Saturday, November 26, 2016

MIRLN --- 6-26 Nov 2016 (v19.16)

MIRLN --- 6-26 Nov 2016 (v19.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Understanding footnote 14: NSA lawyering, oversight, and compliance (Lawfare, 7 Oct 2016) - In 2009, the government notified the Foreign Intelligence Surveillance Court (FISC) of a serious issue in the design and description of the National Security Agency's (NSA) Business Records metadata program. In short, the NSA had implemented a part of that program using an erroneous interpretation of the term "archived data" that appeared in the court's order. An inadvertent mistake in later reports to the FISC concealed the fact of the misinterpretation, which was incorporated into multiple reports over time. Readers are likely aware of the incident, which has become a persistent reference point for NSA's most ardent critics. One such critic recently pointed to a FISC memorandum referencing the episode as evidence that "NSA lawyers routinely lie, even to the secret rubber stamp FISA court"; another cited it in claiming DOJ's attorneys made "misleading claims about the intent and knowledge NSA had about the phone and Internet dragnets" and that "NSA had basically willfully treated FISA-collected data under the more lenient protection regime of EO 12333." These allegations are false. And by insisting that government officials routinely mislead and lie, these critics are missing one of the most important stories in the history of modern intelligence oversight. As people who served in the NSA during and after the time of this particular incident, we seek to offer a fuller account of this episode. [Polley: On 14 Nov Bruce Schneier wrote about this story: "Former NSA attorneys John DeLong and Susan Hennessey have written a fascinating article describing a particular incident of oversight failure inside the NSA. Technically, the story hinges on a definitional difference between the NSA and the FISA court meaning of the word "archived." (For the record, I would have defaulted to the NSA's interpretation, which feels more accurate technically.) But while the story is worth reading, what's especially interesting are the broader issues about how a nontechnical judiciary can provide oversight over a very technical data collection-and-analysis organization -- especially if the oversight must largely be conducted in secret. In many places I have separated different kinds of oversight: are we doing things right versus are we doing the right things? This is very much about the first: is the NSA complying with the rules the courts impose on them? I believe that the NSA tries very hard to follow the rules it's given, while at the same time being very aggressive about how it interprets any kind of ambiguities and using its nonadversarial relationship with its overseers to its advantage. The only possible solution I can see to all of this is more public scrutiny. Secrecy is toxic here."]

Adobe Voco 'Photoshop-for-voice' causes concern (BBC, 7 Nov 2016) - Adobe unveiled Project Voco last week. The software makes it possible to take an audio recording and rapidly alter it to include words and phrases the original speaker never uttered, in what sounds like their voice. One expert warned that the tech could further undermine trust in journalism. Another said it could pose a security threat. However, the US software firm says it is taking action to address such risks. At a live demo in San Diego on Thursday, Adobe took a digitised recording of a man saying "and I kissed my dogs and my wife" and changed it to say "and I kissed Jordan three times". The edit took seconds and simply involved the operator overtyping a transcript of the speech and then pressing a button to create the synthesised voice track. "We have already revolutionised photo editing. Now it's time for us to do the audio stuff," said Adobe's Zeyu Jin, to the applause of his audience. He added that to make the process possible, the software needed to be provided with about 20 minutes-worth of a person's speech.

Lawyers may not use 'web bugs' to track email sent to opposing counsel, ethics opinion says (ABA Journal, 8 Nov 2016) - Lawyers should not plant "web bugs" to track the location and use of emails sent to opposing counsel, according to an Alaska ethics opinion. The Alaska Bar Association Ethics Committee is the second bar panel to address the issue, according to the ABA BNA Lawyers' Manual on Professional Conduct. An ethics opinion by the New York State Bar Association also found web bugs are not ethically permissible. The Oct. 26 opinion by the Alaska ethics committee said web bugs in emails can track a variety of information. They can be used to learn when and how often an email was opened, how long it was reviewed, how long an attachment was reviewed, whether the email or attachment was forwarded, and the rough geographical location of the recipient. Web bugs can reveal information that interferes with the lawyer-client relationship and the preservation of client confidences, the ethics opinion said. Seeking to invade the lawyer-client relationship through web bugs, even if the web bug is disclosed, violates ethics rules barring lawyers from engaging in misrepresentation and deceit, according to the opinion. The ethics opinion provides two examples of how web bugs can intrude on the attorney-client relationship.
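In security terms, the "web bug" the Alaska opinion describes is a tracking pixel: a remotely hosted image whose URL is unique to one recipient, so that the sender's server logs the time, count and source IP of every fetch when the message is rendered. The Python script below is an added illustration, not code from the ABA Journal article or the ethics opinion. It scans a raw e-mail for remote images that are invisible (1x1 or hidden by inline style) or that carry a long opaque token in their URL. The sample message, the host names, the 24-character token threshold and the size heuristic are assumptions made for this example.

```python
"""Detect e-mail "web bugs" (tracking pixels) in a raw RFC 822 message.

A web bug is a remotely hosted image whose URL identifies the recipient;
fetching it when the message is rendered tells the sender when, how often,
and from roughly where (the fetching IP) the mail was opened.  This example
flags <img> elements in the HTML body that (a) load over http(s) and
(b) are sized or styled to be invisible, or carry a long opaque token in
their URL.  The thresholds below are assumptions for the example, not a
standard.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message; hosts and the token are made up for illustration.
SAMPLE_EML = """\
From: counsel@example.com
To: opposing@example.net
Subject: Draft settlement terms
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the draft attached.</p>
<img src="https://track.example.com/open/7f3a9c2e1b4d5e6f7a8b9c0d1e2f3a4b.gif" width="1" height="1" style="display:none">
<img src="https://www.example.com/logo.png" width="120" height="40" alt="Firm logo">
<img src="cid:embedded-logo@example.com" width="1" height="1">
</body></html>
"""

# A run of 24 or more URL-safe characters is treated as an opaque per-recipient id (assumed threshold).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{24,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny_or_hidden(attrs):
    """True if the image is declared 1x1 or smaller, or hidden by inline style."""
    w = int(attrs.get("width", "0") or 0) if attrs.get("width", "0").isdigit() else 0
    h = int(attrs.get("height", "0") or 0) if attrs.get("height", "0").isdigit() else 0
    tiny = ("width" in attrs and w <= 1) and ("height" in attrs and h <= 1)
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def _has_opaque_token(url):
    """True if the URL path or any query value contains a long opaque identifier."""
    parsed = urlparse(url)
    candidates = [parsed.path] + [v for vals in parse_qs(parsed.query).values() for v in vals]
    return any(TOKEN_RE.search(c) is not None for c in candidates)


def find_web_bugs(raw_message):
    """Return a list of (url, reasons) for remote images that look like trackers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            src = attrs.get("src", "")
            if urlparse(src).scheme.lower() not in ("http", "https"):
                continue  # cid: and data: images are embedded and do not phone home
            reasons = []
            if _is_tiny_or_hidden(attrs):
                reasons.append("invisible")
            if _has_opaque_token(src):
                reasons.append("opaque-token")
            if reasons:
                findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for url, why in find_web_bugs(SAMPLE_EML):
        print(f"{url}  <- {', '.join(why)}")
```

Detection like this is best-effort: a tracker can be a full-size image with a short URL. The reliable countermeasure is on the receiving side: a mail client configured not to fetch remote content until the reader asks for it never sends the open signal at all, and an image proxy in front of the client hides the recipient's IP (and thus location) even when it does.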

- and -

Beware of sites importing your contacts, and watch your social media comments, ethics opinions say (ABA Journal, 21 Nov 2016) - The ethics committee of the District of Columbia Bar is advising lawyers about some social media dangers in two ethics opinions released this month. Many issues addressed in the opinions have been widely explored in ethics opinions in other jurisdictions, but a couple of topics haven't gotten much treatment in prior opinions, according to the ABA BNA Lawyers' Manual on Professional Conduct. The D.C. opinions are here and here. One "apparently novel warning" is about lawyers who take positions on legal issues when blogging or tweeting, according to the ABA BNA Lawyers' Manual. The ethics opinion says a lawyer's positions on social media could be adverse to the interest of a client, inadvertently creating a conflict. Those online positions could violate a D.C. ethics rule that prevents lawyers from representing clients if their professional judgment will be, or reasonably may be, adversely affected by a lawyer's own financial, property or personal interest, the ethics opinion says. Another new topic addressed is the danger of allowing social media websites such as LinkedIn to access email contacts. Such access can allow a social media site to suggest potential connections with people the lawyer may know who are already members of the website, or to invite nonmembers to join and connect with the lawyer, explains D.C. Bar Ethics Opinion 370. "However, in many instances, the people contained in a lawyer's address book or contact list are a blend of personal and professional contacts," according to the opinion. "Contact lists frequently include clients, opposing counsel, judges and others whom it may be impermissible, inappropriate or potentially embarrassing to have as a connection on a social networking site. … For attorneys, these connection services could potentially identify clients or divulge other information that a lawyer might not want an adversary or a member of the judiciary to see or information that the lawyer is obligated to protect from disclosure."

How Facebook, Twitter helped lead Trump to victory (AdAge, 9 Nov 2016) - America just endured its first presidential election in which the majority of the electorate got its news from social media. And the outcome is already prompting soul searching by the companies that shaped it. Facebook will have to contend with mounting dissatisfaction over its role as the most widely used news filter in history. Forty-four percent of American adults get their media through the site, many consuming news from partisan sources with which they agree. The proliferation of fake news on Facebook has also been a problem: false stories about the Clinton family committing murder and Huma Abedin being a terrorist flew fast and furious despite refutations from responsible news organizations. Those stories shaped public opinion, said Ed Wasserman, the dean of the University of California, Berkeley Graduate School of Journalism. "This is a landmark," he said. "Trump was able to get his message out in a way that was vastly influential without undergoing the usual kinds of quality checks that we associate with reaching mass public. You had a whole set of media having influence without really having authority. And the media that spoke with authority, the authority that comes after careful fact checking, didn't really have the influence."

- and -

This analysis shows how fake election news stories outperformed real news on Facebook (BuzzFeed, 16 Nov 2016) - In the final three months of the US presidential campaign, the top-performing fake election news stories on Facebook generated more engagement than the top stories from major news outlets such as the New York Times, Washington Post, Huffington Post, NBC News, and others, a BuzzFeed News analysis has found. During these critical months of the campaign, 20 top-performing false election stories from hoax sites and hyperpartisan blogs generated 8,711,000 shares, reactions, and comments on Facebook. Within the same time period, the 20 best-performing election stories from 19 major news websites generated a total of 7,367,000 shares, reactions, and comments on Facebook. (This analysis focused on the top performing link posts for both groups of publishers, and not on total site engagement on Facebook. For details on how we identified and analyzed the content, see the bottom of this post. View our data here.) Up until those last three months of the campaign, the top election content from major outlets had easily outpaced that of fake election news on Facebook. Then, as the election drew closer, engagement for fake content on Facebook skyrocketed and surpassed that of the content from major news outlets. [Polley: see also Call it a 'crazy idea,' Facebook, but you need an executive editor (Margaret Sullivan in WaPo, 20 Nov 2016)]

- and -

Tens of thousands join 'Lawyers of the Left' Facebook group, sign Bannon protest letter (ABA Journal, 22 Nov 2016) - A law professor and a legal marketer apparently struck a chord when they appealed to lawyers disappointed in the election results and with a key appointment by Donald Trump. Nearly 120,000 people had joined an invitation-only Facebook group called Lawyers of the Left as of Monday morning, Robert Ambrogi reports for Above the Law. More than 10,000 lawyers signed a letter within 48 hours that objected to the appointment of Breitbart News chief Stephen Bannon as chief White House strategist. Above the Law reports on Traci Feit Love, the Harvard law graduate and legal marketer who created the Facebook group, while Bloomberg Big Law Business spoke with a law professor who wrote the protest letter. Legal marketer Traci Feit Love says her initial goal was to find 150 lawyers to join her Facebook group. Her idea, she wrote, was hatched after she saw Facebook posts from lawyers who proposed positive action after the election. "I thought to myself: Why not create a small Facebook group where those action-minded lawyers could really start making a difference?" Love wrote. One of the Facebook group's initial plans is to coordinate among members attending the Women's March on Washington on the day after the inauguration. University of Denver law professor Nancy Leong wrote the protest letter with colleagues Lindsey Webb and Robin Walker Sterling. Her goal was to get a couple hundred lawyers to view and repost the letter. More than 10,000 lawyers had signed the letter in less than 48 hours. The letter calls on Congress to ask Trump to rescind Bannon's appointment.

- and -

Call to Action lets you phone your Congressperson with just a tap (TechCrunch, 22 Nov 2016) - The U.S. election has inspired more people to become politically involved, and one of the most practical and direct ways to have an impact is to directly call your Congressperson to have your voice heard. However, scouring .gov websites can be a little frustrating, and today's current crop of online resources for reaching Congress are often poorly designed or hard to locate. A new online application, Call To Action, wants to help. With a simple user interface that's accessible via the desktop or mobile web, Call To Action has a singular purpose: it makes it easy to find your representatives and place a phone call to their office. It even provides simple scripts to help you get started. However, Call To Action doesn't currently take a political position, nor is it associated with any political action groups. As evidenced by its purple color scheme, its main goal is to simply make reaching out to your House reps more accessible. When you launch the Call To Action website, you're prompted to enter your home address, and the app will then locate your Congressional representative. As the website explains, because Congressional representatives serve fewer constituents than a Senator, calls to reps are more likely to be answered and hold more relative weight. Remarkably, Call To Action was a weekend project built by a team of ten, some friends and some strangers. Zack Shapiro, an iOS developer previously from Splash, had originally tweeted out the idea, and expressed his interest in building such a utility.

Yahoo admits some employees knew of massive hack in 2014 (CNET, 9 Nov 2016) - As any investigator can tell you, it's not just what you knew, but when you knew it. On Wednesday, Yahoo admitted that not long after a hack in 2014 some of its employees were aware a state-sponsored hacker had breached its network. The revelation is sure to cast a larger shadow over Verizon's $4.8 billion deal to acquire the company. Yahoo said in September that an investigation in August had uncovered the theft of personal information associated with at least a half billion Yahoo accounts, the biggest data breach in history. The company said at the time that it discovered the massive intrusion after a hacker claimed in August to have snatched 200 million Yahoo usernames and passwords in an earlier hack. But a Yahoo filing with the US Securities and Exchange Commission on Wednesday revealed that at least some people within the company were aware of the intrusion in 2014. "An Independent Committee of the Board, advised by independent counsel and a forensic expert, is investigating, among other things, the scope of knowledge within the Company in 2014 and thereafter regarding this access," Yahoo said in its filing. It wasn't until the August probe, however, that the company got confirmation of the extent of the breach, a source with knowledge of the investigation said.

FTC issues data breach response guidance (Steptoe, 10 Nov 2016) - On October 25, the Federal Trade Commission (FTC) released a guide on data breach response, along with a video and business blog. The main guidance, entitled Data Breach Response, A Guide for Business, lays out some important steps for a swift and appropriate response when a data breach is suspected. Since the FTC is the primary judge in the United States of whether a company's preparation for, and response to, a breach was "reasonable," it would make sense for companies to incorporate the FTC's guidance in their incident response plans.

- and -

NIST issues small business information security: the fundamentals (Ride the Lightning, 14 Nov 2016) - The title pretty much says it all. The November 2016 release of the NIST (National Institute of Standards and Technology) Small Business Information Security: The Fundamentals is welcome indeed. The document clocks in at 32 pages with several helpful appendices (including worksheets and sample policy and procedure statements) extending the length to 54 pages. Reading this document constitutes a good crash course for any small business. If you know you need to come up to speed with a very current document, here's your opportunity.

Secret back door in some US phones sent data to China, analysts say (NYT, 15 Nov 2016) - For about $50, you can get a smartphone with a high-definition display, fast data service and, according to security contractors, a secret feature: a backdoor that sends all your text messages to China every 72 hours. Security contractors recently discovered preinstalled software in some Android phones that monitors where users go, whom they talk to and what they write in text messages. The American authorities say it is not clear whether this represents secretive data mining for advertising purposes or a Chinese government effort to collect intelligence. International customers and users of disposable or prepaid phones are the people most affected by the software. But the scope is unclear. The Chinese company that wrote the software, Shanghai Adups Technology Company, says its code runs on more than 700 million phones, cars and other smart devices. One American phone manufacturer, BLU Products, said that 120,000 of its phones had been affected and that it had updated the software to eliminate the feature. Kryptowire, the security firm that discovered the vulnerability, said the Adups software transmitted the full contents of text messages, contact lists, call logs, location information and other data to a Chinese server. The code comes preinstalled on phones and the surveillance is not disclosed to users, said Tom Karygiannis, a vice president of Kryptowire, which is based in Fairfax, Va. "Even if you wanted to, you wouldn't have known about it," he said.

'Augmented Intelligence' for higher ed (InsideHigherEd, 16 Nov 2016) - The company behind the Jeopardy!-winning computer, Watson, is now establishing itself in the adaptive and personalized learning markets. What is IBM? The company is partnering with a small number of hardware and software providers to bring the same technology that won a special edition of the game show back in 2011 to K-12 institutions, colleges and continuing education providers. The partnerships and the products that might emerge from them are still in the planning stage, but the company is investing in the idea that cognitive computing -- natural language processing, information retrieval and other functions similar to the ones performed by the human brain -- can help students succeed in and outside the classroom. Chalapathy Neti, vice president of education innovation at IBM Watson, said education is undergoing the same "digital transformation" seen in the finance and health care sectors, in which more and more content is being delivered digitally. * * * IBM has been out of the personal computer market for more than a decade, and just as you no longer see any laptops branded with the "Big Blue" logo, the company won't be releasing its own adaptive learning platform or learning management system. Instead, IBM is working with major companies to bring its technology to market. In higher education, IBM is at the moment working with Blackboard and Pearson on student retention and tutoring, respectively. Both education companies are this fall beginning to test a handful of early prototypes, exploring potential use cases and working with clients to learn what sort of software they are interested in. Pearson is testing what Angie McAllister, senior vice president of personalized learning and analytics, described as an "intelligent tutoring system." As one of the major course material publishers in the market, Pearson controls a wealth of content, and it is testing IBM's technology as a way to offer one-on-one tutoring using artificial intelligence.

French law on digital versions of out-of-print books flouts EU directive (ArsTechnica, 16 Nov 2016) - A French law that allows royalty collectors to authorise the publication of digital versions of out-of-print books is not compatible with the EU copyright directive, Europe's top court has ruled. The Court of Justice of the European Union (CJEU) has ruled that authors must be informed about any plans to release their out-of-print books in this way so that they can object if they wish, and that the French law does not require this. The CJEU explained that currently "an approved collecting society, the SOFIA, is responsible for authorising the reproduction and communication, in digital form, of out-of-print books, it being understood that the authors of those books or their successors in title may oppose." But the EU copyright directive says that "authors have the exclusive right to authorise or prohibit the reproduction and communication to the public of their works," not collecting societies. Prior consent of authors to the use of their works can, under certain conditions, be expressed implicitly, the EU's top court said. One requirement is that "every author must be informed of the future use of his work by a third party and of the means at his disposal to prevent it if he so wishes." The problem with the French legislation, the CJEU ruled, was that it is possible that some of the authors affected are not made aware of the envisaged use of their works and, so are not able to adopt a position on it. "In those circumstances," the court said, "a mere lack of opposition on their part cannot be regarded as the expression of their implicit consent to the use of their works."

66% of organizations won't recover after cyberattack, Ponemon study says (TechRepublic, 17 Nov 2016) - A recent study performed by IBM's Resilient and the Ponemon Institute found that 66% of organizations would be unable to recover from a cyberattack. The results of the 2016 Cyber Resilient Organization study were released Wednesday, and show a decline in organizational resilience against cyberattacks. Of the respondents, 32% of IT and security professionals ranked their resilience as high. That same number was 35% in 2015, marking a drop over the past 12 months. A press release announcing the study defined resilience as "an organization's ability to maintain its core purpose and integrity in the face of cyberattacks." One of the biggest hindrances to effective security listed by respondents was the lack of a proper cyber security incident response plan (CSIRP). However, it should be noted that Resilient provides incident reporting services.

IRS demands identities of all US Coinbase traders over three year period (Motherboard, 18 Nov 2016) - In bitcoin-related investigations, authorities will often follow the digital trail of an illegal transaction or suspicious user back to a specific account at a bitcoin trading company. From here, investigators will likely subpoena the company for records about that particular user, so they can then properly identify the person suspected of a crime. The Internal Revenue Service, however, has taken a different approach. Instead of asking for data relating to specific individuals suspected of a crime, it has demanded that bitcoin trading site Coinbase provide the identities of all of the firm's US customers who made transactions over a three year period, because there is a chance they are avoiding paying taxes on their bitcoin reserves. Coinbase has a total of millions of customers. According to court filings, which were first flagged by financial blogger Zerohedge on Twitter, the IRS has launched an investigation to determine the correct amount of tax that those who use virtual currencies such as bitcoin are obligated to pay. But according to the documents, the IRS is asking for the identities of any US Coinbase customer who transferred crypto-currency with the service between 2013 and 2015. (Although the site does allow the trade of alternative virtual currency Ethereum, it was not introduced until 2016, so it is outside the scope of this IRS request.)

UK Parliament approves unprecedented new hacking and surveillance powers (The Intercept, 22 Nov 2016) - A few years ago, it would have been unthinkable for the British government to admit that it was hacking into people's computers and collecting private data on a massive scale. But now, these controversial tactics are about to be explicitly sanctioned in an unprecedented new surveillance law. Last week, the U.K.'s Parliament approved the Investigatory Powers Bill, dubbed the "Snoopers' Charter" by critics. The law, which is expected to come into force before the end of the year, was introduced in November 2015 after the fallout from revelations by National Security Agency whistleblower Edward Snowden about extensive British mass surveillance. The Investigatory Powers Bill essentially retroactively legalizes the electronic spying programs exposed in the Snowden documents - and also expands some of the government's surveillance powers. Perhaps the most controversial aspect of the new law is that it will give the British government the authority to serve internet service providers with a "data retention notice," forcing them to record and store for up to 12 months logs showing websites visited by all of their customers. Law enforcement agencies will then be able to obtain access to this data without any court order or warrant. In addition, the new powers will hand police and tax investigators the ability to, with the approval of a government minister, hack into targeted phones and computers. The law will also permit intelligence agencies to sift through "bulk personal datasets" that contain millions of records about people's phone calls, travel habits, internet activity, and financial transactions; and it will make it legal for British spies to carry out "foreign-focused" large-scale hacks of computers or phones in order to identify potential "targets of interest."

- and -

The FBI hacked over 8,000 computers in 120 countries based on one warrant (Motherboard, 22 Nov 2016) - In January, Motherboard reported on the FBI's "unprecedented" hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8,000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case. The figures illustrate the largest ever known law enforcement hacking campaign to date, and starkly demonstrate what the future of policing crime on the dark web may look like. This news comes as the US is preparing to usher in changes that would allow magistrate judges to authorize the mass hacking of computers, wherever in the world they may be located. "We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman said in a hearing at the end of October, according to the transcript. Fieman is representing several defendants in affected cases. Those cases revolve around the FBI's investigation into dark web child pornography site Playpen. In February 2015, the FBI seized the site, but instead of shutting it down, the agency ran Playpen from a government server for 13 days. However, even though they had administrative control of the site, investigators were unable to see the real IP address of Playpen's visitors, because users typically connected to it through the Tor network. In order to circumvent that anonymity, the FBI deployed what it calls a network investigative technique (NIT), or a piece of malware. That malware, which included a Tor Browser exploit, broke into the computer of anyone who visited certain child pornography threads on Playpen. It then sent the suspect's real IP address back to the FBI. According to court filings, the FBI obtained over 1,000 IP addresses of alleged US-based users. Over the past year, Motherboard has also found that the FBI hacked computers in Australia, Austria, Chile, Colombia, Denmark, Greece, and likely the UK, Turkey, and Norway too. But those are only a tiny handful of the countries in which the FBI was hacking computers. According to the newly published transcript, the FBI hacked computers in at least 120 countries. "The fact that a single magistrate judge could authorize the FBI to hack 8000 people in 120 countries is truly terrifying," Christopher Soghoian, principal technologist at the American Civil Liberties Union (ACLU), told Motherboard in a phone call. (Soghoian has testified for the defense in Playpen cases.)

Now's the time for courts to accept digital signatures (LegalTech News, 23 Nov 2016) - Digital processes are quickly replacing manual ones across the country. However, the judicial system sometimes throws a wrench in those digital gears, and it could have ramifications for a society that increasingly desires to embrace technology for just about everything. A California lawyer was recently sanctioned by a bankruptcy court judge for using electronic signatures on a bankruptcy petition instead of handwritten, wet-ink signatures. The Electronic Signatures in Global and National Commerce (ESIGN) Act, which went into effect in 2000, permitted e-signatures to be legally accepted in commercial affairs, but it didn't specifically include usage in the courts. As such, the judge stated that, although electronic signatures are accepted in commercial dealings, they may not substitute for wet signatures on documents filed with the court. Moreover, the judge stated there was not sufficient means to prove the legitimacy of a document's electronic signature, so the signature didn't "protect the integrity of the documents filed in bankruptcy cases." The attorney's client signed a declaration stating the signature on the bankruptcy petition was indeed his intended signature. But the judge found that if the electronic signature contained sufficient evidence and complied with the court's rule, the declaration wouldn't be necessary. [Polley: Spotted by MIRLN reader Mike McGuire]

RESOURCES

Final papers posted from the George Washington Law Review's CFAA symposium (Orin Kerr, 21 Nov 2016) - Last year, the George Washington Law Review hosted a symposium on the controversial Computer Fraud and Abuse Act. I was honored to be the faculty adviser to the symposium. I'm happy to say that the final papers have been posted on the Law Review's website. Here are the papers in the order they appear in the issue:

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Computer crime costs $67 billion, FBI says (CNET, 19 Jan 2006) -- Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI. The FBI calculated the price tag by extrapolating results from a survey of 2,066 organizations. The survey, released Thursday, found that 1,324 respondents, or 64 percent, suffered a financial loss from computer security incidents over a 12-month period. The average cost per company was more than $24,000, with the total cost reaching $32 million for those surveyed. Often survey results can be skewed, because poll respondents are more likely to answer when they have experienced a problem. So, when extrapolating the survey results to estimate the national cost, the FBI reduced the estimated number of affected organizations from 64 percent to a more conservative 20 percent. "This would be 2.8 million U.S. organizations experiencing at least one computer security incident," according to the 2005 FBI Computer Crime Survey. "With each of these 2.8 million organizations incurring a $24,000 average loss, this would total $67.2 billion per year." By comparison, telecommunication fraud losses are only about $1 billion a year, according to the U.S. Secret Service. Also, the overall cost to Americans of identity fraud reached $52.6 billion in 2004, according to Javelin Strategy & Research. Other surveys have attempted to put a dollar amount on cybersecurity damages in the past, but the FBI believes its estimate is the most accurate because of the large number of respondents, said Bruce Verduyn, the special agent who managed the survey project. "The data set is three or four times larger than in past surveys," he said. "It is obviously a staggering number, but that is the reality of what we see."

Vulnerability auctions killing responsible disclosure (ZDnet, 19 July 2006) -- More security researchers are selling vulnerabilities to the highest bidder rather than disclosing them "responsibly" to the vendor whose products are affected. At a breakfast briefing organised by e-mail security firm MessageLabs on Wednesday, Graham Ingram, general manager of the Australian Computer Emergency Response Team (AusCERT), said that a market where vulnerabilities in software are traded is hotting up and the rewards for researchers can be very tempting. "I would speculate that if I am a vulnerability researcher and I have the option of, for example, a nice mention from Microsoft on an advisory under "responsible disclosure" or pay off my mortgage, which one do I choose?" Responsible disclosure occurs when a security researcher discovers vulnerabilities in a popular application and then reports them to the relevant vendor rather than publishing the details online or, as has become a trend recently, selling that information to the highest bidder. "The economy on the market place is facilitating the sale of everything you want from custom Trojans to rootkit and moving through to things like vulnerabilities, which are a marketable commodity," said Ingram. Last week, security firm Finjan published evidence, which was compiled by the company's Malicious Code Research Centre, that showed examples of vulnerabilities being sold online. Finjan's chief technical officer, Yuval Ben-Itzhak, said that researchers will be even more likely to sell their discoveries as the demand -- and therefore the price -- goes up.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, November 05, 2016

MIRLN --- 16 Oct - 5 Nov 2016 (v19.15)

MIRLN --- 16 Oct - 5 Nov 2016 (v19.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

ANNOUNCEMENT | NEWS | PODCASTS/MOOCS | RESOURCES | BOOKS | LOOKING BACK | NOTES

ANNOUNCEMENT

Vendor Contracting Project: Cybersecurity Checklist (ABA's Cybersecurity Legal Task Force, Nov 2016) - The objective of this Checklist is to assist procuring organizations, vendors, and their respective counsel to address information security requirements in their transactions. The Checklist frames the issues parties should consider consistent with common principles for managing cybersecurity risk. The Checklist contemplates transactions from due diligence and vendor selection through contracting and vendor management. It suggests that cybersecurity provisions are not "one-size-fits-all," but should instead be informed by parties' assessment of risk and strategies to mitigate risk. The ABA Cybersecurity Legal Task Force recognizes that cybersecurity is a dynamic subject, and we expect practitioners will modify and supplement the Checklist to reflect the particular regulatory requirements and business needs of their clients. We welcome your feedback and suggestions regarding the Checklist. Please send your feedback to the Task Force staff: Kelly Russo at Kelly.Russo@americanbar.org .

NEWS

Half of US adults in a face-recognition database (ArsTechnica, 18 Oct 2016) - Half of American adults are in a face-recognition database, according to a Georgetown University study released Tuesday. That means there are about 117 million adults in a law enforcement facial-recognition database, the study by Georgetown's Center on Privacy & Technology says. "We are not aware of any agency that requires warrants for searches or limits them to serious crimes," the study says. The report (PDF), titled "The Perpetual Line-up: Unregulated Police Face Recognition in America," shows that one-fourth of the nation's law enforcement agencies have access to face-recognition databases, and their use by those agencies is virtually unregulated. "Innocent people don't belong in criminal databases," said Alvaro Bedoya, the executive director of the Center on Privacy & Technology and co-author of the study. "By using face recognition to scan the faces on 26 states' driver's license and ID photos, police and the FBI have basically enrolled half of all adults in a massive virtual line-up. This has never been done for fingerprints or DNA. It's uncharted and frankly dangerous territory." Where do the mug shots come from? For starters, about 16 states allow the FBI to use facial recognition to compare faces of suspected criminals to their driver's licenses or ID photos, according to the study. "In this line-up," the study says, "it's not a human that points to the suspect - it's an algorithm." The study says 26 states or more allow police agencies to "run or request searches" against their databases of driver's license and ID photos. This equates to "roughly one in two American adults has their photos searched this way," according to the study. Many local police agencies also insert mug shots of people they arrest into searchable, biometric databases, according to the report. 
According to the report, researchers obtained documents stating that at least five "major police departments," including those in Chicago, Dallas, and Los Angeles, "either claimed to run real-time face recognition off of street cameras, bought technology that can do so, or expressed an interest in buying it." [ Polley : see also Neural networks are alarmingly good at identifying blurred faces (Motherboard, 25 Sept 2016)]

Why a cyber risk assessment is essential for M&A due diligence (RSA, 18 Oct 2016) - According to J.P. Morgan , the global mergers and acquisitions (M&A) market amounted to $5 trillion in 2015 and continues to show strong levels of growth. When it comes to M&A, the due diligence process involves investigating the health of another business before engaging in any sort of transaction. This process will take many factors into account, including the target organization's assets, liabilities, finances, and commercial potential. The due diligence process influences the price that an organization ultimately pays in an M&A deal. If the enterprise uncovers risk, its offering price will be lower. Unfortunately, a cyber risk assessment is often not included as part of the process. In fact, according to a survey by law firm Freshfields Bruckhaus Deringer , 78% of organizations state that cyber security is not included in the risks they deal with or analyze in-depth during due diligence. Instead, many deal makers rely on statements regarding the state of security from executives or others in the organization, which may be less than reliable. In a recent survey, 60% of high-ranking executives stated they could "truthfully assure the board beyond reasonable doubt" that their organizations are secure. However, less than one-third claimed that they had full exposure to their network infrastructure. As such, they may not be fully aware of all the gaps that exist and where they are located. Without a cyber risk assessment, the acquiring organization puts itself at risk of taking on unknown security vulnerabilities, which can have a major impact on the organization's overall security level. In order for the acquiring enterprise to put good governance, risk management, and compliance practices into place, it must have a solid understanding of the other company's security posture. 
A thorough cyber risk assessment should encompass all parts of an organization's network and security architecture. Best practices call for acquiring enterprises to provide the acquired party with a questionnaire in which it can give a summary of all the administrative, technical, and physical security controls it has in place. This party should be asked to identify its most critical data assets, where its sensitive data is stored, and how this information is protected in motion, at rest, and in transit. * * *

Despite Obama's pledge to make the government more open, a report shows secret laws still abound (WaPo, 19 Oct 2016) - The Justice Department has kept classified at least 74 opinions, memos and letters on national security issues, including interrogation, detention and surveillance, according to a report released Tuesday by the Brennan Center for Justice. Also still classified are between 25 and 30 significant opinions issued between 2003 and 2013 by the Foreign Intelligence Surveillance Court (FISC), the secretive federal court that interprets the law governing foreign intelligence-gathering inside the United States. And at the State Department, 807 international agreements signed between 2004 and 2014 have not been published. Despite President Obama's pledge to make government more open and transparent, federal agencies are still keeping a considerable amount of policy and legal interpretations under wraps, the Brennan Center found. The opinions and memos by the Justice Department's Office of Legal Counsel (OLC) were written between 2002 and 2009, said the report's author, Elizabeth Goitein, who obtained several data sets through Freedom of Information Act requests. "This is an extensive body of secret law, which is fundamentally incompatible with democratic self-governance," said Goitein, the co-director of the Brennan Center's Liberty and National Security Program. "When the government makes law out of the public eye, the results are more likely to be tainted by bias or groupthink, and are frankly more liable to violate statutes or to be unconstitutional." But senior national security officials said the government has in fact been particularly transparent in recent years. "In the last several years the government has engaged in an unprecedented level of transparency regarding its intelligence collection authorities," said Brian Hale, a spokesman for the Office of the Director of National Intelligence.

Can warrants for digital evidence also require fingerprints to unlock phones? (Orin Kerr, Volokh Conspiracy, 19 Oct 2016) - There has been a lot of press coverage recently about a search warrant obtained in Los Angeles allowing the government to force people present when the warrant is executed to press their fingers and thumbs on the fingerprint sensors of any phones or computers found there to unlock them. A lot of people have wondered: Is that legal? I don't think there's an easy answer to that. Here's an overview of some of the legal issues. First, an important caveat: It's hard to draw conclusions about the legality of the warrant because we know so little about it. All we have is a seven-page memo in which the government makes the case for the warrant, plus word from Thomas Fox-Brewster ( who broke the story ) that the warrant was later executed at a residence. We haven't seen the warrant, and we don't know what it says. We don't know what happened when the warrant was executed. So we don't have much information yet. With that said, I have some preliminary thoughts on the question. The short version is, I think this raises a bunch of hard issues. Here are some details for those who want the longer version. * * *

- and -

The Fifth Amendment and Touch ID (Orin Kerr, Volokh Conspiracy, 21 Oct 2016) - My recent post on the legality of warrants that permit phone unlocking prompted some reader comments on how the Fifth Amendment might apply to using fingerprint readers such as Apple's Touch ID . I think this is a hard issue, so it might be worth explaining my thinking in detail. Here are my current thoughts, with the caveat that my views aren't completely settled and I may revisit them in the future. * * *

Regulators to set new cybersecurity standards for banks (The Hill, 19 Oct 2016) - Three of the federal government's most powerful financial regulators will propose new rules for financial institutions to protect themselves from cyberattacks. The Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency (OCC) issued Wednesday a notice of proposed rulemaking for enhanced cybersecurity standards. Those rules would cover how banks, financial institutions and affiliates create strategies to prevent cyberattacks, minimize and gauge their risk of being hacked and respond to an attack. The rules would be divided into two tiers based on a bank or financial institution's size and prominence. The lower tier, called "enhanced standards," would apply to banks, bank holding companies, loan holding companies, and U.S. operations of foreign banks with more than $50 billion in assets and their subsidiaries and servicers. That tier also includes any non-bank financial companies and depository institutions with more than $50 billion in assets, along with financial market utilities and financial market infrastructures. Regulators drew the $50 billion threshold from the Dodd-Frank financial reform law, which used that standard to identify systemically risky institutions, according to agency officials. The higher "sector critical" tier applies to banks and financial institutions that perform irreplaceable roles or cover significant portions of key financial markets. These include "systems" and their subsidiaries "that support the clearing or settlement of 5 percent of the value of transactions" in federal funds, foreign exchange, commercial paper, U.S. government and agency securities, and corporate debt and equity securities, according to the summary. 
The higher tier also includes institutions that support 5 percent of the value of transactions in exchange-traded and over-the-counter derivatives and institutions that provide irreplaceable services to the financial markets. Regulators could also determine a bank or institution to be sector critical even if it doesn't fall under the rule's definition for that tier. Covered firms wouldn't be required to submit cyberattack plans to federal regulators - as some do for financial crisis stress testing - but agency officials said they would monitor them for compliance.

- and -

G-7 adopts cybersecurity guidelines for financial sector (Steptoe, 20 Oct 2016) - The Group of 7 bloc of nations (G-7) ‒ comprising the United States, United Kingdom, Canada, France, Germany, Italy, and Japan ‒ released a set of cybersecurity guidelines for the financial sector. The guidelines, entitled "Fundamental Elements of Cybersecurity for the Financial Sector," provide best practices in cybersecurity for both public and private entities in the financial sector. They lay out eight elements to "serve as building blocks" for entities to design, implement, and continue to evolve their cybersecurity strategy and framework. While non-binding, the guidelines state that "[p]ublic authorities within and across jurisdictions can use the elements as well to guide their public policy, regulatory, and supervisory efforts." Although these guidelines address the financial sector specifically, we are likely to see international cooperation on cyber standards continue to expand. As the U.S. Department of Treasury and Board of Governors of the Federal Reserve System recognized in a statement praising their adoption, the guidelines are "a testament to the growing international resolve to counter cyberattacks."

Bloomberg Law's new litigation analytics peeks under the robes of judicial data (Bob Ambrogi, 19 Oct 2016) - Last year, I wrote here that judge analytics is the new black . I was referring to the growing selection of tools that analyze case dockets and judicial opinions to provide insights into how judges rule on various types of matters and how long it takes them to do so. Products in this space include ALM's Judicial Perspectives , Lex Machina , Premonition and Ravel Law with its Judge Analytics. Now comes Bloomberg Law to the mix with its launch yesterday of Litigation Analytics. It aims to help attorneys gain insights into questions such as how long federal judges typically take to resolve cases, how they rule on dispositive motions, and how often they are overturned on appeal. The product is not just for judicial analytics. It can also be used to perform analytics on some 7,000 law firms, more than 70,000 public companies, and more than 3.5 million private companies. To illustrate how litigators can use its new product, Bloomberg Law created an analytics snapshot comparing five influential federal judges. It shows how they rule in certain cases, how long they take to decide a case from start to finish and which firms appear before them most often.

- and -

Artificial intelligence predicted case outcomes with 79% accuracy by analyzing fact portrayal (ABA Journal, 25 Oct 2016) - Researchers were able to predict the results of human rights cases with 79 percent accuracy by using artificial intelligence to analyze the factual sections of published human rights judgments. The study, published in PeerJ Computer Science , found that the outcomes were best predicted by analyzing the "circumstances" section of a case - which includes factual background - along with the topics covered by the case and the language used, according to a press release . Publications covering the findings include the Wall Street Journal Law Blog , Law.com (sub. req.), the Guardian and Motherboard . The researchers examined 584 cases before the European Court of Human Rights with a machine-learning algorithm. They found that the court's judgments were highly correlated to facts rather than legal arguments. Ideally, the researchers said, they would use their algorithm to test applications to the court rather than published judgments, but they didn't have access to that data. Assuming a similarity between chunks of text in published judgments and applications and briefs, the research could be used to predict outcomes before judgment, the study says . The findings could help prioritize cases and identify which cases are most likely to be violations of the European Convention on Human Rights, according to the researchers. "We don't see AI replacing judges or lawyers," said University College London computer scientist Nikolaos Aletras in the press release. Also working on the study were academics from the University of Sheffield and the University of Pennsylvania. The researchers acknowledge that the circumstances section of a case is not a neutral statement of the facts. The section could contain the court's judgments about what is important, and could be tailor-made to reach a certain outcome. 
It's also possible, the researchers say, that judges were reacting to the facts because the cases had been selected for their indeterminate legal issues.

New tool from Bing maps the flow of campaign cash (Mashable, 20 Oct 2016) - How do the billions of dollars shaping this election seep through the United States? A new project from Microsoft's Bing and political tech firm Circa Victor looks to answer that question by drawing on dozens of types of public disclosures. Location data on vendors that serve campaigns and super PACs is fed into Circa Victor's system in real time, giving visitors a rough picture of how much each candidate is spending in each state. The company claims the entire process is quick enough that it oftentimes updates before donations are officially tallied and tracked. Using this data, the team added a panel within the search engine that is cued every time someone looks for information related to political spending - trigger terms include phrases like "Clinton spending" or "election predictions." Hover the cursor over a state to see totals for each of the four candidates - Democrat Hillary Clinton, GOP pick Donald Trump, Green Party nominee Jill Stein and Libertarian Gary Johnson - or select from a dropdown menu for a fuller profile. You can also find an ideological breakdown of each contender's leanings on particular policy points like abortion, drug policy and environmental issues. The tool reveals Trump to be somewhat liberal on LGBT rights and drug policy and only mildly conservative on tax reform, while Clinton remains staunchly progressive across the board.

Are you audit ready? Strategies, tools, and tactics to address compliance concerns in the legal industry (California Lawyer, 20 Oct 2016) - If you've read the headlines , you know that this has been a banner year for security breaches targeting law firms. The trends in 2016 are up and to the right, and they don't look like they're abating. Even the FBI has notified law firms that they're being targeted and their information security processes need to be tight. Clients recognize this as well and are increasingly holding firms accountable. As the American Bar Association reports , "Previously, some clients wanted to see law firm security policies. Some have allowed law firms to effectively audit themselves. Today, clients want to see if security policies and plans are actually being followed. And they want independent third-party audits, sometimes including penetration testing." Audits can take a variety of forms, and they're rarely consistent. There is no single format or framework for client requests. They can take the form of a simple questionnaire or a formal assessment validated by a third party. But each client will have their own version, and without a thorough and structured set of materials, responding to requests can be costly and time consuming. * * *

- and -

Cybersecurity insurance is a 'must have' for law firms (ABA Journal, 25 Oct 2016) - Nearly a quarter of law firms with 500 or more attorneys have experienced a cybersecurity breach, according to those who responded to the ABA's 2015 Legal Technology Survey Report . So there's no question that securing online information is on the mind of many law firm leaders. So is the need for cybersecurity insurance. "It's something you must have," says Robert Owen, a New York City-based partner with Sutherland Asbill & Brennan. A firm victimized by a cyberattack may need to hire experts to investigate the breach, reassure clients, stanch any reputational damage and address possible regulatory inquiries. "There's a whole host of risks," Owen says. An endorsement to a firm's property and casualty policy typically provides just a "sliver of coverage," says Eileen Garczynski, senior vice president with specialty broker Ames & Gough in McLean, Virginia. For instance, an endorsement might cover the cost to restore data, but not any fines stemming from the breach. An effective cybersecurity policy must have several provisions. First of all, it should be a primary policy. "A primary policy responds first," Garczynski says. It wouldn't require the firm to turn to its professional liability coverage first. The Lewis Baach law firm also looked for policies that would cover pre-existing problems, says Katherine Toomey, a Washington, D.C.-based partner there. That could include a virus in the firm's system at the time the policy was obtained that hadn't been detected. Law firms also will want to assess the additional services the insurer offers, Owen says. For example, some insurers retain forensics experts for use in cyber investigations. The firm should know if it will be required to use the insurer's expert. If so, it will want to evaluate the experts' qualifications. Some coverage is limited to personally identifiable information, such as Social Security numbers. 
"You want it to cover a breach of anything protected under attorney-client privilege," Garczynski says. Conduit coverage also is critical, says Jim Rhyner, senior vice president and specialty law firm segment manager with Chubb. This protects the firm if another entity suffers damages because of a breach in the firm's system. Applying for cybersecurity insurance often requires documenting the cybersecurity practices in place at the firm. The insurer may ask whether the firm encrypts data, if it has implemented an information security plan that addresses the network as well as portable devices, and if employees receive security training. "We're focused on a culture of risk mitigation versus just risk transfer," says Erica Davis, vice president with insurer Zurich North America.

- and -

Cyber security 'key issue for lawyers' (BBC, 25 Oct 2016) - Nearly half of Scottish solicitors see cyber security as their biggest technological challenge, according to a survey of practitioners. The survey, carried out by Ipsos Mori for the Law Society of Scotland, found 81% of lawyers had a "very" or "fairly" positive view about the impact of technology on their business. But 42% believed that maintaining cyber security was a key issue.

NPR rides Facebook wave to traffic record (Columbia Journalism Review, 20 Oct 2016) - Yesterday, NPR reported a large ratings increase across the board: radio, podcasts, and the website all saw a major jump in audience this year. NPR President and CEO Jarl Mohn attributes this to the country's "appetite for factual reporting" and NPR's reputation. On the digital side, one of NPR's greatest successes this year was its fact-checking page during the first presidential debate . The fact-checking page garnered almost 10 million page views total, NPR reports, and debate night and the day following made for NPR's two best traffic days ever. The page displayed a live transcript of the debate, with reporters' annotations rolling in on top of it. While NPR had prepared for the page to be popular, the amount of traffic it drove was unprecedented, and surprised many NPR staffers. Why did it perform so well? Building the audience ahead of time was surely one major factor contributing to the page's performance. NPR spent many months before the debates building a reputation as a source for fact-checking, Washington Editor Beth Donovan and NPR News Digital Editor Amita Kelly told me. They did test runs of the fact-checking process during the RNC and DNC speeches to build their muscles and refine the annotation approach. But this isn't the whole story. Looking into the analytics, according to Chartbeat data and confirmed by NPR, Facebook was the major driver of traffic for the page, though it also did well on search. On the night of the debate alone, Facebook sent over 2 million page views to the page.

Google has quietly dropped ban on personally identifiable web tracking (ProPublica, 21 Oct 2016) - When Google bought the advertising network DoubleClick in 2007, Google founder Sergey Brin said that privacy would be the company's "number one priority when we contemplate new kinds of advertising products." And, for nearly a decade, Google did in fact keep DoubleClick's massive database of web-browsing records separate by default from the names and other personally identifiable information Google has collected from Gmail and its other login accounts. But this summer, Google quietly erased that last privacy line in the sand - literally crossing out the lines in its privacy policy that promised to keep the two pots of data separate by default. In its place, Google substituted new language that says browsing habits "may be" combined with what the company learns from the use of Gmail and other tools. The practical result of the change is that the DoubleClick ads that follow people around on the web may now be customized to them based on their name and other information Google knows about them. It also means that Google could now, if it wished to, build a complete portrait of a user by name, based on everything they write in email, every website they visit and the searches they conduct. Two years ago, Facebook announced that it would track its users by name across the Internet when they visit websites containing Facebook buttons such as "Share" and "Like" - even when users don't click on the button. (Here's how you can opt out of the targeted ads generated by that tracking). To opt out of Google's identified tracking, visit the Activity controls on Google's My Account page , and uncheck the box next to "Include Chrome browsing history and activity from websites and apps that use Google services." You can also delete past activity from your account.

CJEU decision on dynamic IP addresses touches fundamental DP law questions (Bird & Bird, 21 Oct 2016) - The European Court of Justice ("CJEU") finally issued its long-awaited judgment on dynamic IP addresses ( judgment in Case C-582/14: Patrick Breyer v Bundesrepublik Deutschland ). The judgment will have a general impact on how to define 'personal data' beyond dynamic IP addresses, in particular on the question of whether a so-called 'subjective/relative approach' or 'objective/absolute' approach needs to be applied in this respect (which also affects more general questions like anonymisation, big data etc.). The court ruled that dynamic IP addresses may constitute 'personal data' even where only a third party (in this case an internet service provider) has the additional data necessary to identify the individual - but only under certain circumstances: The possibility to combine the data with this additional data must constitute a "means likely reasonably to be used to identify" the individual (the court assumed such means for Germany). The so-called 'absolute/objective approach', which is applied in some Member States and according to which data is already considered to be 'personal data' if any third party (worldwide) is able to determine the identity of the individual, was not applied (unfortunately the court did not expressly refrain from this concept). The CJEU favoured a more 'subjective/relative approach' that focuses on the online media service provider's possibility of (potentially) identifying an individual and whether it has the legal and practical means which enable it to do so with additional data a third party has about that person (this means third-party knowledge needs to be considered, but only to a certain extent). 
In its judgment, the court also deemed a restrictive interpretation of a German law provision that allows only for limited use of personal data in the telemedia/online context to be not in line with the EU Data Protection Directive 95/46/EC ("Directive") if it does not give any consideration to the concept of legitimate interest. The court held that legitimate interests must be considered and must constitute a legal justification beyond the restrictive provision of the German Telemedia Act. It therefore reconfirmed its earlier (but in many Member States in practice still often disregarded) view on the level of harmonisation provided by the Directive (see judgment of 24 November 2011, Cases C-468/10 and C-469/10: 'ASNEF and FECEMD' ). The judgment may have a considerable practical impact on online analytics and targeting (so-called "Profiling"), which is very strictly regulated in Germany and so far only possible to a very limited extent. In more detail: * * *

EveryCRSReport.com is making 8,255 CRS reports available to the general public (BeSpacific, 23 Oct 2016) - Congressional Research Service reports are the best way for anyone to quickly get up to speed on major political issues without having to worry about spin - from the same source Congress uses. CRS is Congress' think tank, and its reports are relied upon by academics, businesses, judges, policy advocates, students, librarians, journalists, and policymakers for accurate and timely analysis of important policy issues. The reports are not classified and do not contain individualized advice to any specific member of Congress. Until today, CRS reports were generally available only to the well-connected. Now, in partnership with a Republican and a Democratic member of Congress, we are making these reports available to everyone for free online. A coalition of public interest groups, journalists, academics, students, some Members of Congress, and former CRS employees have been advocating for greater access to CRS reports for over twenty years. Two bills in Congress to make these reports widely available already have 10 sponsors (S. 2639 and H.R. 4702, 114th Congress) and we urge Congress to finish the job. This website shows Congress one vision of how it could be done. What does EveryCRSReport.com include? EveryCRSReport.com includes 8,255 CRS reports. The number changes regularly. It's every CRS report that's available on Congress's internal website. We redact the phone number, email address, and names of virtually all the analysts from the reports. We add disclaimer language regarding copyright and the role CRS reports are intended to play. That's it. If you're looking for older reports, our good friends at CRSReports.com may have them.

MIT releases report on 'Future of Libraries' (InsideHigherEd, 25 Oct 2016) - The MIT libraries should focus on its four "pillars" -- community and relationships, discovery and use, stewardship and sustainability, and research and development -- to reimagine itself as an "open global platform," according to a preliminary report published Monday. The report is the culmination of a yearlong initiative at the Massachusetts Institute of Technology to determine "how the MIT libraries ought to evolve to best advance the creation, dissemination and preservation of knowledge; and to serve as a leader in the reinvention of research libraries," according to an announcement last October. The report, which contains the task force's recommendations, is available here.

AT&T used broad data-gathering system for federal government (The Hill, 25 Oct 2016) - An AT&T system meant to assist the Drug Enforcement Administration (DEA) by searching through the company's millions of stored phone records was used to help a broad array of government agencies on cases from Medicaid fraud to murder, according to a new report Tuesday. Law enforcement officials pay the telecommunications giant from $100,000 to $1 million or more per year to get information from its massive data trove, according to the Daily Beast, which obtained internal company documents about the system. The program itself, known as "Hemisphere," has been known to the public since 2013, when it was revealed by the New York Times. The Times reported at the time that the system was similar to but broader than a massive collection of phone records previously stored at the National Security Agency (NSA). That controversial NSA program was effectively ended last summer, following revelations from leaker Edward Snowden. The arrangement calls for AT&T officials to search the company's database on behalf of federal and local law enforcement officials, who pay for the access. The records under AT&T's control can go back decades. But new documents reported on by the Daily Beast on Tuesday detail the broad scope of the program as well as the company's efforts to disguise its extensive cooperation with the government. According to one 2014 document obtained by the news outlet, AT&T requires law enforcement agencies "not to use the data as evidence in any judicial or administrative proceedings unless there is no other available and admissible probative evidence." The practice of disguising the source of evidence, known to lawyers as "parallel construction," is viewed skeptically by civil rights activists who worry that it prevents people from challenging whether evidence against them was collected legally. Law enforcement officials do not need a warrant to obtain access to AT&T's system. Instead, the information can be acquired through administrative subpoenas, which are used by a greater number of agencies and do not require probable cause.

Oil industry should hire hackers to boost cybersecurity (Rigzone, 26 Oct 2016) - The oil and gas industry should hire hackers in order to boost cybersecurity, said Eric Knapp, chief engineer for cybersecurity solutions and technology at Honeywell Process Solutions. Speaking at the EMEA HUG conference in The Hague, Knapp urged delegates to shed their negative perceptions of these people and offer them a place in the sector. "We have to stop thinking of hackers as evil ... the truth is hackers are people. They have a curiosity, they have an interest, they have a skill, and a skill isn't good or evil. A person isn't good or evil. The circumstances you put them in dictate that," Knapp said. "If we hire them, and we put them on the good team, then they're our heroes. If we don't hire them, they're going to find some other way to make money off of their skills ... If they're on our team they help, if they're on the other team, they hurt. They're not going to just go away," he added. Knapp's comments followed a stark warning from Laura Pilia of energy company SARAS and Jos Oelers of petrochemicals firm SABIC, made during the opening speech of the third day of the conference, which outlined a growing spate of cyberattacks in the industry. Eighty-two percent of oil and gas industry respondents have reported an increase in successful cyberattacks over the past 12 months, Pilia and Oelers told conference participants. Looking at the influence of cyberattacks in the wider community, the conference leaders outlined that these occurrences cost businesses as much as $400 billion per year.

BDO board survey finds board of directors increasingly invested in cybersecurity issues (Legaltech News, 26 Oct 2016) - Corporate boards of directors are increasingly investing in and staying abreast of company cybersecurity practices, according to BDO Consulting's annual Board Survey released this week. The survey, which took stock of 160 corporate directors of public company boards, found that 74 percent of directors say their board is more involved with cybersecurity than it was a year ago, a steady growth from the 69 percent last year and 59 percent in 2014. Breach response planning showed similar expansion, as over half (63 percent) of directors reported having breach response plans in place, up from 45 percent last year. Because many companies and corporate legal departments outsource sensitive data to third-party vendors, they've needed to beef up the security standards used to evaluate third-party organizations. The BDO Board Survey found that 43 percent of directors now report using specific risk requirements and assessments for third-party vendors, as compared to 35 percent reporting the same last year.

FCC orders far-reaching new privacy and data security rules (Wilson Sonsini, 27 Oct 2016) - As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs' collection, use, sharing, and protection of their customers' information, including information ISPs receive about their customers' geolocation and online activities. Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs' handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC's proposed rules, including the FCC's classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation's primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules. The FCC's action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act (which had previously governed only telephone services) to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released. This WSGR Alert briefly summarizes the aspects of the FCC's decision that we believe will be of the greatest significance to our clients. * * *

The average cost of a data breach involving fewer than 10,000 records was $5 million (Network World, 28 Oct 2016) - * * * Given the large numbers involved, it can seem a challenge to attempt to calculate the total price tag of a widespread data breach. It is, however, possible to review the data and establish some benchmarks, as has been done in the 2016 Data Breach Study by the Ponemon Institute and IBM. According to the report, the total average cost for a breach is $7 million. Only in 2011 was there a higher average cost, $7.24 million. Unfortunately, this year saw the highest average cost per record, costing companies an average of $221 per compromised record. Looking at that number more closely yields an important piece of information: companies spend more on the indirect costs than the direct costs of a data breach. In this case, direct costs refer to the amount spent to minimize the consequences of a data breach and to assist victims. Indirect costs are defined as the amount spent on existing internal resources to deal with the data breach. Using that measure, only $76 per record represents the direct cost to the organization, including items such as legal fees and technological investments. The far greater portion, $145, reflects the indirect costs of a data breach, including the damage to an organization's reputation and increased customer churn rate. Certain industries are more vulnerable to churn and, consequently, have higher data breach costs. Financial, healthcare, technology, life sciences and service companies all experience higher churn rates after a breach. Heavily regulated industries such as insurance also suffer higher costs than average. Knowing this helps explain why these industries put so much investment into securing their information.

It's finally legal to hack your own devices (even your car) (Wired, 31 Oct 2016) - You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities, until now. Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair. For now, the exemptions are limited to a two-year trial period. And the security research exemption in particular only applies to what the Copyright Office calls "good-faith" testing, "in a controlled environment designed to avoid any harm to individuals or to the public." But within those restrictions, the exemptions remove a looming fear of DMCA lawsuits that has long hung over the security research community. "There's a universe of security vulnerabilities that the law keeps researchers from figuring out and telling you about, but are nonetheless present in devices you use every day," says Kit Walsh, an attorney with the Electronic Frontier Foundation. "For the next two years, that threat will be lifted for many forms of security research that are really important."

UK ICO recommends company directors have personal liability for data breaches (SC Magazine, 31 Oct 2016) - The UK's Information Commissioner, Elizabeth Denham, recently recommended at a Parliamentary meeting to discuss the draft Digital Economy Bill that the government should hold company directors personally liable and accountable for data breaches. Denham gave evidence to a House of Commons Public Bill Committee on the 13th of October, detailing the ICO's recommendations for the Digital Economy Bill, one of which was support for making directors personally liable for breaches of data protection law by their companies. Denham claimed that the ICO issued a total of £4 million in fines in the last year, and collected only a small percentage of that sum. This is because companies that had committed serious breaches of data protection law would shut down following the fine, quickly re-opening with the same management, staff and premises, only with a new corporate identity. The ICO recently imposed a fine of £400,000 on UK ISP TalkTalk, which was its largest fine ever for a breach of data protection law. When the General Data Protection Regulation's honeymoon period ends on 25 May 2018, it will give the ICO the power to impose fines of up to the greater of €20 million or 4 percent of worldwide turnover.

Companies face lawsuits over website accessibility for blind users (SJ, 1 Nov 2016) - The disability lawsuits started hitting the Pittsburgh federal courthouse last July, all claiming corporations' websites violated the law by not being accessible to the blind. The first round came against household names such as Foot Locker Inc., Toys "R" Us, Brooks Brothers Group Inc., and the National Basketball Association. Later suits targeted lesser-known retailers including Family Video Movie Club Inc. and Rue21 Inc. All told, about 40 nearly identical cases have landed in front of the same federal judge, Arthur Schwab, all brought by one local law firm, Carlson Lynch Sweet Kilpela & Carpenter LLP. Nationwide, more than 240 businesses have been sued in federal court since the start of 2015 concerning allegedly inaccessible websites, according to law firm Seyfarth Shaw LLP. Most settle quickly, for between $10,000 and $75,000, lawyers involved say, with the money typically going toward plaintiffs' attorneys' fees and expenses. The suits named above have been dismissed, according to court dockets, which don't reflect whether a private settlement was reached. Toys "R" Us said it is looking for ways to make its website more accessible. The other companies had no comment or didn't respond to a request for comment. The Justice Department, which enforces the Americans with Disabilities Act, has delayed since 2010 releasing technical guidelines as to how websites should comply, most recently putting it off until 2018. The delay has led to "complete mayhem," said Minh Vu, a Seyfarth Shaw partner who represents companies in disability-access cases. A Justice Department spokesman declined to comment on the guidelines, but noted public settlements the agency has reached with companies, including tax-preparation service H&R Block and online grocer Peapod, requiring them to make websites accessible. Public businesses have long been required to be accessible to the disabled under the ADA, signed into law in 1990. Websites, however, weren't expressly included in the law as a place of "public accommodation." Federal appellate courts have been divided on the issue, with some finding that all websites must comply with disability standards, and others contending that websites only fall under the ADA if they have a "nexus" to a brick-and-mortar business. Mr. Danielsen said there is no data as to how many websites don't accommodate blind users.

ABA Blueprint launches today to help small firm lawyers buy products and services (Bob Ambrogi, 3 Nov 2016) - The American Bar Association today is launching ABA Blueprint, its website designed to help solo and small firm lawyers manage the complexities of their legal practices by helping them find the products and services they need at affordable prices. As I reported here in August, plans to develop the site were first announced by ABA President Linda A. Klein in a speech to the ABA House of Delegates during the ABA Annual Meeting in San Francisco. The site will provide lawyers with a "one-stop shop for members to get what they need while saving far more than they pay in dues," she said then. The site is intended to be used by all solo and small firm attorneys, but ABA members get access to special services and product discounts through the site. The idea of the site is to help lawyers choose the products and services they need to build their firms. Lawyers who come to the site are given two routes by which to do this. The first, called Firm Builder, is restricted to ABA members and is intended to provide customized recommendations based on the user's unique needs. The user first chooses a category - technology, virtual assistance or marketing - and then answers a series of questions. The result is a set of recommended products and services. The other route, called Universal Solution, is open to anyone and offers one-size-fits-all packages tailored to these needs: * * * A notable advantage of using the site is the discounts it offers. Take Clio, for example. Clio has three levels of monthly subscriptions (with an annual contract) - $39, $59 and $99. Blueprint offers 25 percent discounts off Clio's top two tiers, so the $59 tier would be $44.25 and the $99 tier would be $74.25. That is an annual savings of $177 or $297. Ruby Receptionists is offering a new Solo Plan through Blueprint that is not available through the company's own website. The solo plan is $180 a month, compared to the lowest-priced plan on the company's website, which is $259 a month. Clearly, the ABA intends the members-only features of this site to provide an incentive for non-members to join. The fact is, the ABA appears to be right about this. Consider that ABA dues for a solo lawyer range from $117 to $260 (depending on year of bar admission). Just the Clio discount alone could make back the price of the dues. If you buy other products as well, then the savings become even greater.

NOTED PODCASTS/MOOCS

Every piece of art you've ever wanted to see - up close and searchable (TED video, Feb 2016; 15:00) - What does a cultural Big Bang look like? For Amit Sood, director of Google's Cultural Institute and Art Project, it's an online platform where anyone can explore the world's greatest collections of art and artifacts in vivid, lifelike detail. Join Sood and Google artist in residence Cyril Diagne in a mind-bending demo of experiments from the Cultural Institute and glimpse the exciting future of accessibility to arts and culture.

How to get social media evidence admitted to court (ABA, 1 Nov 2016) - As technology continues to influence the practice of law, court cases are increasingly turning on social media. But unlike other forms of evidence, social media is fleeting - and, if you can get the data, questions of authenticity arise when you seek to admit it as evidence. In a recent ABA CLE, "Acquiring, Preserving and Authenticating Websites and Social Media," Jennifer Ellis of Lowenthal & Abrams PC, and Michael Maschke of Sensei Enterprises, Inc., share how you can obtain and use social media and other forms of digital evidence in your cases. When it comes to using social media as evidence, all the usual standards apply, said Ellis, who is not only her firm's go-to expert on digital evidence, but also a consultant with a focus on technology issues. "Is it relevant? Is it more probative than prejudicial? Is there a hearsay problem or exception? And, is it authentic?" she told lawyers to ask themselves, referencing Federal Rules 401-402, 403 and 901-902. But in order to get the material in the first place, should you just subpoena Facebook or Twitter? Ellis said no, explaining that social media sites will likely claim that sharing the information violates the Stored Communications Act. "They won't respond to a subpoena for the content itself," she said. But "they do cooperate with authorities in regard to criminal cases." What you may be able to get is proof of ownership, which can be critical to the authentication of the evidence if the owner of the account lies and says it isn't her account. "It's not easy," said Ellis, explaining that most of the social media sites are based in California and they will want a local subpoena. "It can be complex, but sometimes critically necessary." So, how do you get access to the specific posts you need? "Trail v. Lesko really spells out where the law is going in terms of getting access to this stuff," Ellis said of the case, which centered on accessing a Facebook account during discovery. According to Judge R. Stanton Wettick's decision, a requesting party must show "sufficient likelihood" that such an account would include relevant information that is "not otherwise available" before being granted access to it. * * *

RESOURCES

The Future of Self-Regulation is Co-Regulation (Ira Rubinstein, NYU, 5 October 2016) - The Cambridge Handbook of Consumer Privacy, from Cambridge University Press (forthcoming). Abstract: Modern regulatory theory has long treated voluntary self-regulation and direct government regulation as opposing ends of a regulatory continuum, with most self-regulatory schemes falling somewhere in the middle. This chapter explores the middle ground by examining co-regulatory approaches to privacy, in which industry enjoys considerable flexibility in shaping self-regulatory guidelines, consumer advocacy groups have a seat at the table, and government sets default requirements and retains general oversight authority to approve and enforce these guidelines. Privacy co-regulation is generally understood as a collaborative, flexible, and performance-based approach to privacy regulation that draws on the theoretical insights of collaborative governance theory. This chapter argues that privacy self-regulation in the form of voluntary codes has had a sufficiently long run to prove its worth but has failed. Now is the time to make the transition to co-regulation, especially in the U.S. It is organized into three sections. The first considers in greater detail the differences between self-regulation and co-regulation. The second looks at the failure and stubborn persistence of voluntary codes of conduct. The third shifts the discussion to three case studies of privacy codes and practices that have benefited from a co-regulatory approach. In the past few years, there have been some notable developments in co-regulatory schemes as well as some important empirical studies. These new materials provide an opportunity to understand the conditions for the success (and failure) of co-regulatory solutions in the privacy field and what this implies for the future of regulatory innovation. The chapter concludes by offering a few recommendations on how the U.S. Congress can implement co-regulatory approaches in any future legislation to optimally protect online consumer privacy while preserving innovation and economic growth.

BOOKS

A Practical Guide to Software Licensing for Licensees and Licensors (6th Edition, by MIRLN subscriber Ward Classen, available thru the ABA Webstore) [ Polley : I reviewed the 4th edition in MIRLN 15.07. This new edition still contains access to on-line forms with contract language (perfect for cut-and-paste), checklists and new chapters on software development agreements, agile development, APIs, and SDKs.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Yale to post video of courses online (Inside Higher Ed, 20 September 2006) -- Yale University announced plans to begin posting video of course lectures online. Yale's effort is part of a larger movement in higher education toward open courseware, led in large part by an initiative started at MIT in 2001. For the OpenCourseWare project, MIT posts course materials online, including syllabi, reading lists, and other resources. Diana Kleiner, who is leading the effort at Yale, said the project follows "MIT's footprints" but represents the next step. Kleiner said that Yale officials believe the in-class experience to be central to the educational experience. Under the program, all of the lectures for a given course will be recorded and placed online. Beginning with seven courses this year, the program is expected to grow quickly to include many more in successive years. The university is exploring ways to ensure that offering video of lectures online will not encourage Yale students to skip class and simply watch the lectures at their convenience. Also at issue are intellectual property considerations, given that faculty are free to use some copyrighted materials in lectures, but that those materials may not be used similarly by the public. http://www.insidehighered.com/news/2006/09/20/yale

- and -

Harvard offers virtual class in Second Life (Edupage, 30 August 2006) -- This fall, Harvard Law School professor Charles Nesson will coteach a course on argument with his daughter, Harvard Extension School instructor Rebecca Nesson, that will take place in the Second Life virtual world. In Second Life, users create avatars that they control, using them to move around the virtual environment and interact with others and with the virtual physical space. A number of other colleges and universities have used Second Life as a component of certain courses. For this new course at Harvard, Nesson and Nesson will teach students, entirely through the virtual environment, how to use blogs, wikis, podcasts, and other electronic tools to make effective arguments. The class, which is open to the public through Harvard's extension school, will take place in an online replica of the university's Ames Courtroom. Rebecca Nesson will hold office hours in Second Life; Charles Nesson's office hours will be in his actual office.

- and -

Second Lifers get first look at new hotel chain (CNET, 14 August 2006) -- Avatars looking for a stylish place to mingle and get a cocktail will soon be able to check out a trendy new hotel, months before their fleshy counterparts. Starwood Hotels & Resorts Worldwide, which oversees such well-known hotel brands as Sheraton, St. Regis and Westin, will launch its newest chain, Aloft, in the online society "Second Life" in September. In the brick-and-mortar realm, the plan is for the first Aloft inn to open sometime in 2008, catering to active, urban 30- to 50-year-olds. But the real-world lodge will be preceded by a 3D cyberversion designed to prompt feedback from virtual guests and help guide the earthbound endeavor. "We think the SL world is a specific community of early adopters, of tech-savvy people who like to voice their opinions," said Brian McGuinness, vice president of the Aloft Hotels brand. Aloft will be the first hotel for "Second Life," which has already incorporated businesses from Wells Fargo to Major League Baseball. Marc Schiller, CEO and founder of ElectricArtists 2.0, a marketing services company, approached Starwood two months ago with the idea of a virtual debut for Aloft. Starwood then purchased an island in "Second Life," and construction began on the hotel a month ago. "We're hoping we can learn a lot about where (Second Lifers) congregate and how they use space in a communal way," Schiller said. "That could be valuable as Starwood develops the hotel." "Second Life" is an open-ended virtual world in which players can create or do just about anything they can imagine. Opened to the public in 2003, it features a mainland composed of an array of square, 16-acre plots. The so-called metaverse is free to play in, but users must pay monthly fees if they want to own land. Its publisher, Linden Lab, makes money from land-usage fees, as well as player purchases of the "Second Life" currency, the Lindendollar, which is used to purchase property and other goods. The virtual marketplace supports millions of U.S. dollars in monthly transactions. One of the most intriguing elements of "Second Life" is its bustling economy. Linden Lab is one of the few companies that grants its users full intellectual-property rights to their creations, and that's engendered a robust marketplace in any number of virtual goods, including land, clothing, vehicles, magic wands and more.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Steptoe & Johnson's E-Commerce Law Week

7. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

8. The Benton Foundation's Communications Headlines

9. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.