Saturday, April 22, 2017

MIRLN --- 2-22 April 2017 (v20.06)

MIRLN --- 2-22 April 2017 (v20.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

UK barrister fined after 'confidential' information leaked in home computer update (LegalTechNews, 27 March 2017) - A recent decision and fine against a barrister by the U.K.'s Information Commissioner regarding confidential information provides some important lessons for both U.S. and U.K. attorneys. The confidential information belonged to as many as 250 individuals, "including vulnerable adults and children," and was "uploaded to the internet when the barrister's husband updated software on the couple's home computer," according to a statement from the Information Commissioner's Office (ICO), which is the data protection authority in the U.K. The lawyer, described as a "senior barrister" who specializes in family law, was fined £1,000 by the ICO. In addition, Kim Roberts, counsel at King & Spalding's U.K. office, said the ICO's action shows the office "will intervene to fine organizations and individuals and will exemplify cases where careless practices fail to protect personal data, particularly where that data is sensitive in nature." It is noteworthy, too, that the lawyer was self-employed. "Even as in this case, where the lawyer was a self-employed barrister rather than working in a corporate environment, he or she must follow practices which protect the personal data of clients in carrying out their work," Roberts cautioned. "In this case, insufficient care was taken when using a home computer which failed to protect the data concerned. The barrister, although self-employed, was subject to the guidelines that had been set down by the governing professional body and which were not fully followed." [Polley: Odd reporting; it seems that the lawyer's spouse updated software on the lawyer's computer, which caused the compromise.]

First Amendment institute sues government over records related to border device searches (TechDirt, 31 March 2017) - Columbia University's Knight First Amendment Institute wants to know why device searches at the border have skyrocketed since the beginning of this year. As was reported earlier this month, the number of devices searched in February 2017 equals the total searched in all of 2015. Even last year's jump from 5,000 to 25,000 searches looks minuscule in comparison. Border device searches are on track to more than double last year's numbers. The Knight First Amendment Institute filed FOIA requests with the DHS, ICE, and CBP for "statistical, policy, and assessment records" related to the steep increase in device searches. It's also looking for any legal interpretations the agencies might have on hand that explain their take on the Supreme Court's Riley decision, which instituted a warrant requirement for cell phone searches. It asked for expedited handling given the significant public interest in all things immigration and border-related, which has climbed along with the device searches thanks to several presidential directives, some of which are being challenged in court. As the lawsuit [PDF] notes, the public definitely should be apprised of the policies and procedures governing border device searches. If there's been an increase in searches, the public should be made aware of why this is happening, as well as their rights and remedies when it comes to entering or leaving the United States. The suit also points out that several recent reports suggest devices have been taken by government agents by force, or "consent" obtained through threats of further detention and/or violence.

Microsoft closing down CodePlex, tells devs to move to GitHub (ArsTechnica, 31 March 2017) - Microsoft announced Friday that CodePlex, the company's open source project-hosting service, will be closed down. Started in 2006, the service offered an alternative to SourceForge. It was based initially on Microsoft's Team Foundation Server source control and later added options to use Subversion, Mercurial, and Git. At the time, there weren't a tremendous number of good options for hosting projects. SourceForge was the big one, but it always seemed light on feature development and heavy on advertising. CodePlex on the Web was much more attractive and less cluttered. The use of TFS for source control meant it also had strong integration in Visual Studio. But these days, GitHub is the default choice for most open source projects. This applies to Microsoft, too; the company is using GitHub to host projects such as .NET and its Chakra JavaScript engine. Activity on CodePlex has declined, with fewer than 350 projects seeing code commits over the last 30 days. Accordingly, Microsoft has decided to stop running the service. From today, new projects can no longer be created. In October, all projects will be set to read-only. On December 15, CodePlex will be shut down completely, and the website will be replaced with a static archive. Projects and sources will still be browsable online, but the source control system will no longer be operational. GitHub is the preferred new home for CodePlex projects, and there's a straightforward import process that will copy CodePlex-hosted source and documentation to GitHub. Microsoft is also building a tool to migrate issues, though that's not ready yet. Projects can also be migrated to services such as Bitbucket. This will be appealing to those using Mercurial source control with CodePlex, as Bitbucket supports Mercurial in addition to the more common Git.

Indiana: Ban on broadcasting trials doesn't bar live-tweeting (Volokh/WaPo, 3 April 2017) - So an Indiana judicial ethics commission opined in an opinion that was posted on Westlaw: Rule 2.17 of the Code of Judicial Conduct requires judges to prohibit the broadcast of court proceedings except under a narrow set of exceptions. … The Commission's view is that microblogging, tweeting, or electronically relaying a written message does not constitute broadcasting under Rule 2.17, unless the transmitted message contains video or audio of court proceedings or a link to videotaped court testimony. I leave to others the question of whether outright broadcasting of trials should be allowed, but I thought this interpretation of what counts as "broadcast[ing]" in the Twitter age was interesting (and, I think, correct).

- and -

Texas Supreme Court is skeptical about Wikipedia as a dictionary (Eric Goldman on TechDirt, 12 April 2017) - This is an interesting opinion from the Texas Supreme Court on citing Wikipedia as a dictionary. The underlying case involves an article in D Magazine titled "The Park Cities Welfare Queen." The article purports to show that the plaintiff, Rosenthal, "has figured out how to get food stamps while living in the lap of luxury." After publication, evidence emerged that the plaintiff had not committed welfare fraud. She sued the magazine for defamation. The appeals court denied the magazine's anti-SLAPP motion in part because it held the term "Welfare Queen," as informed by the Wikipedia entry, could be defamatory. The Texas Supreme Court affirms the anti-SLAPP denial, but it also criticizes the appeals court for not sufficiently examining the entire article's gist. Along the way, the court opines on the credibility and validity of Wikipedia as a dictionary. TL;DR = the Supreme Court says don't treat Wikipedia like a dictionary.

Encryption policy and freedom of the press (Schneier, 4 April 2017) - Interesting law journal article: "Encryption and the Press Clause," by D. Victoria Baranetsky. Abstract: Almost twenty years ago, a hostile debate over whether government could regulate encryption -- later named the Crypto Wars -- seized the country. At the center of this debate stirred one simple question: is encryption protected speech? This issue touched all branches of government percolating from Congress, to the President, and eventually to the federal courts. In a waterfall of cases, several United States Court of Appeals appeared to reach a consensus that encryption was protected speech under the First Amendment, and with that the Crypto Wars appeared to be over, until now. Nearly twenty years later, the Crypto Wars have returned. Following recent mass shootings, law enforcement has once again questioned the legal protection for encryption and tried to implement "backdoor" techniques to access messages sent over encrypted channels. In the case, Apple v. FBI, the agency tried to compel Apple to grant access to the iPhone of a San Bernardino shooter. The case was never decided, but the legal arguments briefed before the court were essentially the same as they were two decades prior. Apple and amici supporting the company argued that encryption was protected speech. While these arguments remain convincing, circumstances have changed in ways that should be reflected in the legal doctrines that lawyers use. Unlike twenty years ago, today surveillance is ubiquitous, and the need for encryption is no longer felt by a seldom few. Encryption has become necessary for even the most basic exchange of information given that most Americans share "nearly every aspect of their lives -- from the mundane to the intimate" over the Internet, as stated in a recent Supreme Court opinion. Given these developments, lawyers might consider a new justification under the Press Clause. In addition to the many doctrinal concerns that exist with protection under the Speech Clause, the Press Clause is normatively and descriptively more accurate at protecting encryption as a tool for secure communication without fear of government surveillance. This Article outlines that framework by examining the historical and theoretical transformation of the Press Clause since its inception.

Susman Godfrey is sanctioned for wrong line spacing in brief (ABA Journal, 4 April 2017) - A federal judge in Manhattan has fined Susman Godfrey $1,048.09 for wrong spacing in a brief that allowed the law firm to cram more words into its argument on behalf of Amazon Web Services Inc. U.S. District Judge Victor Marrero said the law firm used 24-point spacing, rather than double spacing, allowing it to exceed the court's 25-page limit, Law360 (sub. req.) reports. According to Marrero, the court's individual rules of practice require all memoranda to be "double-spaced and in 12-point font with 1-inch margins."

New insurance covers cyber risks for the wealthy (Cyberscoop, 5 April 2017) - Some of the wealthiest Americans can now expand their home insurance packages to include expert advice and technology to protect them against cyberattacks, as well as a variety of complimentary or reimbursable services if they do get hacked. AIG said this week it would be offering a "Family CyberEdge" product to existing customers of its Private Client Group, as an add-on to the home insurance packages it already sells. The Private Client Group caters to families with a net worth of more than $1 million and includes 40 percent of the individuals on the Forbes 400 list of the richest Americans. The Family CyberEdge package includes a wide range of "risk mitigation services," including an audit of personal mobile devices, home networks, wireless access points and social media, banking and other secure online accounts. There is training and advice for family members about online security, and continuous monitoring that assesses the security for, and tracks the availability of, personal information online. Advice from fraud and ID theft experts at the identity and data defense specialist CyberScout, and threat intelligence from K2 Intelligence - an investigative, compliance and cyberdefense services firm - round out the preventive end of the package.

Programmer faces federal charges for creating software used by hackers (ABA Journal, 5 April 2017) - An Arkansas programmer who created software that is popular with hackers is facing federal charges of conspiracy, and aiding and abetting computer intrusions. Taylor Huddleston created a remote administration tool called NanoCore that has been linked to computer hacks in at least 10 countries, the Daily Beast reports. The case raises a novel question, according to the article: When is a programmer criminally responsible for the actions of their users? Huddleston, a high school dropout, developed the program in hopes that it could lift him out of poverty and get him out of a run-down trailer where he lived on his mother's property. His hope, he said, was that his $25 program could be used by IT administrators, parents keeping track of their children's online activity, and others who didn't have a lot of money to spend on remote-access capability. He eventually bought a $60,000 home with proceeds from NanoCore and an anti-piracy program he created called Net Seal. Prosecutors pointed out that Huddleston announced and supported NanoCore on HackForums.net. They raided his home in December, arrested him in February, and are seeking forfeiture of his home in Hot Springs, Arkansas. "It would soon become clear," the Daily Beast reports, that HackForums "was a terrible place to launch a legitimate remote administration tool. There aren't a lot of corporate procurement officers on HackForums. Instead, many of Huddleston's new customers had purely illicit uses for a slick remote-access tool. In short order, Huddleston found himself routinely admonishing people not to use his software for crime." Huddleston eventually removed his product's capability to steal passwords and log keystrokes, and he would log in and disable the software when he discovered a buyer was using it for hacking. Unhappy hackers eventually distributed pirated versions of Huddleston's software online.

Canadian Mounties own up: Yes, we own 10 IMSI-catchers (The Register, 5 April 2017) - The Royal Canadian Mounted Police has 'fessed up to a long-held suspicion that it uses Stingray-style equipment to track mobile phones. At the same time, in an interview with public broadcaster CBC, Chief Superintendent Jeff Adam says IMSI (international mobile subscriber identity)-catchers that CBC News believes it spotted in Ottawa didn't belong to any government agency - sparking concerns about who might have been snooping on government or commercial communications in the capital. The RCMP says its use of IMSI-catchers is limited: it deployed the fake base stations 24 times in 2015 and 19 times in 2016, said Adam - whose remit includes technical investigation services - in the hour-long interview. CBC News kicked off a furore when it reported evidence of IMSI-catchers in the vicinity of government buildings in Ottawa. Public Safety minister Ralph Goodale has referred the matter to the Mounties and the Canadian Security Intelligence Service for investigation. Adam told CBC that "It's a security risk when it is used in proximity to government and/or any other commercial enterprises." Without specifying his concerns in detail, Adam warned that those deploying IMSI-catchers could be attempting more than surveillance: "There is equipment out there that is not limited in its capturing of communications between devices."

Unpaywall scours the web for free versions of scientific papers (TechCrunch, 5 April 2017) - The science publishing world is a complex one, but the pendulum is currently swinging away from the paywalled mega-journals of the last decade to a more open model - but it can still be hard to find a full copy of an article you need on short notice. Unpaywall is a browser plug-in that identifies the paper you're looking for, then checks whether it's available for free anywhere on the web. Install the plug-in in Firefox or Chrome, and when you arrive at a page summarizing or showing part of an article, a little lock icon appears telling you whether you can get it somewhere else for free. For instance, on this paper the icon is grey (it's still only available behind the paywall), but here (also at Nature), it's green. Clicking it brings me to a PDF version hosted at Arxiv. * * *

- and -

European Commission may join Gates Foundation and Wellcome Trust in becoming an open access publisher (TechDirt, 6 April 2017) - Open access isn't a new idea -- the term was first defined back in 2002, and arguably the first examples go back even further to the founding of arXiv.org in 1991 (pdf). And yet progress towards making all academic knowledge freely available has been frustratingly slow, largely because hugely profitable publishers have been fighting it every inch of the way. In response to that intransigence, academics have come up with a variety of approaches, including boycotts, mass cancellation of subscriptions, new kinds of overlay journals and simply making everything available with or without permission. Here's another interesting move to open up publishing, reported by the journal Science: One of Europe's biggest science spenders could soon branch out into publishing. The European Commission, which spends more than €10 billion annually on research, may follow two other big league funders, the Wellcome Trust and the Bill & Melinda Gates Foundation, and set up a "publishing platform" for the scientists it funds, in an attempt to accelerate the transition to open-access publishing in Europe. It was quite surprising to see the Wellcome Trust start its own rapid-publishing unit, called Wellcome Open Research, a move that seems to have encouraged the Bill & Melinda Gates Foundation to follow suit with the similar Gates Open Research platform, due to start publishing later this year. For the EU's main executive body to do the same is even more extraordinary. It's true that there has been no official announcement about the European Commission's publishing move, but the Science article suggests that it is likely: * * *

- and -

Institute announces new open access policy for all MIT authors (MIT News, 6 April 2017) - Thanks to the efforts of Cara Manning PhD '16, the MIT Libraries, and many others across the Institute, MIT is launching a new way for authors of scholarly articles to legally hold onto rights to reuse and post their articles, and for others to more easily build on that work. As of this month, all MIT authors, including students, postdocs, and staff, can opt in to an open access license. * * * "We'd long heard from MIT authors who were not faculty that they'd like a policy so they would be more assured of their rights to share their work. But there was no clear path to extend the policy to those authors," says Ellen Finnie, head of scholarly communications and collections strategy at the MIT Libraries. "The faculty adopted the policy in 2009 as a faculty policy, and they were not positioned to create a blanket policy for other groups at MIT. There were governance questions about who could create a policy that would apply by default for graduate students." After Manning and Finnie met in 2015, Finnie and attorney Jay Wilcoxson from the Office of General Counsel came up with the idea for an opt-in license - a voluntary agreement that an individual MIT author can sign and that applies to scholarly articles written while at MIT. "We thought that an optional license would offer the power of an open access policy for authors not covered by the faculty policy. It's exciting to see the license now available to all MIT authors," says Finnie. The opt-in language mirrors that of the faculty policy and was vetted across campus by groups including the Office of General Counsel, Faculty Policy Committee, Committee on Intellectual Property, and Graduate Student Council, which has long supported making student work more accessible to the public. The license can be used by authors who are employed by, have an academic instructional staff or academic research staff (e.g., postdoc) appointment from, or are registered as a student at MIT, and applies to articles written while at the Institute.

- and -

Tearing down science's citation paywall, one link at a time (Wired, 7 April 2017) - To scientists, citations are currency. No, you can't use them to put gas in your car or food on your table. But surviving in academia means publishing papers people want to read and, more to the point, cite in their own research. Citations establish credibility, and determine the impact of a given paper, researcher, and institution. Simply put, they fundamentally shape what people believe. The problem with this lies in determining who's citing whom. Over the last few decades, only researchers with subscriptions to two proprietary databases, Web of Science and Scopus, have been able to track citation records and measure the influence of a given article or scientific idea. This isn't just a problem for scientists trying to get their resumes noticed; a citation trail tells the general public how it knows what it knows, each link a breadcrumb back to a foundational idea about how the world works. On Thursday, a coalition of open data advocates, universities, and 29 journal publishers announced the Initiative for Open Citations with a commitment to make citation data easily available to anyone at no cost. "This is the first time we have something at this scale open to the public with no copyright restrictions," says Dario Taraborelli, head of research at the Wikimedia Foundation, a founding member of the initiative. "Our long-term vision is to create a clearinghouse of data that can be used by anyone, not just scientists, and not just institutions that can afford licenses."

FBI, DHS disagree on when to tell victims they've been hacked (Cyberscoop, 6 April 2017) - Competing interests exist between two of the predominant federal agencies tasked with stopping hackers from attacking the U.S., officials say, and that dynamic shapes how and when the government notifies Americans if they've been breached. The Homeland Security Department and FBI follow distinctly different missions, and this extends into cyberspace, according to John Felker, director of the National Cybersecurity and Communications Integration Center. NCCIC is DHS's around-the-clock office for incident awareness and response. Occasionally, DHS's efforts to rapidly deploy software updates and immediately notify a victim when a cybersecurity incident occurs clash with the FBI's work to fully investigate and ultimately prosecute cybercriminals, Felker said Thursday. "There's always going to be some tension between our mission space at DHS, which is asset response, threat mitigation - stop the bleeding, if you will - and law enforcement's threat response, which is to catch a bad guy and make a successful prosecution," Felker said during McAfee's Security through Innovation conference hosted by CyberScoop and FedScoop. "It's not easy and it's case-by-case. The challenge we have is to keep a relationship that is open and honest and transparent between us." "Even in the last couple weeks we've had a few knock-down, drag-outs about cases that are going on, but it is what it is," Felker said. "We'll work through it." Ongoing negotiations effectively determine when DHS will rapidly reach out to a victim or, on the other hand, if the FBI will be afforded a grace period to collect evidence and gain new insight.

New Tenn. law: No breach notice needed if data encrypted (Bloomberg, 6 April 2017) - Companies don't need to notify Tennessee citizens of personal data breaches if the information was encrypted, under a new law that took effect April 4 and clarifies confusion created by a 2016 amendment. The measure reinstates language in the state's data breach notice law to remove any doubt that companies do not need to give notice of an encrypted data breach, unless the encryption key is also breached. It took effect with Gov. Bill Haslam's (R) signature. Tennessee adopted a breach notification law in 2005 that specifically exempted companies from providing notice if the breached data were encrypted. But in 2016, the law was amended to remove the exemption. The 2016 amended law, however, still mentioned in another section that encryption was a positive means of protecting data. This created confusion for companies about whether they could still avoid providing notice if the data were encrypted.

Company boards lack deep security knowledge - survey (BizCommunity, 7 April 2017) - According to a recent National Association of Corporate Directors (NACD) survey, although almost 90% of directors at public companies claim their board discusses cyber risk regularly, only 14% have deep knowledge of the topic. Lutz Blaeser, MD of Intact Software Distribution, says that 60% of respondents said they find overseeing cyber risk a challenge. "Just over half of publicly listed companies reported that cyber risk oversight falls on the audit committee, and 96% of directors that took the survey said the full board takes on the big picture risks that could impact their organisation's strategic direction." The survey, says Blaeser, also highlighted that the most common board cyber-risk oversight practices are reviewing the organisation's approach to protecting its most critical assets, followed by reviewing the technical infrastructure used to protect those assets.

Roku TVs can now detect what you're watching on cable to see if it's available on Netflix (The Verge, 11 April 2017) - Televisions with Roku's software preinstalled can now automatically detect what you're watching via cable, satellite, or an antenna. The new feature, coming to Roku TVs as part of the latest operating system update, is called "More Ways to Watch" and is designed to show you whenever a show or movie you've got on can also be streamed using popular services like Netflix, Hulu, and Amazon Video. This could allow you to watch an in-progress episode from the beginning, find other episodes of a series, or view recommendations for similar content. Roku uses Automatic Content Recognition (ACR) technology to recognize what's currently being viewed in your living room. Somewhat creepy, yet also helpful! Not that the creepy side is stopping other companies from doing the same thing. Roku is at least being careful about how it's all being implemented. More Ways to Watch requires customers to opt in once the feature is rolled out or whenever they perform an initial out-of-box setup on a Roku TV. Only Roku TVs are doing this right now; your streaming set-top box isn't (yet) detecting what you're watching.

Uber reportedly tracked Lyft drivers using a secret software program named 'Hell' (TechCrunch, 12 April 2017) - Another day, another revelation of an ethically questionable business practice by Uber. This time The Information reports that Uber secretly tracked Lyft drivers using an internal software program it dubbed Hell. Hell not only let Uber see how many Lyft drivers were available for rides and what their prices were, but also figure out which ones were double-dipping by driving for Uber, too. This meant Uber had data that made it easier to offer those drivers incentives to switch over to Uber exclusively. The software was called Hell in reference to "God View," its tool for tracking the location of customers (God View, also called "Heaven," was infamously abused by Uber employees to stalk journalists, celebrities and ex-girlfriends). Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft's system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider. Then Uber executives realized that Lyft had assigned a numerical user ID to each of its drivers. This bonanza allowed them to start long-term tracking of Lyft drivers and deduce who also drove for Uber. Once Uber knew when and where they tended to log onto Lyft, the company was able to offer drivers incentives, including financial bonuses, designed to convince them to use only Uber.
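The tracking technique described above reduces to two design weaknesses in a location-lookup API: clients can assert arbitrary positions, and responses carry an identifier that stays the same across queries, so an adversary can join results from many spoofed positions into a movement history. As an added illustration (not code from Uber, Lyft or The Information's reporting), the Python below simulates that with a constructed set of driver positions: a toy nearest-drivers lookup that can return either the real driver ID or a per-query pseudonym (an HMAC over the driver ID and a fresh query nonce under an assumed server-side secret), and a probing routine that issues one query per spoofed location and counts how often each returned identifier recurs.

```python
import hashlib
import hmac
import math
import secrets
from collections import defaultdict

# Constructed sample data for this example (not real drivers or real positions):
# driver ID -> (latitude, longitude).
DRIVERS = {
    "d-101": (37.7749, -122.4194),
    "d-102": (37.7799, -122.4094),
    "d-103": (37.7649, -122.4294),
    "d-104": (37.7849, -122.4394),
    "d-105": (37.7700, -122.4100),
    "d-106": (37.7600, -122.4000),
    "d-107": (37.7900, -122.4200),
    "d-108": (37.7500, -122.4300),
    "d-109": (37.7950, -122.4050),
}

# Assumed server-side secret; in a real service this lives in the backend only.
SERVER_SECRET = secrets.token_bytes(32)


def distance_km(a, b):
    """Great-circle distance (haversine) between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearby_drivers(lat, lon, n=8, stable_ids=True, query_nonce=None):
    """Toy 'nearest n drivers' endpoint.

    stable_ids=True  : the weak design; every response carries the real driver ID,
                       so responses to different queries can be joined on it.
    stable_ids=False : each response carries HMAC(secret, nonce || driver_id), a
                       pseudonym that is consistent within one query (the UI can
                       still de-duplicate) but unlinkable across queries.
    """
    if query_nonce is None:
        query_nonce = secrets.token_bytes(16)
    ranked = sorted(DRIVERS.items(), key=lambda kv: distance_km((lat, lon), kv[1]))[:n]
    results = []
    for driver_id, (dlat, dlon) in ranked:
        if stable_ids:
            token = driver_id
        else:
            token = hmac.new(SERVER_SECRET, query_nonce + driver_id.encode(),
                             hashlib.sha256).hexdigest()[:16]
        results.append({"id": token, "lat": dlat, "lon": dlon})
    return results


def probe_and_link(probe_points, stable_ids):
    """Adversary's side: one query per spoofed position, then join on the ID.

    Returns {identifier: number of probes that returned it}. A count above 1
    means the adversary could follow that identifier across positions.
    """
    seen = defaultdict(int)
    for lat, lon in probe_points:
        for d in nearby_drivers(lat, lon, stable_ids=stable_ids):
            seen[d["id"]] += 1
    return dict(seen)


def max_linkage(seen):
    """Largest number of probes any single identifier could be joined across."""
    return max(seen.values()) if seen else 0


if __name__ == "__main__":
    probes = [(37.77, -122.42), (37.78, -122.41), (37.76, -122.43)]
    for mode in (True, False):
        linked = probe_and_link(probes, stable_ids=mode)
        print("stable ids" if mode else "per-query pseudonyms",
              "->", len(linked), "identifiers, max linkage", max_linkage(linked))
```

With stable IDs every driver in the overlap of the three probes is linked across all three queries; with per-query pseudonyms no identifier repeats, so the join fails. Pseudonyms alone do not close the hole: the returned coordinates can still be correlated over time, so a real deployment would also coarsen positions, cap the number of position assertions per account, and flag accounts that query constantly but never book a ride.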

Inmates built computers hidden in ceiling, connected them to prison network (ArsTechnica, 12 April 2017) - Inmates at a medium-security Ohio prison secretly assembled two functioning computers, hid them in the ceiling, and connected them to the Marion Correctional Institution's network. The hard drives were loaded with pornography, a Windows proxy server, VPN, VOIP and anti-virus software, the Tor browser, password hacking and e-mail spamming tools, and the open source packet analyzer Wireshark. That's according to a new report (PDF) from the Ohio Office of the Inspector General, which concluded that the geeky inmates obtained the parts from an onsite computer skills and electronics recycling program. The agency's IT department, according to the report, initially was alerted to a connected device, using a contractor's stolen credentials, that had "exceeded a daily Internet usage threshold." The computers were operational for about four months. After a three-week search, they were discovered above a training room closet in an area off limits to unsupervised inmates. Ultimately, the authorities traced cable from a networking switch to find the devices that were assembled with discarded computers from an Ohio aircraft parts company and an Ohio school district. A forensic analysis of the hard drives found that they were loaded with "malicious" software and that inmates used the computers to apply for credit cards, research tax-refund fraud, search inmate records, and obtain prison access passes for restricted areas. "Additionally, articles about making home-made drugs, plastics, explosives, and credit cards were discovered," according to the report.
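The detail in the report worth copying is the detection path: the rogue machines were found because one account crossed a daily Internet-usage threshold, and that account belonged to a contractor whose credentials had been stolen. As an added example (not code from the Inspector General's report or the prison's IT department), the Python below runs two such checks over a constructed proxy-log sample: a per-account daily byte count that alerts once when it crosses an assumed 1 GiB threshold, and a check that each request's client IP is one the account has been seen on before, using an assumed baseline table in place of a real asset inventory.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy-log sample for this example; not taken from the Ohio report.
# Fields: ISO timestamp, account name, client IP, bytes transferred.
SAMPLE_LOG = """\
2017-03-01T08:01:00 jdoe-contractor 10.20.1.15 120000
2017-03-01T09:30:00 jdoe-contractor 10.20.1.15 300000
2017-03-01T11:00:00 asmith 10.20.1.22 5000000
2017-03-01T13:00:00 jdoe-contractor 10.20.9.201 900000000
2017-03-01T22:30:00 jdoe-contractor 10.20.9.201 1500000000
2017-03-02T02:00:00 jdoe-contractor 10.20.9.201 2500000000
2017-03-02T08:05:00 jdoe-contractor 10.20.1.15 250000
"""

# Assumed policy value: 1 GiB per account per calendar day.
DAILY_THRESHOLD_BYTES = 1024 ** 3

# Assumed baseline of client addresses each account normally uses, standing in
# for an asset inventory or a learned profile.
KNOWN_HOSTS = {
    "jdoe-contractor": {"10.20.1.15"},
    "asmith": {"10.20.1.22"},
}


@dataclass
class Record:
    ts: str
    user: str
    src_ip: str
    nbytes: int

    @property
    def day(self):
        return self.ts[:10]


def parse_log(text):
    """Yield one Record per non-empty, whitespace-separated log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, nbytes = line.split()
        yield Record(ts, user, src_ip, int(nbytes))


def daily_totals(text):
    """Bytes transferred per (account, day)."""
    totals = defaultdict(int)
    for r in parse_log(text):
        totals[(r.user, r.day)] += r.nbytes
    return dict(totals)


def analyze(text, threshold=DAILY_THRESHOLD_BYTES, known_hosts=KNOWN_HOSTS):
    """Run both detections in one pass; return a list of alert dicts.

    daily_usage_exceeded        fires once per (account, day), at the request
                                that pushes the running total over the threshold.
    credential_from_unknown_host fires once per (account, client IP, day) when
                                the address is not in the account's baseline.
    """
    usage = defaultdict(int)
    seen_unknown = set()
    alerts = []
    for r in parse_log(text):
        key = (r.user, r.day)
        before = usage[key]
        usage[key] += r.nbytes
        if before <= threshold < usage[key]:
            alerts.append({"kind": "daily_usage_exceeded", "user": r.user,
                           "day": r.day, "bytes": usage[key], "first_seen": r.ts})
        if r.src_ip not in known_hosts.get(r.user, set()):
            mark = (r.user, r.src_ip, r.day)
            if mark not in seen_unknown:
                seen_unknown.add(mark)
                alerts.append({"kind": "credential_from_unknown_host", "user": r.user,
                               "day": r.day, "src_ip": r.src_ip, "first_seen": r.ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second check is what would have surfaced this case earlier: the contractor's account appears from a client address that is not in its baseline hours before the volume threshold trips. Both checks alert at most once per account and day, so a noisy host produces one ticket rather than one per request.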

How The New York Times decides which stories to link to (and which ones to match) (Poynter, 17 April 2017) - Even though The New York Times has a staff of more than 1,000 journalists that produce roughly 230 articles per day - the equivalent of a daily Harry Potter book - there are some stories they just can't get. Controversial (but worthy) opinion pieces, harrowing first-person accounts and profiles of reclusive celebrities all exist beyond the walled garden of nytimes.com. In years past, The Times might've ignored these stories, rolled them into a longer article or tried to match them. Now, they just link out. Along with colleague Michelle Dozois, Times Senior Digital Strategist Anna Dubenko publishes a twice-weekly roundup of stories under a made-to-share headline that signals temporary relief from the unending torrent of news from the capital: "15 great stories that have nothing to do with politics," reads one. "Take a break from politics with these 12 stories." "Sick of politics? Try these great reads." The curation strategy might seem contradictory for a newspaper whose business depends on attracting readers and holding them on The Times' owned-and-operated platforms. Why link out when you could flood the masses with Times journalism? But the articles are part of a plan to create habitual users of The New York Times who will return to the newspaper for news they actually want to consume - regardless of who made it. "It might sound a bit ambitious or crazy to say, but it's sort of my dream to really compete with what I think is a broken News Feed," Dubenko said. "...The idea behind curation at The Times is: What if your really smart, funny, charming, friend - me - gave you recommendations of what to read without all of the craziness that you might get in your News Feed?" The latest of these efforts is "Right and Left: Partisan Writing You Shouldn't Miss," a twice-weekly roundup of political writing from both sides of the ideological spectrum. With the debut of hyperpartisan news sites and the rise of filter bubbles on social media, many centrist news organizations have launched initiatives aimed at dispelling the political myopia that afflicts us all. BuzzFeed has "Outside Your Bubble," a feature that exposes its audience to viewpoints outside their personal ideologies. The Guardian has "Burst Your Bubble," a weekly guide to the right-wing media commentariat. But where The New York Times roundup differs from its competition is that Dubenko is interested in both the left- and the right-wing. And she's trying to find writers who are actually interested in convincing readers who may not agree with them. * * * [Polley: very interesting]

Another trick to try to get mainstream media articles deindexed by Google (Volokh/WaPo, 18 April 2017) - I've been blogging over the past several months about people using various tactics to try to get Google to "deindex" Web pages - remove them from Google indexes, so that Google users won't see them in search results. If you send Google a court order finding the material on some pages to be defamatory, Google will consider deindexing those pages, on the theory that the court order is fairly reliable evidence that the pages are indeed inaccurate and libelous. But the consequence is that people have been using various stratagems to deindex material even when there's little reason for such confidence. Here's another twist, which some people have used to try to deindex mainstream news articles (though without any success, to my knowledge, because Google seems skeptical of these particular requests) - they (a) sue the people quoted in the articles, (b) get stipulations from the people recanting their allegations, (c) get court orders based on those recantations and then (d) try to use those court orders to deindex an entire article. Now, if a media organization gets such a recantation from one of the sources they quote, the editors would reasonably ask: Was the source lying then, or is he lying now? If the editors are persuaded that the recantation is accurate, they might well publish a correction, or revise or even take down the original article. But if they think that the original report was accurate, and the recantation was coerced using a lawsuit, they might stand by their story. When a plaintiff sues the source, though, gets a stipulation and submits the order to Google with a deindexing request, the plaintiff is trying to short-circuit the news organization's review of the matter. Instead, the plaintiff wants to just get the original story hidden, with no independent evaluation of whether the story was and continues to be correct. Consider, for example, Ball v. Saurman. A Ventura County Star article had quoted Sandee Saurman as sharply criticizing J. Kiely Ball's hearing aid company. Ball sued Saurman, who eventually agreed to a stipulation in which she stated that her original allegations were false. A court then issued an injunction, which was submitted to Google for deindexing of the newspaper article. If the Court of Appeal decision were upheld, Google would have had to deindex the Ventura County Star article even though neither the Star nor Google had an opportunity to independently examine Saurman's recantation. * * *

New apps from MIT fill your waiting moments with learning opportunities (TechCrunch, 18 April 2017) - MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) has come up with a way to fill those few seconds of waiting everyone experiences while their social media apps load, or their phone connects to WiFi. It may not seem like much, but filling these gaps can [have] a significant aggregate effect, given how much time we spend on our devices. To fill this time with productive learning opportunities, CSAIL came up with WaitSuite, a collection of apps that work on desktop or mobile, offering up educational micro-moments where you can brush up on second language vocab skills and more in the time between everything else. MIT's work here isn't unprecedented: They cite apps like Duolingo that already offer up short-term learning opportunities tied to devices like smartphones that we have with us everywhere. WaitSuite targets even more fleeting moments, like while you're waiting for your phone or computer to connect to a WiFi network, or while you're waiting for someone to text you back. WaitSuite also covers the time spent fetching emails, waiting for an elevator to arrive, and waiting for various kinds of content to load on your phone. The system is simple, and basically presents you with a vocabulary word to translate, with a simple text entry field. This could be repurposed to learn specific lingo for various fields of study and work, or for SAT prep and more, but language learning was an easy target because of the flash card-like experience. The system also automatically detects if your device is looking for a WiFi connection, or if your phone can detect Bluetooth iBeacons that indicate you're near an elevator, and the automatic nature is key - users don't have to think about what app to open, it's presented instantly, letting them direct their full attention to that learning task for the few seconds they typically have to wait during these activities. 
A side benefit of the apps was that users still paid attention to their original task: When they fill these moments with things like browsing social media, they tend to get lost in that secondary activity, but with these quick learning moments, they return their attention more fully to what they were doing in the first place.

Who controls the blockchain? (HBR, 19 April 2017) - Blockchain networks tend to support principles, like open access and permissionless use, that should be familiar to proponents of the early internet. To protect this vision from political pressure and regulatory interference, blockchain networks rely on a decentralized infrastructure that can't be controlled by any one person or group. Unlike political regulation, blockchain governance is not emergent from the community. Rather, it is ex ante, encoded in the protocols and processes as an integral part of the original network architecture. To be a part of a community supporting a blockchain is to accept the rules of the network as they were originally established. In a blockchain transaction, you don't have to trust your counterpart to perform their obligations or properly record transactional data, since these processes are standardized and automated, but you do have to trust that the code and the network will function as you expect. And just how immutable are blockchain ledger entries if the network becomes politicized? As it turns out, not very. * * * [ Polley : First time I've seen a blockchain article in Harvard Business Review.]

RESOURCES

Fair Use, Notice Failure, and the Limits of Copyright as Property (BU Law Review) - Abstract: If we start with the assumption that copyright law creates a system of property rights, to what extent does this system give adequate notice to third parties regarding the scope of such rights, particularly given the prominent role played by the fair use doctrine? This essay argues that, although the fair use doctrine may provide adequate notice to sophisticated third parties, it fails to provide adequate notice to less sophisticated parties. Specifically, the fair use doctrine imposes nearly insuperable informational burdens upon the general public regarding the scope of the property entitlement and the corresponding duty to avoid infringement. Moreover, these burdens have only increased with changes in technology that enable more, and more varied, uses of copyrighted works. The traditional response to uncertainty in fair use has been to suggest ways of curing the notice failure by providing clearer rules about what is and is not permitted. This essay suggests, however, that these efforts to reinforce the property framework feel increasingly strained and fail to reflect how copyright law is actually experienced by the general public. Indeed, the extent of the notice failure is such that it may be time to stop treating copyright like a property right, at least for certain classes of users. The essay ends by suggesting a number of alternative frameworks that would seek to regulate public behavior regarding copyrighted works without imposing the unrealistic informational burdens required by a system of property rights.

Encryption Workarounds (Bruce Schneier & Orin Kerr, Georgetown Law Journal) - Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target's data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Public access group defies copyright to post Smithsonian images online (Canada.com, 18 May 2007) -- Grabbing pictures of iconic Smithsonian Institution artifacts just got a whole lot easier. Before, if you wanted to get a picture of the Wright Brothers' plane, you could go to the Smithsonian Images website and pay for a print or high-resolution image after clicking through several warnings about copyrights and other restrictions - and only if you were a student, teacher or pledging not to use it to make money. Now, you can just go to the free photo-sharing website flickr.com. A nonprofit group is challenging the copyrights and restrictions on images being sold by the Smithsonian. But instead of going to court, the group downloaded all 6,288 photos online and posted them Wednesday night on the free Internet site. "I don't care if they sell the photos, but then once they sell it, they can't say you can't reuse this photo," said Carl Malamud, co-founder of the group Public.Resource.Org, advocates for posting more government information online. "You're not allowed to chill debate by telling people they can't use something because it's under copyright when that's not true." Most images the Smithsonian is selling, including photos of artifacts and historic figures, are not protected by copyright, Malamud said. But the Smithsonian site carries copyright notices and other warnings that would discourage most people from using historic images that should be publicly available, he said.

State Department launches first blog (US Department of State, 25 Sept 2007) - Welcome to the State Department's first-ever blog, Dipnote. As a communicator for the Department, I have the opportunity to do my fair share of talking on a daily basis. With the launch of Dipnote, we are hoping to start a dialogue with the public. More than ever, world events affect our daily lives-what we see and hear, what we do, and how we work. I hope Dipnote will provide you with a window into the work of the people responsible for our foreign policy, and will give you a chance to be active participants in a community focused on some of the great issues of our world today… [ Polley (in 2017): ironic that the link has rotted.]

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, April 01, 2017

MIRLN --- 12 March – 1 April 2017 (v20.05)

MIRLN --- 12 March - 1 April 2017 (v20.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

France drops electronic voting for citizens abroad over cybersecurity fears (Fortune, 6 March 2017) - France's government has dropped plans to let its citizens abroad vote electronically in legislative elections in June because of concern about the risk of cyber attacks, the Foreign Ministry said on Monday. The National Cybersecurity Agency believed there was an "extremely high risk" of cyber attacks. "In that light, it was decided that it would be better to take no risk that might jeopardise the legislative vote for French citizens residing abroad," the ministry said in a statement. Since 2012, French citizens abroad had been allowed to vote electronically in legislative elections, but not in the presidential vote. France will elect a new president in a two-round ballot in April and May.

DHS finalizing best practices for notifying victims of major cyber breaches (Federal News Radio, 6 March 2017) - The Homeland Security Department is finalizing best practices that agencies, state and local governments and other organizations involved in a cyber breach can use to notify victims. The guidance lends suggestions on the decision-making process for notifying impacted individuals, preparing and delivering notices, concerns about "over-notifying" and additional support for victims. The DHS Data Privacy and Integrity Advisory Committee drafted the document after former DHS Chief Privacy Officer Karen Neuman asked the committee in September 2015 to develop written best practices for notifying data breach victims. The committee made minor changes to and approved a final draft of best practices at a committee meeting Feb. 21.

Home Depot to pay $25M in breach settlement (SC Magazine, 10 March 2017) - Following a massive breach, retailer Home Depot has agreed to pay a $25 million settlement for damages resulting from the 2014 incursion that exposed personal information of more than 50 million customers. Hackers managed to infiltrate the chain store's self check-out terminals to purloin email and credit card data. Under the terms of the agreement, Home Depot also must improve its cybersecurity implementations, including tighter oversight of its vendors. Home Depot is already out of pocket some $134.5 million, which it paid in compensation to card brands and financial institutions, and last year it agreed to compensate affected customers to the tune of $19.5 million. The cost of the breach is currently running around $179 million, based on figures in court documents, Fortune reported, but that figure is expected to rise considerably once legal fees and other charges are factored in.

Judge says cops can search BitTorrent shared files without a warrant (Motherboard, 10 March 2017) - A judge in Baton Rouge, Louisiana, has ruled that an alleged child pornographer had no expectation of privacy in the files he shared via BitTorrent because those files were accessible to anyone on the popular peer-to-peer file-sharing network. In 2015, a police detective in Louisiana used a piece of software called Torrential Downpour, which is sold exclusively to law enforcement, to scan the BitTorrent network for child pornography. That's how the cops found Justin Landry, a 36-year-old from Prairieville, who allegedly had videos of children being raped on his BitTorrent shared folder, which allows users to make their own files available for download to others on the internet. Judge John W. deGravelles, of the United States District Court for the Middle District in Baton Rouge ruled on Thursday that the undercover cop investigating the case didn't need a warrant to search Landry's files, because Landry wasn't protected by the 4th Amendment's prohibition against unreasonable search and seizure when it came to the videos and pictures he was sharing on BitTorrent. "Files which an individual voluntarily places in a shared folder on a peer-to-peer network are considered publicly available," the judge wrote in the ruling, which denied Landry's request to suppress the evidence gathered in the search, and was spotted by USA Today investigative reporter Brad Heath.

- and -

Microsoft pulls then revives Docs.com search after complaints of exposed sensitive files (ZDnet, 26 March 2017) - Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. The files reviewed by ZDNet, and seen by others who tweeted about them, included password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.

Malware found preinstalled on 38 Android phones used by 2 companies (ArsTechnica, 10 March 2017) - A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices. An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected. Most of the malicious apps were info stealers and programs that displayed ads on the phones. One malicious ad-display app, dubbed "Loki," gains powerful system privileges on the devices it infects. Another app was a mobile ransomware title known as "Slocker," which uses Tor to conceal the identity of its operators.
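An added example, not from the Check Point post or the Ars article, of the check the story implies: packages that sit on the system partition but are absent from the OEM's known-good manifest are the supply-chain additions described above, while apps under /data are ordinary user installs and are ignored. It parses the "package:<apk path>=<package name>" lines that "adb shell pm list packages -f" prints; the OEM baseline and the device listing are constructed sample data with hypothetical package names.

```python
"""
Added example (not Check Point's or the article's code): flag packages that
live on an Android system partition but are not in the OEM's known-good
manifest. Input is the text format of `adb shell pm list packages -f`,
i.e. one `package:<apk path>=<package name>` line per installed package.
The baseline and the device listing below are constructed sample data.
"""
import re
from dataclasses import dataclass

# One line of `pm list packages -f` output: package:<path>=<name>
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<name>[\w.]+)$")

# Partitions that only a firmware image (or a root-level actor) can populate;
# anything here that the OEM image did not ship is a supply-chain addition.
SYSTEM_PREFIXES = ("/system/", "/vendor/", "/product/", "/oem/")


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    path: str

    @property
    def on_system_partition(self) -> bool:
        return self.path.startswith(SYSTEM_PREFIXES)


def parse_pm_list(output: str) -> list[InstalledPackage]:
    """Parse `pm list packages -f` text into InstalledPackage records."""
    pkgs = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected pm output line: {line!r}")
        pkgs.append(InstalledPackage(m["name"], m["path"]))
    return pkgs


def find_unexpected_system_packages(
    pkgs: list[InstalledPackage], baseline: frozenset[str]
) -> list[InstalledPackage]:
    """System-partition packages the OEM baseline does not account for."""
    return sorted(
        (p for p in pkgs if p.on_system_partition and p.name not in baseline),
        key=lambda p: p.name,
    )


# Constructed sample: what the known-good OEM image ships (hypothetical names).
OEM_BASELINE = frozenset({
    "com.android.settings",
    "com.android.systemui",
    "com.example.oem.launcher",
})

# Constructed sample device listing (hypothetical package names). The
# "NetHelper" entry is on /system but not in the OEM baseline; the game is a
# normal user install on /data and should not be flagged.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/app/OemLauncher/OemLauncher.apk=com.example.oem.launcher
package:/system/priv-app/NetHelper/NetHelper.apk=com.example.adnet.helper
package:/data/app/com.example.game-1/base.apk=com.example.game
"""


def audit(output: str = SAMPLE_PM_OUTPUT,
          baseline: frozenset[str] = OEM_BASELINE) -> list[str]:
    """Names of system-partition packages missing from the OEM baseline."""
    return [p.name for p in find_unexpected_system_packages(parse_pm_list(output), baseline)]


if __name__ == "__main__":
    for name in audit():
        print("on system partition, not in OEM baseline:", name)
```

Only additions relative to a baseline you trust are caught this way; a tampered build that replaces an OEM APK under the same package name needs a per-APK hash comparison against the vendor image. And, as the article notes, a hit on /system is not something "Uninstall" fixes: the firmware has to be reflashed.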

Facebook says police can't use its data for 'surveillance' (WaPo, 13 March 2017) - Facebook is cutting police departments off from a vast trove of data that has been increasingly used to monitor protesters and activists. The move, which the social network announced Monday, comes in the wake of concerns over law enforcement's tracking of protesters' social media accounts in places such as Ferguson, Mo., and Baltimore. It also comes at a time when chief executive Mark Zuckerberg says he is expanding the company's mission from merely "connecting the world" into friend networks to promoting safety and community. Although the social network's core business is advertising, Facebook, along with Twitter and Facebook-owned Instagram, also provides developers access to users' public feeds. The developers use the data to monitor trends and public events. For example, advertisers have tracked how and which consumers are discussing their products, while the Red Cross has used social data to get real-time information during disasters such as Hurricane Sandy. But the social networks have come under fire for working with third parties who market the data to law enforcement. Last year, Facebook, Instagram and Twitter cut off access to Geofeedia, a start-up that shared data with law enforcement, in response to an investigation by the American Civil Liberties Union. The ACLU published documents that made references to tracking activists at protests in Baltimore in 2015 after the death of a black man, Freddie Gray, while in police custody and also to protests in Ferguson, Mo., in 2014 after the police shooting of Michael Brown, an unarmed black 18-year-old. On Monday, Facebook updated its instructions for developers to say that they cannot "use data obtained from us to provide tools that are used for surveillance." The company also said, in an accompanying blog post, that it had kicked other developers off the platform since it had cut ties with Geofeedia.

Phone searches now default mode at the border; more searches last month than in all of 2015 (TechDirt, 14 March 2017) - The Constitution -- which has always been malleable when national security interests are in play -- simply no longer applies at our nation's borders. Despite the Supreme Court's finding that cell phone searches require warrants, the DHS and CBP have interpreted this to mean it doesn't apply to searches of devices entering/leaving the country. For the past 15 years, the government has won 9/10 constitutional-violation edge cases if they occurred within 100 miles of our borders -- a no man's land colloquially referred to as the "Constitution-free zone." But the pace of device searches has increased exponentially over the last couple of years. The "border exception" is no longer viewed as an "exception" -- something to be deployed only when customs officers had strong suspicions about a person or their devices. Now, it's the rule, as NBC News reports: Data provided by the Department of Homeland Security shows that searches of cellphones by border agents have exploded, growing fivefold in just one year, from fewer than 5,000 in 2015 to nearly 25,000 in 2016. According to DHS officials, 2017 will be a blockbuster year. Five-thousand devices were searched in February alone, more than in all of 2015.

20,000 worldclass university lectures made illegal, so we irrevocably mirrored them (LBRY, 15 March 2017) - Today, the University of California at Berkeley has deleted 20,000 college lectures from its YouTube channel. Berkeley removed the videos because of a lawsuit brought by two students from another university under the Americans with Disabilities Act. We copied all 20,000 and are making them permanently available for free via LBRY. This makes the videos freely available and discoverable by all, without reliance on any one entity to provide them (even us!). The full catalog is over 4 TB and will be synced over the next several days. Until LBRY launches to the public in April, the videos are only accessible to technical users via the command line. If you already have access to LBRY, go to lbry://ucberkeley to see the full catalog. If you want to be notified as soon as the videos are made public to everyone, sign up here. If you're command-line-capable but new to LBRY, follow this guide, then access lbry://ucberkeley. The vast majority of the lectures are licensed under a Creative Commons license that allows attributed, non-commercial redistribution. The price for this content has been set to free and all LBRY metadata attributes it to UC Berkeley. When publishing the lectures to LBRY, the content metadata is written to a public blockchain, making it permanently public and robust to interference. Then, the content data itself is hosted via a peer-to-peer data network that offers economic incentives to ensure the data remains viable. This is superior to centralized or manual hosting, which is vulnerable to technical failure or other forms of attrition. [ see also 'No plans' to delete free content (InsideHigherEd, 14 March 2017)]

U.S. judge rejects Google email scanning settlement (Reuters, 16 March 2017) - A federal judge rejected Google's proposed class-action settlement with non-Gmail users who said it illegally scanned their emails to Gmail users to create targeted advertising. In a decision on Wednesday night, U.S. District Judge Lucy Koh in San Jose, California, said it was unclear that the accord, which provided no money for plaintiffs but up to $2.2 million in fees and expenses for their lawyers, would ensure Google's compliance with federal and state privacy laws. Koh called the proposed disclosure notice inadequate. She said this was because it did not clearly reveal any technical changes that Google would make, or that Google scans non-Gmail users' emails to create ads for Gmail users. The judge also said the notice did not make clear that Google could still extract data for the "dual purpose" of creating targeted ads and detecting spam and malware, and then use that data once emails went into storage after being transmitted. "In sum, based on the parties' current filings, the court cannot conclude that the settlement is fundamentally fair, adequate, and reasonable," Koh wrote.

- and -

Google starts flagging offensive content in search results (USA Today, 16 March 2017) - With growing criticism over misinformation in search results, Google is taking a harder look at potentially "upsetting" or "offensive" content, tapping humans to aid its computer algorithms to deliver more factually accurate and less inflammatory results. The humans are Google's 10,000 independent contractors who work as what Google calls quality raters. They are given searches based on real queries to score the results, and they operate based on guidelines provided by Google. On Tuesday they were handed a new one: to hunt for "Upsetting-Offensive" content such as hate or violence against a group of people, racial slurs or offensive terminology, graphic violence including animal cruelty or child abuse or explicit information about harmful activities such as human trafficking, according to guidelines posted by Google. The goal: to steer people with queries such as "did the Holocaust happen" to trustworthy websites and not to websites that engage in falsehoods or hate speech. How it works: Google, for example, advises its quality raters that a search result from white supremacist website Stormfront that denies the Holocaust happened should be flagged as upsetting or offensive content while a result from the History Channel describing what happened during the Holocaust should not. Quality raters don't have the ability to change how search results are ranked but feedback from these contractors is used by engineers and machine learning systems to improve search results, according to Google. It declined to comment on the new guideline.

Blockchain & corporate records: DGCL amendments would open the door (Corporate Counsel, 17 March 2017) - Posted in our "Blockchain" Practice Area, this Cooley memo notes that this year's proposed DGCL amendments would grant statutory authority for the use of "blockchain" or "distributed ledger" technology for the administration of corporate records. Last year, Broc blogged about a possible move by Delaware in this direction. Blockchain technology allows for the creation of an "open ledger" shared among a network of participants, instead of relying on a single, central ledger. Information is stored in "blocks" that record all network transactions and permit the ownership and existence of assets to be independently validated. Advocates of the technology see great potential for using it to address the shortcomings of the current stock transfer and record-keeping process. The amendments would allow a Delaware corporation to rely on the contents of a distributed ledger as its stock ledger. But the memo points out that the distributed ledger must meet several requirements: * * *

- and -

Treatment of bitcoin under US property law (Perkins Coie whitepaper, 29 March 2017) - In this recently published Perkins Coie whitepaper, the authors analyze the treatment of bitcoin under applicable U.S. property law. The authors conclude that property interests should exist in bitcoin under such law, and that multiple sources of persuasive authority provide additional support for that conclusion. The paper is divided into 5 parts: (1) Treatment of bitcoin under U.S. state property law - an illustrative analysis using California law; (2) Scholarly consideration of bitcoin ownership rights under property law generally; (3) Treatment of bitcoin as property under other U.S. legal regimes; (4) Possible challenges to treating bitcoin as property; and (5) Property interest in bitcoins held in custody. Each part offers an in-depth analysis of legal issues. For example, under the discussion of property interests in bitcoins held in custody, the authors discuss the differences between specific and general deposits and how these concepts could be applied to deposited bitcoin in a custodial arrangement.

Behind Booz Allen's effort to get carmakers to work together against hackers (WaPo, 19 March 2017) - As the idea of a mass-marketed driverless car nudges closer to reality, automakers are increasingly coming to terms with the need to address the threat that onboard technology could be targeted by hackers. So far there has not been a catastrophic attack, but the growing array of potential connections for cars to the Internet - and at least one hacking-related recall - have pushed the industry toward taking action. One company that sees a potentially lucrative new market is McLean, Va.-based Booz Allen Hamilton, whose employees have long teamed with the intelligence community on classified cybersecurity work. The 103-year-old management and technology consulting firm has been tapped by an auto industry trade group to set up a system for companies to share potential vulnerabilities, an operation that is being run out of Booz Allen's new innovation center in downtown Washington. Booz Allen said that nearly all major car manufacturers are working with the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The chief challenge is reaching out to the vast network of suppliers that provide parts for what is coming to be called "the connected car" - components of the modern automobile that send and/or receive information over the Internet. That list is surprisingly long. Some bumpers and engine parts have sensors that communicate with other parts of the car or with other automobiles. Even tires have small pressure sensors, which security researchers have used to take control of other parts of the car. Taking inventory of all these possible access points and understanding their potential vulnerabilities is likely to become increasingly important. 
Last month, seven more suppliers said they were joining the program: Bosch Mobility Solutions, Cooper Standard, Honeywell, Hyundai, Lear Corp., LG Electronics, NXP Semiconductors, and Japanese manufacturer Sumitomo Electric Industries. All of them produce electronic parts. Bosch makes car systems that communicate electronically from one vehicle to the next, as well as vehicle safety systems. Cooper Standard makes fuel and brake lines, and Hyundai is working on self-driving car systems.

Hacking tools get peer reviewed, too (The Atlantic, 20 March 2017) - In September 2002, less than a year after Zacarias Moussaoui was indicted by a grand jury for his role in the 9/11 attacks, Moussaoui's lawyers lodged an official complaint about how the government was handling digital evidence. They questioned the quality of the tools the government had used to extract data from some of the more than 200 hard drives that were submitted as evidence in the case, including one from Moussaoui's own laptop. When the government fired back, it leaned on a pair of official documents for backup: two reports produced by the National Institute of Standards and Technology (NIST) that described the workings of the software tools in detail. The documents showed that the tools were the right ones for extracting information from those devices, the government lawyers argued, and that they had a track record of doing so accurately. In addition to setting standards for digital evidence-gathering, the reports help users decide which tool they should use, based on the electronic device they're looking at and the data they want to extract.
They also help software vendors correct bugs in their products. Today, the CFTT's decidedly retro webpage, emblazoned with a quote from an episode of Star Trek: The Next Generation, hosts dozens of detailed reports about various forensics tools. Some reports focus on tools that recover deleted files, while others cover "file carving," a technique that can reassemble files that are missing crucial metadata. * * *

Bill would compel firms to say if cybersec expert sits on board (BankInfoSecurity, 20 March 2017) - Legislation introduced in the Senate would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise. The Cybersecurity Disclosure Act of 2017, or S. 536, would not require companies to have a cybersecurity expert on their boards. Instead, it would require them to explain in their filings with the Securities and Exchange Commission whether such expertise exists on their boards and, if not, why this expertise is unnecessary because of other steps taken by the company. The bill's sponsors - Democrats Mark Warner of Virginia and Jack Reed of Rhode Island and Republican Susan Collins of Maine - characterize the legislation as a consumer- and shareholder-protection measure. * * * According to a 2015 report published by the Georgia Institute of Technology, fewer than one-quarter of boards of directors had a member with cybersecurity expertise. The report's author, Jody Westby, says she believes that percentage likely has not changed much since the report was published.

Google vows to fight search warrant seeking the names of everyone who Googled crime victim (ABA Journal, 20 March 2017) - Google says it will fight a search warrant seeking information about anyone who searched the name of a financial crime victim on the search engine in December and early January. Judge Gary Larson of Hennepin County, Minnesota, issued the warrant in February, report the Minneapolis Star Tribune, Ars Technica and TonyWebster.com, which was first to publicize the warrant. Police in Edina, Minnesota, told the judge they found that a fake photo used in a phony passport was available through Google images, but not through Yahoo or Bing. The fraudster used the passport to obtain $28,500 through a line of credit with the crime victim's credit union. The warrant application is here. The photo on the passport wasn't the crime victim's image, but it was an image of someone who is similar in age. Police believe the fraudster believed the photo he or she obtained was that of the victim. The fraudster transferred the line of credit money into the victim's savings account, and then into another account at Bank of America. Police want the internet address for people conducting the search, as well as their Social Security numbers and account and payment information. Police obtained the search warrant from the judge after Google objected to an administrative subpoena seeking the information.

GitHub now lets its workers keep the IP when they use company resources for personal projects (Quartz, 21 March 2017) - If it's on company time, it's the company's dime. That's the usual rule in the tech industry: that if employees use company resources to work on projects unrelated to their jobs, their employer can claim ownership of any intellectual property (IP) they create. But GitHub is throwing that out the window. Today the code-sharing platform announced a new policy, the Balanced Employee IP Agreement (BEIPA). This allows its employees to use company equipment to work on personal projects in their free time, which can occur during work hours, without fear of being sued for the IP. As long as the work isn't related to GitHub's own "existing or prospective" products and services, the employee owns it. * * * GitHub's new agreement doesn't explicitly state that employees can use company time to develop their own IP, but does say employees can own any work they produce in their "free time." According to Mike Linksvayer, head of open source policy at GitHub, that can include downtime during work hours. As long as the work doesn't step on the company's toes, Linksvayer said, "we don't want to restrain creativity if it's not something we're interested in."

New paper on encryption workarounds (Bruce Schneier, 22 March 2017) - I have written a paper with Orin Kerr on encryption workarounds. Our goal wasn't to make any policy recommendations. (That was a good thing, since we probably don't agree on any.) Our goal was to present a taxonomy of different workarounds, and discuss their technical and legal characteristics and complications. Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target's data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. 
Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. The paper is finished, but we'll be revising it once more before final publication. Comments are appreciated.

Walmart's Vudu app now converts your physical movies to digital for $2 each (TechCrunch, 23 March 2017) - Want to build a movie library without having to re-purchase all the DVDs and Blu-rays you already purchased? Walmart's streaming video service Vudu has you covered, with a new feature available via its iPhone and Android mobile apps. The new "Disc-to-Digital" feature allows users to scan the barcode on the case for their DVD or Blu-ray movies, pay a $2 per movie fee for the transfer, and optionally upgrade DVD titles to HD quality for $5 per title. It's a smart feature that offers a deep discount to users versus buying digital copies of these movies all over again, and the upgrade option is still cheaper, in most cases, than buying a new HD-quality copy of a film. The service is available for around 8,000 movies from a variety of studios, including Paramount, Sony, Twentieth Century Fox, Universal and Warner Bros., and Walmart says more movies will be added to the library over time, too. Digitized movies are loaded into a user's library automatically, and then made available wherever they can access the Vudu service. There's a catch that prevents you from just running around scanning all the DVDs and Blu-rays you can find, however: The Disc-to-Digital option is only available when the app can determine via geolocation that it's at the user's home billing address, so kill that plan to hop over to Best Buy's video section before it develops any further.

Amazon will collect sales taxes nationwide on April 1 (CNBC, 24 March 2017) - Amazon, the online merchandise juggernaut, will collect sales taxes from all states with a sales tax starting April 1. Tax-free shopping will be over as of next month in Hawaii, Idaho, Maine and New Mexico, the four remaining holdouts. Since the beginning of this year, Amazon has added a number of states to its roster of jurisdictions where it collects sales taxes. After April, the only states in which Amazon won't collect taxes are Alaska, Delaware, Oregon, Montana and New Hampshire. These five states don't have sales levies.

Court says posting Georgia's official annotated laws is not fair use, and thus infringing (TechDirt, 27 March 2017) - We've written a number of times about Carl Malamud and his organization Public.Resource.org, a nonprofit that focuses on making the world's laws more readily accessible to the people governed by those laws. You'd think that people would be excited about this, but instead, Carl just keeps getting sued. All the way back in 2013, the state of Georgia first threatened Carl for daring to publish online the "Official Code of Georgia Annotated." Two years later the state did, in fact, sue Carl for copyright infringement. The case is at least somewhat tricky and nuanced -- even if it shouldn't be. The key issue is the annotations and other additions to the official laws created by the legislature (the state of Georgia claims that "names of titles, chapter, articles, parts and subparts, history lines, editor notes, Code Commission notes, annotations, research references, cross-references, indexes and other such materials" are all covered by copyright). Obviously, it's crazy to think the underlying law itself is covered by copyright and unpublishable, but this has to focus on the annotations -- which are the various notes and links to relevant case law that add important context to the code itself. As people studying the law quickly learn, "the law" is not just the regulations written down by legislators, but also the relevant caselaw that interprets the laws and sets key standards and makes decisions that influence what the written code actually means. I don't think anyone disagrees that a private party who develops useful and creative works as annotations could potentially hold a copyright on the creative elements of that work (merely listing relevant cases, probably not, but a deeper explanation, sure...). And here, these annotations are developed by a private company: LexisNexis. The issue is the "official" part.
Under contract with the state, LexisNexis creates the annotations, gets the copyright, and then assigns the copyright to the state of Georgia on those annotations, with Georgia releasing it as "the Official Code of Georgia Annotated." Also, as noted above, it's not just the "annotations" here -- but as the state claims, the "Code Commission" notes. That seems like fairly relevant information created by the government. Either way, the state of Georgia views the entire "Official Code of Georgia Annotated" as its one true source of law, and it's not available to the public. While the state has responded that (via LexisNexis) it does offer a website with the unannotated code, that website requires that you agree to LexisNexis' overly broad terms and conditions, which include all sorts of crazy demands, including insisting that if they ask you not to link to them, you have to stop linking. Also, even though this is Georgia's state laws, you agree that any dispute over the website will be in a New York jurisdiction. Oh, and the actual website with the law is basically unusable. Malamud and his legal team argued that (1) due to the nature of this odd relationship, the work cannot be covered by copyright and (2) that, if it was covered by copyright, republishing this annotated code was fair use. Unfortunately, Judge Richard Story, in the federal district court in Atlanta, has rejected both these arguments and found that the posting of the work was infringing.

Apple finally approved an app for tracking drone strikes, then immediately deleted it (Mashable, 28 March 2017) - Five years ago, Josh Begley, a data artist and editor at The Intercept, created a straightforward news app for iOS. It sent a push notification to your device each time a U.S. drone strike was reported by a news outlet. There's a map that shows you where the drone strikes occurred and a log that keeps track of each one. That's it. No pictures, no interviews. And yet, it was censored by Apple for years. Begley attempted to bring Metadata+, which was originally called Drones+, to the App Store a dozen times. It finally became available for download on Tuesday, and then was abruptly removed again five hours later. Begley received an email from Apple Tuesday afternoon, notifying him that his app was removed for containing content that "many users would find objectionable."

UW professor: The information war is real, and we're losing it (Seattle Times, 29 March 2017) - It started with the Boston marathon bombing, four years ago. University of Washington professor Kate Starbird was sifting through thousands of tweets sent in the aftermath and noticed something strange. Too strange for a university professor to take seriously. "There was a significant volume of social-media traffic that blamed the Navy SEALs for the bombing," Starbird told me the other day in her office. "It was real tinfoil-hat stuff. So we ignored it." Same thing after the mass shooting that killed nine at Umpqua Community College in Oregon: a burst of social-media activity calling the massacre a fake, a stage play by "crisis actors" for political purposes. "After every mass shooting, dozens of them, there would be these strange clusters of activity," Starbird says. "It was so fringe we kind of laughed at it. That was a terrible mistake. We should have been studying it." Starbird is in the field of "crisis informatics," or how information flows after a disaster. She got into it to see how social media might be used for the public good, such as to aid emergency responders. Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these "strange clusters" of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach. There are dozens of other conspiracy-propagating websites such as beforeitsnews.com, nodisinfo.com and veteranstoday.com. Starbird cataloged 81 of them, linked through a huge community of interest connected by shared followers on Twitter, with many of the tweets replicated by automated bots. [Starbird's paper is here.]

Cybersecurity guidance for law firms is nothing to argue about (BNA, 30 March 2017) - Lawyers are the gatekeepers of client information, and corporate clients put great trust in, and spend countless dollars on, both their inside and outside counsel to protect confidential communications and trade secrets. Corporate intellectual property and confidential communications aren't just valuable to organizations but also to hackers. It is one of the reasons why companies tell their corporate counsel that cybersecurity is among their "chief concerns" when sharing sensitive data with their attorneys, according to recent data security guidance from the Association of Corporate Counsel (ACC). The aim of the guidance is to help in-house counsel use data security controls when interacting with outside counsel and other third-party vendors, the report said. The guidelines for "outside counsel who have access to sensitive company data" encompass topics such as "information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance," the ACC said in a statement. For example, the guidance calls for the use of encryption solutions for data at rest, data transmitted over non-secure channels, and mobile devices, certified against the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) 140-2. The guidelines will put in-house counsel and outside counsel in the position to take "the lead on sharing established best practices to promote data security," Amar D. Sarway, vice president and chief legal strategist at ACC, said in a statement.

RESOURCES

Law, Virtual Reality, and Augmented Reality (Mark Lemley and Eugene Volokh, 17 March 2017) - Abstract: Virtual Reality (VR) and Augmented Reality (AR) are going to be big -- not just for gaming but for work, for social life, and for evaluating and buying real-world products. Like many big technological advances, they will in some ways challenge legal doctrine. In this Article, we will speculate about some of these upcoming challenges, asking: (1) How might the law treat "street crimes" in VR and AR -- behavior such as disturbing the peace, indecent exposure, deliberately harmful visuals (such as strobe lighting used to provoke seizures in people with epilepsy), and "virtual groping"? Two key aspects of this, we will argue, are the Bangladesh problem (which will make criminal law very hard to practically enforce) and technologically enabled self-help (which will offer an attractive alternative protection to users, but also a further excuse for real-world police departments not to get involved). (2) How might the law handle tort lawsuits, by users against users, users against VR and AR environment operators, outsiders (such as copyright owners whose works are being copied by users) against users, and outsiders against the environment operators? (3) How might the law treat users' alteration of other users' avatars, or creation of their own avatars that borrow someone else's name and likeness? (4) How might privacy law deal with the likely pervasive storage of all the sensory information that VR and AR systems present to their users, and that they gather from the users in the course of presenting it? (5) How might these analyses reflect on broader debates even outside VR and AR, especially order without law and the speech-conduct distinction?

Fishman on Music as a Matter of Law (Harvard Law Review, March 2017) - Joseph Fishman, Vanderbilt University Law School, is publishing Music as a Matter of Law in volume 131 of the Harvard Law Review. Here is the abstract: What is a musical work? Philosophers debate it, but for judges the answer has long been simple: music means melody. Though few recognize it today, that answer goes all the way back to the birth of music copyright litigation in the nineteenth century. Courts adopted the era's dominant aesthetic view identifying melody as the site of originality and, consequently, the litmus test for similarity. Surprisingly, music's single-element test has persisted as an anomaly within the modern copyright system, where typically multiple features of eligible subject matter are eligible for protection. Yet things are now changing. Recent judicial decisions are beginning to break down the old definitional wall around melody, looking elsewhere within the work to find protected expression. Many have called this increasing scope problematic. This Article agrees, but not for the reason that most people think. The problem is not, as is commonly alleged, that these decisions are unfaithful to bedrock copyright doctrine. A closer inspection reveals that, if anything, they are in fact more faithful than their predecessors. The problem, rather, is that the bedrock doctrine itself is misguided. Copyright law, unlike patent law, has never shown any interest in trying to increase the predictability of its infringement test, leaving second comers to speculate as to what might or might not be allowed. But the history of music copyright offers a valuable look at a path not taken, an accidental experiment where predictability was unwittingly achieved by consistently emphasizing a single element out of a multi-element work. As a factual matter, the notion that melody is the primary locus of music's value is a fiction.
As a policy matter, however, that fiction has turned out to be useful. While its original, culturally-myopic rationale should be discarded, music's unidimensional test still offers underappreciated advantages over the "everything counts" analysis that the rest of the copyright system long ago chose.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Apple introduced iTunes U (InsideHigherEd, 31 May 2007) -- Apple introduced iTunes U, a new section within its music software where universities can publish lecture audio, promotional videos and other downloadable media for current and prospective students. Top downloads on Wednesday included a "What Is Existentialism?" lecture from the University of California at Berkeley and another called "Technical Aspects of Biofuel Development" at Stanford University. Unlike traditional podcasts, not just anyone can post material to iTunes U - universities control the content, and institutions can sign up to publish their own media relatively easily, according to Chris Bell, Apple's director of worldwide marketing for iTunes. The new initiative to bring content from institutions of higher learning together into a unified interface stemmed in part from a program that began with Stanford in 2005, in which colleges could offer course content available only to their students. iTunes U was developed in collaboration with many of those colleges and universities, Bell added. "It's free to the university, it's free to the end user, and we think it's a great way to take the assets that universities have and really serve the public," he said.

Site plans to sell hacks to highest bidder (Washington Post, 12 July 2007) - A Swiss Internet start-up is raising the ire and eyebrows of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder. The founders of WabiSabiLabi.com (pronounced wobby-sobby-lobby) say they hope the service presents a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals. Several established vulnerability management companies already purchase information about software flaws from researchers, yet the terms of those deals are private and generally set by the companies. Letting all interested parties bid on security vulnerabilities in an "eBay"-style auction assures that researchers receive the fair market value for the work they do in finding the flaws, said Herman Zampariolo, WabiSabiLabi's chief executive.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.