Saturday, December 30, 2017

MIRLN --- 10-31 Dec 2017 (v20.18) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

20,000 artworks available for free download on LACMA's robust digital archive (My Modern Met, 4 Dec 2017) - You don't have to travel the world to see great art. As museums continue to digitize their collections, you can view paintings, sculptures, and other artwork that spans thousands of years and geographical locations. The Los Angeles County Museum of Art (LACMA) has worked for the past two years to make their acquisitions viewable online. There are 20,000 images available and in the public domain, making them also free downloadable art for anyone. Altogether, the museum has uploaded 80,000 works on their website with both restricted and unrestricted use - a quarter of the art that's in their physical collection. It's easy to find an image that will inspire you. The robust online search is sorted via highlights, chronology, curatorial area, and more; it's a great place to start. If you're looking for something more specific, however, they've tagged individual works with their defining attributes. Typing in the word "cactus", for instance, will bring up photographs, paintings, and objects having to do with the plant. You can even choose the option to filter only images that are in the public domain.

Vicarious liability for data breach by rogue [UK] employee (Clyde & Co, 5 Dec 2017) - In the first group litigation of its kind, Morrisons Supermarkets was found to be vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online. This was despite the fact that Morrisons was found to be entirely innocent of any misuse, that the employee had acted deliberately to harm his employer, had been convicted and imprisoned for his actions and that disclosure of the data had been done at home, on a Sunday outside office hours. In principle, the decision could mean that Morrisons will be liable to compensate all 5,500 employees involved in the claim. Permission has already been given for Morrisons to appeal the decision to the Court of Appeal.

Almost one-third of US businesses had a data breach (Sys-Con Media, 7 Dec 2017) - Almost one-third of U.S. businesses (29 percent) experienced a data breach in the previous year, a survey for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re, reported today, and eight in ten spent at least $5,000 to respond. The HSB survey conducted by Zogby Analytics also found that almost half of the breaches (47 percent) were caused by a vendor or contractor working for a business, followed by employee negligence (21 percent) and lost or stolen mobile devices or storage media (20 percent). In two-thirds of the data breaches, the businesses reported their reputation was negatively affected. When asked what the biggest hurdle would be for their organization to respond to a data breach, 51 percent said lack of knowledge and 41 percent a lack of resources. The financial impact of a data breach was considerable: 27 percent of the businesses spent between $5,000 and $50,000 to respond and 30 percent spent between $50,000 and $100,000.

Governors and federal agencies are blocking nearly 1,300 accounts on Facebook and Twitter (ProPublica, 8 Dec 2017) - Amanda Farber still doesn't know why Maryland Gov. Larry Hogan blocked her from his Facebook group. A resident of Bethesda and full-time parent and volunteer, Farber identifies as a Democrat but voted for the Republican Hogan in 2014. Farber says she doesn't post on her representatives' pages often. But earlier this year, she said she wrote on the governor's Facebook page, asking him to oppose the Trump administration's travel ban and health care proposal. She never received a response. When she later returned to the page, she noticed her comment had been deleted. She also noticed she had been blocked from commenting. (She is still allowed to share the governor's posts and messages.) According to documents ProPublica obtained through an open-records request this summer, hers is one of 494 accounts that Hogan blocks. Blocked accounts include a schoolteacher who criticized the governor's education policies and a pastor who took a stance against accepting Syrian refugees. They even have their own Facebook group: Marylanders Blocked by Larry Hogan on Facebook. In August, ProPublica filed public-records requests with every governor and 22 federal agencies, asking for lists of everyone blocked on their official Facebook and Twitter accounts. The responses we've received so far show that governors and agencies across the country are blocking at least 1,298 accounts. More than half of those - 652 accounts - are blocked by Kentucky Gov. Matt Bevin, a Republican. Four other Republican governors and four Democrats, as well as five federal agencies, block hundreds of others, according to their responses to our requests. Five Republican governors and three Democrats responded that they are not blocking any accounts at all. Many agencies and more than half of governors' offices have not yet responded to our requests.
When the administrator of a public Facebook page or Twitter handle blocks an account, the blocked user can no longer comment on posts. That can create an inaccurate public image of support for government policies. (Here's how you can dig into whether your elected officials are blocking constituents.)

How Google Fiber turned 2017 into its comeback year (TechRepublic, 11 Dec 2017) - Google Fiber showed new life in 2017, after a near death experience in late 2016. The fiber internet pioneer launched in three new cities - Huntsville, AL, Louisville, KY, and San Antonio, TX - this year. It also began to heavily rely on shallow trenching, a new method of laying cables, to expedite the construction process. "We're very pleased with the response from residents in these markets - along with our other existing Google Fiber cities, where we worked hard throughout the year to bring Fiber service to even more people in many more neighborhoods," a Google Fiber spokesperson told TechRepublic. The comeback happened after a construction halt and the CEO stepping down in October 2016, which left some wondering if Fiber was on its last breath. But 2017 wasn't entirely a year of redemption. In February, hundreds of Fiber employees were moved to new jobs at Google. And Gregory McCray left the role of CEO in July after only holding the position for five months. And internet experts still have their doubts. Chris Antlitz, a senior analyst at Technology Business Research, labelled Fiber's year as "not very good." Jim Hayes, president of the Fiber Optic Association, called Google Fiber a "very distant player" in the fiber market. Fiber set a new bar for broadband by showing incumbent internet service providers (ISPs) that it is economically feasible to bring 1 gigabit internet to consumers, Antlitz said. Since Google Fiber led a connectivity renaissance in 2011 when it launched in its first city, Kansas City, KS, top telecom providers have been in an arms race to upgrade their broadband pipes to accommodate 1 gigabit, Antlitz said. Google Fiber's presence in the market has caused competition that has forced other fiber providers like Verizon and AT&T Fiber to offer cheaper, faster service.
Adding a second provider to a market can reduce prices by around one-third, according to a study by the Fiber to the Home Council.

How email open tracking quietly took over the web (Wired, 11 Dec 2017) - "I just came across this email," began the message, a long overdue reply. But I knew the sender was lying. He'd opened my email nearly six months ago. On a Mac. In Palo Alto. At night. I knew this because I was running the email tracking service Streak, which notified me as soon as my message had been opened. It told me where, when, and on what kind of device it was read. With Streak enabled, I felt like an inside trader whenever I glanced at my inbox, privy to details that gave me maybe a little too much information. And I certainly wasn't alone. There are some 269 billion emails sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a study published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email - usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising - and growing - number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed.
"Surprisingly, while there is a vast literature on web tracking, email tracking has seen little research," noted an October 2017 paper published by three Princeton computer scientists. All of this means that billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless. And Seroussi believes that some, at least, are in serious danger as a result. * * *
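The 1x1-pixel beacon described above is easy to spot once you know the signature: a remote image that the client would fetch on open, rendered at one pixel or hidden outright. The script below is an added example written for this digest, not code from the Wired article, OMC or Streak. It parses a constructed HTML email body with the standard library and lists remote images that match that signature; the `.invalid` hostnames and the sample body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the original article).
# It mixes an ordinary logo, two beacon-style pixels and an inline (cid:) image.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi, please see the attached agenda.</p>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example-mailer.invalid/open?id=ab12cd34" width="1" height="1" style="display:none">
<img src="cid:inline-photo-1" width="1" height="1">
<img src="https://beacon.example-mailer.invalid/p.gif" style="width:1px;height:1px;border:0">
<a href="https://example.invalid/report">Report</a>
</body></html>
"""


class TrackingPixelFinder(HTMLParser):
    """Collects <img> tags that look like open-tracking beacons:
    a remote (http/https) source that is rendered at 1x1 or hidden."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        # Only a remote fetch can report an open back to the sender;
        # cid: (inline attachment) and data: images never leave the client.
        if parsed.scheme.lower() not in ("http", "https"):
            return
        if self._is_tiny_or_hidden(a):
            self.suspects.append({"src": src, "host": parsed.hostname})

    @staticmethod
    def _is_tiny_or_hidden(a):
        def px(value):
            # Accept "1", "1px" or " 1 "; anything else is treated as unknown.
            try:
                return int(str(value).lower().strip().rstrip("px").strip())
            except ValueError:
                return None

        width, height = px(a.get("width")), px(a.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            return True
        # Inline CSS variants of the same trick.
        style = (a.get("style") or "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            return True
        if "width:1px" in style and "height:1px" in style:
            return True
        return False


def find_tracking_pixels(html):
    """Return a list of {src, host} dicts for each suspected beacon image."""
    parser = TrackingPixelFinder()
    parser.feed(html)
    parser.close()
    return parser.suspects


if __name__ == "__main__":
    for hit in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"suspected open-tracking pixel from {hit['host']}: {hit['src']}")
```

The check only covers image beacons; the article also mentions tracked hyperlinks and custom fonts, which need separate handling (a rewritten link is not visible until it is clicked, and a remote `@font-face` lives in a `<style>` block rather than an `<img>` tag). A mail client that does not auto-load remote content defeats all three variants regardless of how well they are disguised, which is why that setting is the first mitigation to recommend.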

Most companies fail to disclose cybersecurity as a risk factor in SEC filings (Corporate Counsel, 12 Dec 2017) - In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies "have blinders on" when it comes to disclosing cybersecurity risks, according to a new report. From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies - 38 percent - citing cybersecurity as a risk factor in quarterly and annual filings. What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies. The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies "either they have blinders on - or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers," he said. But Hicks added that he expects to see more reporting from companies in the coming years. "For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure," Hicks said.

- and -

4 in 5 physicians had a cyberattack in their practices, says survey (AMA, 12 Dec 2017) - More than four in five U.S. physicians (83 percent) have experienced some form of a cybersecurity attack, according to new research released today by Accenture and the American Medical Association (AMA). This, along with additional findings, signals a call to action for the health care sector to increase cybersecurity support for medical practices in their communities. The findings, which examined the experiences of roughly 1,300 U.S. physicians, underscore the recognition that it is not "if" but "when" a cyberattack will occur. More than half (55 percent) of the physicians were very or extremely concerned about future cyberattacks in their practice. In addition, physicians were most concerned that future attacks could interrupt their clinical practices (cited by 74 percent), compromise the security of patient records (74 percent) or impact patient safety (53 percent). "The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety," said AMA President David O. Barbe, M.D., M.H.A. "New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentiality and integrity of health care data." The findings show the most common type of cyberattack was phishing - cited by more than half (55 percent) of physicians who experienced an attack - followed by computer viruses (48 percent). Physicians from medium and large practices were twice as likely as those in small practices to experience these types of attacks.
Nearly two-thirds (64 percent) of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third (29 percent) of physicians in medium-sized practices that experienced a cyberattack said they experienced nearly a full day of downtime.

Model publishing contract features author-friendly terms for open access scholarship (Authors Alliance, 14 Dec 2017) - The University of Michigan and Emory University have teamed up to create a Model Publishing Contract for Digital Scholarship designed to aid in the publication of long-form digital scholarship according to open access principles. Developed by a team of library and university press professionals, the model contract takes into account the needs of a variety of stakeholders. The contract is shorter and easier to understand than typical publishing contracts, and it offers authors more rights in their own work, while still allowing publishers sufficient rights for commercial uses and sales. Associated documents include: * * *

Tips for capturing social media evidence (Attorney at Work, 15 Dec 2017) - It turns out that sometimes you can believe what you see on the internet. Criminal defendants and civil litigants overshare on social media just like the rest of us. But heading into court, that tendency is less an annoying habit and more a potential self-incrimination. In their search for credible evidence against opponents, lawyers are increasingly turning to social media for digital smoking guns. When Facebook first urged its users to "Go Live!" on its new video posting system, it probably imagined videos of blown-out birthday candles or baby's first steps. Disturbingly, the feature began to be used for posting videos bragging to the world about crimes. But self-incriminating evidence includes more than posting videos of possible crimes. For example, spouses often use internet posts against each other in divorce court. Even as early as 2010, 81 percent of divorce attorneys agreed there was an increase in social media evidence. They cited Facebook as the top source for online evidence, with 66 percent of those lawyers finding something useful for their clients on the social site. No area of practice is immune: Bankruptcy lawyers need to worry about posts that indicate hidden assets, and personal injury attorneys should worry that their client's Instagram posts will make the jury skeptical of claims of pain and suffering. You can use social media evidence to great effect, but first, you've got to find it and capture it in an efficient way. Consider these three tips: * * *

DLA Piper had planned a cyberbreach response before major malware attack in June (ABA Journal, 19 Dec 2017) - DLA Piper had planned its response to a cyberbreach before its systems shut down in response to a major malware attack last June. Don Jaycox, DLA Piper's chief information officer for the Americas, tells the Wall Street Journal (sub. req.) that the attack began when a malware agent known as NotPetya was downloaded on a finance server in Ukraine. "Our first instinct - because we had planned it out - was to shut everything down once we realized the attack had a fairly broad reach," Jaycox said. "Everything was off the air, along with roughly two-thirds of our end points, laptops, desktops, etc." DLA Piper had already contracted with companies that would assist it in monitoring its network and responding to an attack. Two were tapped the first day of the breach, and a third was called in on the second day. The law firm had registered all of its cellphones to a mass communication texting system, allowing for a blast communication. The firm also had a game plan for quickly recovering a targeted system, such as email, but it couldn't quickly restore every system at once. "People who do backups to the cloud, one of the things that you need to think about is what is the scenario for total recovery if you lose everything," Jaycox said. "Because getting all the data back if you need to get all of it can be a little bit challenging." The top question from clients was whether their data was compromised, Jaycox said. At first, the law firm was able to say it found no indications of compromised information. After additional assessment, that statement can now be made "with a very high degree of certainty," he said.

- and -

Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers (ABA Journal article, by ODNI's Bob Litt & colleagues, Jan 2018) - Corporate litigator Jane Doe sat down at her desk Monday morning and logged on to her computer. She opened an email appearing to be from a client that read: "Hi. Could you please take a look at this document? It's urgent." Doe clicked on the attachment. Two weeks later, a hacker website published confidential documents that one of her most important clients had given the firm in connection with a lawsuit alleging environmental violations. Doe's client called, furious, to inform her that she was discharged, and that the client was considering a lawsuit against her firm. Every week brings news of major new cyberattacks - the stealing of personal information from Equifax and the federal Office of Personnel Management, the Petya and WannaCry ransomware worms, the Russian hacking of the Democratic National Committee's emails, to name a few. Indeed, the cyberthreat from criminals, hacktivists and state actors is growing. The costs associated with these malicious activities are staggering: Last year, the Commission on the Theft of American Intellectual Property estimated that the annual cost of IP theft in three major categories may be as high as $600 billion and that the low-end total exceeds $225 billion, or 1.25 percent of the U.S. economy. Law firms have not been immune. In fact, they have been a ripe target: * * * [Polley: This is the first in a year-long 2018 series "Digital Dangers", addressing cybersecurity and the threat faced by lawyers. This is related to the ABA's just-published Cybersecurity Handbook (2nd Ed.). The Journal's series, the Handbook, and other resources showcase work by the ABA's Cybersecurity Legal Task Force, which I have the privilege of co-chairing with Ruth Bro.]

Rep. Blackburn introduces fake net neutrality legislation (Free Press, 19 Dec 2017) - On Tuesday, Rep. Marsha Blackburn (R-Tennessee) introduced anti-Net Neutrality legislation that she dubbed the "Open Internet Preservation Act." The bill lacks many of the fundamental guarantees that prevent internet access providers from interfering with online traffic. Rep. Blackburn, who is among the top recipients of campaign contributions from the phone and cable lobby, said on Twitter that she hopes to rush the legislation to President Donald Trump's desk for signing. The bill reportedly includes prohibitions on blocking or throttling of internet traffic, but would not prevent pay-to-play prioritization schemes. It would also constrain FCC authority to contend with future abuses and prevent states from enacting their own Net Neutrality protections. Free Press Action Fund President and CEO Craig Aaron made the following statement: "Having lost their fight against Net Neutrality in the court of public opinion, companies like AT&T, Comcast and Verizon are trying to use fake Net Neutrality bills like this to end all effective oversight of their anti-competitive, anti-consumer practices. Blackburn's legislation fails at the very thing it claims to accomplish. It prohibits a few open-internet violations, but opens the door to rampant abuse through paid-prioritization schemes that split the internet into fast lanes for the richest companies and slow lanes for everyone else. This bill's true goal is to let a few unregulated monopolies and duopolies stifle competition and control the future of communications. This cynical attempt to offer something the tiniest bit better than what the FCC did and pretend it's a compromise is an insult to the millions who are calling on Congress to restore real Net Neutrality."

- and -

Bucking President Trump's FCC, New York introduces its own net neutrality bill (Fast Company, 19 Dec 2017) - Since the FCC voted last week to abolish net neutrality regulations, California, Washington, and New York State have vowed to take up the cause. New York is one of the first out the gate. State Assembly member Patricia Fahy - a Democrat whose district includes the capital, Albany - has drafted a short piece of legislation to introduce this week. It requires the state government, state agencies, and local governments (including New York City) to do business only with ISPs that adhere to net neutrality principles of no blocking or slowing down access to any legal content. Nor can they allow paid prioritization, or offer content providers premium-priced "fast lanes" for better service. "If you are going to be a contractor and want to work with New York, then you must meet the principles," Fahy tells Fast Company. She hopes that this approach will get around a roadblock known as preemption. The Constitution generally gives the federal government final authority over commercial activities that cross state lines. But while New York can't require ISPs to uphold net neutrality, it can use its "power of the purse" to punish ISPs that don't. "There's a decent amount of precedent for saying, if you want a state contract, you have to meet such and such requirements," she says, noting construction contracts contingent on certain labor practices or the use of U.S.-made steel.

Facial scans at US airports violate Americans' privacy, report says (NYT, 21 Dec 2017) - A new report concludes that a Department of Homeland Security pilot program improperly gathers data on Americans when it requires passengers embarking on foreign flights to undergo facial recognition scans to ensure they haven't overstayed visas. The report, released on Thursday by researchers at the Center on Privacy and Technology at Georgetown University's law school, called the system an invasive surveillance tool that the department has installed at nearly a dozen airports without going through a required federal rule-making process. The report's authors examined dozens of Department of Homeland Security documents and raised questions about the accuracy of facial recognition scans. They said the technology had high error rates and was subject to bias, because the scans often fail to properly identify women and African-Americans. "It's telling that D.H.S. cannot identify a single benefit actually resulting from airport face scans at the departure gate," said Harrison Rudolph, an associate at the center and one of the report's co-authors. * * *

Russian submarines are prowling around vital undersea cables. It's making NATO nervous. (WaPo, 22 Dec 2017) - Russian submarines have dramatically stepped up activity around undersea data cables in the North Atlantic, part of a more aggressive naval posture that has driven NATO to revive a Cold War-era command, according to senior military officials. The apparent Russian focus on the cables, which provide Internet and other communications connections to North America and Europe, could give the Kremlin the power to sever or tap into vital data lines, the officials said. Russian submarine activity has increased to levels unseen since the Cold War, they said, sparking hunts in recent months for the elusive watercraft. "We are now seeing Russian underwater activity in the vicinity of undersea cables that I don't believe we have ever seen," said U.S. Navy Rear Adm. Andrew Lennon, the commander of NATO's submarine forces. "Russia is clearly taking an interest in NATO and NATO nations' undersea infrastructure." NATO has responded with plans to reestablish a command post, shuttered after the Cold War, to help secure the North Atlantic. NATO allies are also rushing to boost anti-submarine warfare capabilities and to develop advanced submarine-detecting planes.

Codified US laws from 1925 now available, searchable on loc.gov (Sierra Sun Times, 26 Dec 2017) - More than 60 years of U.S. laws are now published online and accessible for free for the first time after being acquired by the Library of Congress. The Library has made available the main editions and supplements of the United States Code from 1925 through the 1988 edition. The U.S. Code is a compilation of federal laws arranged by subject by the Office of the Law Revision Counsel of the House of Representatives. The Library's U.S. Code Collection is fully searchable. Filters allow users to narrow their searches by date, title and/or subject. PDF versions of each chapter can be viewed and downloaded. The collection is online at loc.gov/collections/united-states-code/. This provides access to editions of the U.S. Code that previously were not available to the public online for free. "For the first time these historical materials will be available online for free in a searchable format," Law Librarian of Congress Jane Sanchez said. "The U.S. Code provides a convenient tool for locating the law in force at a particular point in time. These historical editions will help students, historians and other researchers delving into the primary sources of our government and democracy."

Library of Congress gives up collecting all tweets because Twitter is garbage (Gizmodo, 26 Dec 2017) - In 2010, the Library of Congress started archiving every single public tweet that was published on Twitter. It even retroactively acquired all tweets dating back to 2006. But the Library of Congress will stop archiving every tweet on December 31, 2017. Why is it stopping? Because tweets are trash now. The Library of Congress issued a white paper this month saying that it was proud of its comprehensive collection of tweets from the first 12 years of Twitter, but that it's completely unnecessary for it to continue. Instead, the organization will only collect tweets that it deems historically significant. For instance, President Trump's tweets are almost certainly still going to be saved for future generations. One reason that the Library is stopping the comprehensive archive? The social media company's controversial change to allow 280-character tweets. The Library's halt on collection of all tweets puts Twitter more in line with the way that other digital collections are archived, including websites. The Library of Congress only archives websites on a selective basis, unlike the nonprofit, non-governmental organization the Internet Archive, which has a much broader goal of archiving everything online with its Wayback Machine. The Library of Congress also noted that many tweets include photos and video and that it has only been collecting text, making some of its collection worthless.

That game on your phone may be tracking what you're watching on TV (NYT, 28 Dec 2017) - At first glance, the gaming apps - with names like "Pool 3D," "Beer Pong: Trickshot" and "Real Bowling Strike 10 Pin" - seem innocuous. One called "Honey Quest" features Jumbo, an animated bear. Yet these apps, once downloaded onto a smartphone, have the ability to keep tabs on the viewing habits of their users - some of whom may be children - even when the games aren't being played. The apps use software from Alphonso, a start-up that collects TV-viewing data for advertisers. Using a smartphone's microphone, Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership. More than 250 games that use Alphonso software are available in the Google Play store; some are also available in Apple's app store. Some of the tracking is taking place through gaming apps that do not otherwise involve a smartphone's microphone, including some apps that are geared toward children. The software can also detect sounds even when a phone is in a pocket if the apps are running in the background. Alphonso said that its software, which does not record human speech, is clearly explained in app descriptions and privacy policies and that the company cannot gain access to users' microphones and locations unless they agree. Alphonso declined to say how many people it is collecting data from, and Mr. Chordia said that he could not disclose the names of the roughly 1,000 games and the messaging and social apps with Alphonso software because a rival was trying to hurt its relationships with developers. 
(The New York Times identified many of the apps in question by searching "Alphonso automated" and "Alphonso software" in the Google Play store.)

RESOURCES

Lee on Digital Copyright in the TPP (MLPB, 11 Dec 2017) - Jyh-An Lee, The Chinese University of Hong Kong Faculty of Law, has published Digital Copyright in the TPP, in Paradigm Shift in International Economic Law Rule-Making: TPP As a New Model for Trade Agreements? 371 (Julien Chaisse, Henry Gao & Chang-fa Lo eds., Springer, 2017). Here is the abstract: This chapter focuses on key copyright issues in TPP's IP Chapter, especially those related to the Internet and digital technologies. Those issues include copyright term extension, safe harbor for Internet service providers (ISPs), technological protection measures, criminal liability, and limitations and exceptions. This chapter analyzes whether private and public interests represented by various stakeholders in the copyright ecology are taken into full account and kept balanced under TPP. This chapter also evaluates member states' diverse considerations for implementing those copyright provisions. Furthermore, this chapter uses the IP Chapter as a lens to illustrate the international expansion of copyright facilitated by trade negotiations.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

The IT law Wiki (launched December 2007) -- This wiki is an encyclopedia of the legal issues, cases, statutes, events, people, organizations and publications that make up the global field of information technology law (often referred to as "computer law"). To learn more about this wiki, click on the "About this Wiki" link. To find an article, simply type the name in the "Search The IT Law Wiki" box in the upper right hand corner of [the referenced] page, click the "Content (A-Z)" button to the right or click the "Random page" button above or to the right. To write a new The IT Law Wiki article, enter the page title in the box. [see also the EFF's similar wiki: http://ilt.eff.org/index.php/Table_of_Contents]

Get your own XO laptop: OLPC Give 1 Get 1 project underway (ArsTechnica, 12 Nov 2007) - The One Laptop Per Child (OLPC) initiative announced today the official launch of the Give 1 Get 1 (G1G1) program, which allows individual donors in the United States and Canada to acquire their very own shiny OLPC XO laptop by donating $399 to the project. Designed specifically to be used by schoolchildren in developing countries, the XO laptop was originally only going to be sold in bulk quantity to governments. OLPC had to change those plans earlier this year in order to compensate for slow sales. The G1G1 program, which opens today and ends on November 26, allows individual donors to purchase XO laptops for personal use when also buying one for a child in a developing nation. Ponying up $399 will get donors an XO laptop, and $200 of that donation is tax-deductible. OLPC has also partnered with T-Mobile, which is offering free T-Mobile HotSpot access to all US donors who participate in the G1G1 program. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, December 09, 2017

MIRLN --- 19 Nov - 9 Dec 2017 (v20.17)

MIRLN --- 19 Nov - 9 Dec 2017 (v20.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


New roadside scanner contract brings uninsured drivers closer to automatic tickets (Oklahoma Watch, 16 Nov 2017) - Oklahoma has finalized a deal with a Massachusetts company to use license-plate scanners to catch uninsured drivers, and the firm expects to issue 20,000 citations a month starting as early as next year. The program, believed to be the first of its kind in the nation, involves setting up automated high-speed cameras on highways around the state to detect uninsured vehicles and mailing their owners a citation with a fine of $184, according to the District Attorneys Council. Gatso USA, a Beverly, Massachusetts-based company that specializes in red-light-running and speeding detection systems, will initially get $80, or 43 percent, of each fine. Its cut will decrease to $74 after two years and $68 after five years, according to a contract approved by the state after months of legal review and negotiation. The company could expect to bring in $1.6 million a month, or $19 million a year, if the 20,000 citations are issued monthly. Gatso is a subsidiary of a Dutch company. Drivers who pay the fees will avoid having a charge of driving without insurance on their permanent record. The purpose of the Uninsured Vehicle Enforcement Diversion Program, approved by the state Legislature in 2016, is to reduce the high number of uninsured motorists in Oklahoma. A 2015 Pew Charitable Trusts survey found that 26 percent of all drivers in the state are uninsured - the highest rate in the nation - which can push up insurance premiums and hit-and-run accidents. But another incentive underlies the program. It will be overseen by the District Attorneys Council rather than law enforcement, and the state's 27 district attorneys' offices are expected to receive millions of dollars in citation revenue a year, although no estimates were provided. District attorneys have complained that their revenue sources are diminishing because of state budget cuts and the drop in bounced-check fines. top

The dangerous data hack that you won't even notice (Quartz, 17 Nov 2017) - A recent wave of cyberattacks, from WannaCry and Equifax to the alleged Russian influence on the US election, has demonstrated how hackers can wreak havoc on our largest institutions. But by focusing only on hackers' efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility: data manipulation. Imagine that a major Big Food company gets hacked. But this time, instead of leaking the company's proprietary information to the public or freezing its systems with ransomware, the hackers subtly manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make drinkers sick, despite appearing within their use-by date. Figures are tweaked slightly on pending invoices to vendors, altering the company's balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product that was failing suddenly looks like it is passing regulation tests. Would the company even notice such changes happening? Could it still have the confidence that its backups were uncompromised? How could its investors accurately assess the company's value when all of its financials might suddenly be based on faulty information? And how might its customers and suppliers respond? Now apply this thought experiment to banks, medical institutions, and government organizations. It's pretty scary. Unlike "information-gathering" hacks (where data is stolen because it is valuable) or "hold hostage" attacks (when data is imprisoned until someone pays to release it), "manipulation hacks" are hard to detect: They result when individuals (or bots) illegally change vital information below the threshold of attention. * * * top

- and -

$1 billion lawsuit focuses on EHR data integrity concerns (Data Breach Today, 20 Nov 2017) - The suit alleges that eClinicalWorks' cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means "patients and doctors cannot rely on the veracity of those records." The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services' Office of Inspector General (see eClinicalWorks Case Shines Spotlight on Data Integrity). The Justice Department alleged the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements. Among the requirements it didn't meet, according to DoJ: accurately recording user actions - such as orders for diagnostic tests - that are conducted in the course of a patient's treatment and ensuring data portability. The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company's software: (1) Periodically displayed incorrect medical information in the right chart panel of the patient screen; (2) Periodically displayed multiple patients' information concurrently; (3) In specific workflows, failed to accurately display medical history on progress notes; and (4) Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient's treatment. "As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records," the lawsuit complaint claims. "Because the audit history does not accurately record user actions, there is no way for any patient to know if their records were deleted/altered/modified. In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions," the complaint says. The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, "on behalf of herself and all others similarly situated." top

Cybersecurity: What to know about the 'Vulnerabilities Equities Process' (The Recorder, 22 Nov 2017) - They may not realize it, but any company hit by the WannaCry ransomware attack over the past several months was impacted firsthand by a secretive U.S. government policy mechanism known as the VEP. Short for the "Vulnerabilities Equities Process," the VEP is the procedure through which the government decides whether to hang on to knowledge of computer security flaws for offensive uses (i.e., hacking), or disclose them to ensure they get patched. In the case of WannaCry, news reports and comments by Microsoft's chief legal officer indicated that the NSA knew about the vulnerability at the root of the worm, but only told Microsoft after losing control of it. In the wake of the ensuing controversy, White House Cybersecurity Coordinator Rob Joyce last week for the first time unveiled a public version of the VEP Charter in an effort to shed some light on the government's decision-making process. The 14-page document describes in broad strokes the balancing act government hackers must go through after they discover new vulnerabilities. Here are a few things you ought to know about it: * * * top

The Fifth Amendment, decryption and biometric passcodes (Lawfare, 27 Nov 2017) - The spread of commercially available encryption products has made it harder for law enforcement officials to access information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray said that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It's a "huge, huge problem," Wray said. One might think that a way around this problem is for the government to order the user to produce the password to the device. But such an order might face a big hurdle: the Fifth Amendment. A handful of cases have emerged in recent years on the applicability of the Fifth Amendment to demands for passwords to encrypted devices. The protections afforded by the amendment depend on, among other things, whether the password involves biometric verification via a unique physical feature, or the more typical string of characters (passcode). As we will see, the government has a bit more leeway under the Fifth Amendment to insist on the decryption of personal computing devices using biometric passwords that, as in the new iPhone X, are increasingly prevalent. * * * [Polley: this area is in flux, but the article is a decent summary.] top

Art galleries versus the Pentagon (InsideHigherEd, 28 Nov 2017) - Is it art? Or government property? Or both? The John Jay College of Criminal Justice is currently hosting an exhibit of art from eight current and former detainees at the detention camp at Guantánamo Bay Naval Base in Cuba. Earlier this month, however, the Department of Defense halted the export of artwork made by prisoners there, declaring that works made by the prisoners are property of the United States government. The exhibit, "Ode to the Sea: Art From Guantánamo," went on display at the City University of New York campus Oct. 2, when Department of Defense policy still allowed detainees to export art from the island prison where the U.S. government currently detains 41 people. A total of 779 people, all men, have been detained at Guantánamo Bay since the prison's controversial opening in 2002. "On the opening pages of Moby-Dick, [Herman] Melville writes about the 'water-gazers' of New York, office-dwellers who spent their free time looking at the rivers and sea that surround the city," Erin Thompson, the exhibit's co-curator and an assistant professor in John Jay's Department of Art and Music, wrote in an essay for The Paris Review when the exhibit debuted. "The detainee artists told me that they thought of the sea as a symbol of both hope and fear. They represented it in order to dream about escape and to escape as best they could. By immersing themselves so fully in making art, they could imagine that they were in a ship at sea -- until the work was finished." The New York Post characterized the exhibit as "controversial," noting that some of the first responders who died in the Sept. 11 attacks had attended John Jay. (On the other hand, Thompson noted, only one of the current detainees whose work is on display has actually been charged with a crime.) After going through an examination by prison authorities, art created through prison programming was allowed to be released and sent abroad. That policy was changed earlier this month. "Items produced by detainees remain the property of the U.S. government," Ben Sakrisson, a Pentagon spokesman, said Monday, adding that the policy was firmly in place and not under review, which previous reports had suggested was a possibility. Even if a detainee is eventually released, Sakrisson acknowledged that the policy implicitly states that any art made by the detainee would still be government property. top

BakerHostetler and Perkins Coie named 'founding stewards' in new blockchain ID network (ABA Journal, 28 Nov 2017) - BakerHostetler and Perkins Coie are "founding stewards" in the new blockchain-based identity network Sovrin. On account of high-profile data breaches of personal information and the increased interest and feasibility of blockchain technology, there is a growing movement to create IDs that do not rely on centralized storage, which is a honeypot for hackers. Sovrin, run by the nonprofit Sovrin Foundation, "is a global, decentralized identity network that allows people and organizations to create portable, self-sovereign digital identities, which they control, and cannot be taken away by any government or organization" according to the BakerHostetler website. As founding stewards, BakerHostetler and Perkins Coie "donate network power to maintain the ledger" that hosts the nodes housing the self-sovereign IDs, according to an email from Judd Bagley, director of communications at Evernym, the company that invented Sovrin and spun it off as a separate nonprofit foundation. Bagley adds: "Stewards are charged with writing encrypted identity data to the Sovrin ledger and verifying the validity" of each ledger entry. Once in the network, the ID's existence is public across the distributed network. But it can only be accessed with the user's verification key, which is a public identifier, and a signing key, which is private and known only to the user. Together, those two cryptographic keys let a person show a bank, government or another individual or entity that they are who they say they are. For Joe Cutler, a partner at Perkins Coie, self-sovereign identity is "the future of identity." In a press release he said: "SSI aims to shift control over your most personal information back into your own hands, and to end this notion that you must sacrifice privacy and security in order to participate in today's digital economy." Laura Jehl, a partner at BakerHostetler's D.C. office, told the ABA Journal in an email that being a steward is about helping their "clients understand and embrace a future where digital identities can be trusted, mitigating risks from data breaches and other cybersecurity incidents." The Sovrin Foundation is one of numerous entities focused on self-sovereign ID built on blockchain, which includes IBM's Blockchain Platform and Microsoft's partnership with Blockstack and ConsenSys, two blockchain companies. top
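As an added illustration of the verification-key/signing-key split described in the Sovrin item above (this is example code, not Sovrin's or Evernym's own code or protocol; the in-memory ledger, the hex identifier and the choice of Ed25519 are assumptions made for the example), a relying party checks that whoever presents an identifier can sign a fresh challenge with the matching private key, and rejects replays, impostors and unknown identifiers:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Ledger is an in-memory stand-in (an assumption for this example) for the
// distributed ledger: it maps a public identifier to its verification key.
// Only the public half is ever written here; the signing key stays with the holder.
type Ledger struct {
	entries map[string]ed25519.PublicKey
}

func NewLedger() *Ledger {
	return &Ledger{entries: map[string]ed25519.PublicKey{}}
}

// Register records a verification key (the steward's role in the article) and
// returns the identifier the holder will present. Using the hex-encoded key as
// the identifier is a simplification for the example.
func (l *Ledger) Register(pub ed25519.PublicKey) string {
	id := hex.EncodeToString(pub)
	l.entries[id] = pub
	return id
}

// Holder owns the private signing key that is "known only to the user".
type Holder struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewHolder(l *Ledger) (*Holder, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Holder{ID: l.Register(pub), priv: priv}, nil
}

// Prove signs a challenge chosen by the relying party; only the signature,
// never the key, leaves the holder's device.
func (h *Holder) Prove(challenge []byte) []byte {
	return ed25519.Sign(h.priv, challenge)
}

// Verifier is the bank, agency or other relying party. It issues a fresh random
// challenge, looks the claimed identifier up on the ledger, checks the
// signature, and refuses to accept the same challenge twice.
type Verifier struct {
	ledger *Ledger
	seen   map[string]bool // challenges already accepted
}

func NewVerifier(l *Ledger) *Verifier {
	return &Verifier{ledger: l, seen: map[string]bool{}}
}

func (v *Verifier) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Check returns nil only when sig verifies over an unused challenge under the
// verification key the ledger holds for claimedID.
func (v *Verifier) Check(claimedID string, challenge, sig []byte) error {
	pub, ok := v.ledger.entries[claimedID]
	if !ok {
		return errors.New("identifier not found on ledger")
	}
	key := hex.EncodeToString(challenge)
	if v.seen[key] {
		return errors.New("challenge already used: possible replay")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify under the ledger key")
	}
	v.seen[key] = true
	return nil
}

func main() {
	ledger := NewLedger()
	alice, _ := NewHolder(ledger)
	mallory, _ := NewHolder(ledger) // a second holder with her own key pair
	bank := NewVerifier(ledger)

	c, _ := bank.Challenge()
	fmt.Println("alice proves her ID:      ", bank.Check(alice.ID, c, alice.Prove(c)))
	fmt.Println("same challenge replayed:  ", bank.Check(alice.ID, c, alice.Prove(c)))
	c2, _ := bank.Challenge()
	fmt.Println("mallory claims alice's ID:", bank.Check(alice.ID, c2, mallory.Prove(c2)))
}
```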

- and -

Coinbase ordered to give the IRS data on users trading more than $20,000 (TechCrunch, 29 Nov 2017) - Most digital currencies exist in a sort of twilight state just beyond the grasp of federal regulators, but the U.S. tax authority is starting to get savvy to this whole bitcoin thing. On Wednesday, a federal judge in San Francisco ruled that Coinbase must supply the IRS with identifying information on users who had more than $20,000 in annual transactions on its platform between 2013 and 2015. After noticing that the number of tax returns claiming gains from virtual currency didn't line up with the emerging popularity of digital currencies like bitcoin as an investment vehicle, the IRS asked Coinbase to hand over a broad swath of information on its users. Coinbase pushed back, and now the court has landed on a compromise that the company is calling a "partial victory." "Coinbase itself admits that the Narrowed Summons requests information regarding 8.9 million Coinbase transactions and 14,355 Coinbase account holders. That only 800 to 900 taxpayers reported gains related to bitcoin in each of the relevant years and that more than 14,000 Coinbase users have either bought, sold, sent or received at least $20,000 worth of bitcoin in a given year suggests that many Coinbase users may not be reporting their bitcoin gains," the court documents read. While cryptocurrency users who value the relative decentralization and privacy afforded by digital currencies won't be happy, Coinbase succeeded in limiting the government's initial request for information on all Coinbase users who made transactions from 2013 to 2015 to the smaller subset of high-value users. The IRS initially requested nine kinds of user data, including "complete user profiles, know-your-customer due diligence, documents regarding third-party access, transaction logs, records of payments processed, correspondence between Coinbase and Coinbase users, account or invoice statements and records of payments." Rejecting some of those requests, today the court narrowed the scope of documents that the IRS can request from Coinbase to taxpayer ID number, name, date of birth, address, transaction logs and account statements, deeming the rest of the documents "not necessary." Again, these personal data requests will only apply to accounts that have bought, sold, sent or received more than $20,000 in any of those types of transactions between 2013 and 2015. top

As clients demand law firm cyber audits, who sets the terms? (Law.com, 29 Nov 2017) - With hackers and other cyber pitfalls affecting more and more law firms, there is still no universally accepted standard that firms must meet to show that they are adequately protected. In the legal industry, concerns about how to assess firms' cyber defenses will likely grow, as a growing number of corporate clients insist outside counsel undergo, and most often pay for, cybersecurity audits. "We have seen an exponential increase in inquiries from law firms in 2017 versus years past," said John DiMaria, a marketing executive in the London office of BSI Group, which provides certifications related to cybersecurity, including certification for ISO/IEC 27001, an international standard for information security management. According to Patti Moran, a spokeswoman for the International Legal Technology Association, and its subsidiary ILTA LegalSEC, a community of law firms seeking to improve the security in the global legal community, more than 44 law firms had achieved that certification by the end of last year, and another 56 were working toward it. That's a big increase from two years ago, when The American Lawyer reported that at least 10 Am Law 200 firms had attained the ISO certification to assure clients they were taking steps toward protecting their documents and communication systems. To make audits worth their expense, cybersecurity auditors must use accepted and published benchmarks, said Jeffrey Ritter, a visiting fellow at the University of Oxford and founding chairman of the American Bar Association's committee on cyberspace law. "You have to show what criteria you are using," he said. At the same time, Ritter argues that such standards "have a level of ambiguity" that makes them insufficient safeguards. Meeting an ISO standard is simply not enough, according to John Sweeney, president of Nashville, Tennessee-based LogicForce, which conducts cybersecurity audits largely for law firms. (Other providers of cybersecurity audits include all the Big Four accounting firms, BSI Group and Resiliam.) "ISO is only a single standard that doesn't necessarily cover practical implementation of best practices. Our experience with corporate audits from financial, health, insurance, and other industries has shown ISO 27001 compliance isn't enough to get law firms to pass their audits," Sweeney wrote in an email responding to questions for this article. Moreover, many firms fall far behind even the minimum requirements to meet the ISO standards, a set of legal, physical and technical policies for information risk management procedures, including rules about documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. "There is currently a large gap in where plenty of law firms are today, and any formal certification process," Sweeney wrote. top

SWIFT warns banks on cyber heists as hack sophistication grows (Reuters, 28 Nov 2017) - SWIFT, the global messaging system used to move trillions of dollars each day, warned banks on Wednesday that the threat of digital heists is on the rise as hackers use increasingly sophisticated tools and techniques to launch new attacks. "Adversaries have advanced their knowledge," SWIFT said in a 16-page report co-written with BAE Systems Plc's cyber security division. "No system can be assumed to be totally infallible, or immune to attack." SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public. The new report described an attack on an unidentified bank. Hackers spent several months inside the network of one customer, preparing for the eventual attack by stealing user credentials and monitoring the bank's operations using software that recorded computer keystrokes and screenshots, the report said. When they launched the attack in the middle of the night, the hackers installed additional malware that let them modify messaging software so they could bypass protocols for confirming the identity of the computer's operator, according to the report. The hackers then ordered payments sent to banks in other countries by copying pre-formatted payment requests into the messaging software, according to the report. After the hackers ended the three-hour operation, they sought to hide their tracks by deleting records of their activity. They also tried to distract the bank's security team by infecting dozens of other computers with ransomware that locked documents with an encryption key, the report said. While SWIFT did not say how much money was taken, it said the bank quickly identified the fraudulent payments and arranged for the stolen funds to be frozen. [Polley: I've seen such attacks executed with painstaking attention-to-detail, nearly-perfectly scripted. Impressive, and scary.] top

- and -

NATO mulls 'offensive defense' with cyber warfare rules (Reuters, 30 Nov 2017) - The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019. The doctrine could shift NATO's approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology. The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails. In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data. Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns. * * * NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks. "The fictional scenarios are based on real threats," said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise. NATO's commanders will not develop cyber weapons of their own, but allied defense ministers agreed last month that NATO commanders can ask member nations to allow them to use those nations' cyber weapons. top

Facebook's new captcha test: 'Upload a clear photo of your face' (Wired, 28 Nov 2017) - Facebook may soon ask you to "upload a photo of yourself that clearly shows your face," to prove you're not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: "Please upload a photo of yourself that clearly shows your face. We'll check it and then permanently delete it from our servers." In a statement to WIRED, a Facebook spokesperson said the photo test is intended to "help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads." The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique. The Facebook spokesperson said the photo test is one of several methods, both automated and manual, used to detect suspicious activity. The company declined to share details to prevent the system from being manipulated. Suspicious activity might include someone who consistently posts from New York and then starts posting from Russia. Facial technology is increasingly common, such as the use of Apple Face ID to authenticate users on iPhone X. A since-deleted screenshot from Twitter seemed to indicate that users are locked out of their accounts while the photo is being verified. A message said, "You Can't Log In Right Now. We'll get in touch with you after we've reviewed your photo. You'll now be logged out of Facebook as a security precaution." Facebook users who suspect their account has been compromised can go to Facebook.com/hacked. The company would not say when it started using the technique, but in a post on Reddit users reported getting the same prompt in April. The new authentication scheme is the second in recent weeks that relies on photos. Earlier this month, Facebook asked users to upload nude photos to Facebook Messenger, as part of an effort to prevent revenge porn. Facebook said it would use the nude photos to create a digital fingerprint against which to compare future posts. Facebook said the photos are hashed and then deleted from its servers. [Polley: Orwell.] top

Heightened security risks dictate a proactive corporate board (Security Info Watch, 1 Dec 2017) - * * * Despite the impact that data breaches and other types of cyber-attacks continue to have on all kinds of organizations, Jim Pflaging, principal, technology sector and strategy practice lead at security and risk management advisory firm The Chertoff Group, says the level of involvement many boards have today when it comes to addressing cybersecurity issues is really a mixed bag. Pflaging, who serves on the board of several technology companies himself and as a board advisor to several others, says that The Chertoff Group set out last year to get a better understanding about the state of maturity in cybersecurity conversations at the board level and subsequently interviewed over 100 leading executives across three different continents in companies ranging in size from Fortune 500 organizations to small, private firms. What they found, according to Pflaging, was a "tale of two cities." "The first (group) was the good news and that was Fortune 500 (companies) in what people would call critical infrastructure - transportation, utilities, finance, healthcare and some tech (firms) - they said, 'yeah, we've been talking about cybersecurity for years. It is a mature conversation, we talk about it from a risk point of view and, in some cases, it is beyond risk and in the overall business continuity discussion,'" Pflaging says. "The second group was largely everybody else and this was not a pretty picture. This resonated with me because it reflected the boards that I am on and that is that cyber is rarely or never on the agenda and if it is on the agenda, it's in response to a breach. The state of the conversation was there really wasn't one." Pflaging says that many of these executives from the first group had learned about cybersecurity mostly from other boards but from personal stories as well. Those board members in the second group reported being confused about exactly what their roles should be as directors when it comes to cybersecurity and what questions they should be asking. top

It's gonna get a lot easier to break science journal paywalls (Wired, 3 Dec 2017) - * * * Today, even though you can't access Scholar directly from the Google-prime page, it has become the internet's default scientific search engine, even more than once-monopolistic Web of Science, the National Institutes of Health's PubMed, and Scopus, owned by the giant scientific publisher Elsevier. But most science is still paywalled. More than three quarters of published journal articles (114 million on the World Wide Web alone, by one lowball estimate) are only available if you are affiliated with an institution that can afford pricey subscriptions or you can swing $40-per-article fees. In the last several years, though, scientists have made strides to loosen the grip of giant science publishers. They skip over the lengthy peer review process mediated by the big journals and just … post. Review comes after. The paywall isn't crumbling, but it might be eroding. The open science movement, with its free distribution of articles before their official publication, is a big reason. Another reason, though, is stealthy improvement in scientific search engines like Google Scholar, Microsoft Academic, and Semantic Scholar: web tools increasingly able to see around paywalls or find articles that have jumped over. Scientific publishing ain't like book publishing or journalism. In fact, it's a little more like music, pre-iTunes, pre-Spotify. You know, right about when everyone started using Napster. * * * top

Stanford lied about business school scholarships (InsideHigherEd, 4 Dec 2017) - A breach of confidential data has indicated that the Stanford University Graduate School of Business has been publicly misrepresenting how it awards scholarships. The business school's website, for years, said that "all fellowships are need based," referring to scholarships. A student, Adam Allcock, recently found out that anyone in the business school had access to confidential data. He alerted the school to inform officials of the security flaw, but also downloaded the data and ran an analysis that showed that scholarship awards are not, in fact, need based. "The [Graduate School of Business] secretly ranks students as to how valuable (or replaceable) they were seen, and awarded financial aid on that basis," Allcock wrote in an 88-page report describing his analysis. "Not only has the GSB also been systematically discriminating by gender, international status and more while lying to their faces for the last 10 to ~25 years." Poets & Quants, an outlet that specializes in business school rankings and news, broke the story. The San Francisco Chronicle noted that the school has not disputed the report's findings, and that this isn't the only data breach Stanford has had in recent months. The school has since admitted that even though it claimed not to award scholarships based on merit, it "has offered additional fellowship awards to candidates whose biographies make them particularly compelling and competitive in trying to attract a diverse class." Women and those with backgrounds in finance were often favored for scholarship money, even if they had more ability to pay for tuition than others. In some cases, according to the report, scholarships could be three times larger between two different students with identical financial need. 
The secretive scholarship promise might explain why Stanford graduates perform so well, according to Poets & Quants: the school, for example, sends more students into venture capital and private-equity jobs than Wharton, Chicago Booth, Columbia or Harvard. "Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any M.B.A. program in the world," Poets & Quants wrote. "That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds." top

Independent factual research by judges via the internet (ABA Formal Opinion 478, 8 Dec 2017) - Easy access to a vast amount of information available on the Internet exposes judges to potential ethical problems. Judges risk violating the Model Code of Judicial Conduct by searching the Internet for information related to participants or facts in a proceeding. Independent investigation of adjudicative facts generally is prohibited unless the information is properly subject to judicial notice. The restriction on independent investigation includes individuals subject to the judge's direction and control. top

RESOURCES

A Legal Anatomy of AI-generated Art: Part I (Harvard Journal of Law & Technology, 21 Nov 2017) - Abstract: This Comment is the first in a two-part series on how lawyers should think about art generated by artificial intelligences, particularly with regard to copyright law. This first part charts the anatomy of the AI-assisted artistic process. The second Comment in the series examines how copyright interests in these elements interact and provides practice tips for lawyers drafting license agreements or involved in disputes around AI-generated artwork: "Advanced algorithms that display cognition-like processes, popularly called artificial intelligences or "AIs," are capable of generating sophisticated and provocative works of art.[1] These technologies differ from widely-used digital creation and editing tools in that they are capable of developing complex decision-making processes, leading to unexpected outcomes. Generative AI systems and the artwork they produce raise mind-bending questions of ownership, from broad policy concerns[2] to the individual interests of the artists, engineers, and researchers undertaking this work. Attorneys, too, are beginning to get involved, called on by their clients to draft licenses or manage disputes. The Harvard Law School Cyberlaw Clinic at the Berkman Klein Center for Internet & Society has recently developed a practice in advising clients in the emerging field at the intersection of art and AI. We have seen for ourselves how attempts to negotiate licenses or settle disputes without a common understanding of the systems involved may result in vague and poorly understood agreements, and worse, unnecessary conflict between parties. More often than not, this friction arises between reasonable parties who are open to compromise, but suffer from a lack of clarity over what, exactly, is being negotiated. In the course of solving such problems, we have dissected generative AIs and studied their elements from a legal perspective. 
The result is an anatomy that forms the foundation of our thinking-and our practice-on the subject of AI-generated art. When the parties to an agreement or dispute share a common vocabulary and understanding of the nature of the work, many areas of potential conflict evaporate. This Comment makes that anatomy available to others, in the hopes that it will facilitate productive negotiations and clear, enforceable agreements for others involved in AI-related art projects. We begin by clarifying what we mean by AI-generated art, distinguishing it from art that is created by humans using digital creation and editing software. Next, we describe four key elements that make up the anatomy of a generative AI. We go into detail on each element, providing plain-language explanations that are comprehensible even to those without a technical background. We conclude with a brief preview of the second Comment in this series, which will delve into how we think about the application of copyright law in this context, including the questions of ownership that arise as to each element, and provide some practical insights for negotiating agreements in the context of AI-generated art. * * *" top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Army squeezes soldier blogs, maybe to death (Wired, 2 May 2007) -- The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops' online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. "This is the final nail in the coffin for combat blogging," said retired paratrooper Matthew Burden, editor of The Blog of War anthology. "No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- its most honest voice out of the war zone. And it's being silenced." Army Regulation 530--1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to "consult with their immediate supervisor" before posting a document "that might contain sensitive and/or critical information in a public forum." The new version, in contrast, requires "an OPSEC review prior to publishing" anything -- from "web log (blog) postings" to comments on internet message boards, from resumes to letters home. Active-duty troops aren't the only ones affected by the new guidelines. 
Civilians working for the military, Army contractors -- even soldiers' families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military's restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don't have access to the site. Even those able to get in are finding their access is blocked to that particular file. top

In trade ruling, Antigua wins a right to piracy (New York Times, 22 Dec 2007) - In an unusual ruling on Friday at the World Trade Organization, the Caribbean nation of Antigua won the right to violate copyright protections on goods like films and music from the United States - an award worth up to $21 million - as part of a dispute between the countries over online gambling. The award follows a W.T.O. ruling that Washington had wrongly blocked online gambling operators on the island from the American market at the same time it allowed online wagering on horse racing. Antigua and Barbuda had claimed damages of $3.44 billion a year. That makes the relatively small amount awarded Friday, $21 million, something of a setback for Antigua, which had been struggling to preserve its gambling industry. The United States argued that its behavior had caused $500,000 damage. Yet the ruling is significant in that it grants a rare form of compensation: the right of one country, in this case Antigua, to violate intellectual property laws of another - the United States - by allowing it to distribute copies of American music, movie and software products. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, November 18, 2017

MIRLN --- 29 Oct - 18 Nov 2017 (v20.16)

MIRLN --- 29 Oct - 18 Nov 2017 (v20.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

ANNOUNCEMENTS | NEWS | RESOURCES | DIFFERENT | LOOKING BACK | NOTES

ANNOUNCEMENT

The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ (get a 10% discount with code 2ECYBERTF10). Below, an ABA story on the Handbook:

Updated ABA cybersecurity handbook helps lawyers protect sensitive client information from hackers (ABA, 1 Nov 2017) - Cybersecurity breaches in law firms have made headlines and clients are asking questions about lawyers' and firms' security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca Law Firm in April 2016 to the WannaCry and Petya ransomware attacks, which led to a work outage at DLA Piper in June 2017, it is imperative that attorneys understand their obligations and the potential risk of inadequate information security practices to their practices and their clients. "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business, Second Edition" is an updated edition of the handbook that expands on many of the issues raised in the 2013 first edition, while highlighting the extensive changes in the current cybersecurity environment. It is co-edited by cybersecurity legal experts Jill D. Rhodes, chief information security officer at Option Care and former senior executive with the intelligence community; and Robert S. Litt, counsel, Morrison & Foerster and former general counsel of the Office of the Director of National Intelligence. This new edition will enable lawyers and law firms to identify potential cybersecurity risks and prepare a response in the event of an attack. It addresses the current overarching threat as well as ethical issues and special considerations for law firms of all sizes. It also includes the most recent ABA Ethics Opinions and illustrates how to approach the subject of cybersecurity threats and issues with clients, as well as when and how to purchase and use cyber insurance. Rhodes and Litt will deliver a book talk at noon on Dec. 8 at the Army Navy Club - click here for information on how to register. top

NEWS

How Facebook, Google and Twitter 'embeds' helped Trump in 2016 (Politico, 26 Oct 2017) - Facebook, Twitter and Google played a far deeper role in Donald Trump's presidential campaign than has previously been disclosed, with company employees taking on the kind of political strategizing that campaigns typically entrust to their own staff or paid consultants, according to a new study released Thursday. The peer-reviewed paper, based on more than a dozen interviews with both tech company staffers who worked inside several 2016 presidential campaigns and campaign officials, sheds new light on Silicon Valley's assistance to Trump before his surprise win last November. While the companies call it standard practice to work hand-in-hand with high-spending advertisers like political campaigns, the new research details how the staffers assigned to the 2016 candidates frequently acted more like political operatives, doing things like suggesting methods to target difficult-to-reach voters online, helping to tee up responses to likely lines of attack during debates, and scanning candidate calendars to recommend ad pushes around upcoming speeches. Such support was critical for the Trump campaign, which didn't invest heavily in its own digital operations during the primary season and made extensive use of Facebook, Twitter and Google "embeds" for the general election, says the study, conducted by communications professors from the University of North Carolina at Chapel Hill and the University of Utah. The companies offered such services, without charge, to all the 2016 candidates, according to the study, which details extensive tech company involvement at every stage of the race. But Hillary Clinton's campaign declined to embed the companies' employees in her operations, instead opting to develop its own digital apparatus and call in the tech firms to help execute elements of its strategy. 
"Facebook, Twitter, and Google [went] beyond promoting their services and facilitating digital advertising buys," the paper concludes, adding that their efforts extended to "actively shaping campaign communications through their close collaboration with political staffers." top

- and -

How Russian trolls got into your Facebook feed (WaPo, 1 Nov 2017) - Americans are getting our first glimpse of how we got played. On Wednesday, Congress released some of the 3,000 Facebook ads and Twitter accounts created by Russian operatives to sway American voters. You can explore them in an analysis the Post published here. These disturbing messages, seen by up to 126 million Americans, raise thorny questions about Silicon Valley's responsibility for vetting the information it publishes. Beyond Washington, it leaves all of us who use social media to keep up with friends, share photos and follow news wondering: How'd the Russians get to me? The short answer is Silicon Valley made it very easy. Facebook's top lawyer told Congress on Wednesday the Russian effort was "fairly rudimentary." Here's what he meant: Ever notice a Facebook ad that's eerily relevant to something you've been talking about? Had an ad for a pair of sneakers follow you around the Internet for a week? Or seen an ad that says your friend "liked" it? * * * You were in Russia's crosshairs if you liked the Facebook page of Donald Trump or Hillary Clinton. Same goes for people who said they were fans of Martin Luther King, Jr. Russians even targeted people who shared enough stuff about the South that Facebook tagged them as being interested in "Dixie." top

- and -

Manipulating social media to undermine democracy (Freedom House, Nov 2017) - Key Findings: (1) Online manipulation and disinformation tactics played an important role in elections in at least 18 countries over the past year, including the United States; (2) Disinformation tactics contributed to a seventh consecutive year of overall decline in internet freedom, as did a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media; (3) A record number of governments have restricted mobile internet service for political or security reasons, often in areas populated by ethnic or religious minorities. * * * Russia's online efforts to influence the American election have been well documented, but the United States was hardly alone in this respect. Manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens' ability to choose their leaders based on factual news and authentic debate. Although some governments sought to support their interests and expand their influence abroad-as with Russia's disinformation campaigns in the United States and Europe-in most cases they used these methods inside their own borders to maintain their hold on power. top

Days after activists sued, Georgia's election server was wiped clean (ArsTechnica, 26 Oct 2017) - A server and its backups, believed to be key to a pending federal lawsuit filed against Georgia election officials, were thoroughly deleted, according to e-mails recently released under a public records request. Georgia previously came under heavy scrutiny after a researcher discovered significant problems with his home state's voting system. A lawsuit soon followed in state court, asking the court to annul the results of the June 20 special election for Congress and to prevent Georgia's existing computer-based voting system from being used again. The case, Curling v. Kemp, was filed in Fulton County Superior Court on July 3. As the Associated Press reported Thursday, the data was initially destroyed on July 7 by the Center for Elections Systems at Kennesaw State University, the entity tasked with running the Peach State's elections. The new e-mails, which were sent by the Coalition for Good Governance to Ars, show that Chris Dehner, one of the Information Security staffers, e-mailed his boss, Stephen Gay, to say that the two backup servers had been "degaussed three times." * * * According to the AP, the FBI made a forensic image of the relevant server in March 2017 as part of its investigation. Atlanta FBI spokesman Stephen Emmett "would not say whether that image still exists." Neither Emmett nor the FBI field office in Atlanta immediately responded to Ars' request for comment. top

Law firms fail on cybersecurity, and corporate clients are cracking down (LegalTechNews, 26 Oct 2017) - Law firm technology services group LogicForce recently released its quarterly report card on law firm cybersecurity, giving the legal industry a score of only 42 percent on its cybersecurity health. The most recent scorecard aggregated data from client surveys at more than 300 law firms of various sizes. Scores were generated based on the number of firms who reported implementing 12 different factors set forth by LogicForce: information security executives, cybersecurity policies, multifactor authentication, cyber training, cyber insurance, penetration and vulnerability testing, third-party risk assessments, records management policies, cyber investment, full disk encryption, data loss prevention services, and third-party penetration testing. Each factor was weighted differently. The scorecard's most heavily weighted factor was the presence of an information security executive, a position filled at only 38 percent of surveyed law firms. * * * The report also noted that corporate law firm clients are beginning to crack down harder on their outside counsel for their failure to meet cybersecurity standards. The report found that 48 percent of law firms surveyed had their data security practices subjected to an audit by a corporate client in the last year. top

- and -

Corporate legal's new cybersecurity role: First risk responders (Corporate Counsel, 7 Nov 2017) - As corporations devote more attention to cybersecurity, many are expanding the legal department's role to cover tasks like third-party risk management. But according to Grant Thornton's "2017 Corporate General Counsel Survey" of over 190 general counsel, that's far from where their cybersecurity responsibility ends. Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations' data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events were their "primary responsibility," up from 11 percent in 2015. Of course, it wasn't always this way. "When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives," said Johnny Lee, principal and forensic technology practice leader for Grant Thornton's Forensic Advisory Services. But as "breaches become more prevalent and as they represent more downstream risk-regulatory and litigation exposure, for example-we've seen a shift to legal departments taking the helm on the response," he said. In light of legal repercussions of cybersecurity incidents, he added, the legal department's participation in risk response can be an asset given the umbrella of attorney-client privilege. Depending on the nature and extent of a breach, such privilege may need "to be attached early if it's going to be invoked, and may need to be managed carefully if it's going to be protected and preserved." Lee cautioned, however, that the legal department's cybersecurity role "doesn't necessarily mean they're inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there." top

- and -

Ok, we get technology competence, but how do we get technologically competent? (Above The Law, Bob Ambrogi, 6 Nov 2017) - By now, you've probably heard of the duty of technology competence. As more and more states adopt it, more and more articles get written about it, and more and more CLEs get presented about it. But the focus of all this is largely on the nature and scope of the duty. One aspect we hear little about is how lawyers can get and remain technologically competent. There are no easy answers to that question. Florida has taken the most dramatic step, not only mandating tech competence but also mandating technology training. The first and only state to do this, Florida requires that lawyers complete three hours of CLE every three years in approved technology programs. Another option for law firms and legal departments seeking to promote technology competence is the Legal Technology Assessment developed by Casey Flaherty and his company Procertas. The LTA assesses legal professionals' proficiency with the basic technology tools they use every day - Word, Excel, and PDF - and provides training on tasks in which they are deficient. Now, there is further progress. The past week brought news of two more initiatives that should further promote technology competence among legal professionals. One is online training for lawyers in legal innovation and technology, the other an index tracking how well law schools are preparing students to deliver legal services in the 21st Century. * * * top

Can algorithms send you to prison? Apparently, yes. (Ride The Lightning, 1 Nov 2017) - The New York Times reported in an opinion piece last week on a fascinating and disturbing story. In 2013, police officers in Wisconsin arrested Eric Loomis, who was driving a car that had been used in a recent shooting. He pleaded guilty to attempting to flee an officer, and no contest to operating a vehicle without the owner's consent. Neither of his crimes mandated prison time. But at Mr. Loomis's sentencing, the judge cited, among other factors, Mr. Loomis's high risk of recidivism as predicted by a computer program called COMPAS, a risk assessment algorithm used by the state of Wisconsin. The judge denied probation and prescribed an 11-year sentence - six years in prison, plus five years of extended supervision. No one knows exactly how COMPAS works; its manufacturer won't disclose the proprietary algorithm. We only know the final risk assessment score, which judges may consider at sentencing. Loomis challenged the use of an algorithm as a violation of his due process rights to be sentenced individually, and without consideration of impermissible factors like gender or race. The Wisconsin Supreme Court rejected his challenge. In June, the United States Supreme Court declined to hear his case, meaning a majority of justices effectively condoned the algorithm's use. This may have far-reaching effects. Why are we allowing a computer program, into which no one in the criminal justice system has any insight, to play a role in sending a man to prison? The author of the op-ed piece asked that question - and so do I. Wisconsin is one of several states using algorithms in the sentencing process. * * * top

Oil States amicus briefs seek to stabilize IPR constitutional footing (Patently-O, 1 Nov 2017) - As per usual, the briefs are largely divisible into two categories: (1) direct merits arguments focusing on congressional power to enact the IPR regime; and (2) policy briefs arguing that IPRs do important work. I'll note here that the focus of the policy briefs is on efficient and timely adjudication. I have not seen any of the briefs so far that recognize the third reality - that the PTAB is invalidating patents that would have been upheld by a court. For some reason amici consider it appropriate to identify court failures in efficiency but not to identify failures in the substantive decisionmaking. The closest on-point is likely Apple's Brief which promotes the "well-informed and correct" outcomes of the PTAB (16-712bsacAppleInc). Overall, the collection of briefs here is quite strong. The most compelling brief in my view is that filed by the well-known team of Duffy and Dabney on behalf of several groups, including the Internet Association. They write: * * * [ Polley : Fairly arcane, but absolutely fascinating set of historical analyses, getting to the very fundamentals of US IPR jurisprudence.] top

What does a Director of Knowledge Management for a legal firm do? (KnoCo, 2 Nov 2017) - This month there were two "Director of KM" jobs advertised on LinkedIn. Let's see what this job entails. "Knowledge Management" is a poorly defined term, and Knowledge Management jobs can range from low level data-entry clerks to high level strategic posts, and anything in between. However when you see "Director of Knowledge Management" vacancies, that tells you that this is a high level post. One of these advertised vacancies gives few details of the post, but the second, from CMS (the legal firm), gives a full list of responsibilities and characteristics. These are listed below * * * top

New federal cybersecurity regulations force colleges to strengthen data management (EdScoop, 2 Nov 2017) - A new set of federal regulations is forcing colleges and universities to tighten their cybersecurity practices, which will require changes in the way colleges manage their data, according to a new report. Higher education institutions will have to fulfill new contractual obligations to maintain federal grants, research contracts and other transactions in which the institutions receive data from the federal government, according to the report, issued by Deloitte's Center for Higher Education Excellence and nonprofit EDUCAUSE. In 2016, the U.S. Department of Education signaled it would make colleges comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of "controlled unclassified information." The first compliance deadline schools have to meet is Dec. 31. "Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required." According to the report, while higher education CIOs and CISOs are aware of the new standard, "this awareness hasn't necessarily translated into progress." "Many institutions are still working out how to get started and get everyone on board," the report says. "Other institutions, notably those that receive significant defense research funding, are much further down the path." 
Colleges will have to overcome many existing challenges in order to fulfill the requirements, according to experts at Deloitte and EDUCAUSE. And those challenges go beyond just technological problems. They also encompass organizational change management, training, end-user adoption and process controls. Specific challenges outlined in the report include a lack of executive and board-level attention on NIST's regulations. top

35 states and DC back bid to collect online sales taxes (USA Today, 3 Nov 2017) - Thirty-five state attorneys general and the District of Columbia this week signed on to support South Dakota's legal bid to collect sales taxes from out-of-state Internet retailers. South Dakota is asking the U.S. Supreme Court to review whether retailers can be required to collect sales taxes in states where they lack a physical presence. The case could have national implications for e-commerce. South Dakota Attorney General Marty Jackley said in a statement Thursday that Colorado filed a friend-of-the-court brief supporting South Dakota's petition to the high court. The state is seeking to overturn legal rulings issued mostly before the online shopping boom that hamstring officials who want to collect sales taxes from out-of-state retailers. States have pushed Congress to address the issue without success, and one estimate put the loss to states at roughly $26 billion in 2015. South Dakota estimates it loses about $50 million annually to e-commerce. "The problem with the physical-presence rule is that it was first conceived of in 1967, two years before the moon landing and decades before the first retail transaction occurred over the Internet," according to the brief. Some companies such as Amazon have decided to collect state sales taxes despite the precedent. South Dakota legislators passed a law last year requiring collection of the tax. The law was struck down in September by the state Supreme Court due to precedent. The state had welcomed the defeat so it could try to get the U.S. Supreme Court to take up the case. top

US Court sides with Google against Canadian de-indexing order (ZDnet, 3 Nov 2017) - A US federal court on Friday issued a preliminary injunction against a Canadian Supreme Court ruling, which asked Google to de-index certain search results not just in Canada but on a global basis. The Canadian ruling "undermines the policy goals of Section 230 [of the US Communications Decency Act] and threatens free speech on the global internet," wrote Judge Edward Davila of the US District Court for Northern California. The ruling pertains to the case Google v. Equustek, which started with a 2011 complaint from the company Equustek Solutions. The British Columbia firm charged that a group of Equustek distributors (known as the Datalink defendants) were selling counterfeit Equustek products online. Datalink continued to sell these goods globally, even after the court ordered it to stop, prompting Equustek to ask Google to intervene. Google initially de-indexed 345 specific webpages associated with Datalink on google.ca. Equustek then sought an injunction to stop Google from displaying any part of the Datalink websites on any of its search results worldwide. A lower court granted the injunction, and the Canadian Supreme Court upheld it. The ruling's global implications elicited concern from freedom of speech advocates. Google asked the US District Court for Northern California to intervene, arguing that Canada's ruling was "repugnant" to the rights established by the First Amendment and the Communications Decency Act. Furthermore, the company said it "violates principles of international comity, particularly since the Canadian plaintiffs never established any violation of their rights under U.S. law." Now that the US District Court has intervened, Google can seek a permanent injunction and ask the Canadian court to modify its original order, according to the Electronic Frontier Foundation. top

TSA plans to use face recognition to track Americans through airports (EFF, 9 Nov 2017) - The "PreCheck" program is billed as a convenient service to allow U.S. travelers to "speed through security" at airports. However, the latest proposal released by the Transportation Security Administration (TSA) reveals the Department of Homeland Security's greater underlying plan to collect face images and iris scans on a nationwide scale. DHS's programs will become a massive violation of privacy that could serve as a gateway to the collection of biometric data to identify and track every traveler at every airport and border crossing in the country. Currently TSA collects fingerprints as part of its application process for people who want to apply for PreCheck. So far, TSA hasn't used those prints for anything besides the mandatory background check that's part of the process. But this summer, TSA ran a pilot program at Atlanta's Hartsfield-Jackson Airport and at Denver International Airport that used those prints and a contactless fingerprint reader to verify the identity of PreCheck-approved travelers at security checkpoints at both airports. Now TSA wants to roll out this program to airports across the country and expand it to encompass face recognition, iris scans, and other biometrics as well. [ Polley : "contactless fingerprint reader?!?"] While this latest plan is limited to the more than 5-million Americans who have chosen to apply for PreCheck, it appears to be part of a broader push within the Department of Homeland Security (DHS) to expand its collection and use of biometrics throughout its sub-agencies. For example, in pilot programs in Georgia and Arizona last year, Customs and Border Protection (CBP) used face recognition to capture pictures of travelers boarding a flight out of the country and border and compared those pictures to previous recorded photos from passports, visas, and "other DHS encounters."
In the Privacy Impact Assessments (PIAs) for those pilot programs, CBP said that, although it would collect face recognition images of all travelers, it would delete any data associated with U.S. citizens. But what began as DHS's biometric travel screening of foreign citizens morphed, without congressional authorization , into screening of U.S. citizens, too. Now the agency plans to roll out the program to other border crossings, and it says it will retain photos of U.S. citizens and lawful permanent residents for two weeks and information about their travel for 15 years. It retains data on "non-immigrant aliens" for 75 years. top

Equifax profit falls as hacking costs take toll (Reuters, 9 Nov 2017) - Equifax Inc (EFX.N) on Thursday reported lower quarterly profit, and quarterly revenue missed estimates, as the credit bureau warned that its massive data breach had prompted some customers to hold back business. The breach, which compromised sensitive data of 145.5 million people, has harmed the company's reputation and prompted investigations in every U.S. state, a federal criminal probe and hundreds of lawsuits. Equifax said it was not possible to estimate how much it would cost the company to respond to the probes and litigation. The Atlanta-based company said it recorded $87.5 million in expenses related to the hack during the quarter, including legal fees, investigation of the breach, and free credit monitoring for U.S. consumers whose data was exposed in the breach. Equifax estimated a range of additional costs between $56 million and $110 million to continue providing the free services. The company warned there could be further attacks. "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again," it said in a quarterly filing with the Securities and Exchange Commission. top

- and -

Equifax looks to in-house lawyer to 'build a new future' after massive breach (Law.com, 14 Nov 2017) - As Equifax Inc. continues to face fallout from the massive data breach announced earlier this year, the consumer credit reporting company has selected one of its in-house attorneys to oversee its response to the disaster. Taking on this role is Julia Houston, whose official title is chief transformation officer. Along with leading the company through the aftermath of the breach, Houston will coordinate Equifax's efforts to "build a new future," according to the company's corporate leadership page. In response to a request for comment on Houston's role and on the timing of her appointment, an Equifax spokesperson said: "Equifax's top priorities are to improve service for consumers and to continue to strengthen our company's security capabilities. We have revised our corporate structure to address both of these areas and have created a Chief Transformation Officer who reports directly to the CEO." The spokesperson added that Houston was appointed to this role in October. Houston joined Equifax in October 2013 and was most recently senior vice president of U.S. legal, where she led Equifax's legal team supporting three businesses in the United States. She previously held the general counsel title at customer management company Convergys Corp. and energy company Mirant Corp. Prior to that, Houston was an in-house attorney at Delta Air Lines Inc. top

Alphabet's Project Loon delivers internet service to 100,000 people in Puerto Rico (The Verge, 9 Nov 2017) - Alphabet's Project Loon, which last month partnered with AT&T and T-Mobile to bring LTE connectivity to disaster-stricken Puerto Rico, says its helium air balloons have delivered internet to 100,000 residents on the island. A significant portion of Puerto Rico, still struggling to recover from the effects of Hurricane Maria, is still without cell tower reception, with the Federal Communications Commission reporting earlier today that nearly 44 percent of Puerto Rico cell sites are still out of service. Loon deployed balloons in late October in what was its fastest-ever deployment in an effort to help residents get back online as soon as possible. While 100,000 is an impressive metric on its own, Puerto Rico is an island of nearly 3.5 million people. A map released today by the FCC shows that a vast majority of the island's counties still have between 20 and 60 percent of cell towers out of service. Only four counties are reporting only 1 to 20 percent of cell sites out of service, while another four counties have more than 80 percent of their cell sites down. So while Loon is certainly helping Puerto Rico's government get more residents online, there's a lot of infrastructure work to be done to get the entire island back online and in contact with the rest of the world. top

Copyright exceptions for libraries widespread, study at WIPO shows, but disharmony persists (IP Watch, 15 Nov 2017) - Nobody among members of the World Intellectual Property Organization disputes the importance of the public services provided by libraries and archives. However, positions are different when it comes to providing exceptions to copyright to those entities so they can continue to dispense their services, in particular in the digital age. An updated study presented today in a WIPO committee shows that most countries have exceptions relating to libraries, but termed in very different ways, and are hesitant on how to deal with digital technologies. Prof. Kenneth Crews, former director of the copyright advisory office at Columbia University (US) and now an attorney at Gipson, Hoffman & Pancione in Los Angeles, today presented the latest version [pdf] of his original 2008 study, already updated in 2014 and in 2015, during the 35th session of the WIPO Standing Committee on Copyright and Related Rights, taking place from 13-17 November. According to Crews, since 2015, a number of countries have revised their copyright laws and the exceptions they provide to libraries and archives, which, he said, serves as a reminder that this is a dynamic issue. The study covers all 191 WIPO member states and found that 161 of those have at least one provision in their copyright statutes that explicitly applies to libraries or archives. Crews describes four types of exception: type 1 with no library exception (28); type 2 with a general library exception (21); type 3 with specific library exceptions; and type 4 providing for anti-circumvention exemptions. Compared to the last version of the study, fewer countries have no exception, and fewer countries are relying on general exception, Crews said. 
Specialised exceptions, which constitute the largest share of countries, include preservation and replacement, private study and research, making available on the premises, document delivery, and copy machines in the library. As an example, Crews said 102 member states have an exception for preservation, 98 for replacement, and 105 for private study and research. Crews described the influence of several models in current copyright laws, such as the British Copyright Act, which provides multiple provisions such as for preservation and research. He also cited the Bangui Agreement, which also provides clear rules for preservation and research, and the 2001 Information Society Directive and the 2012 Orphan Works Directive of the European Union, which he said have influenced some 14 countries outside of the EU. top

Guide to cybersecurity due diligence worth reading (NY Law Journal, 15 Nov 2017) - On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target's cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals. With billions of M&A dollars at stake, there is a need to clear the windshield. Ronald [sic] Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets. Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs. Throughout the book's thirteen chapters, it explains how an acquirer can properly assess a target's cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks. Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author. * * * More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target's cybersecurity risk, this book helps control the fire. 
[ Polley : It's Tom Smedinghoff, not Ronald. Excellent resource, and quite positive review.] top

RESOURCES

Liability for Providing Hyperlinks to Copyright-Infringing Content: International and Comparative Law Perspectives (Columbia, 12 Nov 2017) - Abstract: "Hyperlinking, at once an essential means of navigating the Internet, but also a frequent means to enable infringement of copyright, challenges courts to articulate the legal norms that underpin domestic and international copyright law, in order to ensure effective enforcement of exclusive rights on the one hand, while preserving open communication on the Internet on the other. Several recent cases, primarily in the European Union, demonstrate the difficulties of enforcing the right of communication to the public (or, in US copyright parlance, the right of public performance by transmission) against those who provide hyperlinks that effectively deliver infringing content to Internet users. This article will first address the international norms that domestic laws of states member to the multilateral copyright agreements must implement. It next will explore how two of the most significant regional or national copyright regimes, the EU and the US, have coped with the question of linking, and then will consider the relationship of the emerging approaches to copyright infringement with national and regional laws instituting limited immunity for copyright infringements committed by internet service providers. We will conclude with an assessment of the extent to which the outcomes under US and EU regimes, despite their apparently different approaches, in fact diverge." top

Preventing Data Breaches at Law Firms: Adapting Proactive, Management-Based Regulation to Law-Firm Technology (Arizona Law Review, Nov 2017) - Today, law firms of every size are relying on technology more than ever before. However, a firm's investment in securing its information systems pales in comparison to that of its corporate counterparts, leaving law-firm clients' data unnecessarily at risk. Although there has been a modest increase in regulation for firm management overall, law firms have largely ignored the threat of data breaches, failing to adhere to widely accepted information security standards. This lack of compliance has caused cyber criminals to shift their sights from the client to the vulnerable information security systems of law firms. This Note proposes a proactive, regulatory approach to establish a technology infrastructure in law firms, thus ensuring the protection of client information. [ Polley : Others also have proposed a prescriptive, regulatory approach; I'm unconvinced.] top

DIFFERENT

The digital ruins of a forgotten future (The Atlantic, Dec 2017) - Gidge Uriza lives in an elegant wooden house with large glass windows overlooking a glittering creek, fringed by weeping willows and meadows twinkling with fireflies. She keeps buying new swimming pools because she keeps falling in love with different ones. The current specimen is a teal lozenge with a waterfall cascading from its archway of stones. Gidge spends her days lounging in a swimsuit on her poolside patio, or else tucked under a lacy comforter, wearing nothing but a bra and bathrobe, with a chocolate-glazed donut perched on the pile of books beside her. "Good morning girls," she writes on her blog one day. "I'm slow moving, trying to get out of bed this morning, but when I'm surrounded by my pretty pink bed it's difficult to get out and away like I should." In another life, the one most people would call "real," Gidge Uriza is Bridgette McNeal, an Atlanta mother who works eight-hour days at a call center and is raising a 14-year-old son, a 7-year-old daughter, and severely autistic twins, now 13. Her days are full of the selflessness and endless mundanity of raising children with special needs: giving her twins baths after they have soiled themselves (they still wear diapers, and most likely always will), baking applesauce bread with one to calm him down after a tantrum, asking the other to stop playing "the Barney theme song slowed down to sound like some demonic dirge." One day, she takes all four kids to a nature center for an idyllic afternoon that gets interrupted by the reality of changing an adolescent's diaper in a musty bathroom. 
But each morning, before all that (before getting the kids ready for school and putting in eight hours at the call center, before getting dinner on the table or keeping peace during the meal, before giving baths and collapsing into bed), Bridgette spends an hour and a half on the online platform Second Life, where she lives in a sleek paradise of her own devising. Good morning girls. I'm slow moving, trying to get out of bed this morning. She wakes up at 5:30 to inhabit a life in which she has the luxury of never getting out of bed at all. What is Second Life? The short answer is that it's a virtual world that launched in 2003 and was hailed by some as the future of the internet. The longer answer is that it's a landscape full of goth cities and preciously tattered beach shanties, vampire castles and tropical islands and rainforest temples and dinosaur stomping grounds, disco-ball-glittering nightclubs and trippy giant chess games. In 2013, in honor of Second Life's tenth birthday, Linden Lab, the company that created it, released an infographic charting its progress: 36 million accounts had been created, and their users had spent 217,266 cumulative years online, inhabiting an ever-expanding territory that comprised almost 700 square miles. Many are tempted to call Second Life a game, but two years after its launch, Linden Lab circulated a memo to employees insisting that no one refer to it as that. It was a platform. This was meant to suggest something more holistic, more immersive, and more encompassing. * * * [ Polley : detailed story, worth reading. I haven't logged into SL for years; I may need to go back for another look.] top

Math student wins "Dance Your Ph.D." contest (InsideHigherEd, 6 Nov 2017) - Science sponsors an annual "Dance Your Ph.D." contest to highlight research and the importance of communicating findings in ways that help nonspecialists understand them. Below is the video of this year's winner, Nancy Scherich of the University of California, Santa Barbara. She studies topology, the study of geometry in which shape and size don't matter. Her focus is on braid theory, or "the rules that determine the unique representations of twists and knots in high-dimensional spaces." [ Polley : I'm guessing the math is real; the 9m dance video (with some subtitles) certainly is intriguing. Remember the string game "Cat's Cradle"?] top

LOOKING BACK

FTC issues online ad privacy guidelines (NBC News, 20 Dec 2007) - On the same day they cleared Google Inc.'s purchase of online advertiser DoubleClick, federal regulators said industry needs to be more transparent about how consumers' Web-surfing habits are tracked. The Federal Trade Commission on Thursday proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. "You shouldn't have to be a computer geek to protect your privacy," said Peter Swire, an Ohio State University law professor and senior fellow at the Center for American Progress, a liberal think tank. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top