Saturday, January 28, 2017

MIRLN --- 8-28 Jan 2017 (v20.02)

MIRLN --- 8-28 Jan 2017 (v20.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

Dems, civil libertarians blast fines for live-streaming on House floor (The Hill, 4 Jan 2017) - Civil libertarians are blasting new rules from House Republicans that would impose fines on lawmakers who take pictures or live-stream video on the House floor. The fines are intended to prevent a repeat of protests like the sit-in by House Democrats last year calling for gun control legislation after the mass shooting in an Orlando, Fla., nightclub. Democrats broadcast their sit-in on social media, including Periscope and Twitter, after GOP leadership cut the camera feed that was being aired by C-SPAN. Michael Macleod-Ball, a First Amendment attorney for the American Civil Liberties Union, called the new fines an overreaction. "Ultimately what harm was done?" Macleod-Ball said of Democrats broadcasting their sit-in, noting that the House floor is constantly being televised. "I just don't see that there's a huge justification for imposing this penalty," he added. "Adding the penalty is just one further step in the wrong direction. The original rule would have had some chilling effect, the rule with the penalty has a further chilling effect, and because of that we don't think it's a good idea." Before the fines, there were already existing rules against recording on the House floor, but lawmakers rarely faced any consequences for violating them before Tuesday. The new fines are part of a rules package that was opposed by the entire Democratic caucus and just three Republicans. It imposes a $500 fine on lawmakers for their first offense and a $2,500 fine for every subsequent violation. The money would be taken out of a member's salary.

FTC goes after D-Link for shoddy security in routers, cameras (Computer World, 5 Jan 2017) - The U.S. Federal Trade Commission is cracking down on D-Link for selling wireless routers and internet cameras that can easily be hacked, the regulator said Thursday. Thousands of consumers are at risk, the FTC said in a complaint filed against the Taiwanese manufacturer, charging D-Link with repeatedly failing to take reasonable measures to secure the products. The action comes as hackers have been hijacking poorly secured internet-connected products to launch massive cyberattacks that can force websites offline. Recently, a notorious malware known as Mirai has been found infecting routers, cameras, and DVRs built with weak default passwords. In D-Link's case, the company said its products are "easy to secure" and offer "advanced network security." But in reality, the devices contained preventable security flaws open to easy exploitation, the FTC alleged. Among those flaws were guessable login credentials embedded in D-Link camera software, using the word "guest" for both the username and password. In addition, D-Link also failed to patch vulnerabilities in the product software, including a command injection flaw that would have given hackers remote control over a device. "We can't say whether we will take action against similar companies," an FTC spokesman said on Thursday.
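The two flaw classes the complaint names, embedded credentials and command injection, are generic to embedded web administration. As an added example (not D-Link's code, and not drawn from the FTC complaint), here is the shape the command-injection flaw usually takes in a "diagnostic ping" handler, beside a hardened version. The function names, the handler itself and the sample form inputs are hypothetical and constructed for illustration:

```python
import ipaddress
import shlex

# Constructed inputs as a browser form would submit them to a hypothetical
# "diagnostic ping" page; the second is the classic injection payload.
BENIGN_INPUT = "192.0.2.10"
INJECTED_INPUT = "192.0.2.10; cat /etc/passwd"


def build_ping_command_unsafe(target):
    """The vulnerable pattern: the form value is concatenated into a shell string.
    In firmware this string goes straight to system() or popen(); here it is only
    returned so the example stays inert."""
    return "ping -c 4 " + target


def shell_command_count(command):
    """Count how many commands a POSIX shell would actually run for `command`,
    by tokenising the way the shell does and counting command separators.
    Covers ';', '|', '||', '&&' and '&'; backticks and $(...) are not handled."""
    tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in (";", "|", "||", "&&", "&"))


def build_ping_argv_safe(target):
    """Hardened version: accept only a syntactically valid IP literal, then build
    an argv list for execvp()/subprocess.run(argv) so no shell ever parses the
    value. Raises ValueError for anything else; the handler should answer 400."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError("rejected target: not an IP address")
    return ["ping", "-c", "4", str(addr)]


if __name__ == "__main__":
    for value in (BENIGN_INPUT, INJECTED_INPUT):
        cmd = build_ping_command_unsafe(value)
        print(f"{cmd!r} -> shell would run {shell_command_count(cmd)} command(s)")
        try:
            print("safe argv:", build_ping_argv_safe(value))
        except ValueError as exc:
            print("safe handler:", exc)
```

The point of the hardened version is that validation and argv construction are both needed: an allow-list check alone still leaves a shell in the path, and argv alone still lets an attacker pass arbitrary ping options. The same structure applies to any firmware page that shells out (traceroute, nslookup, log export).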

A few states now actually help you figure out if you've been hacked (Wired, 6 Jan 2017) - Thousands of US companies were hacked last year, and each time people's private data was taken. Was yours? You may not know because it's hard to keep track, much less do anything about it when there are so many incidents all the time. But if the data collected on breaches in the US were available to you, it would be a lot easier to check whether you've interacted with compromised businesses and institutions. That data exists. In fact, nearly every US state (47 to be exact) requires companies to disclose when a breach affects their citizens, and most track this data internally. That data is usually a public records request away from you, the consumer, who could actually use it to inform your digital habits. But recently a small group of states has decided to make breach information freely available to the public. This week, Massachusetts joined them. Massachusetts joins California, Indiana, and Washington in making this data public. The US Department of Health and Human Services has also collected and publicly posted information about patient data breaches since 2009. The HHS data collection is often referred to colloquially as the "Wall of Shame." For Massachusetts, the decision is a way to increase transparency.

A lawyer rewrote Instagram's terms of use 'in plain English' so kids would know their privacy rights (WaPo, 8 Jan 2017) - Members of "Generation Z" can spend up to nine hours a day sharing photos on Instagram, consuming "content" on YouTube and talking to friends on Snapchat. But how much do these teens understand what they've agreed to give up when they start an account with those sites? Probably very little, according to a report released last week - and dense terms and conditions that are "impenetrable and largely ignored" are partly to blame. "'Terms and conditions' is one of the first things you agree to when you come upon a site," Jenny Afia, a privacy lawyer and partner at Schillings law firm in London, told The Washington Post. "But of course no one reads them. I mean, most adults don't read them." Afia was a member of a "Growing Up Digital" task force group convened by the Children's Commissioner for England to study Internet use among teens and the concerns children might face as they grow up in the digital age. The group found more than a third of Internet users are younger than 18, with 12- to 15-year-olds spending more than 20 hours a week online. Most of those children have no idea what their privacy rights are, despite all of them agreeing to terms and conditions before starting their social media accounts, Afia said. The task force, which included experts from the public and private sector, worked for a year and released its report Wednesday. * * * The group ran Instagram's terms and conditions through a readability study and found that it registered at a postgraduate reading level, Afia said. She was tasked with rewriting the company's terms and conditions "in plain English." It took her several hours, she said. "It was doable," Afia said. "But it was quite taxing and definitely time-consuming." The simplified terms of service fit on a single page. * * *

George Washington University Law School launches the Cybersecurity Law Initiative (Lawfare, Orin Kerr, 9 Jan 2017) - I'm pleased to announce the launch of the Cybersecurity Law Initiative, of which I am the director, at George Washington University Law School. For years, GW Law has had strong faculty expertise and curricular offerings in cybersecurity law. We decided to bring that together with a formal initiative that includes affiliated scholars from elsewhere in the university. In the near term, the initiative will include a lecture series that is open to the public on topics of cybersecurity law and technology. It likely will host conferences in the field as well. In the long term, we may end up expanding to include research papers or perhaps a more formal educational component (possibly making cybersecurity law one of the specialty fields offered in GW's LLM program). For more details - including information about full scholarships available to study cybersecurity law at GW - see the website for the initiative: www.law.gwu.edu/cybersecurity. I'll announce future events for the initiative on the home page and on my Twitter feed. If there's a particularly interesting event, I may also flag it here on the blog.

Lessons for legal: Inside the cybertheft faced by two large firms (American Lawyer, 10 Jan 2017) - The fact that three Chinese nationals profited off of insider-trading information illicitly obtained through the hacking of two U.S.-based law firms is one of few known certainties in yet another successful instance of law firm cyberattacks. While the indictment from U.S. Attorney Preet Bharara of the Southern District of New York did not name the law firms infiltrated, The American Lawyer noted that based on the details in the indictment of the breached firms' involvement in specific mergers and acquisitions (M&A) deals, it can be surmised that the firms are Cravath, Swaine & Moore and Weil, Gotshal & Manges. * * * In the case of the M&A hacks outlined in the indictment, once inside the law firms' servers, cyberattackers planted malware in the network, and extracted sensitive M&A data to their possession, sometimes in large tranches. The indictment notes, for example, that "more than 40 gigabytes of data" was taken from one law firm "over the course of at least eight days." Such theft was possible, Rasmussen explained, because it is not uncommon to see law firms unequipped to notice such large data transfer activity in their network. "Network monitoring is a mostly proactive security control that retains a lot of data and requires a large amount of human capital to digest, triage and analyze," he said, adding that this may be too much of a cost for legal to shoulder. "Many law firms still must consider the cost benefit of enlarging their internal resources to throw at a potential problem, instead of a known problem, as some firms feel they are not at risk. Current client needs often trump security needs," he added.
Supporting his point, Novitex and the Association of Legal Administrators (ALA) recently conducted a survey of over 800 law firms and legal administration professionals worldwide and found that reducing cybersecurity risk came in a distant fourth among top concerns behind increasing net profits, attracting new clients, and bolstering revenues. * * * "A law firm is not going to keep an advanced attacker from getting in the network," Abrenio added. "Therefore, the goal should be to limit what an attacker can do once they get inside the network."
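The monitoring gap Rasmussen describes is in the first instance a volume question, and the indictment's figure (40 gigabytes over at least eight days) is exactly the kind of signal a per-host egress baseline catches without a large analyst team. As an added example, not from the article or the indictment, the block below builds such a baseline over constructed netflow-style records. The host names, addresses, byte counts and thresholds are assumptions chosen to illustrate the check:

```python
from collections import defaultdict
from statistics import median

MB = 1_000_000
GB = 1_000_000_000


def build_sample_flows():
    """Constructed flow records (day_index, source_host, destination_ip, bytes_out),
    one row per host per day as a collector would export them. Hosts are
    hypothetical; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges."""
    flows = []
    for day in range(30):
        for host in ("dms-01", "dms-02", "fs-01"):
            flows.append((day, host, "203.0.113.7", 150 * MB))  # routine offsite backup
        if day >= 22:  # dms-01 starts pushing ~5 GB/day to a new external address
            flows.append((day, "dms-01", "198.51.100.9", 5 * GB))
    return flows


def daily_egress(flows):
    """Sum bytes out per host per day: {host: {day: bytes}}."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        per_host_day[host][day] += nbytes
    return per_host_day


def flag_egress_anomalies(flows, baseline_days=14, window_days=8,
                          ratio=5.0, min_window_bytes=10 * GB):
    """Flag hosts whose last `window_days` of egress exceed both an absolute floor
    and `ratio` times what their own first `baseline_days` predict for that window.
    The floor keeps one large legitimate transfer on a quiet host from alarming;
    the ratio keeps a busy file server's normal traffic from alarming.
    Returns {host: (window_bytes, baseline_bytes_per_day)}."""
    flagged = {}
    for host, by_day in daily_egress(flows).items():
        days = sorted(by_day)
        if len(days) < baseline_days + window_days:
            continue  # not enough history to baseline this host yet
        baseline = median(by_day[d] for d in days[:baseline_days])
        window_bytes = sum(by_day[d] for d in days[-window_days:])
        if window_bytes >= min_window_bytes and window_bytes > ratio * baseline * window_days:
            flagged[host] = (window_bytes, baseline)
    return flagged


if __name__ == "__main__":
    for host, (total, base) in flag_egress_anomalies(build_sample_flows()).items():
        print(f"{host}: {total / GB:.1f} GB out over the last 8 days "
              f"against a {base / MB:.0f} MB/day baseline")
```

In a real deployment the same aggregation would also be keyed on destination, since exfiltration to an address the host has never spoken to is a stronger signal than volume alone, and the baseline window would be recomputed on a rolling basis rather than fixed to the first two weeks of data.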

You've probably never heard of this creepy genealogy site. But it knows a lot about you. (WaPo, 12 Jan 2017) - Early Tuesday morning, Anna Brittain got a text from her sister: Did she know about Familytreenow.com? The relatively unknown site, which presents itself as a free genealogy resource, seemed to know an awful lot about her. "The site listed my 3- and 5-year-olds as 'possible associates,' " Brittain, a 30-year-old young-adult fiction writer in Birmingham, Ala., told The Washington Post on Tuesday. Her sister, a social worker who works at a child advocacy center, found the site while doing a regular Internet footprint checkup on herself. "Given the danger level of my sister's occupation," Brittain added, the depth of information available on the genealogy site "scared me to death." There are many "people search" sites and data brokers out there, like Spokeo, or Intelius, that also know a lot about you. This is not news, at least for the Internet-literate. And the information on FamilyTreeNow comes largely from the public records and other legally accessible sources that those other data brokers use. What makes FamilyTreeNow stand out on the creepy scale, though, is how easy the site makes it for anyone to access that information all at once, and free.

FBI withdrew national security letter after Cloudflare lawsuit (ZDnet, 12 Jan 2017) - Cloudflare received a national security letter (NSL) from the United States Federal Bureau of Investigation (FBI) back in February 2013, its transparency report for 2016 has shown, with the company only now able to report the event after being placed under a gag order. The FBI had been seeking the names, addresses, length of service, electronic communications transactional records, transaction and activity logs, and all email header information linked with a certain Cloudflare account, although not the content of those emails. Once served with the NSL, Cloudflare, with the help of the Electronic Frontier Foundation (EFF), filed a lawsuit under seal, successfully getting the FBI to rescind the NSL in July 2013 and withdraw its request for customer information. Consequently, no customer information was ever provided by Cloudflare under the NSL, but the company was required to fulfil the non-disclosure obligations that have now been lifted. "For nearly four years, Cloudflare has pursued its legal rights to be transparent about this request despite the threat of criminal liability. As explained above, the FBI recently removed that gag order, so we are now able to share the redacted text of NSL-12-358696," Cloudflare said in a blog post. The redacted NSL does not show whose account was requested by the FBI, or which FBI agent was involved in making the request.

New checklist from ABA Cybersecurity Legal Task Force aims to make vendor partnerships safer (ABA, 13 Jan 2017) - Imagine this: Your bar association is excited to partner with a new vendor. Its products or services are exactly what's needed to keep the bar's operations running smoothly or to help your members in their practice. The introduction is a big splash, everyone is happy … and then the vendor calls. There's been a data breach. It involves your data. And the truth is, it could just as easily be you having to make that difficult phone call because something on your end has put the vendor at risk. The ABA Cybersecurity Legal Task Force recently released its Vendor Contracting Project: Cybersecurity Checklist to help avoid this and other nightmare scenarios that could occur anytime you, or your members and their law firms, do business with an outside partner. Here are just a few of the questions that the checklist indicates are critically important when considering any such partnership: * * *

Ethics panel says ok for judge to tweet - within limits (Bob Ambrogi, 13 Jan 2017) - A judicial ethics panel of the Massachusetts court system has determined that a judge may ethically maintain a Twitter account, but only within certain boundaries, and that a judge must be particularly cautious about selecting accounts to follow on Twitter. The opinion from the Massachusetts Committee on Judicial Ethics does not identify the judge, but says that the judge maintains an active Twitter account and requested the committee's advice concerning the judge's continuing use of Twitter. I was able to find only one Massachusetts state judge who maintains an active Twitter account, Superior Court Judge Shannon Frison. Her Twitter activity matches some of that described by the committee, such as "posts intended to reveal the existence of racism and implicit bias in the courts." Judge Frison is president of the Massachusetts Black Judges Conference. The committee's opinion said that a judge's obligations with regard to Twitter are, broadly speaking, no different than they would be when using any form of social media, although different types of social media pose distinct issues. The committee has previously issued opinions approving judges' use of LinkedIn and Facebook, but as here, also within boundaries. * * *

Obama's cyber legacy: He did (almost) everything right and it still turned out wrong (NextGov, 17 Jan 2017) - The Obama administration made an unprecedented all-fronts effort to secure cyberspace. So, why are we less secure? For eight years, cyberspace proved the Obama administration's most unpredictable adversary, always twisting in new directions and delivering body blows where least expected. The administration took the cyber threat seriously from day one, launching reviews, promulgating policy, raising defenses and punishing cyberspace's most dangerous actors. That included imposing sanctions against Russia and North Korea and indicting government-linked hackers from China and Iran. But, in the end, cyberspace won. President Barack Obama will leave office this week following an election in which digital breaches ordered by Russian President Vladimir Putin helped undermine the losing candidate Hillary Clinton, sowed doubts about the winner Donald Trump's legitimacy and damaged faith in the nation's democratic institutions. When the history of the Obama administration's cyber policy is written, that fact will likely loom larger than anything else, numerous cyber experts and former officials told Nextgov, overshadowing years of hard work to prepare the government and the nation for an age of digital insecurity. It will also likely overshadow the dozens of instances in which Obama officials got the big cyber questions, more or less, right. "He set himself up with all the tools, but he blew this," said Paul Rosenzweig, a deputy assistant secretary at the Department of Homeland Security during the Bush administration. [Polley: excellent summary.]

Does litigation database belong to law firm or clients? Suit against ex-partners raises the issue (ABA Journal, 19 Jan 2017) - A Boston law firm and six former partners are battling in court over rights to databases for the firm's asbestos and toxic tort cases. The Governo Law Firm and name partner David Governo contend in a lawsuit that the partners took proprietary databases that cost hundreds of thousands of dollars to build, report the Boston Globe and the Boston Business Journal. The former partners, who opened a firm called CMBG3 Law on Dec. 1, claim database information belongs to the firm's clients, who were billed for work associated with the databases. According to the Boston Globe, the suit is "being carefully watched by the city's legal community, which anticipates it may establish case law on the legal and ethical parameters for leaving a law firm in the digital age." In a Jan. 11 decision, Judge Kenneth Salinger of Boston Superior Court refused to issue an injunction for the return of database material. Salinger said both sides presented evidence on whether the database belongs to the firm or its clients, but he was unable to decide the issue on the current record.

Deutsche Bank to ban texts and messaging apps (InfoSecurity, 19 Jan 2017) - German banking giant Deutsche Bank is banning the use of any mobile phone-based messaging which can't be monitored by the lender, in a bid to improve compliance efforts. The new policy was communicated to employees in a memo last Friday, signed by chief operating officer Kim Hammonds and chief regulatory officer, Sylvie Matherat. "We fully understand that the deactivation will change your day-to-day work and we regret any inconvenience this may cause. However, this step is necessary to ensure Deutsche Bank continues to comply with regulatory and legal requirements," it noted, according to reports. The move will effectively ban the use of SMS messages and any third party apps including WhatsApp, Google Talk and Apple's iMessage. It will apparently apply not only to corporate-owned devices but also personal handsets used by staff in the workplace - although it's not clear how the latter will be enforced. The move comes in apparent response to Deutsche Bank's poor record on regulatory compliance, which has cost the lending giant close to $14 billion in fines since 2008, according to Bloomberg data. Some of these fines may have been levied in the past as a result of the bank's failure to produce accurate communications records when asked, it is believed.

Corporate legal counsel fret over cybersecurity (Dark Reading, 20 Jan 2017) - A majority of in-house legal counsels at US corporations view data breaches and cross-border data privacy regulations as among their biggest e-discovery related legal risks. BDO Consulting, a company that provides financial, business, and technology advisory services, recently surveyed over 100 senior legal executives at organizations ranging in size from $100 million to over $5 billion. Seventy-four percent, or nearly three in four of the respondents, pointed to data breaches as one of their top data-related risks, while 68% say the legal department in their organization was more engaged with cybersecurity compared to 12 months ago as result of such concerns. "E-discovery systems collect, store and process highly sensitive information that is a potential goldmine for hackers," said Shahryar Shaghaghi, head of BDO International's cybersecurity and technology advisory Services practice in the report. "These systems and the data they contain require strong risk management oversight as well as proper cybersecurity defenses and protocols." In situations where third-party service providers manage the data for enterprises, more than one quarter of the survey respondents (27%) say they are unaware of the risk posed to their organization by third-parties.

Hackers downloaded US government climate data and stored it on European servers as Trump was being inaugurated (Quartz, 21 Jan 2017) - As Donald Trump was sworn into office as the new president of the US on Jan. 20, a group of around 60 programmers and scientists were gathered in the Department of Information Studies building at the University of California-Los Angeles, harvesting government data. A spreadsheet detailed their targets: Webpages dedicated to the Department of Energy's solar power initiative, Energy Information Administration data sets that compared fossil fuels to renewable energy sources, and fuel cell research from the National Renewable Energy Laboratory, to name a few out of hundreds. Many of the programmers who showed up at UCLA for the event had day jobs as IT consultants or data managers at startups; others were undergrad computer science majors. The scientists in attendance, including ecologists, lab managers, and oceanographers, came from universities all over Southern California. A motley crew of data enthusiasts who assemble for projects like this is becoming something of a trend at universities across the country: Volunteer "data rescue" events in Toronto, Philadelphia, Chicago, Indianapolis, and Michigan over the last few weeks have managed to scrape hundreds of thousands of pages off of EPA.gov, NASA.gov, DOE.gov, and whitehouse.gov, uploading them to the Internet Archive. Another is planned for early February at New York University. Hackers, librarians, scientists, and archivists had been working around the clock, at these events and in the days between, to download as much federal climate and environment data off government websites as possible before Trump took office. But suddenly, at exactly noon on Friday as Trump was sworn in, and just as the UCLA event kicked off, some of their fears began to come true: The climate change-related pages on whitehouse.gov disappeared.
It's typical of incoming administrations to take down some of their predecessor's pages, but scrubbing all mentions of climate change is a clear indication of the Trump administration's position on climate science.

Three states propose DMCA-countering 'right to repair' laws (SlashDot, 23 Jan 2017) - Automakers are using the Digital Millennium Copyright Act to shut down tools used by car mechanics -- but three states are trying to stop them. An anonymous reader quotes IFixIt.Org: in 2014, Ford sued Autel for making a tool that diagnoses car trouble and tells you what part fixes it. Autel decrypted a list of Ford car parts, which wound up in their diagnostic tool. Ford claimed that the parts list was protected under copyright (even though data isn't creative work) -- and cracking the encryption violated the DMCA. The case is still making its way through the courts. But this much is clear: Ford didn't like Autel's competing tool, and they don't mind wielding the DMCA to shut the company down... Thankfully, voters are stepping up to protect American jobs. Just last week, at the behest of constituents, three states -- Nebraska, Minnesota, and New York -- introduced Right to Repair legislation (more states will follow). These 'Fair Repair' laws would require manufacturers to provide service information and sell repair parts to owners and independent repair shops. Activist groups like the EFF and Repair.org want to "ensure that repair people aren't marked as criminals under the DMCA," according to the site, arguing that we're heading towards a future with many more gadgets to fix. "But we'll have to fix copyright law first."

NIST issues two important publications (Ride the Lightning, 24 Jan 2017) - It is important to take a look at The National Institute of Standards and Technology (NIST) Special Publication 800-160, System Security Engineering (issued in November of 2016), and its draft update to the Framework for Improving Critical Infrastructure Cybersecurity, issued January 10, 2017. Special Publication 800-160 is directed mostly at engineers, but the C-Suite folks need to read it too. One of the main goals of the publication is to push for building security into Internet of Things devices the way that safety features are built into automobiles. NIST is also pressing the public and private sectors to address the proliferation of new IoT risks without delay. In addition, NIST 800-160 seems to be a response to the Federal Trade Commission's recent statements on whether complying with NIST standards demonstrates "reasonable security." NIST 800-160 expressly provides a framework for how an organization may show "adequate security," which focuses on the adequacy of the procedures and documentation used to arrive at the ultimate cybersecurity decisions. It focuses heavily on the documentation of "better security practices" as opposed to "perfect security practices." The draft update to the Framework for Improving Critical Infrastructure Cybersecurity provides new details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. The updated framework aims to further develop NIST's voluntary guidance to organizations on reducing cybersecurity risks.

Lawsuit challenging PACER fees certified as class action (Bob Ambrogi, 25 Jan 2017) - A federal lawsuit challenging as excessive the fees charged by PACER, the federal courts' electronic records system, has been certified as a class action. Yesterday, U.S. District Judge Ellen Segal Huvelle in the District of Columbia approved the class of "[a]ll individuals and entities who have paid fees for the use of PACER within the past six years, excluding class counsel and agencies of the federal government." The lawsuit, National Veterans Legal Services Program v. U.S., claims that PACER's fee schedule is higher than necessary to cover the costs of operating PACER and therefore violates the E-Government Act of 2002, which allows the federal judiciary to charge fees for PACER that are reasonable and "only to the extent necessary." Plaintiffs assert that the judiciary is charging far more than necessary in PACER fees, and that the fees it collects are going to purposes other than PACER, such as courtroom technology, websites for jurors, and bankruptcy notification systems. Judge Huvelle found that the lawsuit meets the requirements for class certification under the Federal Rules of Civil Procedure. In December, Judge Huvelle denied the government's motion to dismiss the suit. Judge Huvelle's memorandum granting class certification is below. (If you have trouble with the PDF viewer, here is a direct link to the PDF.)

RESOURCES

When the mother of invention is a machine, who gets credit? (Singularity Hub, 3 Nov 2016) - What do the Oral-B CrossAction toothbrush, about a thousand musical compositions and even a few recent food recipes all have in common? They were invented by computers, but you won't find a nonhuman credited with any of these creations on U.S. patents. One patent attorney would like to see that changed. Ryan Abbott is petitioning to address what he sees as more than a quirk in current laws but a fundamental flaw in policy that could have wide-ranging implications in areas of patent jurisprudence, economics and beyond if his proposals are adopted. "I argue that we ought to acknowledge a computer as an inventor because it would incentivize the development of creative computers and result in more innovations for society," says Abbott, a professor of law and health sciences at the University of Surrey's School of Law and adjunct assistant professor of medicine at the David Geffen School of Medicine at UCLA. He is also a licensed and board certified physician and registered patent attorney with the U.S. Patent and Trademark Office (USPTO). In a paper recently published in the Boston College Law Review, Abbott offers a framework for revamping how the USPTO approaches nonhuman inventors. The current regulations are outdated and don't recognize that computers are already producing patentable inventions, Abbott says in an interview with Singularity Hub. Abbott notes in the paper, "I Think, Therefore I Invent: Creative Computers and the Future of Patent Law," that early versions of AI, dating back to the 1990s, were independently creating all sorts of things, such as new super-strong materials and devices that search the internet for messages from terrorists. * * * Abbott's solution is to assign patents to the computer's owner, which generally refers to software ownership. He sees other options, such as the developer or user of the AI, as more problematic.
For instance, allowing a computer's user to own a patent might compel owners to tighten restrictions or access to their software. * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Where real money meets virtual reality, the jury is still out (Washington Post, 26 Dec 2006) -- Veronica Brown is a hot fashion designer, making a living off the virtual lingerie and formalwear she sells inside the online fantasy world Second Life. She expects to have earned about $60,000 this year from people who buy her digital garments to outfit their animated self-images in this fast-growing virtual community. But Brown got an unnerving reminder last month of how tenuous her livelihood is when a rogue software program that copies animated objects appeared in Second Life. Scared that their handiwork could be cloned and sold by others, Brown and her fellow shopkeepers launched a general strike and briefly closed the electronic storefronts where they peddle digital furniture, automobiles, hairdos and other virtual wares. As virtual worlds proliferate across the Web, software designers and lawyers are straining to define property rights in this emerging digital realm. The debate over these rights extends far beyond the early computer games that pioneered virtual reality into the new frontiers of commerce. "Courts are trying to figure out how to apply laws from real life, which we've grown accustomed to, to the new world," said Greg Lastowka, a professor at Rutgers School of Law at Camden in New Jersey. "The law is struggling to keep up." U.S. courts have heard several cases involving virtual-world property rights but have yet to set a clear precedent clarifying whether people own the electronic goods they make, buy or accumulate in Second Life and other online landscapes. Also unclear is whether people have any claim when their real-life property is depicted online, for instance in Microsoft's new three-dimensional renderings of actual real estate. The debate is assuming greater urgency as commerce gains pace in virtual reality.

Sweden to set up embassy in Second Life (The Local, 26 Jan 2007) -- Sweden is to become the first country to establish diplomatic representation in the virtual reality world of Second Life, officials said on Friday. "We are planning to establish a Swedish embassy in Second Life primarily as an information portal for Sweden," Swedish Institute (SI) director Olle Wästberg told AFP. The embassy would not provide passports or visas but would instruct visitors how to obtain such documents in the real world and act as a link to web-based information about the Scandinavian country. "Second Life allows us to inform people about Sweden and broaden the opportunity for contact with Sweden easily and cheaply," Wästberg said. The Swedish Institute is an agency of the Swedish foreign ministry tasked with informing the world about Sweden. The ministry fully backed the initiative, he added.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

top

Saturday, January 07, 2017

MIRLN --- 18 Dec - 7 Jan 2017 (v20.01)

MIRLN --- 18 Dec - 7 Jan 2017 (v20.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


This begins MIRLN’s 20th year!

NEWS | RESOURCES | LOOKING BACK | NOTES

Obama: Espionage is being ‘turbocharged’ by the internet (NPR, 16 Dec 2016) - The world is entering a new cyber era — one with no ground rules, and with the potential for traditional espionage to be “turbocharged” by the Internet, President Obama told NPR in an exclusive interview. “Among the big powers, there has been a traditional understanding of, that everybody is trying to gather intelligence on everybody else,” Obama told Morning Edition ’s Steve Inskeep in a wide-ranging interview on Thursday. “It’s no secret that Russian intelligence officers, or Chinese, or for that matter Israeli or British or other intelligence agencies, their job is to get insight into the workings of other countries that they’re not reading in the newspapers every day.” The informal, unwritten rules of the past are no longer adequate, the president added. “One of the things that we’re going to have to do over the next decade is to ultimately arrive at some rules of what is a new game,” he said. “And that is the way in which traditional propaganda and traditional covert influence efforts are being turbocharged by the Internet.” The president suggested the U.S. is more vulnerable than other nations because the American economy is both bigger and more highly digitized than those of other countries.

top

Guidance issued on determining if companies need a Data Protection Officer under GDPR (Winston & Strawn, 19 Dec 2016) - The new data privacy regulation (the GDPR) requires some companies to have a data protection officer. Many companies will need a DPO if they have core activities that require regular and systematic monitoring of individuals on a large scale. Article 37(1)(b). The effective date of the regulation is May 2018. There has been confusion about which companies need such a role. In response, the Article 29 Working Party recently issued guidance. It gives some clarification for these three concepts: (1) core activities requiring monitoring, (2) regular and systematic monitoring, and (3) large scale. The Working Party expects that companies will document how they determined whether they needed a DPO. As companies think about the DPO role, it is helpful to look at how the Working Party thinks about these three concepts. Core activities, the guidance indicates, are those that are key to achieving a company’s goals. Examples given are processing of patient data by a hospital, or the surveillance a private security company might carry out of a shopping center. Routine processing, like HR-related processing, is not a core activity. Examples given of regular and systematic monitoring include “all forms of tracking and profiling on the internet,” as well as email retargeting, location tracking (by mobile apps, for example), loyalty programs, and monitoring fitness data by a wearable device, among others. Finally, with respect to large scale, the Working Party indicates that standards to define this will likely develop over time. For now, examples given include processing geo-location data of customers for statistical purposes related to the company’s services (in the example given, a fast food chain restaurant) and processing of customer data in the “regular course of business” by a bank or insurance company. The guidance also gives direction on the DPO’s role and responsibilities, reminds companies that DPOs do not have the ultimate compliance obligation under GDPR (that responsibility falls on the controller or processor), and notes that even if a company concludes that it does not need a DPO, it may find it “useful” to voluntarily designate someone to that role.

top

A lack of Yakking (InsideHigherEd, 19 Dec 2016) - Remember Yik Yak? The app was the scourge of the college campus just last year, with anonymous harassment posted to its local discussion boards causing arrests, demonstrations, sit-ins and more. Administrators grappled with how to respond -- some moved to ban the app or restrict students’ access to it, but those actions drew criticism from civil liberties and free speech groups. Now the app appears to be going the way of Google+, MySpace and Vine. Once a staple on smartphone app store top downloads charts, Yik Yak has this year fallen out of the top several hundred most popular. Students appear to have moved to other platforms -- Snapchat, for example, which is showing impressive reach among 18- to 34-year-olds (as well as all-important appeal to advertisers). As a business, Yik Yak’s momentum is also slowing down. The Verge reported last week that the company, which has raised $73.5 million and was once valued at between $300-400 million, has fired about 60 percent of its employees, shrinking its office from about 50 to 20 people. Some social media experts point to Yik Yak’s shift away from anonymity as one reason why the app is no longer as popular as it once was. Last year, Yik Yak introduced user names -- first optional, later mandatory -- and began highlighting nearby users. The changes were controversial among users, and by that November, the company reversed its course. But more recent changes to the app, such as phone number verification, have continued to trend away from anonymity. “When Yik Yak moved away from anonymity, they took away the most important feature of the app,” said Eric Stoller, a higher education consultant (and Inside Higher Ed blogger) who frequently writes about social media. “Why use Yik Yak when you can use other platforms that have user profiles? Yik Yak was always about user location and anonymity.”

top

How good is law firm security? This report may surprise you (Ride the Lightning, 20 Dec 2016) - As DarkReading recently reported, there is good news about law firm security: The legal sector scored second-best in the latest security ratings report by BitSight, just ahead of retail, and behind the formidable financial industry. It’s hard to surprise me, but this report did. As much as I’ve seen greater attention to cybersecurity by law firms over the past several years, I’ve also seen a lot of data breaches, some public and some not. Since BitSight uses publicly disclosed breaches to benchmark security, it may be that there are a lot of law firm data breaches that have not been publicly disclosed. It is probably also true, since BitSight analyzed 1,269 legal entities, that it probably did not include a lot of solo and small firms. The bad news: More than half of law firms are vulnerable to a known attack called DROWN that breaks encryption and exposes communication and information in Web and e-mail servers and VPNs, and a large percentage of law firms scored low security-wise. BitSight provides a credit-score type security rating system for various industries. On a 250 (lowest) to 900 (highest) security rating scale, finance scored 703; legal, 687; retail, 685; healthcare, 668; energy/utilities, 667; and government, 657. Legal actually dropped two points from last year’s rating of 690. 70% of law firms surveyed in the recent Law Firm Cybersecurity Report by ALM Intelligence said they are under pressure from their clients to beef up internal data security, but only about half conduct regular “fire drills” for incident response. The report said firms were confident in their ability to thwart attacks. Um, that’s not what they tell us. But it does make for good PR. “Many firms’ confidence in their own cyberattack preparedness seems misguided. Our research indicates that most remain surprisingly unprepared for the threat,” said Daniella Isaacson, co-author of the report and ALM Intelligence senior legal analyst. “For example, many never test their cybersecurity protocols. This means that on the day of a breach, those firms are using an unproven response plan.”

top

- but -

3 men made millions by hacking merger lawyers, US says (NYT, 27 Dec 2016) - Law firms that advise on mergers once had to worry about a rogue employee trading on deal tips. Now, they have to worry about hackers doing the same. Federal prosecutors in Manhattan have charged three Chinese citizens with making more than $4 million by trading on information they got by hacking into some of the top merger-advising law firms in New York. The three men targeted at least seven New York law firms to try to obtain information about deals in the works, according to an indictment unsealed on Tuesday. The men were successful in hacking two firms, stealing emails of partners who work on mergers, prosecutors said. The three then bought shares of target companies, selling them after the deals were announced, prosecutors said. Hackers’ ability to breach the defenses of big law firms in search of confidential information about corporate clients — including tips about coming mergers and acquisitions — has long been a concern of federal authorities. Most major law firms have played down the threat posed by hackers and have been reluctant to discuss breaches or even attempted breaches. “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world,” Preet Bharara, the United States attorney in Manhattan, said in a statement. “You are and will be targets of cyberhacking because you have information valuable to would-be criminals.” [Polley: see also Law firm hacks traced back to Bay Area transactions (SF Gate, 27 Dec 2016)]

top

- and -

Law firms subject to same cyber risk as others, but is compliance required? (CSO Online, 4 Jan 2017) - This is an article I have been meaning to write ever since we performed an IT audit for a large law firm a year or so ago. The firm was responding to the HIPAA law that requires all third-party vendors working with healthcare organizations to have a Risk Assessment. This further proves my point that most businesses won’t do much in the area of cyber security or compliance, not even an IT risk assessment unless required by law. Let’s look at some specifics about the legal sector: ALM Legal Intelligence has reported the following facts on the legal sector. * * * [Polley: pretty interesting.]

top

- and -

Court documents for law firm lax security case (Ride the Lightning, 5 Jan 2017) - On December 12th, I posted about the lawsuit filed by Edelson PC against Chicago’s Johnson & Bell law firm alleging that lax security put client data at risk. No breach was alleged and it was acknowledged that security vulnerabilities had been fixed. The lawsuit has moved into a confidential arbitration and it is likely that we will never learn the outcome. But the court documents are available for review – hat tip to colleague Lance Johnson – and I have posted them here. According to the complaint, “Johnson & Bell has injured its clients by charging and collecting market-rate attorneys’ fees without providing industry standard protections for client confidentiality.” That is really the heart of the argument and I am still dubious that such suits will succeed where no breach or damage can be shown, especially where the law firm took steps to remediate the insecurities when they became known. Nonetheless, happy reading and see what you think of Edelson’s arguments.

top

Big banks are stocking up on blockchain patents (Bloomberg, 21 Dec 2016) - In the headlong rush to revolutionize modern finance, blockchain enthusiasts are overlooking one potentially costly problem: their applications, built on open-source code, may actually belong to someone else. Recently, some of the biggest names in business, from Goldman Sachs to Bank of America and Mastercard, have quietly patented some of the most promising blockchain technologies for themselves. Through mid-November, the number of patents that companies have obtained or said they’ve applied for has roughly doubled since the start of the year, according to law firm Reed Smith. As the blockchain -- essentially a shared, cryptographically secure ledger of transactions -- evolves beyond its techno-utopian roots and startups like Chain and Hyperledger open their source code to the public, the risk is growing that patents will turn into powerful weapons in protracted lawsuits over intellectual property, especially in the hands of trolls trying to cash in on the technology’s skyrocketing rise. Increasingly, experts warn established firms will use them to assert exclusive rights over the work of blockchain’s pioneers. “Open-source code -- that doesn’t necessarily restrict the ability to patent the underlying innovation,” said Patrick Murck, a long-time blockchain legal expert who joined Cooley LLP last month. “Anybody who’s investing in the ecosystem, anybody who’s interested in the technology should be worried about this.”

top

Is distance ed rule DOA? (InsideHigherEd, 21 Dec 2016) - The U.S. Department of Education, with a month to go until the transition of power, has finalized a rule that clarifies how colleges become authorized to offer online programs to students in other states -- an effort in the works since the first years of the Obama administration. But the rule is by all indications dead on arrival. The final rule, released on Dec. 16, requires colleges that offer online education programs to follow each state’s authorization process -- which often involves filling out an application and paying a fee to a local higher education agency -- and clarifies disclosure and student complaint procedures. It also recognizes that states can participate in reciprocity agreements. The rule-making process has been one of fits and starts, complete with court cases, delays and failed negotiations -- and then a surprise last-ditch effort this summer. After collecting input on a draft this fall, the Education Department published the final rule in the Federal Register on Monday. Yet the rule may never go into effect. The Trump administration will have plenty of time to set its own regulatory agenda, given that the rule’s effective date isn’t until July 1, 2018.

top

GE creates ‘Yelp for Lawyers’ to assess outside law firms (Bloomberg, 21 Dec 2016) - General Electric has developed what it’s calling a Yelp for lawyers. An internal website is now available to its approximately 800 in-house lawyers, through which they can search “preferred providers” of outside counsel and learn about their track record with the company. Titled GE Select Connect, more than 200 of the company’s outside law firms maintain profiles (à la Facebook) that feature firm information, including feedback the outside firms have received from GE lawyers, the firm’s diversity staffing levels, hourly rates, and discounts the company has previously achieved. The internal site will give GE lawyers a better handle on discounts they can negotiate with outside law firms, easy access to firms’ strengths and weaknesses, as well as phone numbers and emails for primary contacts, said Dan Hendy, associate general counsel at GE, who oversaw the creation of the tool. “It’s a good way to collaborate,” said Hendy, who noted that the law firms listed on the site are only GE’s preferred providers, “a little more than” 200 firms which have signed an agreement stipulating negotiated rates and possibly other benefits over a certain period of time. “It makes being a preferred provider at GE more meaningful,” said Hendy, who framed the website as “a great marketing platform” for outside firms, since preferred law firms can update their profiles with information and news about firm initiatives and matters they’re handling. So far, Hendy said that the use cases are fairly simple and it certainly isn’t being used to select counsel for bet-the-company litigation or blockbuster M&A. He estimated that as much as 80 percent of GE’s 800 lawyers have the ability to hire outside counsel directly. [Polley: At Schlumberger, we mostly did this in 1999; then, we couldn’t get outside counsel interested.]

top

NIST introduces comprehensive cyber incident recovery guide (Federal Times, 23 Dec 2016) - Noting an overall rise in cybersecurity incidents and inconsistent response capabilities across the federal government, the National Institute of Standards and Technology has published the “Guide for Cybersecurity Event Recovery” to assist agencies in developing plans, processes and procedures to fully restore a weakened system. “It’s no longer if you are going to have a cybersecurity event, it is when,” said computer scientist Murugiah Souppaya, one of the guide’s authors. According to the Cybersecurity Strategy and Information Plan, published by the Office of Management and Budget, recovery could involve a simple data backup or a far more complicated process of bringing a system back online in stages. The NIST guide addresses this critical facet of risk management by consolidating existing guidance on incident handling and contingency planning, while offering a framework for organizations needing to create strategic playbooks for data breaches, ransomware and other cybersecurity incidents. “To be successful, each organization needs to develop its own plan and playbooks in advance,” said Souppaya. “Then they should run the plays with tabletop exercises, work within their team to understand its level of preparation and repeat.” The NIST guide can be viewed in its entirety on their website.

top

Corporate boards aren’t prepared for cyberattacks (Computerworld, 26 Dec 2016) - Major cyberattacks against organizations of all sizes seem to happen almost weekly. On Dec. 14, Yahoo announced the largest-ever data breach, involving more than 1 billion customer accounts. Despite the scale and potential harm from such attacks, there’s wide recognition that corporate leaders, especially boards of directors, aren’t taking the necessary actions to defend their companies against such attacks. It’s not just a problem of finding the right cyber-defense tools and services, but also one of management awareness and security acumen at the highest level, namely corporate boards. * * * [W]orries seem to have reached some quarters of the corporate governance community. The National Association of Corporate Directors (NACD) recently released a survey of more than 600 corporate board directors and professionals that found only 19% believe their boards have a high level of understanding of cybersecurity risks. That’s an improvement from 11% in a similar poll conducted a year earlier. The survey also found that 59% of respondents find it challenging to oversee cyber risk. The nonprofit NACD, which has 17,000 members, is working with security awareness firm Ridge Global and Carnegie Mellon University to create a Cyber-Risk Oversight program to educate corporate directors about the systemic risks of cyberattacks.

top

New cybersecurity guidelines for medical devices tackle evolving threats (The Verge, 27 Dec 2016) - Today, the US Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they’ve entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device — with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable — so they’re largely without teeth. The FDA has been warning the health care industry for years that medical devices are vulnerable to cyberattacks. It’s a legitimate concern: researchers have managed to remotely tamper with devices like defibrillators, pacemakers, and insulin pumps. In 2015, FDA warned hospitals that the Hospira infusion pump, which slowly releases nutrients and medications into a patient’s body, could be accessed and controlled through the hospital’s network. * * * The FDA issued an earlier set of recommendations in October 2014, which recommended ways for manufacturers to build cybersecurity protections into medical devices as they’re being designed and developed. Today’s guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur.

top

Another state adopts duty of technology competence; makes it 26 (Bob Ambrogi, 28 Dec 2016) - As this blog continues to follow the states that adopt the duty of technology competence for lawyers, there is another to add: Colorado. That brings to 26 the number of states that have adopted some version of Comment 8 to ABA Model Rule 1.1. Colorado’s version of Comment 8, which was adopted and became effective on April 6, 2016, differs from the Model Rule. Colorado’s version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject. See Comments [18] and [19] to Rule 1.6.” (Emphasis added.) The ABA version says: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added.) Note that the Colorado version cross-references Comments 18 and 19 to Rule 1.6. That rule pertains to confidentiality of client information. The comments advise that lawyers must “make reasonable efforts” to safeguard client information “against unauthorized access by third parties and against inadvertent or unauthorized disclosure.”

top

New York eases proposed cyber regulations after industry complaints (Reuters, 28 Dec 2016) - New York state’s financial regulator on Wednesday issued a revised proposal for the nation’s first cyber security rules for banks and insurers, loosening some security requirements and delaying implementation by two months to March 1. The rules from the New York State Department of Financial Services are being watched closely because they lay out unprecedented requirements on steps that financial firms must take to protect their networks and customer data from hackers and disclose cyber events to state regulators. “Many organizations are going to have a lot of work to do to come into compliance with these revised regulations,” said Jed Davis, a partner with law firm Day Pitney and former U.S. federal cyber crimes prosecutor. The state revised the rules in response to more than 150 comments on its initial proposed regulations. The New York Insurance Association in one letter called the regulation “too much of a ‘one size fits all’ rule” that was overly specific and too broad. A New York Bankers Association letter warned of unintended consequences that would “hamper efforts to protect the public and may defy its purpose of preventing cyber attacks.” The revised regulations include easing some timelines and requirements, including standards for encrypting data and authenticating access to networks. They also provide more time for compliance, expanding the transition from six months to as long as two years.

top

New French law bars work email after hours (Fortune, 1 Jan 2017) - A new French law establishing workers’ “right to disconnect” goes into effect today. The law requires companies with more than 50 employees to establish hours when staff should not send or answer emails. The goals of the law include making sure employees are fairly paid for work, and preventing burnout by protecting private time. French legislator Benoit Hamon, speaking to the BBC, described the law as an answer to the travails of employees who “leave the office, but they do not leave their work. They remain attached by a kind of electronic leash—like a dog.” While the measure may seem like a boon to workers, it was reportedly the most broadly supported measure of a comprehensive labor package passed in May. The package as a whole was primarily oriented to liberalizing France’s job market, including by making it easier to fire workers, and sparked widespread protests. The email restrictions could provide a benefit to both workers and businesses, by making employees more relaxed and effective. As NPR points out, academic studies have found that workplace email is a significant source of stress. A group of Stanford business professors have estimated that workplace stress added between $125 and $190 billion dollars per year to America’s healthcare costs, amounting to between 5 and 8% of total costs. Overwork accounted for $48 billion of that. Those healthcare costs are largely borne by employers, along with the drag of irritable or absent employees worn down by the colonization of their private lives.

top

US Treasury makes standalone cyber insurance policies more valuable (Aon, 3 Jan 2017) - The United States Department of the Treasury issued a “Notice of Guidance” December 27, 2016, which clarifies that stand-alone “Cyber Liability” insurance policies are included under the Terrorism Risk Insurance Act of 2002, as amended (“TRIA”). TRIA requires insurers to “make available” terrorism risk insurance for commercial property and casualty losses resulting from certified acts of terrorism (insured losses), and provides for shared public and private compensation for such insured losses. Effective April 1, 2017, and consistent with TRIA and the TRIA program regulations, an insurer must provide disclosures and offers that comply with TRIA and the program regulations on any new or renewal policies reported as standalone Cyber Liability insurance. * * *

top

MN Bar returns to Fastcase, six months after switching to Casemaker (Bob Ambrogi, 3 Jan 2017) - In their ongoing competition to win over bar associations as the legal-research member benefit, Fastcase is starting 2017 with an unprecedented victory over Casemaker. Just six months after the Minnesota State Bar Association left Fastcase and switched to Casemaker, it is going back to Fastcase in response to demand by its members. “Our members offered a clear preference for Fastcase,” Gerry Ford, MSBA membership director, told me in an email. “Their most common theme was ease of use. MSBA members find Fastcase to be more user-friendly and its interface to be more intuitive.” I have reported here on other bars switching from Casemaker to Fastcase — such as my own state’s bar in December 2015. But when the MSBA switched last July after having been with Fastcase since 2007, it was the first bar to go from Fastcase to Casemaker. Now, as it switches back just six months later, I can think of no precedent for such a rapid turnabout.

top

A warning about Tallinn 2.0 … whatever it says (Lawfare, 4 Jan 2017) - The Tallinn Manual on the International Law Applicable to Cyber Warfare is the most comprehensive and thoughtful work to date on the applicability of existing international law to cyber warfare. It is routinely referenced and relied upon by civilian and military practitioners across the globe and—if it has not already done so—it may very well achieve the authors’ objective of joining the ranks of the San Remo Manual on International Law Applicable to Armed Conflicts at Sea and the Manual on International Law Applicable to Air and Missile Warfare as one of the authoritative (albeit non-binding) manuals detailing the manner in which international law applies to particular forms of warfare. No doubt the soon-to-be-released Tallinn 2.0 will prove to be equally well received. And that is precisely the problem. Despite the benefits of the Tallinn Manual—a proffer of increased certainty for States that international law does apply to cyber activities; a framework that adopts and applies international legal norms; the general utility of a ready reference for government officials, operators, and legal advisers; and the recording of a group of experts’ opinions that can be scrutinized by others in ways that might help to develop long-term legal consensus—the Tallinn Manual presents two dangers that we should hope Tallinn 2.0 avoids.

top

California law makes ransomware use illegal (On the Wire, 4 Jan 2017) - It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware. The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself. In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1. The new law in California makes the use of ransomware a felony that is punishable by up to four years in prison.

top

Ten worst Section 230 rulings of 2016 (plus the five best) (Eric Goldman, 4 Jan 2017) - 2016 was a tough year in many respects (check out the #Fuck2016 hashtag), including a swarm of adverse Section 230 rulings. Even in paradigms where the immunity still functions reasonably well, such as user comments on message boards or online marketplace operator liability, rulings this year provided plaintiffs/regulators with powerful tools to undermine the immunity. As bad as 2016 was, after we see the full effects of this year’s rulings, I think we’ll look back nostalgically at 2016 as Section 230’s high-water mark. How’s that for a “happy” new year? So rather than enumerate the 10 most important Section 230 rulings, I’ve cynically decided to just list out the 10 worst rulings this year. For those looking for a ray of optimism, the 5 best rulings are at the end of this post. * * *

top

Massachusetts makes data breach records public online (Infosecurity, 4 Jan 2017) - The state of Massachusetts has upped the ante on data breach transparency: The Office of Consumer Affairs and Business Regulation has decided to make reports of potential identity theft available to the public on its website. Previously, those reports could only be accessed by a public records request. State law requires that any organization that keeps personal information about a Massachusetts resident notify state officials, as well as affected customers, any time that information is compromised. This includes external hacking incidents, unintentional data leakage and insider mistakes, among other scenarios. It also includes incidents outside of the cyberworld, say, if a briefcase with papers is stolen or misplaced. Hundreds of data breaches affecting thousands of Massachusetts residents were reported to the state in 2016, and information on all of them is now available in a handy spreadsheet format that details how many residents were affected, what kind of information was lost, whether the organization in question provided credit monitoring, and more. Massachusetts has been out in front on cybersecurity, recently offering a $5 million grant that will be used to bolster cyber-research and the computing technology used by the University of Massachusetts.

top

RESOURCES

New Technology on the Block: Exploring the legal and regulatory implications of the blockchain (Harvard Law Today, Fall 2016) - * * * The blockchain raises fascinating legal questions, about both transactions and property, says Patrick Murck, a fellow at the Berkman Klein Center, who previously was co-founder of the Bitcoin Foundation (it paid him entirely in bitcoin, which worked fine until his kids started going to day care, he quipped). “Bitcoin is interesting not because it’s digital money but because it’s digital property,” says Murck, noting that bitcoins are actually tokens generated and validated by computer, and property rights can be tied to those tokens. While the blockchain is most closely associated with bitcoin—the two were released together in 2009—its use is not limited to currency. Music companies are experimenting with using it for tracking online transactions, and an open source group called Ethereum has built a blockchain-based platform for managing contracts that also includes a digital currency, or token, called Ether. What it doesn’t have is much of a legal framework. De Filippi and, separately, Murck convened a series of meetings over the last few years to address that. De Filippi’s initially involved mostly Boston-area participants from the Berkman Klein Center and the HLS community and MIT (for example: bit.ly/coalaworkshop), before she broadened the gatherings’ scope. Murck brought together members of the bitcoin community with financial companies, technology firms, lawyers and regulators for a series of meetings called Shared Ledgers Roundtables. All of the meetings were designed to explore the legal framework needed for the blockchain to work safely, and to prevent fraud. * * *

top

Basu on Copyright Law & the Drummer (MLPB, 5 Jan 2017) - Ronojoy Basu, University of Toronto, has published Copyright Law & The Drummer. Here is the abstract: Recent relevant judicial decisions in the US suggest that the question of subsistence of originality in drum beats remains a subject of debate. Unbeknownst to the non-musical world, this question continues to gather momentum and poses some rather interesting questions about degree and threshold of creativity and applicability of Copyright law. This paper explores the copyright-ability of drum patterns, the position of US and Canadian laws on the subject and under what circumstances may such beats be accorded copyright protection.

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Big sister Clinton (2.0) (New York Times, 19 March 2007) -- Wondering what this presidential campaign might look like in the world of “Web 2.0” social networking sites? We have our answer: The buzz-generating Internet ad featuring Senator Hillary Rodham Clinton as a scary Big Brother figure, conducting her presidential campaign “conversation” on a giant screen to drone-like humans. The ad, a near-copy of an Apple spot for Macintosh in 1984, has drawn more than 438,000 viewers on YouTube in the last two weeks (and has been linked by hundreds of blogs), showing the potential reach of such guerrilla ad campaigns. It ends with a female athlete (who seems to be wearing an iPod) smashing the screen image of Mrs. Clinton’s face with a hammer. Then these words appear — “On January 14th the Democratic primary will begin. And you’ll see why 2008 isn’t going to be like ‘1984’” — followed by the closing text, BarackObama.com. Mr. Obama’s camp has disavowed responsibility for the ad, although there are links to it on community pages on Mr. Obama’s Web site. (And, it was apparently mashed by a 59-year-old with the YouTube username ParkRidge47; Mrs. Clinton was born in 1947 and grew up in Park Ridge, Ill., by the way.) A spokesman for Mrs. Clinton had no comment. YouTube clip at http://www.youtube.com/watch?v=6h3G-lMZxjo ; creator unmasked: http://www.newsday.com/news/nationworld/nation/ny-usdems225139825mar22,0,1775351.story?coll=ny-uspolitics-headlines

top

Missing e-mail may be related to prosecutors (New York Times, 13 April 2007) -- The White House said Thursday that missing e-mail messages sent on Republican Party accounts may include some relating to the firing of eight United States attorneys. The disclosure became a fresh political problem for the White House, as Democrats stepped up their inquiry into whether Karl Rove and other top aides to President Bush used the e-mail accounts maintained by the Republican National Committee to circumvent record-keeping requirements. It also exposed the dual electronic lives led by Mr. Rove and 21 other White House officials who maintain separate e-mail accounts for government business and work on political campaigns — and raised serious questions, in the eyes of Democrats, about whether political accounts were used to conduct official work without leaving a paper trail. The clash also seemed to push the White House and Democrats closer to a serious confrontation over executive privilege, with the White House counsel, Fred F. Fielding, asserting that the administration has control over countless other e-mail messages that the Republican National Committee has archived. Democrats are insisting that they are entitled to get the e-mail messages directly from the national committee. Representative Henry A. Waxman, the California Democrat who is chairman of a House committee looking into the use of political e-mail accounts, wrote a letter to the attorney general on Thursday saying he had “particular concerns about Karl Rove” after a briefing his aides received from Rob Kelner, a lawyer for the Republican National Committee. Mr. Rove uses several e-mail accounts, including one with the Republican National Committee, one with the White House and a private domain account that is registered to the political consulting company he once owned.

top

World faces “cyber cold war” threat (Reuters, 29 Nov 2007) - A “cyber cold war” waged over the world’s computers threatens to become one of the biggest threats to security in the next decade, according to a report published on Thursday. About 120 countries are developing ways to use the Internet as a weapon to target financial markets, government computer systems and utilities, Internet security company McAfee said in an annual report. Intelligence agencies already routinely test other states’ networks looking for weaknesses and their techniques are growing more sophisticated every year, it said. Governments must urgently shore up their defenses against industrial espionage and attacks on infrastructure. The report said China is at the forefront of the cyber war. It said China has been blamed for attacks in the United States, India and Germany. China has repeatedly denied such claims. The report was compiled with input from academics and officials from Britain’s Serious Organised Crime Agency, the U.S. Federal Bureau of Investigation and NATO. Cyber-attacks on private and government Web sites in Estonia in April and May this year were “just the tip of the iceberg,” the report warned. Estonia said thousands of sites were affected in attacks aimed at crippling infrastructure in a country heavily dependent on the Internet. The attacks appeared to have stemmed initially from Russia although the Kremlin denied any wrongdoing. “The complexity and coordination seen was new,” the report quoted an unnamed NATO source as saying. “There were a series of attacks with careful timing using different techniques and specific targets.” EU Information Society commissioner Viviane Reding said in June that what happened in Estonia was a wake-up call. NATO said “urgent work” was needed to improve defenses. The McAfee report predicted that future attacks would be even more sophisticated. “Attacks have progressed from initial curiosity probes to well-funded and well-organised operations for political, military, economic and technical espionage,” it said.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word “MIRLN” in the subject line. Unsubscribe by sending email to Vince with the words “MIRLN REMOVAL” in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon’s Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman’s Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation’s Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers’ submissions, and the editor’s discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top