MIRLN --- 26 June - 23 July 2016 (v19.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)
NEWS | PODCASTS/MOOCS | RESOURCES | LOOKING BACK | NOTES
- Lawyers prepare for 'driverless M&A' as smart contract era dawns
- New Mexico top court overturns conviction due to Skype testimony, warns judges about social media
- Social media endorsements: Undue flattery will get you nowhere
- This week in legal tech: Ethics and technology competence
- Law firms increasingly joining information sharing centers for cyber threat info
- DHS issues final procedures for cybersecurity threat information sharing
- Mining sector has faced 17 major cyber-incidents in the past six years
- What media companies don't want you to know about ad blockers
- Keeper and Ponemon Institute study finds more than 50% of SMBs breached in past year
- Evidence from the Wayback machine is admissible (at least in Kansas)
- Bulgaria got a law requiring open source
- European Union's first cybersecurity law gets green light
- Standards body whines that people who want free access to the law probably also want 'free sex'
- Appeals court says government email stored on private servers is still subject to FOIA requests
- Is the DOJ using obsolete software to subvert FOIA requests?
- Does the First Amendment protect citizen journalists who film police?
- Ninth Circuit: It's a federal crime to visit a website after being told not to visit it
- Second Circuit: Warrants cannot be used to compel disclosure of emails stored outside the United States
- Pokémon Go: Who owns the virtual space around your home?
- Pokémon Go players in Bosnia warned to avoid minefields
- Augmented Reality - Technology & Policy Primer
- HHS: Healthcare groups must report all ransomware attacks
- DHS looking to link to the blockchain
- Just as open competitor to Elsevier's SSRN launches, SSRN accused of copyright crackdown
- Legalist is making it easier for lawyers to find state court records
- After errant Melania tweet, DOJ rethinks social media policy
- WSJ reporter: Homeland Security tried to take my phones at the border
Lawyers prepare for 'driverless M&A' as smart contract era dawns (Australia Financial Review, 19 June 2016) - The nation's top law firms are braced for disruption as "smart contract" technology threatens thousands of legal jobs and lawyers' role intermediating commercial negotiations and disputes is automated by computers. One of the country's biggest law firms, Allens, sent a report to its clients on Friday afternoon admitting that lawyers' business model of profiting from an absence of trust in companies transacting with each is under threat from trust being coded into computers via distributed ledger technology, also known as blockchain . "Smart contracts" are an application on the blockchain, referring to computer protocols which verify and execute the terms of a contract, removing the need for humans to monitor compliance and enforcement. "For almost 200 years, our own business has been built on the basis that people need to transact but often lack the trust to rely on a handshake alone," Allens said. "In essence, we help organisations do business in the absence of trust - we design governance structures, we draft and negotiate contracts, and sometimes, if things go pear-shaped, we litigate. So when a new technology comes along that creates trust through computers - distributed ledger technology, also known as blockchain - is it going to be potentially disruptive." Gilbert+Tobin managing partner Danny Gilbert said disruptive change to law firms is inevitable and they will get smaller as lawyers are put out of jobs by automation of their role as a trusted adviser. "Legal services and legal products have been driven by the human mind and the human hand, and we're about to see a fundamental change in that. We have driverless cars, we have robots doing surgery and we will have driverless M&A," he said.
New Mexico top court overturns conviction due to Skype testimony, warns judges about social media (ABA Journal, 23 June 2016) - The New Mexico Supreme Court is warning judges about the perils of social media in an opinion that nonetheless sidesteps whether the trial judge's Facebook posts indicated bias. The New Mexico Supreme Court ruled (PDF) on June 20 that Truett Thomas was entitled to a new trial on a murder charge because the judge improperly allowed Skype testimony of a prosecution witness, the New Mexico Appellate Law Blog and the Santa Fe New Mexican report. The court said the Skype testimony violated Thomas' right to "physical face-to-face confrontation" of the witness, who did not appear because of inconvenience. As a result of the Skype reversal, the court didn't consider whether reversal was required because of the trial judge's Facebook post. The judge had posted on his campaign website that a guilty verdict had been returned and, "Justice was served. Thank you for your prayers." The opinion nonetheless cautioned judges "to avoid both impropriety and its appearance in their use of social media." "While we make no bright-line ban prohibiting judicial use of social media," the opinion said, "we caution that 'friending,' online postings, and other activity can easily be misconstrued and create an appearance of impropriety. Online comments are public comments, and a connection via an online social network is a visible relationship, regardless of the strength of the personal connection." The court said it agreed with an ABA ethics opinion that judicial campaign websites be maintained by campaign committees rather than the candidates. "We clarify that a judge who is a candidate should post no personal messages on the pages of these campaign sites other than a statement regarding qualifications" the court said. The judge should not allow public comments to be posted on the campaign website, the court said, "and should engage in no dialogue, especially regarding any pending matters that could either be interpreted as ex parte communications or give the appearance of impropriety." Judges should also use privacy settings to protect their online presence and should consider any statements posted online to be a public statement, the court said. Concerns raised by social media include the inability to truly delete a posted message, the public perception that friendships exist between people who are not actually acquainted, and the ease with which posts can be widely disseminated.
- and -
Social media endorsements: Undue flattery will get you nowhere (ABA's Peter Geraghty, July 2016) - It goes without saying, but I'll say it again: social media has a way of raising ethical issues that filter into the day-to-day practice of law in ways that may not have been fully anticipated, but at the same time raise familiar themes that the profession has addressed in different nonelectronic contexts over the past 100 years. Take for example the subject of endorsements that lawyers receive either from clients or from other lawyers on their social media websites. What if a lawyer who concentrates his practice in real estate transactions and who never engages in litigation receives an endorsement from a former client lauding his ability as a litigator? Or where a lawyer who has a Social Security disability practice gets an endorsement from another lawyer touting his abilities as an estate planner? Does a lawyer have an obligation to monitor his social media page to ensure that the endorsements he receives are accurate? We at ETHICSearch have produced a variety of columns on social media over the past few years, some of which touch on some of the issues addressed in this month's column. See, e.g., Facebook follies (April 2016), Privacy settings and postings on social media: Etched in plastic or carved in stone? (February 2015), Client reviews: Your thumbs down may come back around (September 2014) and May 2009 entitled, Ringing or stinging endorsements? * * * [ Polley : Excellent and thorough.]
- and -
This week in legal tech: Ethics and technology competence (Robert Ambrogi, 11 July 2016) - I had a call last week from two partners at a 25-lawyer firm. Their secretary arranged the call so I had no idea what it was about. At the appointed hour, they got quickly to the point. "When it comes to technology, we are still in the dark ages," they said. They realized that, to remain competitive, their firm needs to change. But not all their partners are on board. They wanted outside help to better understand the benefits and risks. They are no anomaly. My sense is that a lot of firms are still in the dark ages about technology. As these two partners correctly perceived, that is a competitive risk. What many lawyers fail to perceive, however, is that it is also an ethical risk. The very goal these two partners described - to better understand the benefits and risks of technology - is in fact an ethical duty in a growing number of U.S. states. Four years ago next month, the American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. More specifically, the ABA's House of Delegates voted to amend Comment 8 to Model Rule 1.1, which pertains to competence, to read (emphasis added): * * * This being a model rule, it must be adopted in a state for it to apply there. I've been keeping a tally of the states that have adopted the duty of technology competence. So far, 21 states have done so. No doubt, there will be more to come. But what exactly does it mean for a lawyer to be competent in technology? Unfortunately, we do not yet have a lot of guidance to help us answer that question. But we do have some. One of the most detailed discussions of this issue came in the form of an ethics opinion last year from the State Bar of California. Part of the reason that Formal Opinion No. 2015-193 was so striking was that it dealt with technology competence in the context of e-discovery. Many attorneys still think of e-discovery as an esoteric specialty - an area of practice better left to others to understand. But this ethics opinion makes clear that, in an age when any case can involve electronic evidence, every attorney who steps foot in a courtroom has a basic duty of competence with regard to e-discovery. * * *
Law firms increasingly joining information sharing centers for cyber threat info (LegalTech News, 24 June 2016) - Law firms have different options to gain information on cyber risks. One option that many are currently undertaking is joining a regional consortium or an information sharing center to gain the most up-to-date threat information. It is true, according to Mark Sangster, vice president and industry security strategist at eSentire, that "many law firms still learn about cyber threats from the headlines, when the FBI shows up to report a breach or when illegal use of stolen data is used to front run trades." Also, "firms of all scale are quickly mobilizing mechanisms to detect and block threats. However, he told Legaltech News, "Many of the technologies adopted by resource-strapped firms produce automated reports that report on threats after the fact," when in actuality, "real-time detection and response is mission critical to stay on top of emerging threats." "Heightened cybersecurity awareness at all levels has helped to make cybersecurity a priority. It's impossible to ignore the incredible number of breach cases impacting organizations today," he added. "This year in particular has been a difficult one for the industry, which has seen a significant rise in the number of successful law firm cyberattacks." Moreover, Sangster pointed out that law firms "are recognizing the value in threat sharing organizations. … Actionable intelligence has become integral to every law firm as the number of cyberattacks targeting law firms continues to rise." For instance, he noted how the Financial Services Information Sharing and Analysis Center (FS-ISAC) recently launched the Information Sharing & Analysis Organization (LS-ISAO). It provides real-time alerts, access to analysts, curated intelligence, and crisis notifications. The center says such sharing communities are "recognized as one of the best defenses against cyber threats and attacks." The LS-ISAO launched after officials talked to close to 180 firms that may be interested in joining, Legaltech News reported last year. "Firms are no longer alone in this hostile environment - members are trust-sourcing threat indicators for analysts to research, scrub and anonymize, yielding actionable intelligence for dissemination in real-time," according to a center statement. There are other kinds of organizations that law firms are joining as well, some of which are more broad-based. For instance, the Massachusetts-based Advanced Cyber Security Center (ACSC) is a consortium, founded some five years ago, that brings together business, university and government organizations to address the most advanced cyber threats. It focuses on sharing cyber threat information, engaging in cybersecurity research and development, creating education programs to address the shortfall in cyber talent, and advancing policies that will enhance security. Current members include the Foley Hoag law firm, which also provides the center legal advice. The firm's chair of its privacy and data security practice group, Colin Zick, called the ACSC "unique," given its diverse membership, and such regional assets as major research universities, military resources and businesses. In this way, Foley Hoag can partner with a "broad cross-section of organizations" to improve its knowledge on advanced persistent threats and what may be coming. Other threat sharing organizations are often built around a specific industry or have members from a single state.
- and -
DHS issues final procedures for cybersecurity threat information sharing (Steptoe, 30 June 2016) - On June 15, the Department of Homeland Security, jointly with the Department of Justice, issued its final procedures and final guidelines for cybersecurity threat information sharing, which were required by the Cybersecurity Act of 2015. DHS also released updated guidance for non-federal entities sharing information with the government under the Act. The procedures and guidelines relate to Title I of the Act, entitled the Cybersecurity Information Sharing Act of 2015 (CISA), which provides processes and protections for sharing cybersecurity threat information between government and private sector entities. DHS had issued interim versions of the procedures and guidelines, along with two other guidance documents in February 2016. It was required by CISA to issue the final versions of the procedures and guidelines, and also opted to release updated guidance based on feedback from industry.
Mining sector has faced 17 major cyber-incidents in the past six years (Softpedia, 29 June 2016) - A comprehensive report published yesterday by security firm Trend Micro revealed that threat groups are intensifying their efforts against companies activating in the mining sector. The reasons behind these attacks can be geo-political, but related to also financial gains. Threat groups are targeting these companies to gain insights on state-operated mining firms in order to understand or subvert local politics but also to steal intellectual property and other proprietary information. This information usually reaches the black market or is passed on to local mining corporations in case of state-powered cyber-attacks. Since 2010, cyber-security firms have been called in to investigate 17 incidents involving cyber-attacks on 22 entities activating in the mining sector. The first attack took place in April 2010 and targeted the Rio Tinto Group, BHP Billiton Ltd., and Fortescue Metal Groups. Experts believe the hackers were from Asia and sought information for commercial espionage. The second attack occurred in February 2011, again against BHP Billiton. The company's boss suspected that the main reason behind the cyber-attack was for nation states and competitors to get their hands on market pricing for key commodities. In April 2011, hackers broke into the Australian Federal Parliament email accounts to gain access to email conversations between ministers and executives of Australian mining companies operating in China. Later that year, in October and November, hackers attacked law firms and the Government of Canada's Finance Department and Treasury Board to obtain insight on bids to take over Canadian mining firm Potash Corporation of Saskatchewan. * * *A more in-depth read is available via Trend Micro's Cyber Threats to the Mining Industry 50-page report.
What media companies don't want you to know about ad blockers (Columbia Journalism Review, 29 June 2016) - New York Times CEO Mark Thompson caused a minor stir a couple weeks ago when he gave a speech at an advertising conference declaring that "No one who refuses to contribute to the creation of high quality journalism has the right to consume it." He went on to say that while the Times is "not there yet," the company may soon prevent users with ad blockers from accessing its site. But newspaper executives like Thompson often focus exclusively on the drawbacks of ad blockers, leaving a big part of the story untold. Thompson did not say one word in his keynote address about the significant security benefits of ad blockers, which is ironic, because his paper was one of several news organizations that served its users ransomware-a particularly vicious form of malware that encrypts the contents of your computer and forces you to pay the perpetrators a ransom in bitcoin to unlock it-through its ad networks just a few months ago. Several major news sites-including the Times , the BBC, and AOL-had their ad networks hijacked by criminal hackers who attempted to install ransomware on readers' computers. Advertising networks have served malware onto the computers of unwitting news readers over and over in the past couple years. Ads on Forbes , for example, attacked their readers in January, right after the magazine forced readers to disable ad-blocking software to view its popular annual "30 Under 30" feature. As Engadget reported , "visitors were immediately served with pop-under malware, primed to infect their computers, and likely silently steal passwords, personal data and banking information." It wasn't the first time this had happened at Forbes , either. And it's not just in the US. A couple months ago, almost every major news site in the Netherlands served malware through its ads to its users.
Keeper and Ponemon Institute study finds more than 50% of SMBs breached in past year (MarketWired, 30 June 2016) - Keeper Security, Inc., the world's leading password manager and secure digital vault, today announced the results of a North American study analyzing the state of cybersecurity in small and medium-sized businesses (SMBs). Sponsored by Keeper Security and conducted by the Ponemon Institute, the study found that more than 50% of SMBs have been breached in the last 12 months. No business is too small to evade a cyber attack or data breach and businesses across all industries are impacted by this threat. Only 14% of the companies surveyed rated their ability to mitigate cyber attacks as highly effective. Confidence in SMB cybersecurity posture is so low primarily because personnel, budget and technologies aren't sufficient. Additionally, IT security priority determination is not centralized to one specific function in a company, therefore reducing accountability and resulting in less informed decision making. [ Polley : There's no reason to suspect that law firms don't have the same exposure.]
Evidence from the Wayback machine is admissible (at least in Kansas) (Lawyerist, 1 July 2016) - Although the internet is well-entrenched in every aspect of our lives, the legal profession still struggles with how it is to be used as a source of information, connectedness, and admissible evidence. Heck, states even differ wildly on whether or not you can friend a judge on Facebook. No one is entirely sure what to do about sitting jurors and use of social media. With all of that confusing (and sometimes downright Luddite ) thinking about the virtual world, it is gratifying when there are decisions that reflect that a judge understands how the internet works. Recently, the United States District Court for the District of Kansas issued an opinion which held that evidence obtained from the Wayback Machine was admissible. The plaintiff, a trucking company, brought a trademark infringement suit against the defendant, a truck driver job posting website, alleging unauthorized use of the plaintiff's trademark on the defendant's website. To prove the defendant's use of the trademark, the plaintiff intended to introduce at trial screenshots of defendant's website taken from the Wayback Machine, along with authenticating deposition testimony from an employee of the Internet Archive.
Bulgaria got a law requiring open source (Slash-Dot, 4 July 2016) - All software written for the government in Bulgaria are now required to be open-source. The amendments to put such laws in motion were voted in domestic parliament and are now in effect , announced software engineer Bozhidar Bozhanov, who is also an adviser to the Deputy Prime Minister at Council of Ministers of the Republic of Bulgaria. All such software will also be required by law to be developed in a public repository. Bozhanov writes in a blog post: That does not mean that the whole country is moving to Linux and LibreOffice, neither does it mean the government demands Microsoft and Oracle to give the source to their products. Existing solutions are purchased on licensing terms and they remain unaffected (although we strongly encourage the use of open source solutions for that as well). It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it's paid by tax-payers money and they should both be able to see it and benefit from it. As for security -- in the past "security through obscurity" was the main approach, and it didn't quite work -- numerous vulnerabilities were found in government websites that went unpatched for years, simply because a contract had expired. With opening the source we hope to reduce those incidents, and to detect bad information security practices in the development process, rather than when it's too late.
European Union's first cybersecurity law gets green light (Bloomberg, 6 July 2016) - The European Union approved its first rules on cybersecurity, forcing businesses to strengthen defenses and companies such as Google Inc. and Amazon.com Inc. to report attacks. The European Parliament endorsed legislation that will impose security and reporting obligations on service operators in industries such as banking, energy, transport and health and on digital operators like search engines and online marketplaces. The law, voted through on Wednesday in Strasbourg, France, also requires EU national governments to cooperate among themselves in the field of network security. The rules "will help prevent cyberattacks on Europe's important interconnected infrastructures," said Andreas Schwab, a German member of the 28-nation EU Parliament who steered the measures through the assembly. EU governments have already supported the legislation.
Standards body whines that people who want free access to the law probably also want 'free sex' (TechDirt, 7 July 2016) - You would think that "the law" is obviously part of the public domain. It seems particularly crazy to think that any part of the law itself might be covered by copyright, or (worse) locked up behind some sort of paywall where you cannot read it. Carl Malamud has spent many years working to make sure the law is freely accessible... and he's been sued a bunch of times and is still in the middle of many lawsuits, including one from the State of Georgia for publishing its official annotated code (the state claims the annotations are covered by copyright). But there's another area that he's fought over for many years: the idea that standards that are "incorporated by reference" into the law should also be public. The issue is that many lawmakers, when creating regulations will often cite private industry "standards" as part of the regulations. So, things like building codes may cite standards for, say, sheet metal and air conditioning that were put together by the Sheet Metal and Air Conditioning Contractors National Association (SMACNA), and say that buildings need to follow SMACNA's standards. And those standards may be great -- but if you can't actually read the standards, how can you obey the law. At one point SMACNA went after Malamud for publishing its standards. And while they eventually backed down, others are still in court against Malamud -- including the American Society for Testing & Materials (ASTM), whose case against Malamud is set to go to trial in the fall. In the midst of all of this, various standards making bodies, along with the American National Standards Institute (ANSI), have been working over time to get the American Bar Association to adopt a proposal that limits publication of standards that are incorporated by reference. ANSI has pushed for a solution it prefers called "reasonable availability," in which the standard-makers decide by themselves how best to make the standards "available." ANSI, for example, hosts a bunch of incorporated by reference standards on its website -- but the only way to read them is to install a special kind of DRM (Windows and Mac only) that makes the documents purely read only. You are not allowed to save them. You are not allowed to download them permanently. You are not allowed to print them. And it's not all standards that are incorporated by reference. Why do they do this? Well, most of them sell their standards to professionals who need to buy them, and they don't want to give up on that revenue source (especially once those standards are incorporated by reference because at that point they become mandatory). [ Polley : The pending ABA policy is in Resolution 112, to be taken up by the House of Delegates on August 8 or 9. It's less-than-transparent and pernicious - see bolded language above . If you're in the House, look carefully at this language, and hear out Carl Malamud, who'll be in the audience.]
Appeals court says government email stored on private servers is still subject to FOIA requests (TechDirt, 8 July 2016) - There were indications that Clinton's use of a private email address was an attempt to route around FOIA requests. As her server was being set up, communications from both her staff and the State Department's noted that an account in her name existed already, but would be subject to FOIA requests. This has been a problem elsewhere. Several government officials have conducted an inordinate amount of government business using private email accounts or personal devices in hopes of skirting public records requests. The DC Circuit Court's case deals with a little-known government agency, but an all-too-familiar dodge by public officials . In a decision Tuesday in a case not involving Clinton directly, the U.S. Court of Appeals for the D.C. Circuit held that messages contained in a personal email account can sometimes be considered government records subject to Freedom of Information Act requests. The case ruled on by the D.C. Circuit focused on a relatively obscure White House unit: the Office of Science and Technology Policy. * * *
- and -
Is the DOJ using obsolete software to subvert FOIA requests? (Slash-Dot, 17 July 2016) - A new lawsuit alleges that the U.S. Department of Justice intentionally conducts inadequate searches of its records using a decades-old computer system when queried by citizens looking for records that should be available to the public," reports The Guardian. Slashdot reader Bruce66423 writes: An MIT PhD student has filed a suit in Federal court alleging that the use of a 21-year-old, IBM green screen controlled search software to search the Department of Justice databases...constitutes a deliberate failure to provide the data that should be being produced. Ryan Shapiro's lawsuit alleges "failure by design," saying that the Justice Department records are inadequately indexed -- and that they fail to search the full text of their records when responding to requests "When few or no records are returned, Shapiro said, the FBI effectively responds 'sorry, we tried' without making use of the much more sophisticated search tools at the disposal of internal requestors." The FBI has a $425 million software system to handle FOIA requests, but refuses to use it, saying that would be "needlessly duplicative...and wasteful of Bureau resources."
Does the First Amendment protect citizen journalists who film police? (MLPB, 8 July 2016) - Does the First Amendment protect a citizen's right to film police officers while they perform their duties? The Supreme Court hasn't ruled, but some lower courts have. See Gericke v. Weare (1st Circuit) and Glik v. Cunliffe (1st Circuit), Smith v. City of Cumming (11th Circuit), ACLU v. Alvarez (7th Circuit), generally upholding the right of the public to film officers who are in public, discharging their duties, and when the activities are of public interest and the individual filming is not interfering with the officer's activities. In the wake of police shootings in Baton Rouge, LA, and Falcon Heights, MN, and shootings of officers in Dallas, TX, here's a short discussion of the issue from the National Coalition Against Censorship (NCAC). See also this article in the New York Times, reporting that Ruben An has filed a lawsuit against the New York Police Department, claiming that the NYPD violated his rights by interfering with him while he filmed officers interacting with another person in 2014. Police arrested Mr. An; some charges were later dropped, and he was acquitted on the remaining counts.
9th Circuit: It's a federal crime to visit a website after being told not to visit it (Orin Kerr on Volokh, 12 July 2016) - The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act, Facebook v. Vachani , which I flagged just last week. For those of us worried about broad readings of the Computer Fraud and Abuse Act , the decision is quite troubling. Its reasoning appears to be very broad. If I'm reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they're committing a federal crime of accessing your computer without authorization. I think this decision is wrong, and that it has big implications going forward. Here's a rundown of the case and why it matters. I'll conclude with a thought about a possible way to read the case more narrowly, as well as why I'm not convinced that narrow reading is correct. * * * [ Polley : Orin Kerr is my designated go-to authority on conservative readings of internet-related 4th Amendment jurisprudence; I often don't like what he writes, but it's always compelling.]
- and -
Second Circuit: Warrants cannot be used to compel disclosure of emails stored outside the United States (Orin Kerr on Volokh, 14 July 2016) - The Second Circuit has handed down its long-awaited decision in the Ireland warrant case, In the Matter of a Warrant to Search a Certain E ‐Mail Account Controlled and Maintained by Microsoft Corporation . The holding: If a U.S. company stores customer email outside the United States, whether of U.S. or foreign customers, the government cannot use a domestic search warrant to compel the disclosure of the email. If the data is stored outside the United States, the government has to find some other way to compel the email other than a traditional search warrant. This post will cover the reasoning of the opinion, and in another post I'll address its implications and what happens next. * * * [ Polley: see also Microsoft just won a big victory against government surveillance -- why it matters (Dan Solove, 15 July 2016)]
Pokémon Go: Who owns the virtual space around your home? (The Guardian, 13 July 2016) - When a virtual space overlaps a real-world space, then whose space is it, and who controls what is created as a result? The success of augmented-reality game Pokémon Go has forced this question into focus. Since its launch less than a week ago, groups worldwide have struggled with the game's unforeseen ramifications. Washington DC's Holocaust Museum has asked Pokémon Go players to stay away : the museum was designated a Pokéstop, where players can pick up items like Pokéballs and revives, forcing its communications director to point out that playing a game inside a memorial to victims of Nazism is "extremely inappropriate". In the Sydney suburb of Rhodes, a chance confluence of Pokéstops has led to "hundreds" of players milling around a small outdoor area . "The place is in complete chaos with crowds of well over 1,000 per night. There is a massive level of noise after midnight, uncontrollable traffic, excessive rubbish, smokers, drunk people, people who are 'camping' in the site, and even people peddling mobile phone chargers," a resident told Buzzfeed. Boon Sheridan, a Massachusetts man who lives in a converted church, has found his house has been designated a Pokémon Gym , the most important category of locations in the game. For days, people have been loitering outside his house, leaving him concerned it "could easily make this place look like a dealer's house". Ingress, a science fiction-tinged game developed back when the company was still a subsidiary of Google, has been running for six and half years. In July 2015, the company faced an almost identical controversy, after the German magazine Zeit reported that concentration and death camps including Dachau, Buchenwald and Auschwitz-Birkenau were all set up as in-game "portals". Some were deleted the day after Zeit contacted Google; others remained, including a portal specifically located at the notorious "Arbeit Macht Frei" gates in Auschwitz. * * * [ Polley : Interesting; I watched oblivious Pokemon-Go players bumping into visitors in Stockholm's Kungstradgarden park last week.]
- and -
Pokémon Go players in Bosnia warned to avoid minefields (Mashable, 20 Jul 2016) - Bosnian players of the popular Pokémon Go app have been told to avoid areas still littered with landmines from the war in the 1990s. A charity which deals with demining in the Balkan country, Posavina bez mina, has issued a warning after receiving reports of gamers hunting for Pokémon in risky areas. "Today we received information that some users of the Pokémon Go app in Bosnia were going to places which are a risk for [unexploded] mines, in search of a Pokémon. Citizens are urged not to do so, to respect demarcation signs of dangerous minefields and not to go into unknown areas," the NGO said. About 120,000 mines are still to be found in Bosnia, according to another demining group. As the popularity of Pokémon Go increases around the world, several incidents have been reported, from people falling into a pond to a car crash . Two men were rescued in California after falling off a seaside cliff while playing the game.
- and -
Augmented Reality - Technology & Policy Primer (University of Washington's Tech Policy Lab, October 2015) - This whitepaper is aimed at identifying some of the major legal and policy issues augmented reality (AR) may present as a novel technology, and outlines some conditional recommendations to help address those issues. Our key findings include: (1) AR exists in a variety of configurations, but in general, AR is a mobile or embedded technology that senses, processes, and outputs data in real-time, recognizes and tracks real-world objects, and provides contextual information by supplementing or replacing human senses; (2) AR systems will raise legal and policy issues in roughly two categories: collection and display. Issues tend to include privacy, free speech, and intellectual property as well as novel forms of distraction and discrimination; (3) We recommend that policymakers-broadly defined-engage in diverse stakeholder analysis, threat modeling, and risk assessment processes. We recommend that they pay particular attention to: a) the fact that adversaries succeed when systems fail to anticipate behaviors; and that, b) not all stakeholders experience AR the same way; and (4) Architectural/design decisions-such as whether AR systems are open or closed, whether data is ephemeral or stored, where data is processed, and so on-will each have policy consequences that vary by stakeholder.
HHS: Healthcare groups must report all ransomware attacks (SC Magazine, 14 July 2016) - The Federal Health and Human Services Department (HHS) issued guidelines this week that could require hospitals and doctor offices to notify HHS if they are victimized by a ransomware attack. The HHS guidance has several stipulations for if and when health providers would be required to make a notification. The primary trigger would be if the electronic protected health information (ePHI) is not protected in accordance with HHS regulations or if the ePHI is properly encrypted making it impervious to a criminal enterprise. However, if neither of these thresholds are met than the affected organization would have to notify HHS if a ransomware incident takes place. This differs from the current standard which only required healthcare providers report incidents in which the personal information of more than 500 people was compromised through a data breach. A ransomware attack did not fall under these guidelines. One example provided by HHS states, "if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. Because the PHI on the laptop is not "unsecured PHI", a covered entity or business associate need not perform a risk assessment to determine a low probability of compromise or provide breach notification." The HHS guidance stated that entities that comply with HIPAA security rules will be more secure from ransomware and other cyberattacks as they require the implementation of cybersecurity measures, conducting a risk analysis to identify threats and vulnerabilities and taking measures to remediate those risks.
DHS looking to link to the blockchain (ReadWrite, 15 July 2016) - The Department of Homeland Security has stepped up its research and investment into blockchain technologies, as it searches for ways to make the government more secure, accountable, and autonomous. Public interest in the blockchain from the DHS started in December last year, when it called for small business proposals to research the advantages and disadvantages of the emerging technology. Six months later, it awarded the $200,000 grant to Factom. Factom is not the only startup working with the DHS on blockchain, Solarity Solutions, Respect Network and Digital Bazaar have also received funding, according to CoinDesk , to research the blockchain. The DHS also has a Silicon Valley office looking into authentication advantages using the tech pioneered by Bitcoin. Most of the research seems preliminary: separate the fact from fiction, research the technology's capabilities, report back. But in the near future we may see the DHS move from inquiry into active adoption of the blockchain for all sorts of privacy and security interests.
Just as open competitor to Elsevier's SSRN launches, SSRN accused of copyright crackdown (TechDirt, 18 July 2016) - A couple of months ago, we wrote about how publishing giant Elsevier had purchased the open access pre-publisher SSRN. SSRN is basically the place where lots of research that we regularly report on is published. Legal and economics academics quite frequently post their journal articles there. Of course, Elsevier has a well-known reputation for being extreme copyright maximalists in dangerous ways. Having Elsevier take over SSRN concerned a lot of academics, and even led to calls for alternatives, including many asking the famed arXiv to open a social science research operation as well. Indeed, it appears that arXiv was paying attention, because just about a week ago, SocArXiv was announced , and it already has a temporary home hosted by Open Science Framework. And perhaps this came just in time, because just as that happened, Stephen Henderson, a law professor, noted that SSRN took down his paper saying that they didn't think he retained the copyright to it. When I posted a final PDF of an article for which not only do my co-author and I retain the copyright, but for which the contract also includes _explicit_ permission to post on SSRN, I received the typical happy "SSRN Revision Email" saying all was well. Only when I went to take a look, I found there was no longer any PDF to download at all-merely the abstract. So, download counts are gone, and no article. Not the former working version nor the final version. And then in the revision comments, I found this: "It appears that you do not retain copyright to the paper, and the PDF has been removed from public view. Please provide us with the copyright holder's written permission to post. Alternatively, you may replace this version with a working paper or preprint version, if you so desire. Questions and/or written permissions may be emailed to support@ssrn.com, or call 1-877-SSRNHELP (877-777-6435 toll free) or 1-585-442-8170 outside the US." So, not only have they completely changed their model, but-at least to me-they gave no effective notice, and they pull papers without asking. Nobody bothered to _ask_ whether I had permission; they simply took down every version of the article and said nothing. Alas. And when I called customer support and someone called back, I pointed out that some profs have hundreds of articles posted for which SSRN doesn't hold the copyright agreements. "Are you going to take all those down too?," I asked. The answer, in essence, "Those were posted in error." Unbelievable.
Legalist is making it easier for lawyers to find state court records (TechCrunch, 19 July 2016) - Imagine a lawyer with a client who lives in one county and works in another. Or even a lawyer who litigates in multiple states. Both common occurrences, but situations that make it very hard to keep track of legal documents. Essentially, it should be easy to keep track of court records from multiple counties and states - but it's not. In fact, it's pretty awful. Most are hosted online, but each county could have different databases and even different databases providers, making it a huge hassle to constantly search for court records and updates. For example, Ohio has 88 counties, and you have to search each one separately for legal records. It's such a mess that some lawyers have found it easier to have employees just drive from county to county tracking down records in person. Enter Legalist - a startup launching in Y Combinator's Summer '16 batch. Founded by Eva Shang and Christian Haigh, two current Harvard undergrads, the startup is trying to become a Google for state court records. They are doing this by scraping these databases and aggregating the documents into one main searchable database. This takes a while - most counties and states have records going back to 1989. For example, the startup is currently scraping 10 different states - a process that is providing them with 400,000 new documents a day. Besides searchable records, the startup also offers email updates for cases. This means that the site will scrape databases each day for updates to flagged cases and automatically email lawyers with the new documents so they don't have to manually check every day for case updates. So far the site is live for users in Massachusetts, Ohio, and Maryland - with more to come soon. These three states have provided the databases with documents for over 7 million cases and 110,000 different lawyers. The service is also free for any licensed attorney registered with their state's bar association. However the startup plans on charging for additional features in the future. These include an option to see cases sorted by outcome based on a certain judge - this will help lawyers choose the best litigation strategy in a specific case. Another future paid feature is "predicted timeline", which uses their millions of archived cases to provide an estimate on how long a certain case will take. The startup says that lawyers find this feature especially helpful because the first question a client often asks their lawyer is how long the entire legal process will take. For now, the startup is just focused on state and county records. This is because the vast majority of court cases happen on the state level. Out of an approximately 95 million cases filed each year nationwide, only about 1 million happen in federal court. Plus, federal court records are already organized in a central database called PACER . So while Legalist eventually plans on adding federal records to their database, it isn't an immediate need.
After errant Melania tweet, DOJ rethinks social media policy (NextGov, 20 July 2016) - The Justice Department is adjusting its social media policy after a staffer posted a personal message to DOJ's more than 1 million Twitter followers. The gaffe occurred Tuesday, in apparent response to allegations that Melania Trump's speech at the Republican National Convention lifted chunks of a speech delivered by Michelle Obama during the 2008 Democratic National Convention. "CNN is the biggest troll of them all lmao #Petty," DOJ's official account tweeted, posting a link to a CNN news story headlined, "Campaign denies Melania Trump's speech plagiarizes parts of Michelle Obama's." The tweet, since deleted, was posted "erroneously" and "was meant for a personal account," said a DOJ statement provided to Nextgov. The staffer's access to the account has been revoked. This incident prompted DOJ to make "procedural changes to the way we use our social media accounts," the statement said. The department also plans to "provide additional social media training for employees." DOJ didn't respond to multiple requests for more detail about what those procedural changes, or additional training, entail. The General Services Administration's DigitalGov team, which encourages other agencies to use social media in a controlled manner, has outlined several suggestions for safe use, including using two-step verification for access from mobile devices.
WSJ reporter: Homeland Security tried to take my phones at the border (Motherboard, 21 July 2016) - On Thursday, a Wall Street Journal (WSJ) reporter claimed that the Department of Homeland Security demanded access to her mobile phones when she was crossing the border at the Los Angeles airport. The case highlights the powers that border agents purport to have, and how vulnerable sensitive information can be when taken through airports in particular. "I wanted to share a troubling experience I had with the Department of Homeland Security (DHS), in the hopes it may help you protect your private information," Maria Abi-Habib, a WSJ journalist focused on ISIS and Al Qaeda wrote in a post on Facebook . (Abi-Habib confirmed to Motherboard that the Facebook account was hers, but declined to comment further.) Abi-Habib says she had arrived in town for a wedding, when an immigration officer approached her, and took her aside from the main queue. This by itself was not unusual, Abi-Habib writes: because of her job, she has reportedly been put on a list that allows her to bypass the usual questioning someone with her travel profile may encounter. But things changed quickly, and Abi-Habib was escorted to another part of the airport. "Another customs agent joined her at that point and they grilled me for an hour-asking me about the years I lived in the US, when I moved to Beirut and why, who lives at my in-laws' house in LA and numbers for the groom and bride whose wedding I was attending. The first DHS agent then asked Abi-Habib for her two cell phones, in order "to collect information," Abi-Habib reports the officer as saying. "And that is where I drew the line," Abi-Habib writes. "I told her I had First Amendment rights as a journalist she couldn't violate and I was protected under. I explained I had to protect my government and military sources-over the last month, I have broken two stories that deeply irked the US government, in addition to other stories before I went on maternity leave, including one in Kabul that sparked a Congressional investigation into US military corruption, all stories leaked by American officials speaking to me in confidence." The agent passed over a document, which Abi-Habib later photographed and posted to Facebook, purportedly showing that the agent has the right to seize those devices. Abi-Habib instead said that the border agents would need to contact WSJ's lawyers. After some back and forth, the agent went to see her supervisor, and eventually said Abi-Habib is free to go. Abi-Habib said she reported the incident to a WSJ lawyer, encryption expert and the outlet's in-house security. From those conversations, Abi-Habib says, "My rights as a journalist or US citizen do not apply at the border, as explained above, since legislation was quietly passed in 2013 giving DHS very broad powers (I researched this since the incident). This legislation also circumvents the Fourth Amendment that protects Americans' privacy and prevents searches and seizures without a proper warrant."
NOTED PODCASTS/MOOCS
Steptoe Cyberlaw Podcast: An Interview with Jamie Smith (Steptoe, 24 June 2016; 46 minutes) - With Stewart on vacation, the blockchain takes over the podcast! In episode 121, Jason Weinstein and Alan Cohn talk all things bitcoin, blockchain, and distributed ledger technology, and interview Jamie Smith, Global Chief Communications Officer for the BitFury Group, one of the largest full-service blockchain technology companies. [ Polley : very interesting, with discussion ranging across the Atlantic and describing the DAO "hack".]
RESOURCES
The Future of Transatlantic Data Flows: Privacy Shield or Bust? (Prof Greg Voss, 1 May 2016) - Abstract: This article starts by providing background for the recently announced EU-US Privacy Shield, beginning with the adoption of the European Union's 1995 Data Protection Directive that limited cross border transfers of personal data to countries with "an adequate level of protection" of such data. The resulting "Safe Harbor" negotiated between the EU and the U.S. in order to allow continuing data flows between the two blocs is described, together with the Schrems decision invalidating it, with the consequences for transatlantic data flows being highlighted. The need for a "Safe Harbor 2.0," and details of the same, relabelled as the "Privacy Shield," are provided. Finally, the current legal uncertainty surrounding the Privacy Shield and potential alternatives to it are evoked.
Digital Searches and Seizures: Overview of Proposed Amendments to Rule 41 of the Rules of Criminal Procedure (CRS, 29 June 2016) - With the Rules Enabling Act, Congress granted to the Supreme Court the authority to write federal rules of procedure, including the rules of criminal procedure. After several years of evaluation by the Judicial Conference, the policy-making arm of the federal judiciary, on April 28, 2016, the Supreme Court transmitted to Congress proposed changes to Rule 41 of the Federal Rules of Criminal Procedure. These proposed changes would amend the federal search and seizure rules to permit the government to remotely access electronic devices although the location of the device may be unknown. This issue has become more pressing in recent years with an increasing number of users anonymizing their communications, hindering the government's ability to pinpoint the location of the target, and thus making it difficult to discern the appropriate federal court to apply for a search warrant. In recent years, a tension has arisen between Rule 41 as currently drafted and the Department of Justice's (DOJ's) desired use of the rule for digital searches. This issue arose recently in a 2012 magistrate judge's ruling from the Southern District of Texas, in which the court denied DOJ's application to conduct remote searches of a computer believed to have been part of a fraudulent scheme, because the government could not establish the location of the target, thereby placing it outside the scope of Rule 41 and in violation of the Fourth Amendment particularity requirement. There have been at least two lines of argument against the proposed rule change, one based on the substance of the proposed amendment and the other grounded in the process by which the rule is being changed. The substantive arguments pertain to the actual substance of the rule and include for example, an argument that the new rule would breach the particularity requirement of the Fourth Amendment. The procedural arguments pertain to how this potential authorization should be made law: through the rulemaking process by the courts or through enacted legislation by Congress. While federal law enforcement has been supportive of the proposed change, some advocacy groups have argued that the proposed rule change "would have significant legal and technical implications" and thus "merit[s] open consideration by Congress, rather than a rulemaking proceeding of the Judicial Conference." This report provides a brief overview of the proposed amendment to Rule 41. First, it provides a background on the origin of, and rationale underlying, the proposed amendment and a description of the rule as currently written. Second, it reviews the potential changes made by the proposed amendment and will survey various concerns commenters have raised with the proposal. Lastly, this report addresses efforts being made in Congress to alter, delay, or stop this rule change.
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Senators caught rewriting Wikipedia (NewsFactor.com, 9 Feb 2006) -- Online reference compendium Wikipedia has found that employees working in the U.S. Congress have made several changes to political biographies, removing facts considered negative and tweaking language to portray politicians in a better light. Wikipedia began an investigation after a Democratic representative, Marty Meehan, admitted that he had spiffed up his online biography page. It was found that articles on other senators had been changed, sometimes significantly, and that the edits could be traced to computers on Capitol Hill. Although Wikipedia is a collectively run reference, and can be edited by any of its users, those who run the site attempt to police changes to make sure they adhere to fact and not opinion or prejudice. In its investigation, Wikipedia examined the public edit history on the political biography pages in question. Researchers discovered the links to the U.S. Senate and began checking the biographies that had been visited. Half a dozen pages were changed, according to Wikipedia, including those of California Senator Dianne Feinstein, Iowa Senator Tom Harkin, and Minnesota Senator Norm Coleman. Senator's Coleman staff confirmed the changes, noting that they had made several changes, such as a description of the senator in college. Where he had once been described as a "liberal," the staff edited the listing to dub him an "activist." Staff members of Senator Harkin removed a paragraph noting that Harkin had claimed falsely to have been in combat in North Vietnam, a claim he later recanted.
British law goes online (ComputerActive, 20 Dec 2006) -- The British government has made the entirety of the country's law statutes available online. The Statute Law website contains the 'official revised edition' of the UK's primary legislation - that is, any acts passed by parliament. The database includes details of how laws have changed over time, as well as how existing laws will be amended by future legislation that is not yet in force. The content - all 30,000 items - is available for free for private use. In addition to acts of parliament, the website also contains secondary legislation - laws passed directly by the government of the day - that has come into effect since 1991. In addition to national law, the database also contains acts of the Scottish parliament and the Northern Ireland assembly.
NOTES
MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.
Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.
SOURCES (inter alia):
1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu
2. InsideHigherEd - http://www.insidehighered.com/
3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/
4. Aon's Technology & Professional Risks Newsletter
5. Crypto-Gram, http://www.schneier.com/crypto-gram.html
6. Steptoe & Johnson's E-Commerce Law Week
7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/
8. The Benton Foundation's Communications Headlines
9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html
10. Readers' submissions, and the editor's discoveries
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top