (Baker & McKenzie, 10 March 2016) - A study by three Creighton University professors concludes that company disclosures relating to cybersecurity risk are associated with significant declines in the company's share price. Reviewing the response to the SEC's 2011 guidance on disclosure regarding cybersecurity and cyber incidents, they find that few companies have chosen to make risk disclosures prior to the occurrence of a cyber breach, and that those that do make such disclosures suffer a decline in market price. Meanwhile, an SEC staff member has warned that companies that fail to disclose cyber breaches may face enforcement action. In "SEC Cybersecurity Guidelines: Insights into the Utility of Risk Factor Disclosures for Investors," Edward A. Morse, Vasant Raval and John R. Wingender reviewed how companies have responded to the SEC Division of Corporation Finance's 2011 guidance entitled "Cybersecurity." The 2011 guidance states, in part, that companies "should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky." The Creighton study (which considers pre-incident risk disclosure) reaches the following conclusions * * *

DHS publishes interim regulations for cybersecurity information sharing (Steptoe, 27 Feb 2016) - Last month, the Department of Homeland Security published interim policies, procedures, and guidelines required by the Cybersecurity Act of 2015. Title I of the Act, entitled the Cybersecurity Information Sharing Act of 2015 (CISA), calls for processes and protections for sharing cybersecurity threat information between government and private sector entities. The interim regulations consist of (1) guidance to non-federal entities on how to share information; (2) guidance as to how government agencies share information; (3) guidelines for privacy and civil liberties; and (4) policies and procedures for how the government will receive and use threat data shared under the Act.

California courts demand total access to email and social media accounts (The Intercept, 29 Feb 2016) - As the FBI and Apple fight a media war over whether the federal government can force the computer company to hack an iPhone, in California a new privacy law is raising questions over how deeply government should be allowed to peer into a convicted criminal's digital life. That new law, the California Electronic Communications Privacy Act (CalECPA), requires law enforcement to obtain a warrant before searching a person's cellphone, laptop, or any digital storage device. At issue is whether the law covers people on probation, parole, and other forms of supervised release who've agreed to what's known as a "Fourth waiver," a condition that allows law enforcement to search their person and property at any time. CalECPA took effect on January 1, 2016. Three days later, San Diego County prosecutors and Superior Court judges began asking defendants who were eligible for probation to sign a form giving "specific consent" to county probation officers "and/or a law enforcement government entity" to collect information that would be otherwise protected under CalECPA. * * * Issues with digital privacy aside, probation conditions are supposed to be narrowly tailored to address a person's crime and what will "reasonably" prevent future criminal acts, said Jeff Thoma, outgoing president of California Attorneys for Criminal Justice. "The whole idea of probation and sentencing is to individualize something," Thoma said. "When you don't do that and are just trying to put all these restrictions, it becomes, 'Oh we might catch this person doing something.'" In late January, the San Diego County public defender's office filed a petition with a state appeals court, arguing that the consent form hadn't gone through the proper vetting process. 
Shortly after the appeal was filed, judges who had been using the form stopped requiring probationers to sign it, and the district attorney's office stopped including it in plea deals offering probation.

Time to rethink mandatory password changes (FTC, 2 March 2016) - Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC's longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep abreast of security research and advice affecting their sector, as that advice may change. What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought. When people hear that I conduct research on making passwords more usable and secure, everyone has a story to tell and questions to ask. People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don't!) and ask me how strong they are. But my favorite question about passwords is: "How often should people change their passwords?" My answer usually surprises the audience: "Not as often as you might think." I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren't taken to correct security problems.)
Mandated password changes are a long-standing security practice designed to periodically lock out unauthorized users who have learned users' passwords. While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. Let's take a look at two excellent peer-reviewed papers that address this issue. * * *
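The "predictable ways" the post refers to can be made concrete. The following Python is an added example, not code from the FTC post or from the papers it cites: it generates the successor passwords a rotation-fatigued user is likely to pick from an old one (bumping the trailing number, appending a digit or symbol, dropping a character, flipping case, swapping leet characters, and compositions of two such steps) and reports how many guesses it takes to reach a given new password. The rule set is a small hypothetical one, and the sample passwords are constructed.

```python
import re

# Single-character "leet" swaps and the characters users most often tack on.
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
UNLEET = {v: k for k, v in LEET.items()}
SUFFIXES = list("0123456789") + list("!@#$")


def _bump_last_number(pw, delta):
    """Change the last run of digits in pw by delta, keeping its width."""
    runs = list(re.finditer(r"\d+", pw))
    if not runs:
        return None
    m = runs[-1]
    n = int(m.group()) + delta
    if n < 0:
        return None
    return pw[:m.start()] + str(n).zfill(len(m.group())) + pw[m.end():]


def transforms(pw):
    """Yield one-step rewrites of pw, most common rule first (hypothetical rule set)."""
    for delta in (1, 2, 3, -1):          # Summer2015 -> Summer2016, 2017, ...
        yield _bump_last_number(pw, delta)
    for ch in SUFFIXES:                  # append a digit or symbol
        yield pw + ch
    yield pw[:-1]                        # drop the last character
    if pw:
        yield pw[0].swapcase() + pw[1:]  # flip the case of the first letter
    yield pw.lower()
    yield pw.upper()
    for table in (LEET, UNLEET):         # a <-> @, s <-> $, o <-> 0, ...
        for src, dst in table.items():
            if src in pw:
                yield pw.replace(src, dst)


def successor_candidates(old, depth=2):
    """Ordered, de-duplicated guesses for the password a user picks after `old`.

    depth=2 also tries compositions of two rules (bump the year, then add '!').
    """
    seen = {old}
    ordered = []
    frontier = [old]
    for _ in range(depth):
        next_frontier = []
        for base in frontier:
            for cand in transforms(base):
                if cand and cand not in seen:
                    seen.add(cand)
                    ordered.append(cand)
                    next_frontier.append(cand)
        frontier = next_frontier
    return ordered


def rank_successor(old, new, depth=2):
    """1-based position of `new` in the guess list for `old`, or None if unreachable."""
    try:
        return successor_candidates(old, depth).index(new) + 1
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2015!", "Summer2016!"), ("Summer2015", "Summer2016!"),
                     ("P@ssword1", "P@ssword2"), ("Summer2015!", "Tq9#vLz2")]:
        print(f"{old!r} -> {new!r}: guess #{rank_successor(old, new)}")
```

A password-change endpoint is the one place that sees the old and the new password in plaintext at the same time, so it can call rank_successor and refuse a new password that is reachable within a few hundred guesses; an attacker holding a breached old password would run exactly this list first. The check does nothing for a credential that was already shared or phished, which is the post's other point.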

Company tracks Iowa caucusgoers by their cell phones (Schneier, 2 March 2016) - It's not just governments. Companies like Dstillery are too: "We watched each of the caucus locations for each party and we collected mobile device ID's," Dstillery CEO Tom Phillips said. "It's a combination of data from the phone and data from other digital devices." Dstillery found some interesting things about voters. For one, people who loved to grill or work on their lawns overwhelmingly voted for Trump in Iowa, according to Phillips. There were some pretty unexpected characteristics that came up too. "NASCAR was the one outlier, for Trump and Clinton," Phillips said. "In Clinton's counties, NASCAR way over-indexed." What really happened is that Dstillery gets information from people's phones via ad networks. When you open an app or look at a browser page, there's a very fast auction that happens where different advertisers bid to get to show you an ad. Their bid is based on how valuable they think you are, and to decide that, your phone sends them information about you, including, in many cases, an identifying code (that they've built a profile around) and your location information, down to your latitude and longitude. Yes, for the vast majority of people, ad networks are doing far more information collection about them than the NSA -- but they don't explicitly link it to their names. So on the night of the Iowa caucus, Dstillery flagged all the auctions that took place on phones in latitudes and longitudes near caucus locations. It wound up spotting 16,000 devices on caucus night, as those people had granted location privileges to the apps or devices that served them ads. It captured those mobile ID's and then looked up the characteristics associated with those IDs in order to make observations about the kind of people that went to Republican caucus locations (young parents) versus Democratic caucus locations. It drilled down farther (e.g., 'people who like NASCAR voted for Trump and Clinton') by looking at which candidate won at a particular caucus location.
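What Dstillery described amounts to a geofence over bid-request logs. The Python below is an added example, not Dstillery's code: it takes OpenRTB-shaped bid requests (a device advertising ID plus the latitude/longitude the ad SDK attached), keeps those within a radius of a known caucus site during the caucus window, de-duplicates them to device IDs, and then joins the IDs against an interest-profile table keyed on the same ID. The bid requests, site coordinates, profiles, time window and 150 m radius are all constructed for the example.

```python
import math
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=-6))          # Iowa local time on caucus night
WINDOW_START = datetime(2016, 2, 1, 19, 0, tzinfo=CST)
WINDOW_END = datetime(2016, 2, 1, 21, 0, tzinfo=CST)
RADIUS_M = 150.0                             # assumed geofence radius

# Constructed caucus sites (coordinates invented for the example).
CAUCUS_SITES = [
    {"name": "Precinct A", "lat": 41.6001, "lon": -93.6102},
    {"name": "Precinct B", "lat": 41.7200, "lon": -93.5500},
]

# Constructed bid requests, OpenRTB-shaped: device.ifa is the advertising ID the
# profile is keyed on, device.geo is the fix an SDK attaches when location is granted.
BID_REQUESTS = [
    {"id": "r1", "ts": "2016-02-01T19:05:00-06:00", "device": {"ifa": "dev-a", "geo": {"lat": 41.6000, "lon": -93.6100}}},
    {"id": "r2", "ts": "2016-02-01T19:40:00-06:00", "device": {"ifa": "dev-a", "geo": {"lat": 41.6002, "lon": -93.6101}}},
    {"id": "r3", "ts": "2016-02-01T20:15:00-06:00", "device": {"ifa": "dev-b", "geo": {"lat": 41.6003, "lon": -93.6105}}},
    {"id": "r4", "ts": "2016-02-01T19:50:00-06:00", "device": {"ifa": "dev-c", "geo": {"lat": 41.7201, "lon": -93.5498}}},
    {"id": "r5", "ts": "2016-02-01T17:30:00-06:00", "device": {"ifa": "dev-d", "geo": {"lat": 41.6001, "lon": -93.6102}}},  # before the window
    {"id": "r6", "ts": "2016-02-01T19:30:00-06:00", "device": {"ifa": "dev-e", "geo": {"lat": 41.6500, "lon": -93.6100}}},  # about 5 km away
]

# Constructed interest profiles previously built against the same advertising IDs.
PROFILES = {
    "dev-a": {"nascar", "grilling"},
    "dev-b": {"nascar"},
    "dev-c": {"nascar", "lawn-care"},
    "dev-e": {"grilling"},
}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def devices_near_sites(requests, sites, radius_m, start, end):
    """Map site name -> set of advertising IDs seen within radius_m during [start, end]."""
    hits = {s["name"]: set() for s in sites}
    for req in requests:
        ts = datetime.fromisoformat(req["ts"])
        if not start <= ts <= end:
            continue
        geo = req["device"]["geo"]
        for s in sites:
            if haversine_m(geo["lat"], geo["lon"], s["lat"], s["lon"]) <= radius_m:
                hits[s["name"]].add(req["device"]["ifa"])
    return hits


def interest_counts(hits, profiles):
    """Per site, how many flagged devices carry each interest tag."""
    out = {}
    for site, devs in hits.items():
        counts = {}
        for dev in devs:
            for tag in profiles.get(dev, ()):
                counts[tag] = counts.get(tag, 0) + 1
        out[site] = counts
    return out


if __name__ == "__main__":
    hits = devices_near_sites(BID_REQUESTS, CAUCUS_SITES, RADIUS_M, WINDOW_START, WINDOW_END)
    for site, counts in interest_counts(hits, PROFILES).items():
        print(site, sorted(hits[site]), counts)
```

Nothing in the join needs a name: the advertising ID alone ties the caucus-night fix to the interest profile, which is why the article can say the data is "not explicitly linked" to names and still describe individual-level targeting. The only control the device owner exercised was granting location access to whatever app served the ad.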

- and -

FTC issues warning letters to app developers using 'Silverpush' code (FTC, 17 March 2016) - The staff of the Federal Trade Commission has issued warning letters to app developers who have installed a piece of software that can monitor a device's microphone to listen for audio signals that are embedded in television advertisements. Known as Silverpush, the software is designed to monitor consumers' television use through the use of "audio beacons" emitted by TVs, which consumers can't hear but which can be detected by the software. The letters note that the software would be capable of producing a detailed log of the television content viewed while a user's mobile device was turned on, for the purpose of targeted advertising and analytics. The letters note that Silverpush has stated publicly that its service is not currently in use in the United States, but the FTC encourages app developers to notify consumers that their app could allow third parties to monitor consumers' television viewing habits should the software begin to be used in the United States. "These apps were capable of listening in the background and collecting information about consumers without notifying them," said Jessica Rich, Director of the FTC's Bureau of Consumer Protection. "Companies should tell people what information is collected, how it is collected, and who it's shared with." The warning letters note that the app developers ask users for permission to use the device's microphone, despite the apps not appearing to have a need for that functionality. The letters also note that nowhere do the apps in question provide notice that the app could monitor television-viewing habits, even if the app is not in use. The letters warn the app developers that if their statements or user interface state or imply that the apps in question are not collecting and transmitting television viewing data when in fact they do, the app developers could be in violation of Section 5 of the FTC Act. The FTC provided guidance in a 2013 staff report on best practices for privacy disclosures in mobile apps. The letters were issued to 12 app developers whose apps are available for download in the Google Play store and appear to include the Silverpush code.
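The detection step behind such a beacon is ordinary signal processing: the beacon is a narrow tone above the hearing range, and an app holding the microphone permission only has to test each capture frame for energy at that tone. The Python below is an added example, not Silverpush code: it synthesises a mock microphone capture containing an audible 440 Hz tone plus Gaussian noise, optionally adds an 18.5 kHz carrier, and uses the Goertzel algorithm to compare power in the carrier bin against two neighbouring bins used as a noise-floor estimate. The 18.5 kHz carrier, the 0.1 s frame, the guard-bin spacing and the threshold are assumptions; the FTC letters do not describe Silverpush's encoding, which would also have to modulate a payload identifying the advertisement.

```python
import math
import random

SAMPLE_RATE = 44100   # Hz, a common phone microphone capture rate
FRAME = 4410          # 0.1 s frames; 18500 Hz lands exactly on bin 1850
BEACON_HZ = 18500.0   # ASSUMPTION: near-ultrasonic carrier, not stated by the FTC
GUARD_HZ = 500.0      # off-carrier bins used to estimate the noise floor


def goertzel_power(samples, freq_hz, rate=SAMPLE_RATE):
    """|X[k]|^2 for the DFT bin nearest freq_hz, without computing a full FFT."""
    n = len(samples)
    k = round(n * freq_hz / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def beacon_frames(samples, beacon_hz=BEACON_HZ, threshold=50.0):
    """Per-frame flags: carrier-bin power exceeds threshold x mean power of the guard bins."""
    flags = []
    for i in range(0, len(samples) - FRAME + 1, FRAME):
        frame = samples[i:i + FRAME]
        p_beacon = goertzel_power(frame, beacon_hz)
        floor = (goertzel_power(frame, beacon_hz - GUARD_HZ)
                 + goertzel_power(frame, beacon_hz + GUARD_HZ)) / 2.0 + 1e-9
        flags.append(p_beacon / floor > threshold)
    return flags


def beacon_present(samples, beacon_hz=BEACON_HZ):
    """Require the carrier in a majority of frames so a single noisy frame cannot trigger."""
    flags = beacon_frames(samples, beacon_hz)
    return len(flags) > 0 and sum(flags) * 2 > len(flags)


def synth_tv_audio(seconds=0.5, beacon_amplitude=0.0, seed=7):
    """Constructed mic capture (16-bit scale): audible 440 Hz content plus noise, plus an optional beacon."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        x = 8000.0 * math.sin(2 * math.pi * 440.0 * t) + rng.gauss(0.0, 300.0)
        x += beacon_amplitude * math.sin(2 * math.pi * BEACON_HZ * t)   # inaudible to a listener
        out.append(x)
    return out


if __name__ == "__main__":
    print("with beacon:   ", beacon_present(synth_tv_audio(beacon_amplitude=200.0)))
    print("without beacon:", beacon_present(synth_tv_audio(beacon_amplitude=0.0)))
```

The carrier amplitude used here is a fortieth of the audible content, which is the point: nothing a user can hear changes, and the detector runs just as well from a background service. On Android the only gate is the RECORD_AUDIO permission the letters single out, which is why the FTC asks for explicit notice rather than relying on the user noticing anything.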

Sounds emitted by 3D printers could put intellectual property at risk (3Ders.org, 2 March 2016) - A new study from the University of California, Irvine, has revealed the surprising fact that the sounds emitted from a 3D printer could be enough to compromise valuable intellectual property, allowing cyber attackers to reverse-engineer and re-create 3D printed objects based on nothing more than a smartphone audio recording. The research was led by Mohammad Al Faruque, electrical engineer, computer scientist, and director of UCI's Advanced Integrated Cyber-Physical Systems Lab. He and his team demonstrated that the acoustic signals emitted by a 3D printer carry unique information about the precise movements of the nozzle, and that this information can be reverse-engineered to reveal the object's original source code. The acoustic information is in fact so precise that Al Faruque and his team were able to recreate a key-shaped object with nearly 90 percent accuracy using only the 3D printer's audio recordings. If used maliciously, the technique could represent a significant security threat.

- and -

How White Hat hackers stole crypto keys from an offline laptop in another room (Motherboard, 15 Feb 2016) - In recent years, air-gapped computers, which are disconnected from the internet so hackers cannot remotely access their contents, have become a regular target for security researchers. Now, researchers from Tel Aviv University and Technion have gone a step further than past efforts, and found a way to steal data from air-gapped machines while their equipment is in another room. "By measuring the target's electromagnetic emanations, the attack extracts the secret decryption key within seconds, from a target located in an adjacent room across a wall," Daniel Genkin, Lev Pachmanov, Itamar Pipman, and Eran Tromer write in a recently published paper. The research will be presented at the upcoming RSA Conference on March 3. "The attack in its current form uses lab equipment that costs about $3000 and, as shown in the photos, is somewhat unwieldy," Tromer told Motherboard in an email. "However, experience shows that once the physical phenomena are understood in the lab, the attack setup can be miniaturized and simplified." Although similar research on "listening" to steal crypto keys has been carried out before, this is the first time such an approach has been used specifically against elliptic curve cryptography running on a PC, the authors say.

Federal Circuit recognizes patent agent privilege (Patently-O, 7 March 2016) - In an interesting and important mandamus ruling, the Federal Circuit has ordered the district court to withdraw its order compelling discovery of communications with non-attorney patent agents. The decision here recognizes "patent agent privilege": [W]e find that the unique roles of patent agents, the congressional recognition of their authority to act, the Supreme Court's characterization of their activities as the practice of law, and the current realities of patent litigation counsel in favor of recognizing an independent patent-agent privilege. The court, however, includes the important limitation that the privilege only extends to the extent that communications fall within the patent agent's scope of practice as "authorized by Congress."

Google's Project Fi mobile network is now open to everyone in the US (The Verge, 7 March 2016) - Project Fi is ditching the invite system. 10 months after Google unveiled its own mobile network, which lets consumers pay only for the amount of data they use each month, the company is opening access to everyone inside the United States. "With Project Fi, we deliver fast wireless service with the flexibility to use it where you want (even internationally) and a monthly bill that's simple and easy to understand," wrote Simon Arscott, Fi's product manager, in a blog post. "Today, we're excited to be exiting our invitation-only mode and opening up Project Fi so that people across the U.S. can now sign up for service without having to wait in-line for an invite." For the next month, Google is discounting the Nexus 5X down to $199 as an inexpensive way to get started with Fi, which only works with Nexus smartphones. Project Fi connects to the cellular networks of both T-Mobile and Sprint, switching between the two to offer customers the best possible coverage. Google is also pushing Wi-Fi and public hotspots in a big way with Fi; over 50 percent of current customers connect to public hotspots using Fi's "Wi-Fi Assistant" on a weekly basis. As for cellular data, Google's Project Fi subscribers are impressively lean in their usage, averaging 1.6GB of data each month.

Maryland court suppresses evidence gathered by warrantless Stingray use (TechDirt, 9 March 2016) - The Maryland Special Appeals Court isn't buying government lawyers' arguments that warrantless deployment of Stingray devices has no 4th Amendment implications. The government had argued that "everyone knows" phones generate location data when turned on and this information is "shared with the rest of the world" (but most importantly with law enforcement). The court has yet to release its written opinion, but it did issue a one-page order upholding the lower court's suppression of evidence related to law enforcement's use of a Stingray. This ruling is especially important in Maryland, where Baltimore police have used the devices hundreds of times a year without seeking warrants or notifying judges and defendants about the origins of evidence. As has been noted here, the Baltimore police use pen register orders to deploy Stingrays, allowing it to obscure the usage of the devices as well as to avail itself of lower evidentiary demands. This won't be the case going forward.

Legal industry was heavily targeted with cyber threats in January (Bloomberg, 9 March 2016) - The legal industry reported more "cyber threats" in January than nearly any other sector, according to one estimate. The estimate is taken from a report by the IT security company TruShield, and was published last week. Only the retail industry, followed by the financial industry, were targeted more than the legal industry in January, the report found. It is consistent with other months for the legal industry to be in the top three most targeted, the report said. The majority of the threats in January, which include spamming, phishing, malware and scanning, originated in the U.S., followed by China and then South Korea. The report noted, however, that 60 to 70 percent of the malicious traffic from South Korea actually originates in China. Eran Kahana, a cyber security lawyer at the Maslon Law Firm in Minneapolis, said his own advice to law firms is that they gather their attorneys who deal in litigation, in cybersecurity and in privacy law and come up with a plan for handling cyber threats. Kahana added that they must remember that the firm is no different from any other business and that it is open to the threat of cyber-attacks. The report called it a surprise that the legal industry did not face any significant incidents, despite the high number of threats. Laura Jehl, co-chair of Sheppard Mullin's data security group in Washington, D.C., who reviewed the report, said the lack of significant events, such as a data breach, in the legal industry is likely because law firms are investing in network security. "I don't think they're necessarily safe," said Jehl, about law firms. "I think there's an element of luck, but I would hope there's been good training and preparation." [Polley: I think it's due to a lack of publicity.]

- and -

FBI alert warns of criminals seeking access to law firm networks (Bloomberg, 11 March 2016) - Earlier this month, the FBI's cyber division issued an alert that it has information that hackers are specifically targeting international law firms as part of an insider trading scheme. "In a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms," the alert from March 3rd stated. The FBI alert - 160304-001 - didn't share any other information, such as the name of the forum where it saw this post, or exactly when it was posted. But it did say that it believed the criminal behind the post is interested in obtaining sensitive information for insider trading purposes. The alert, which was sent to some law firms, did not appear to be posted online. "This goes well beyond hacking to obtain personal data and credit card numbers," Michael Overly, a partner at Foley & Lardner who focuses on cyber security issues, wrote in an email, adding that the alert highlights the growing sophistication of hackers. "In all honesty, I believe many law firms, particularly small and mid-size firms, are behind the curve when it comes to addressing information security," Overly added. "That is certainly changing as clients are now routinely sending security due diligence questionnaires to their counsel to assess the security preparedness of their firms." In March 2015, the New York Times reported on an internal Citigroup report that found "digital security at many law firms, despite improvements, generally remains below the standards for other industries." Overly predicted that firms with poor security will lose clients and those with better security will gain a competitive advantage. Laura Jehl, a Sheppard Mullin Richter & Hampton partner who works on cyber security, said the alert was "disturbing," but "not really surprising." "We've known for a while that law firms are a frequent target of hackers because they hold significant amounts of non-public information," Jehl wrote in an email. "The FBI warning is a clear reminder to firms that they need to protect their networks and be alert to increasingly sophisticated phishing and other schemes."

- and -

Help wanted: Insider trader seeks hacker to access law-firm networks (ABA Journal, 14 March 2016) - An FBI alert issued earlier this month warns law firms about an online ad seeking a hacker to access the networks of international law firms. The ad, posted to a cyber criminal forum, listed search terms that could contribute to an insider-trading scheme, Bloomberg Big Law Business reports. The FBI alert was sent to some law firms. Bloomberg Big Law Business spoke with cyber security lawyers for their take on the alert. Michael Overly, a partner at Foley & Lardner, told the publication the alert shows how hackers are growing increasingly sophisticated. "In all honesty, I believe many law firms, particularly small and mid-size firms are behind the curve when it comes to addressing information security," Overly said. "That is certainly changing as clients are now routinely sending security due diligence questionnaires to their counsel to assess the security preparedness of their firms." Pillsbury partner Brian Finch agreed that cyber security is an increasing focus. He said many international law firms have been upgrading their security networks, particularly law firms serving large financial institutions that are demanding better security. "It's also becoming an ethics requirement among the state bars," Finch told Bloomberg Big Law Business. "They're increasingly focused on it and I think that will drive attention to the issue."

- and -

Cybersecurity experts offer stern warnings, tips for security in mass-surveillance era (ABA Journal, 19 March 2016) - FaceTime is actually a pretty secure way to communicate. The FBI can access the camera on your laptop without you knowing about it. And lawyers should think twice before storing their confidential files on Dropbox. Those were just some of the tips and warnings given out by a panel consisting of cybersecurity heavyweights during a Friday evening plenary session at ABA Techshow. The panel, entitled "Can They Hear Me Now? Practicing Law in an Age of Mass Surveillance," was moderated by Above the Law's managing editor David Lat and consisted of digital rights attorney Marcia Hofmann, American Civil Liberties Union technologist Chris Soghoian and ACLU attorney Ben Wizner. The plenary session expanded on some of the themes Electronic Frontier Foundation executive director Cindy Cohn talked about during her Friday afternoon keynote address, particularly mass surveillance and the need for greater awareness of cybersecurity. Panelists focused on providing practical tips for attorneys on how best to safeguard their confidential information when everyone seems to be trying to steal it. * * *

- and -

Amid hacking threats, law firms turn to cyber insurance (American Lawyer, 21 March 2016) - With news of crippling cyber attacks against big companies making regular headlines, more and more law firms are buying cyber insurance to cover the cost of a data breach. According to insurance brokerage Aon, more than 60 out of the 250 medium and large law firms that it services have purchased cyber insurance within the last two years. Marsh said that close to 40 percent of its roughly 100 large law firm clients have purchased the insurance, up from 20 percent two years ago. The policies that law firms typically carry, such as lawyers' professional liability insurance, general liability insurance and property insurance, do not always provide coverage when employee rather than client data is compromised, or when the firm must hire a forensic team to determine what data was lost and how. They also most likely won't cover the cost of notifying regulators or engaging a public relations firm. Daniel Garrie, co-head of the cybersecurity practice at Zeichner Ellman & Krause, identified another factor that is pushing firms to buy cyber insurance. "Their clients are compelling the action," Garrie said. "They're requiring the law firms to have cyber insurance as a matter of business."

Federal Circuit: No new card game patents unless you also invent a new deck (Patently-O, 10 March 2016) - Ray and Amanda Smith's patent application claims a new method of playing Blackjack. The new approach offers the ability to bet on the occurrence of "natural 0" hands as well as other potential side bets. Claim 1 in particular requires a deck of "physical playing cards" that are shuffled and then dealt according to a defined pattern. Bets are then taken with the potential of more dealing, and eventually all wagers are resolved. In reviewing the application, Examiner Layno (Games art unit 3711) rejected these card game claims as ineligible under Section 101, noting that the claim is "an attempt to claim a new set of rules for playing a card game [and thus] qualifies as an abstract idea." The Patent Trial & Appeal Board affirmed that ruling, holding that "independent claim 1 is directed to a set of rules for conducting a wagering game which . . . constitutes a patent-ineligible abstract idea." The particular physical steps such as shuffling and dealing are conventional elements of card gambling and therefore (according to the Board) insufficient to transform the claimed abstract idea into a patent-eligible invention. On appeal, the Federal Circuit has affirmed, agreeing that the method of playing cards is an unpatentable abstract idea. The court held that a wagering game is roughly identical to the fundamental economic practices that the Supreme Court held to be abstract ideas in Alice and Bilski.

Microsoft: We store disk encryption keys, but we've never given them to cops (Motherboard, 11 March 2016) - Microsoft says it has never helped police investigators unlock its customers' encrypted computers, despite the fact that the company often holds the key to get their data. If you store important stuff on your computer, it's great to have the option to lock it up and encrypt your data so that no one can access it if you ever lose your laptop or it gets stolen. But what happens if, one day, you forget your own password to decrypt it? To give customers a way to get their data back in this situation, Microsoft has been automatically uploading a recovery key to the cloud for Windows computers since 2013. In light of the ongoing battle between Apple and the FBI over encryption, surveillance experts and technologists have criticized Microsoft for this feature because it doesn't give users a choice (other than deleting the key afterwards), and it gives the government the option to request that key from Microsoft if it ever needs it to get into a suspect's Windows computer. It's unclear if the US government, or any government, ever asked Microsoft for that, but a company spokesperson told Motherboard that Microsoft has never turned over customers' keys. "We haven't provided a customer encryption key to law enforcement," a Microsoft spokesperson told me in an email. [Polley: Parse their language carefully - it's not credible that MS hasn't assisted law enforcement, and if they had they'd likely be under disclosure restrictions. I'd bet that the quote means that MS has given plaintext to law enforcement, but not the keys themselves. Turning over enough plaintext, of course, facilitates key discernment; might be equivalent to key delivery.]

TP-Link blocks open source router firmware to comply with new FCC rule (Ars Technica, 11 March 2016) - Networking hardware vendor TP-Link says it will prevent the loading of open source firmware on routers it sells in the United States in order to comply with new Federal Communications Commission requirements. The FCC wants to limit interference with other devices by preventing user modifications that cause radios to operate outside their licensed RF (radio frequency) parameters. The FCC says it doesn't intend to ban the use of third-party firmware such as DD-WRT and OpenWRT; in theory, router makers can still allow loading of open source firmware as long as they also deploy controls that prevent devices from operating outside their allowed frequencies, types of modulation, power levels, and so on. But open source users feared that hardware makers would lock third-party firmware out entirely, since that would be the easiest way to comply with the FCC requirements. The decision by TP-Link - described by the company in this FAQ - shows that those fears were justified. TP-Link's FAQ acknowledges that the company is "limiting the functionality of its routers." "The FCC requires all manufacturers to prevent user[s] from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.)," TP-Link says. TP-Link says that it distributes devices with country-specific firmware and that "devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power." TP-Link says the change will go into effect for routers produced on and after June 2, 2016, a date set by the FCC in guidance issued in November.

Should all research papers be free? (NYT, 12 March 2016) - Drawing comparisons to Edward Snowden, a graduate student from Kazakhstan named Alexandra Elbakyan is believed to be hiding out in Russia after illegally leaking millions of documents. While she didn't reveal state secrets, she took a stand for the public's right to know by providing free online access to just about every scientific paper ever published, on topics ranging from acoustics to zymology. Her protest against scholarly journals' paywalls has earned her rock-star status among advocates for open access, and has shined a light on how scientific findings that could inform personal and public policy decisions on matters as consequential as health care, economics and the environment are often prohibitively expensive to read and impossible to aggregate and datamine. "Realistically only scientists at really big, well-funded universities in the developed world have full access to published research," said Michael Eisen, a professor of genetics, genomics and development at the University of California, Berkeley, and a longtime champion of open access. "The current system slows science by slowing communication of work, slows it by limiting the number of people who can access information and quashes the ability to do the kind of data analysis" that is possible when articles aren't "sitting on various siloed databases." Journal publishers collectively earned $10 billion last year, much of it from research libraries, which pay annual subscription fees ranging from $2,000 to $35,000 per title if they don't buy subscriptions of bundled titles, which cost millions. The largest companies, like Elsevier, Taylor & Francis, Springer and Wiley, typically have profit margins of over 30 percent, which they say is justified because they are curators of research, selecting only the most worthy papers for publication. Moreover, they orchestrate the vetting, editing and archiving of articles. That is the argument Elsevier made, supported by a raft of industry amicus briefs, when it filed suit against Ms. Elbakyan, resulting in an injunction last fall against her file-sharing website, Sci-Hub. But since a federal court order isn't enforceable in Russia (Ms. Elbakyan won't confirm where she is exactly), much less on the Internet, Sci-Hub continues to deliver hundreds of thousands of journal articles per day to a total of 10 million visitors.

- and -

Handful of biologists went rogue and published directly to Internet (Amy Harmon in NYT, 15 March 2016) - On Feb. 29, Carol Greider of Johns Hopkins University became the third Nobel Prize laureate biologist in a month to do something long considered taboo among biomedical researchers: She posted a report of her recent discoveries to a publicly accessible website, bioRxiv, before submitting it to a scholarly journal to review for "official" publication. It was a small act of information-age defiance, and perhaps also a bit of a throwback, somewhat analogous to Stephen King's self-publishing an e-book in 2000 or Radiohead's 2007 release of a download-only record without a label. To commemorate it, she tweeted the website's confirmation under the hashtag #ASAPbio, a newly coined rallying cry of a cadre of biologists who say they want to speed science by making a key change in the way it is published. Such postings are known as "preprints" to signify their early-stage status, and the 2,048 deposited on three-year-old bioRxiv over the last year represent a barely detectable fraction of the million or so research papers published annually in traditional biomedical journals. But after several dozen biologists vowed to rally around preprints at an "ASAPbio" meeting last month, the site has had a small surge, and not just from scientists whose august stature protects them from risk. On Twitter, preprint insurgents are celebrating one another's postings and jockeying for revolutionary credibility. * * *

VPN provider's no-logging claims tested in FBI case (Slashdot, 12 March 2016) - An anonymous reader writes from an article published on TorrentFreak: [A] criminal complaint details the FBI's suspicions that 25-year-old Preston McWaters had conveyed "false or misleading information regarding an explosive device." The FBI started digging and in February 2016 two search warrants against Twitter and Facebook required them to turn over information on several accounts. Both did and the criminal complaint makes it clear that the FBI believes that McWaters was behind the accounts and the threats. With McWaters apparently leaving incriminating evidence all over the place (including CCTV at Walmart where he allegedly purchased a pre-paid Tracfone after arriving in his own car), the FBI turned to IP address evidence available elsewhere. "During the course of the investigation, subpoenas and search warrants have been directed to various companies in an attempt to identify the internet protocol (IP) address from where the email messages are being sent," the complaint reads. "All the responses from [email provider] 1&1, Facebook, Twitter, and Tracfone have been traced by IP address back to a company named London Trust Media [doing business as] PrivateInternetAccess.com. A subpoena was sent to London Trust Media and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States," the FBI's complaint reads. "However, London Trust did provide that they accept payment for their services through credit card with a vendor company of Stripe and/or Amazon. They also accept forms of payment online through PayPal, Bitpay, Bit Coin, Cash You, Ripple, Ok Pay, and Pay Garden." [Polley: This is one of the VPN services I use.]

White House requires agencies to share custom code with open-source community (SC Magazine, 14 March 2016) - The White House has released for public comment a draft of its Source Code Policy, which establishes rules for sharing customized software between federal agencies, in the hopes of improving government access to applications and reducing development costs. As part of this policy, the Obama Administration will also launch a pilot program that will require federal agencies to release at least 20 percent of third-party-developed custom coding as open source software, making it fully accessible to external developers within the open-source community. "Through this policy and pilot program, we can save taxpayer dollars by avoiding duplicative customer software purchases and promote innovation and collaboration across federal agencies," said Tony Scott, U.S. CIO, in an online blog post last week.

Crowdfunded 'Star Trek' fan film violates Klingon language copyright, says lawsuit by major studios (ABA Journal, 14 March 2016) - Boldly going where no lawsuit has gone before, two movie studios are contending that a crowdfunded Star Trek fan film has violated copyright law by - among many other things - using the Klingon language. But the original complaint by Paramount Pictures Corp. and CBS Studios Inc. wasn't detailed enough, Axanar Productions Inc. contended in a motion to dismiss the federal suit. So on Friday the plaintiffs filed an amended complaint against Axanar and lead producer Alec Peters. Among other allegations, it says the filmmakers infringed on Star Trek copyrights by depicting characters with the "Vulcan appearance," including pointed ears, wearing gold uniform shirts and, most interesting from a legal standpoint, speaking the Klingon language, says the Hollywood Reporter's THR, Esq. blog. Can a language, in fact, be copyrighted? That question has not yet been answered, the article says. As the lawsuit notes, "Klingonese or Klingon, the native language of Qo'NoS, was first spoken in Star Trek-The Motion Picture in 1979. It was used in several works moving forward, including Star Trek III The Search for Spock." An earlier Geek post provides more details about the case, which was filed in federal district court in the Central District of California.

Judge says Chipotle social media rules violated labor law, orders rehiring of worker fired for tweet (ABA Journal, 16 March 2016) - Fired last year for criticizing Chipotle wages in a tweet, a server at one of the chain's suburban Philadelphia restaurants must now be rehired and get back pay, an administrative law judge ruled Monday. Social media rules at Chipotle that banned such critical comments violated the National Labor Relations Act, found the judge, who also is requiring the company to post signs acknowledging its error. The Associated Press and the Philadelphia Inquirer have stories. Plaintiff James Kennedy, who is now working for an airline in a union job at Philadelphia International Airport, told the Inquirer he is very happy with his new position, which he got about a month after being fired by Chipotle. He also said he would be happy to accept food vouchers from Chipotle for some of the damages he is due.

Are ad blockers needed to stay safe online? (MIT Technology Review, 16 March 2016) - Last weekend some of the world's largest websites exposed millions of people to malicious software that encrypts data and demands money for its safe return. The incident adds weight to an argument made by some security experts that using software to block online ads is necessary to stay safe online. Security company Malwarebytes reports that MSN, the New York Times, BBC, and AOL were among those that served up the ransomware, as such software is known. It happened because those sites, like many, use third-party companies to display advertising. Criminals have a strong incentive to sneak malicious ads into ad networks because their reach is huge. This is far from the first time this has happened - Yahoo, Forbes, and the Economist have all been caught out in the same way in the past. And some research suggests the problem is growing. Because of this, some security experts say that apart from the ethical and business questions of whether it's okay to block online ads that support free content, you should do so just to stay safe. That was the conclusion of a study of the malicious ads problem led by the University of California, Santa Barbara, that singled out a popular ad blocker called Adblock Plus as the most effective defense against bad ads. Edward Snowden, the federal contractor who leaked information about NSA surveillance, also recommends ad blockers for safety reasons. The way some popular ad blockers are trying to make themselves more acceptable to publishers and the ad industry could undermine their protective effect, though. Adblock Plus, for example, will let ads through if they meet certain criteria, such as not showing moving imagery. The company behind the ad blocker even charges companies including Amazon and Google to include their ads in that scheme. Adblock Plus's criteria for "acceptable ads" don't include mention of security, and it and other companies that offer ad blockers are unlikely to have the resources to screen out malicious ads.

San Francisco legislators dodging public records requests with self-destructing text messages (Techdirt, 17 March 2016) - Cory Weinberg of The Information reports San Francisco legislators [warning: paywalled link] are using one of those infamous tools o' terrorism -- messaging service Telegram -- to dodge open records requests. [Link to a non-paywalled story covering the same thing]: In an interview, a San Francisco government staff member said they were encouraged to use the app by colleagues in City Hall who described it as a way to skirt the city's public records laws. "That is exactly what it's being used for," the staff member said. "It's caught on." April Veneracion, a top aide to Supervisor Jane Kim and a Telegram user, said one reason officials use the app is because it "self destructs." She also praised the app's chat room feature that "allows us to be in touch with each other almost instantaneously." Yes, messaging apps are great for instant communications. Self-destructing messages, however, are antithetical to public records laws. Also: possibly illegal.

EU Court of Justice advocate general says open WiFi operators shouldn't be liable for infringement (Techdirt, 17 March 2016) - Back in 2010, there was a troubling ruling in Germany, saying that people who ran open WiFi access points needed to secure them, or they could be held liable for people using those connections to download infringing content. This seemed to contradict the European Ecommerce Directive that gives safe harbors to internet service providers (similar to our DMCA safe harbors in the US). In the fall of 2014, we noted that the EU Court of Justice was taking up that case, and now that court's Advocate General has recommended that the court allow open WiFi, saying that, yes, those who operate WiFi access points can be considered ISPs under the law, and are thus protected from liability. * * *

Face-tracking software lets you make anyone say anything in real time (Mashable, 20 March 2016) - You know how they say, "Show me pictures or video, or it didn't happen"? Well, the days when you could trust what you see on video in real time are officially coming to an end thanks to a new kind of face tracking. A team from Stanford, the Max Planck Institute for Informatics and the University of Erlangen-Nuremberg has produced a video demonstrating how its software, called Face2Face, in combination with a common webcam, can make any person on video appear to say anything a source actor wants them to say. In addition to perfectly capturing the real-time talking motions of the actor and placing them seamlessly on the video subject, the software also accounts for real-time facial expressions, including distinct movements such as eyebrow raises. To show off the system, the team used YouTube videos of U.S. President George W. Bush, Russian President Vladimir Putin and Republican presidential candidate Donald Trump. In each case, the facial masking is flawless, effectively turning the video subject into the actor's puppet. It might be fun to mix this up with something like "Say it with Trump," but for now the software is still in the research phase. "Unfortunately, the software is currently not publicly available - it's just a research project," team member Matthias Niessner told Mashable. "However, we are thinking about commercializing it given that we are getting so many requests." We knew this kind of stuff was possible in the special effects editing room, but the ability to do it in real time - without those nagging "uncanny valley" artifacts - could change how we interpret video documentation forever. [Polley: Watch the demo; unless they cheated, this is game-changing stuff.]

Siri and iAd restricted by Apple 'policy czars' to limit customer data collection (MacRumors, 21 March 2016) - Reuters has published a new report outlining how a team of "policy czars" has impacted Apple's data collection policy and restricted Siri and iAd in the process: Unlike Google, Amazon and Facebook, Apple is loath to use customer data to deliver targeted advertising or personalized recommendations. Indeed, any collection of Apple customer data requires sign-off from a committee of three "privacy czars" and a top executive, according to four former employees who worked on a variety of products that went through privacy vetting. The three "policy czars" are Jane Horvath, a lawyer who served as global policy counsel at Google, Guy Tribble, a member of the original Macintosh team and the vice president of software technology who spends a significant amount of time on privacy, and Erik Neuenschwander, who reviews lines of engineers' code to confirm that they're following policy.

Lexmark: Can patent rights overwhelm traditional notions of title? (Patently-O, 22 March 2016) - I see the dispute between Impression and Lexmark as more of a property law issue than one focusing on patent law. Of course, the Federal Circuit sees it differently. In its en banc opinion, the Federal Circuit reaffirmed (1) that a seller can use its patent rights to block both downstream resale and downstream reuse of a product (here used printer ink cartridges) and (2) that sales of a product abroad presumptively do not exhaust the US patent rights associated with that product, even when the US patent holder expressly authorizes those foreign sales. Both of these holdings turn on the fact that the goods in question are covered by patent rights. For unpatented goods, these covenants and restrictions generally do not bind subsequent bona fide purchasers. Impression raises the following questions in its newly filed petition for writ of certiorari: 1. Whether a "conditional sale" that transfers title to the patented item while specifying post-sale restrictions on the article's use or resale avoids application of the patent exhaustion doctrine and therefore permits the enforcement of such post-sale restrictions through the patent law's infringement remedy. 2. Whether, in light of this Court's holding in Kirtsaeng v. John Wiley & Sons, Inc., 133 S. Ct. 1351, 1363 (2013), that the common law doctrine barring restraints on alienation that is the basis of exhaustion doctrine "makes no geographical distinctions," a sale of a patented article - authorized by the U.S. patentee - that takes place outside of the United States exhausts the U.S. patent rights in that article. I see the Federal Circuit's decision as dangerous in the way that it undercuts the notion of ownership and transfer-of-title. Restrictions on use and resale of goods have traditionally been unenforceable against downstream owners as a mechanism for facilitating a robust market economy. Impression Products, Inc. v. Lexmark Int'l, Inc. (Supreme Court 2016)

RESOURCES

Electronic Signature Laws Around the World: Download eBook (General Counsel News, 17 March 2016) - Electronic signatures are in use across the globe, reports eSignLive in a new ebook the company has made available for complimentary downloading. The widespread adoption of e-signatures has been supported by electronic signature laws around the world, including the Americas, Europe, Middle East, Africa and Asia-Pacific. Many of these are based on a model law enacted by the United Nations Commission on International Trade Law - Model Law on Electronic Signatures (2001). Today there are more than 75 countries that recognize the legal validity of e-signatures. This eBook provides an introduction to electronic signature laws around the world, including * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

New security glitch found in Diebold system (InsideBayArea.com, 10 May 2006) -- Elections officials in several states are scrambling to understand and limit the risk from a "dangerous" security hole found in Diebold Election Systems Inc.'s ATM-like touch-screen voting machines. The hole is considered more worrisome than most security problems discovered on modern voting machines, such as weak encryption, easily pickable locks and use of the same, weak password nationwide. Armed with a little basic knowledge of Diebold voting systems and a standard component available at any computer store, someone with a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways. "This one is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting-system examiner for the state of Iowa. "In the other ones, we've been arguing about the security of the locks on the front door," Jones said. "Now we find that there's no back door. This is the kind of thing where if the states don't get out in front of the hackers, there's a real threat." This newspaper is withholding some details of the vulnerability at the request of several elections officials and scientists, partly because exploiting it is so simple and the tools for doing so are widely available. A Finnish computer expert working with Black Box Voting, a nonprofit organization critical of electronic voting, found the security hole in March after Emery County, Utah, was forced by state officials to accept Diebold touch screens, and a local elections official let the expert examine the machines.

- and -

MD House approves paper ballots (Washington Post, 10 March 2006) -- The Maryland House of Delegates unanimously passed legislation yesterday to ditch the state's touch-screen voting machines for the coming election in favor of a system that uses paper ballots. The 137 to 0 vote in the House and the endorsement of the plan this week by Republican Gov. Robert L. Ehrlich Jr. represent a stunning turnaround for a state that was on the leading edge of touch-screen voting in 2001, and it reflects a national shift toward machines that provide a paper record. The touch-screen system, for which Maryland has committed more than $90 million, would be put aside for one year while the state spends at least $13 million to lease optical scan machines. "It's critically important for voters to know their vote was cast and that it will be counted correctly," said Del. Obie Patterson (D-Prince George's). The fate of the plan in the Senate is less certain, and Ehrlich has not set aside money in his budget to lease the new machines. Senate President Thomas V. Mike Miller Jr. (D-Calvert) yesterday defended the record of the state's touch-screen machines and said that changing systems six months before an election would cause headaches for local administrators and lead to long lines and late returns.

AND NOW SEE:

Why hasn't Internet voting caught on? This expert has a nefarious theory (WaPo, 24 March 2016)

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Friday, March 04, 2016

MIRLN --- 14 Feb - 5 March 2016 (v19.04) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Following up on last MIRLN's "License plate readers in Texas are now also debt collectors" (Wired, 30 Jan 2016): now see City of Kyle rescinds agreement with Vigilant Solutions (Texas Tribune, 22 Feb 2016) - A Kyle city council member says police officers are doing a good job with traditional warrant round-ups, but using a California-based company's license plate recognition technology to identify debtors would be unfair to poor drivers and raises privacy concerns. Late last Tuesday, the Kyle City Council voted 6-1 to rescind an agreement with Vigilant Solutions that would have paid the company a 25 percent surcharge to help police identify drivers with outstanding warrants and - after stopping them - collect their fines roadside. Kyle had voted in January to join the program. "When we first voted for it, I was very uncomfortable with it, because, really, after I had more and more time to think about it, the original plan really hurts the poor in the first place," City Council Member Daphne Tenorio said. "To me, it was too much Big Brother," Tenorio said. "And there was no way that they could honestly say that that information was safe, and in this day of technology, with hackers, nothing is safe. I wouldn't want my information being given and shared with other people."

Law firm cybersecurity audits: Getting to good (Law Practice Today, 12 Feb 2016) - Most law firms are just starting to think seriously about conducting cybersecurity assessments, and getting their policies and procedures into shape. For solo practitioners and small practices, cybersecurity can seem especially daunting. How do you build an effective cybersecurity program, no matter what your size? Here are nine building blocks of an effective cybersecurity program: * * * [Polley: useful, succinct.]

Lawyers speak out about massive hack of prisoners' phone records (The Intercept, 12 Feb 2016) - In the summer of 2013, Missouri criminal defense attorney Jennifer Bukowsky was preparing for an evidentiary hearing in the case of a pro bono client, Jessie McKim. The stakes were high: Along with his co-defendant, James Peavler, McKim had been convicted in 1999 of killing a woman named Wendy Wagnon and was serving life without parole at a maximum security prison. At the upcoming hearing, Bukowsky planned to argue that her client was innocent - and that the murder that sent him to die in prison was never a murder at all. McKim was convicted in part based on the testimony of a local medical examiner, who claimed that the presence of petechiae on a dead body - small spots on the skin or the whites of the eyes where capillaries have hemorrhaged - is proof that a person was suffocated. Among the witnesses Bukowsky planned to call at the hearing were five different pathologists who would testify that the state's medical examiner was wrong when he claimed Wagnon was suffocated - and that evidence pointed to a meth overdose instead. As she prepped witnesses and decided who else should take the stand, she shared her strategy with McKim via lengthy phone calls - calls understood to be protected by attorney-client privilege. Unlike calls between prisoners and their family or acquaintances, which are routinely monitored, conversations with lawyers are not to be recorded. The hearing took place in August 2013. The following spring, a circuit court judge ruled against McKim, upholding his conviction and saying that even if Wagnon was not suffocated, McKim and his co-defendant could have killed her another way - by intentionally forcing her to overdose on meth, a theory the state had never previously argued, for which there was no supporting evidence. Last fall, Bukowsky received an unexpected phone call related to McKim's case. The call came from The Intercept, following our November 11, 2015, report on a massive hack of Securus Technologies, a Texas-based prison telecommunications company that does business with the Missouri Department of Corrections. As we reported at the time, The Intercept received a massive database of more than 70 million call records belonging to Securus and coming from prison facilities that used the company's so-called Secure Call Platform. Leaked via SecureDrop by a hacker who was concerned that Securus might be violating prisoners' rights, the call records span a 2 1/2-year period beginning in late 2011 (the year Securus won its contract with the Missouri DOC) and ending in the spring of 2014. Although Securus did not respond to repeated requests for comment for our November report, the company released a statement condemning the hack shortly after the story was published. Securus insisted there was "absolutely no evidence" that any attorney-client calls had been recorded "without the knowledge and consent" of the parties to each call.

Researcher illegally shares millions of science papers free online to spread knowledge (Science Alert, 12 Feb 2016) - A researcher in Russia has made more than 48 million journal articles - almost every single peer-reviewed paper ever published - freely available online. And she's now refusing to shut the site down, despite a court injunction and a lawsuit from Elsevier, one of the world's biggest publishers. For those of you who aren't already using it, the site in question is Sci-Hub, and it's sort of like a Pirate Bay of the science world. It was established in 2011 by neuroscientist Alexandra Elbakyan, who was frustrated that she couldn't afford to access the articles needed for her research, and it's since gone viral, with hundreds of thousands of papers being downloaded daily. But at the end of last year, the site was ordered to be taken down by a New York district court - a ruling that Elbakyan has decided to fight, triggering a debate over who really owns science.

- and -

Sci-Hub helps science 'pirates' to download 100,000s of papers per day (Torrent Freak, 29 Feb 2016) - "Information wants to be free" is a commonly used phrase in copyright debates. While it may not apply universally, in the academic world it's certainly relevant. Information and knowledge are the cornerstones of science. Yet, a lot of top research is locked up behind expensive paywalls. As with most digital content, however, there are specialized sites that offer free and unauthorized access. In the academic world Sci-Hub has become an icon for this pirate version of "Open Access." Early last year one of the largest academic publishers, Elsevier, filed a complaint at a New York District Court accusing the site's operators of systematic copyright infringement. However, instead of stopping the site, the case raised its profile, putting it at the center of a debate about paywalled research. As a classic demonstration of the Streisand effect, the site's user base grew while many academics publicly showed their support. According to Sci-Hub's founder Alexandra Elbakyan, tens of thousands of people now use the site to download papers. On an average day last week 69,532 users downloaded 217,276 different papers, all without paying a penny.

Take-down: altering your social media content during litigation (Smart Business, 15 Feb 2016) - Social media now permeates our daily lives. Yet, because most of us don't anticipate being involved in litigation, we don't consider how our status updates, photographs or tweets could affect us in a lawsuit. Clients typically don't consider the impact of their social media posts until their attorneys see them from the perspective of pseudo-judge, only to gasp out with a George Takei-esque "Oh my." Out comes the opposing party's formal discovery request for that social media content and in comes the lawyer's dilemma: Can lawyers advise clients to delete damning content? Conceal it from public view? Clean up future posts? Court sanctions in this regard have been severe: * * * Such scathing rulings - and lack of consistent authority - have created a chilling effect in the legal community, and in some situations, a "deer in headlights" look when a client asks his or her attorney what to do with Instagram photos showing them intoxicated, in a bar, wearing moose antlers, at 3 a.m. on a Tuesday with a custody case on the horizon. Florida recently tackled this very issue. Florida Advisory Opinion 14-1 confirmed that attorneys could advise clients to increase privacy settings (to conceal social media content from public eye) and to remove information relevant to the foreseeable proceeding from social media accounts so long as the data was preserved and no preservation and/or spoliation of evidence rules were broken. Finally, attorneys got a roadmap. Sort of. The inquiry commenced with Florida Rule of Professional Conduct 4-3.4(a), which dictates that a lawyer must not unlawfully obstruct another party's access to evidence or unlawfully alter, destroy or conceal a document or other material that the lawyer knows or reasonably should know is relevant to a pending or a reasonably foreseeable proceeding, nor counsel or assist another person to do such act. 
The proper inquiry is whether a client's social media account is relevant to a "reasonably foreseeable proceeding," not whether the information is directly related to the matter. That is, information not directly related to the lawsuit may still be relevant. But, the relevancy determination is fact-intensive, with no bright-line rule. The Committee also declined to define unlawful obstruction or destruction of evidence, although spoliation has been found where evidence is destroyed or significantly altered, or where a party fails to preserve property for another's use as evidence in pending or reasonably foreseeable litigation. Likewise, litigants in federal court have a duty to preserve relevant evidence that they know, or reasonably should know, will likely be requested in reasonably foreseeable litigation. Florida's decision follows a nationwide trend and comes on the heels of similar decisions by New York, North Carolina and Pennsylvania.

As marijuana sales grow, start-ups step in for wary banks (NYT, 16 Feb 2016) - When Lamine Zarrad was not at his job as a federal banking regulator in recent months, he was spending a lot of time at Denver's marijuana dispensaries. As a federal employee, he could not partake of the pot. He was there, instead, to pitch the shops on a start-up he has been working on in his free time and is making official this week after quitting his job as a bank examiner at the Office of the Comptroller of the Currency, a division of the Treasury Department. Mr. Zarrad's start-up, Tokken (pronounced token), is one of several recently created companies looking to solve one of the most vexing problems facing marijuana businesses in Colorado and several other states: the endless flow of dirty, dangerous, hard-to-track cash. The State of Colorado legalized marijuana for recreational use in 2014, joining several other states where the drug has been decriminalized in some form, but Visa and MasterCard will not process transactions for pot dispensaries and most banks will not open accounts for the businesses - leaving dispensaries dealing with a constant influx of cash, and nowhere good to put it. Tokken and other start-ups, with names like Hypur and Kind Financial, have been putting together software that helps banks and dispensaries monitor and record transactions, with the long-term goal of moving transactions away from cash. Most of the start-ups trying to help with this problem are focused, in one way or another, on tracking every detail of every purchase in a more sophisticated way. Careful record-keeping can answer the concerns of banks worried about violating anti-money laundering laws. The start-ups hope their software can allow banks to open up their accounts, and their payment networks, to cannabis businesses. Hypur, a two-year-old company based in Arizona, has built software for banks that uses GPS to geo-locate each purchase and prove it was done in an authorized dispensary.
The California-based start-up Kind Financial is offering software as well as hardware, in the form of kiosks that can go inside dispensaries. Customers can deposit cash in the Kind kiosk to pay for their purchase, removing one headache for the dispensary. Mr. Zarrad's start-up, Tokken, is younger than the others, but he is aiming to offer something new - an electronic payment system that will not rely on the credit card companies or debit networks. Somewhat like PayPal or Venmo, Tokken will use the electronic money transfer system in the United States known as the Automated Clearinghouse, or ACH, to move money from the bank account of a dispensary customer to Tokken's bank account. Tokken will then keep subaccounts for each dispensary - making it unnecessary for the banks to deal directly with dispensaries.

The conscription of Apple's software engineers (The Atlantic, 18 Feb 2016) - * * * The FBI's effort to force Apple's hand isn't just about whether the costs of unbreakable encryption outweigh the benefits. (Technically, it isn't even about "backdoors.") The most important question raised by this case concerns coercion. The federal government is empowered to compel individuals and corporations to hand over data in their possession upon the presentation of a valid search warrant. Is the FBI also empowered to compel Americans to write and execute malware? Does it have a claim on the brainpower and creativity of citizens and corporations? Apple CEO Tim Cook aptly summed up the situation: "The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe," he declared. A federal judge is effectively ordering these unnamed people to write code that would indisputably harm their company and that would, in their view, harm America. They are being conscripted to take actions that they believe to be immoral, that would breach the trust of millions, and that could harm countless innocents. They have been ordered to do intellectual labor that violates their consciences. That may be commonplace in authoritarian countries, but liberal democracies ought to avoid doing the same out of an aversion to transgressing against core freedoms. The order could set a sweeping precedent if it stands. "If you allow people to be conscripted in this way, as investigative arms of the government," Julian Sanchez observes, "not just to turn over data, but to help extract data, where the only connection to a case is that they wrote some software the suspect used or made a device the suspect used, you're effectively saying that companies are going to have to start a sideline in helping the government with surveillance." 
He adds: "Do we want to accept that courts may compel any software developer, any technology manufacturer, to become a forensic investigator for the government, whether or not the investigation is intrinsically legitimate?"

A 19-year-old made a free robot lawyer that has appealed $3 million in parking tickets (Business Insider, 18 Feb 2016) - Hiring a lawyer for a parking-ticket appeal is not only a headache, but it can also cost more than the ticket itself. Depending on the case and the lawyer, an appeal - a legal process where you argue out of paying the fine - can cost between $400 and $900. But with the help of a robot made by British programmer Joshua Browder, 19, it costs nothing. Browder's bot handles questions about parking-ticket appeals in the UK. Since launching in late 2015, it has successfully appealed $3 million worth of tickets. Once you sign in, a chat screen pops up. To learn about your case, the bot asks questions like "Were you the one driving?" and "Was it hard to understand the parking signs?" It then spits out an appeal letter, which you mail to the court. If the robot is completely confused, it tells you how to contact Browder directly. Beyond parking tickets, Browder's bot can also help with delayed or canceled flights and payment-protection insurance (PPI) claims. Although the bot can only help file claims on simple legal issues - it can't physically argue a case in front of a judge - it can save users a lot of money. Browder programmed his robot based on a conversation algorithm. It uses keywords, pronouns, and word order to understand the user's issue. He says that the more people use the robot, the more intelligent it becomes. Its algorithm can quickly analyze large amounts of data while improving itself in the process.

Judge in Anthem case rules that breach harmed patients (Digital Guardian, 18 Feb 2016) - The legal wrangling over whether data breaches cause harm to consumers got even more complicated this week, following a District Court ruling against the health insurer Anthem. In an opinion released on Sunday, U.S. District Judge Lucy Koh found that the loss of personal information in the breach of Anthem constitutes harm under New York's General Business Law. The ruling rejected arguments from Anthem and its lawyers that no direct harm resulted from the breach, which was first disclosed in February 2015, The Recorder reported this week. The decision, if upheld, would kick one leg out from the stool upon which breached corporations have rested their defense against consumer class action lawsuits. Namely: that consumers can't prove that any harm was done to them as a result of having their personal or financial information stolen. That has become a common refrain around the country, as this blog has noted. One example: attorneys working for home improvement giant Home Depot asked a federal court in Atlanta to dismiss that suit, claiming that the consumers behind it could not prove they were damaged by a breach of that company's payment systems in 2014.

Ravel Law adds judges, features to its judge analytics tool (Robert Ambrogi, 18 Feb 2016) - Judge analytics is the new black. Or at least that's what I wrote in a post last summer that discussed several products that could do things such as help you predict how a particular judge might rule on an issue or which cases that judge was likely to find most persuasive. One of the products I covered in that post was Ravel Law's Judge Analytics, which promised to provide "never-before-available information and analysis about how individual federal court judges make decisions." Today, Ravel Law introduced an update to its Judge Analytics product that adds both new content and new functionality. The update adds: * * * A key value of the service is its ability to identify rules, cases and specific language that a judge commonly cites. It also shows you the cases a judge has authored together with analyses of other judges who have influenced them. Although basic access to Ravel Law is free, Judge Analytics is available only with Ravel's Elite-level subscription plan. Pricing for that plan is not listed on Ravel's website.

Hollywood hospital pays $17,000 in bitcoin to hackers (LA Times, 18 Feb 2016) - Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to a hacker who seized control of the hospital's computer systems and would give back access only when the money was paid, the hospital's chief executive, Allen Stefanek, said Wednesday. The hospital said it alerted authorities and was able to regain control of all its computer systems by Monday, with the assistance of technology experts. Stefanek said patient care was never compromised, nor were hospital records.

ABA abandons Rocket Lawyer venture amid attorney backlash (ALM, 18 Feb 2016) - Facing strong opposition from state and local bar groups, the American Bar Association has quickly backed away from a pilot project aimed at helping small business owners find lawyers for a reasonable price. The project, ABA Law Connect, was launched last October in partnership with Rocket Lawyer , a company backed by Google Ventures (now GV) that takes a mass-market approach to helping consumers consult with lawyers and create legal documents. In an Oct. 1 press release , ABA president Paulette Brown lauded the program as an "exciting opportunity" to provide small businesses with affordable legal services, while offering lawyer members a chance to serve new clients. Customers would pay just $4.95 to ask an ABA-member lawyer a question online and a follow-up question. The lawyer and client could negotiate for further services. ABA Law Connect was tested in California, Illinois and Pennsylvania for roughly three months before being shut down in January. In two of the three test states-Pennsylvania and Illinois-the state bar associations struck back against the program, in part because they feared it would take business away from state and local bar referral services, which generate revenue for bar groups. Rocket Lawyer founder and CEO Charley Moore said in a statement that he still expects to collaborate with "forward-thinking" bar associations. "We are disappointed that a few individuals chose protecting their lawyer referral revenue and high fees, over innovation, fair competition and the public's need for wider access to attorney advice," he said.

Federal mandate on e-invoicing & government contract compliance (General Counsel News, 18 Feb 2016) - The Office of Management and Budget (OMB) has issued a memo mandating that all billing and invoicing between government contractors and federal agencies must be electronic. Approximately 12 million invoices still need to make the transition, report two partners in Alston & Bird. They advise that government contractors and payment service providers should be prepared to implement clear, practical methods of e-payments. "Pilot programs in the federal government - both pure payment-vendor relationships and added services to banking relationships - are available to facilitate the OMB-directed shift to e-invoicing," says Jeff Belkin, partner and leader of Alston & Bird's Government Contracts Group with expertise in complex government contract compliance issues. "While it is unclear if the shift to e-invoicing will ultimately end in a no-fee electronic payments program, or, a model that requires the government (or its partners) to pay others to facilitate the program, there surely will be many challenges before that final equilibrium is reached." "As of July 2015, a mere 40% of invoices were processed using e-invoicing," says Tony Balloon, partner in Alston & Bird's Financial Services & Products Group, who has deep knowledge of the payments industry. "Though the initial transition leading up to the 2018 deadline will be challenging, the adoption of e-invoicing will result in increased efficiency and timely payments for both federal agencies and government contractors."

California Attorney General releases report defining "reasonable" data security (Hunton & Williams, 19 Feb 2016) - On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the "Report") which, among other things, provides (1) an overview of businesses' responsibilities regarding protecting personal information and reporting data breaches and (2) a series of recommendations for businesses and state policy makers to follow to help safeguard personal information. Importantly, the Report states that, "[t]he failure to implement all the [Center for Internet Security's Critical Security] Controls that apply to an organization's environment constitutes a lack of reasonable security" under California's information security statute.

Singapore-based legal startup LawCanvas expands into Australia, Malaysia and Hong Kong (Asia Law Portal, 22 Feb 2016) - Recent months have seen a flurry of activity among legal startups in the Asia-Pacific region. In late 2015, Hong Kong-based legal startup Dragon Law expanded into Singapore, while Australian cloud-based legal services start-up LawPath closed a $1.3m bridge funding round. Anna Zhang, writing in The Asian Lawyer, chronicled the rise of no fewer than six legal startups in mainland China. And this month, the rise of Locum Legalis, Malaysia's "Uber for lawyers", was detailed in The Star Online. Also this month, LawCanvas, a contract management startup based in Singapore, announced it will expand into three more countries - Australia, Malaysia and Hong Kong. In an announcement about its planned expansion, LawCanvas said it has worked with three thousand local Singaporean businesses to generate legal documents, shorten processing time, and save legal costs. Hastened by a tripling of the number of documents in its template library, the company decided to expand regionally, offering contracts and agreements that are relevant to local businesses.

Testing the limits - Cyber coverage litigation update (Locke Lord, 23 Feb 2016) - The growing percentage of businesses that purchase cyber security and data privacy insurance portends a growing number of claims and, inevitably, litigation over some of those claims. Wells Fargo's 2015 Cyber Security and Data Privacy Survey: How Protected Are You? indicates that nearly half (44%) of companies with $100 to $500 million in revenue that have cyber security and data privacy insurance have filed a claim with their carriers at some point. But 96% of those companies that filed a claim are satisfied with their coverage and the insurers' handling of the claim. If the data can be extrapolated, then the remaining 4% are in or could end up in some sort of dispute resolution proceeding - small by percentage but potentially large in terms of the direct and indirect costs that can arise from cyber risk. Recent litigation filings provide a glimpse into what types of claims are in dispute and several are noted here; however, it is important to note that these cases are still pending and no coverage decisions have been made. * * *

The New York Times might ban visitors who use ad blockers (Adweek, 23 Feb 2016) - New York Times CEO Mark Thompson did not mince words Tuesday when talking about ad blocking, which has been causing more than a few headaches for publishers . During a keynote discussion at Social Media Week in New York, Thompson compared using ad blockers to stealing a print issue from a newsstand. "Trying to use and get benefit of the Times' journalism without making any contribution to how it's paid is not good," he said. "Everything we do should be worth paying for. Everything should feel like it's HBO rather than a broadcast network." Thompson said the Times' subscription model only covers some of its costs. "This stuff is not made for free," he said. Thompson was blunt about ad blocking companies that allow publishers to be "whitelisted" (meaning their ads won't get blocked). Such companies "essentially are asking for extortion to allow for ads to take place," he said. "That should not be allowed." Thompson said he is considering banning ad-blocking readers who are not subscribers, as some publishers have already done . "In the end, they're not really helping pay for what they consume," he said.

Latest qualification for cyber security? No law degree (Bloomberg, 24 Feb 2016) - Jeff Lolley joined Hogan Lovells in 2014 to help oversee the firm's internal security issues. Even though he's not a lawyer, during the past two years Lolley gradually assumed a new role, helping the firm's clients respond to a data breach, or with training and awareness on cyber issues. Now, he leads a unit of non-lawyers at Hogan Lovells that works alongside the firm's partners in the Cyber Security Solutions practice group. And his title changed from chief information security officer to managing principal of cyber risk services. Lolley is not an isolated example: Across the country, law firms increasingly are turning to non-lawyers to help build their cyber security practice groups. Based on interviews with lawyers in this field, at least a half-dozen law firms including Hogan Lovells, Venable, Seyfarth Shaw, DLA Piper and others are using non-lawyers, often professionals with deep backgrounds in technology and technical expertise, to complement the lawyers focused on data security and privacy. Harriet Pearson, a Hogan Lovells partner who focuses on cyber security and privacy, explained, "You need folks who can translate the topics and put them into the language of risk including legal risk." Hiring a non-lawyer can raise a firm's profile: In October, Venable hired Ari Schwartz from the White House, where his title was Special Assistant to the President and Senior Director for Cybersecurity. His title at the law firm is managing director of cyber security services. Last week, Schwartz announced he will coordinate a group of tech companies that want to provide a unified voice on cyber security policy issues. Called the Coalition for Cybersecurity Policy and Law, it includes Microsoft, Oracle, Cisco, Intel and smaller companies.

The new promises of France's legal tech startups (Tech Crunch, 24 Feb 2016) - Where there is friction, there are business opportunities. In France, a host of startups are flourishing with the promise to ease the pain of paperwork from user-unfriendly administrations or banks. Examples of such startups include Guacamol for legal paperwork, PayFit for super-simple payroll or Fred De La Compta for cheap, frictionless accounting. France is known for making it hard for entrepreneurs, namely because the legal environment (tax law, in particular) is quite uncertain (or at least is perceived by foreign investors to be more unstable than that of many other countries). In fact, public services have become a lot simpler in the past few years, but many stakeholders, not all acting in concert, are involved. Paradoxically enough, being in France is an advantage for such startups: If you can make it seamless in France, you can make it anywhere. The added value of integrating the different steps is bigger both for French and international entrepreneurs in France. These companies can make France more attractive and help accelerate the creation of more businesses. By helping companies in a complex environment, they are setting the bar a lot higher for everyone else. They are imposing new standards for different professions (lawyers, in particular). * * * The first generation of legal tech startups applied tech and software to help law firms automate a certain number of tasks, like storing documents, billing or accounting. Basically, these startups are about helping law firms be more efficient and maximize the number of billable hours their lawyers could charge. The first legal tech startups are primarily about "efficiency," i.e., helping to reduce the costs, make more with less. 
The second generation of legal tech startups started disrupting the practice of law, either by giving clients direct access to online software to automate tasks and bypass the lawyers or by operating marketplaces to match lawyers with clients ( Rocket Lawyer is the best example), thus increasing market transparency and competition and leading to lower prices. A good thing, to be sure… * * * [T]he third generation of legal tech startups is about the integration of all legal and administrative services into a single-service platform that solves all of the client's legal and administrative problems. The platform that will integrate all services such as registration, incorporation, hiring and contracts, patents, intellectual property and payroll could win big. * * * [ Polley : rest of the article delves into three specific tools/apps under development; this is quite interesting.]

California attorney advertising rules may soon apply to blogs even when lawyer is not in charge (Lawyerist.com, 25 Feb 2016) - California's Standing Committee on Professional Responsibility and Conduct (COPRAC) has been working on an ethics opinion on the applicability of attorney advertising rules to blogs for a while now, and after receiving public comments on its draft opinion, it released a revised draft and opened up a new 90-day public comment period. Comments can be submitted through May 12, 2016. The question is whether lawyer blogs are subject to attorney advertising rules (which in California means subject to the many restrictions of Rule of Professional Conduct 1-400, which significantly ups a lawyer's potential liability for making a mistake in a blog post). The biggest changes being made to the draft opinion in light of public comment pertain to blogs of a non-legal nature. COPRAC says that blogs by lawyers on non-legal topics will not be subject to the Rules of Professional Conduct even if they contain a link to the lawyer's professional website, unless the blog contains "extensive and/or detailed professional identification information" announcing that the attorney is available for employment. The same general rule applies to a blog hosted outside of the lawyer's own website - the rules only kick in if the lawyer holds himself out in the blog post as available for employment. This is consistent with First Amendment law, as COPRAC expressly acknowledges. * * * COPRAC's opinion does not exempt from the advertising rules a blog that is not maintained by the lawyer but contains content written by the lawyer. The critical point in determining whether a blog post is subject to the advertising rules or not is whether it contains a reference to availability for employment. So, if you write on a site that you do not host or maintain, be very careful in how you describe your practice and your intent to gain new clients.

Judge wants to know more about FBI's secret recordings of conversations near courthouse steps (TechDirt, 25 Feb 2016) - Last November, lawyers defending five real estate investors against auction price-rigging allegations discovered the FBI had planted bugs to capture conversations during real estate auctions on the San Mateo (CA) Courthouse steps. The lawyers questioned whether these surreptitious recordings violated wiretap laws, despite them taking place in a public area. As they noted, investors often huddled away from the steps to discuss bidding strategies in "hushed tones" in order to prevent competitors from overhearing them. According to these lawyers, the "hushed tones" were not unlike the closing of a phone booth door -- a key element in the Supreme Court's 1967 Katz decision, which found an expectation of privacy could be found in public areas, provided the person being targeted by recording devices performed certain actions. Now, the judge presiding over the case has a few questions of his own. From the (non-registration, non-paywalled) report: On Thursday at a hearing before U.S. District Judge Charles Breyer, prosecutors and defense lawyers clashed over whether the tactic crossed a constitutional line. Government lawyers, who used the microphones to investigate a federal bid-rigging case, contend that individuals picked up on the recordings were speaking in a public place and thus had no reasonable expectation of privacy. Defense lawyers insist that the surveillance, conducted without judicial approval, amounted to unlawful government eavesdropping and want Breyer to suppress all evidence derived from the devices. Although Breyer held off on ruling, he expressed at least gut-level discomfort with the notion of government agents listening at the courthouse door.

- and -

Devices on public buses in Maryland are listening to private conversations (WaPo, 1 March 2016) - The Maryland Senate on Tuesday delayed action on a bill that would clamp down on when public buses and trains can record the private conversations of their passengers. Sen. Robert A. Zirkin (D-Baltimore County), chair of the Senate Judicial Proceedings Committee, which unanimously voted for the measure to move to the Senate floor, said he wanted the committee to address an amendment offered by some of those who are concerned about costs associated with the bill. "What [the Maryland Transit Administration] is doing is a mass surveillance," Zirkin said. "I find it outrageous," he said. "I don't want to overstate it, but this is the issue of our generation. As technology advances, it becomes easier and easier to encroach on people's civil liberties." While Zirkin and other proponents argue that the technology, which has been in use since 2012, is an infringement on civil liberties, the bill's opponents say the recordings are a necessary tool for homeland security. The bill, which would affect MTA buses in the Baltimore area, Ride On buses in Montgomery County and TheBus in Prince George's County, creates guidelines for audio recordings and places limits on when they can be made. MTA began using recording devices inside some of its buses in 2012, without seeking legislative approval. Nearly 500 of its fleet of 750 buses now have audio recording capabilities. Officials say the devices can capture important information in cases of driver error or an attack or altercation on a bus. Under the bill, recording devices would have to be installed near a bus or train operator's seat. The devices would be controlled by the driver and could be activated only in the event of a public-safety incident.

German police can now use spyware to monitor suspects (Ars Technica, 25 Feb 2016) - German police are now permitted to infect a suspect's computers and mobile devices with special trojan software to monitor communications made with the systems, the country's interior ministry has confirmed. The malware can only be deployed when lives are at risk, or the state is threatened, and will require a court order to allow police officers to infect the machines of alleged criminals. However, the government-developed malware must not be used to monitor other activities on the system, or to change data or programs. It follows a decision by Germany's Constitutional Court in 2008, which ruled that an individual's private life should have absolute protection, and that eavesdropping must be limited to a person's communications with the outside world. But Frank Rieger, a spokesperson from the famous Chaos Computer Club (CCC), has cast doubt on the German government's pledge to adhere to those standards with its trojan software. In an article on the Deutschlandfunk website (in German), Rieger noted that it was very hard to create malware that can be used to monitor communications in a way that does not infringe on the protected private sphere.

Classified 2002 letter on N.S.A. eavesdropping is made public (NYT, 29 Feb 2016) - The Obama administration on Monday made public a previously classified letter from 2002 about the Bush administration's secret program that allowed the National Security Agency to eavesdrop on Americans' international communications without court orders. The release of the 22-page letter, written by John Yoo, then a top lawyer in the Justice Department's Office of Legal Counsel, adds to the historical record of one of the most controversial pieces of the Bush administration's response to the terrorist attacks of Sept. 11, 2001: The surveillance and bulk data collection program known by the code name Stellarwind. The letter explained to Colleen Kollar-Kotelly, who at that time was the new chief judge of the Foreign Intelligence Surveillance Court, why the Justice Department considered the program lawful even though, as Mr. Yoo acknowledged, it clashed with wiretapping laws laid out in the Foreign Intelligence Surveillance Act. The letter appeared to track a memorandum Mr. Yoo had written on Nov. 2, 2001, soon after President George W. Bush directed the N.S.A. to begin the program. A previously released inspector general report about the program included a partially redacted summary of that memo. Among other things, Mr. Yoo claimed in the letter that the president's constitutional authority as commander-in-chief overruled statutory prohibitions and that under the circumstances the program complied with the Fourth Amendment, which bars unreasonable searches and usually requires warrants. In the letter, Mr. Yoo wrote that, "We face a situation here where the government's interest on one side - that of protecting the Nation from direct attack - is the highest known to the Constitution. On the other side of the scale, the intrusion into individual privacy interests is greatly reduced due to the international nature of the communications."


State Department will try to fix Wassenaar arrangement (EFF, 29 Feb 2016) - Regular readers of this blog will likely be familiar with the Wassenaar Arrangement, a 41-nation agreement intended to regulate the export of certain "dual-use" technologies, such as guns and fissile material. In December 2013, the list of controlled technologies was amended to include surveillance systems for the first time and the participating countries have slowly been rolling out their implementations ever since. Today, news outlets in Washington DC are reporting that the State Department has finally agreed to try to renegotiate the language of the Wassenaar Arrangement to eliminate the 2013 changes. Nowhere has the implementation of the Wassenaar Arrangement's new language been more problematic than in the United States. After the Commerce Department released its proposed implementation of the Wassenaar definitions for inclusion into U.S. law (an implementation that included dangerously vague language about regulating the export of software used to create exploits), all hell broke loose. Countless security companies, as well as EFF, pointed out that the proposed rule would have had dire and far-reaching consequences for the infosec industry. But the problems that we pointed out weren't limited to the U.S. proposed rule; we remain concerned that the definitions in the Wassenaar control lists which were approved in December 2013 are too vague to be implemented in any fashion without resulting in serious chilling effects on security research. In our formal comments to the Commerce Department last summer, we urged a return to Wassenaar to renegotiate the control lists to fix the problem at its source. The inclusion of intrusion software on the Wassenaar control list was done with good intentions. Human rights advocates have recognized that surveillance software designed and sold by companies in Western countries has been responsible for serious abuses around the world. We at EFF have long fought such abuses in court. We believe strongly that this is a fight worth having, but export controls are simply the wrong tool for the job. It appears that the State Department has heard these concerns loud and clear. Not only has all talk of finalizing the proposed rule as drafted come to a halt, but State has put "removal of the technology control" on the agenda for the December 2016 meeting at Wassenaar. [see also US to renegotiate rules on exporting "intrusion software" (Ars Technica, 2 March 2016)]


Study: Which students persist in MOOCs? (InsideHigherEd, 1 March 2016) - Learners who sign up for a massive open online course just days before it starts and complete a precourse survey are much more likely than their peers to finish the MOOC, according to a new paper published in the Journal of Higher Education. Researchers at Vanderbilt University examined the behavior of more than 2.1 million learners in 44 different MOOCs offered on Coursera, finding that precourse survey completers viewed 12 more lectures and were 12 percent more likely to earn a certificate of completion compared to those who skipped the survey. The results also provided some pointers for MOOC instructors on how best to structure their courses. Learners were more likely to watch lecture videos if they were posted toward the end of the week, the researchers found, while the length of the lectures appeared to have no impact on whether students watched them.


Swiping a priceless antiquity ... with a scanner and a 3-D printer (NYT, 1 March 2016) - Two German artists walked into the Neues Museum in central Berlin in October and used a mobile device to secretly scan the 19-inch-tall bust of Queen Nefertiti, a limestone-and-stucco sculpture more than 3,000 years old that is one of Germany's most visited attractions. They used the data to create copies of the bust and delivered them to Egypt. Then last December, in the tradition of Internet activism, they released the data to the world, allowing anyone to download the information for free and create their own copies with 3-D printers. On Thursday, German museum authorities responded publicly for the first time. They were not amused. * * * Don Undeen, the senior manager of the MediaLab at the Metropolitan Museum of Art in New York, called it a "very good model" coming from consumer-level technology. "I'm glad to see the bust of Nefertiti join the ever-growing online collection of scanned art objects," he said. The artists' project, "The Other Nefertiti," confronts what they see as cultural theft and persisting colonialist notions of national ownership by making the object widely available. It's also a potent example of the way 3-D scanning technologies, which are becoming cheaper and more accessible, present cultural institutions with new opportunities, as well as new challenges. * * * Ms. Badri and Mr. Nelles planned their project for a year and a half. Ms. Badri concealed the scanning device - a modified version of the Kinect, a motion sensor developed by Microsoft for the Xbox 360 that can be purchased for around $100 - underneath a blue cashmere scarf, circling and scanning the artifact whenever the guards would congregate to chat with one another, while Mr. Nelles filmed, during the October visit. The artists then handed the data off to be assembled by outside experts - hackers who declined to be identified. Two months later, they leaked the resulting 3-D data set to the public under a Creative Commons license at Europe's largest hacker conference, the Chaos Communication Congress, in Hamburg. Within 24 hours, at least 1,000 people had downloaded the torrent. * * * Some institutions take a relatively open approach to scanning technology. The Art Institute of Chicago and the Met encourage visitors to scan objects in their collections. The British Museum hosted a "scanathon" for which museumgoers were asked to use scanning devices and smartphones to create a crowd-sourced digital archive, and the Musée du Louvre in Paris held a similar series of digital workshops.


Survey results: Truths about lawyers and social media (Attorney at Work, 4 March 2016) - A year ago, we thought social media couldn't get any hotter as the marketing mode of choice for lawyers. Comparing results from the recent "Attorney at Work 2016 Social Media Marketing Survey" to last year's shows we may have been right. In our second annual survey, we again asked lawyers about their social media habits, preferences and attitudes. Still hot? Sure, but things seem to be leveling off: (1) Most of the lawyers responding - 88 percent - are using social media, but only 68 percent say their use of social media is part of an overall marketing strategy. That's compared to 91 percent and 60 percent in 2015; (2) Almost half of those respondents (47 percent) say lawyers' use of social media for marketing is more hype than reality. In 2015, 56 percent agreed; (3) Only 3 percent say social media is "very" responsible for actually getting them clients, compared to 4 percent in 2015. However, 41 percent say it is "somewhat" responsible. In 2015, 35 percent said "somewhat" responsible. There's a 12 percent gap between the two age groups when it comes to using social media as part of their marketing strategy - 69 percent of over-30 lawyers say it's in their strategy, compared to 57 percent of younger lawyers. Older lawyers (37 percent) say LinkedIn is the best source of new business among the various platforms, but the under-30s (47 percent) say Facebook is best for them. Fifty percent of young lawyers use social media management tools of some kind (Hootsuite, Google Analytics, TweetDeck, etc.), and 71 percent of them say they handle all social media activity themselves. Meantime, only 33 percent of the over-30 group use these types of tools - but 70 percent do it all themselves.


RESOURCES

Cloud computing - security issues to consider (Bar Council of England and Wales, Dec 2015) - To guide all barristers on security issues relating to cloud computing * * *


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Disney's iTunes sales hit 125,000 (Financial Times, 19 Sept 2006) -- Disney has sold 125,000 online film downloads less than a week after agreeing to make its titles available on Apple's iTunes store. The sales have added about $1m in incremental revenue to the media company, according to chief executive Bob Iger, who expressed confidence that revenues from the new film venture could reach $50m in its first year. "Clearly, customers are saying to us that they want content available in multiple ways," Mr Iger said at an investor conference sponsored by Goldman Sachs. Disney broke with other Hollywood studios when it agreed last week to make 75 titles available on iTunes at prices ranging from $9.99 to $14.99.


Hack the vote? No problem (Salon.com, 13 Sept 2006) -- Having reported extensively on the security concerns that surround the use of electronic voting machines, I anxiously awaited the results of a new study of a Diebold touch-screen voting system, conducted by Princeton University. The Princeton computer scientists obtained the Diebold system with cooperation from VelvetRevolution, an umbrella organization of more than 100 election integrity groups, which I co-founded a few months after the 2004 election. We acquired the Diebold system from an independent source and handed it over to university scientists so that, for the first time, they could analyze the hardware, software and firmware of the controversial voting system. Such an independent study had never been allowed by either Diebold or elections officials. The results of that study, released this morning, are troubling, to say the least. They confirm many of the concerns often expressed by computer scientists and security experts, as well as election integrity activists, that electronic voting -- and indeed our elections -- may now be exceedingly vulnerable to the malicious whims of a single individual. The study reveals that a computer virus can be implanted on an electronic voting machine that, in turn, could result in votes flipped for opposing candidates. According to the study, a vote for George Washington could be easily converted to a vote for Benedict Arnold, and neither the voter, nor the election officials administering the election, would ever know what happened. The virus could also be written to spread from one machine to the next and the malfeasance would likely never be discovered, the scientists said. The study was released along with a videotape demonstration. "We've demonstrated that malicious code can spread like a virus from one voting machine to another, which means that a bad guy who can get access to a few machines -- or only one -- can infect one machine, which could infect another, stealing a few votes on each in order to steal an entire election," said the study's team leader, Edward W. Felten, professor of computer science and public affairs at Princeton. The Princeton study is the first extensive investigation of the Diebold AccuVote DRE (Direct Recording Electronic) system, which is employed in Maryland, Florida, Georgia and many other states. Such touch-screen voting systems made by Diebold will be in use in nearly 40 states in this November's elections.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.