Saturday, April 01, 2017

MIRLN --- 12 March – 1 April 2017 (v20.05)

MIRLN --- 12 March - 1 April 2017 (v20.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

France drops electronic voting for citizens abroad over cybersecurity fears (Fortune, 6 March 2017) - France's government has dropped plans to let its citizens abroad vote electronically in legislative elections in June because of concern about the risk of cyber attacks, the Foreign Ministry said on Monday. The National Cybersecurity Agency believed there was an "extremely high risk" of cyber attacks. "In that light, it was decided that it would be better to take no risk that might jeopardise the legislative vote for French citizens residing abroad," the ministry said in a statement. Since 2012, French citizens abroad had been allowed to vote electronically in legislative elections, but not in the presidential vote. France will elect a new president in a two-round ballot in April and May.

DHS finalizing best practices for notifying victims of major cyber breaches (Federal News Radio, 6 March 2017) - The Homeland Security Department is finalizing best practices that agencies, state and local governments and other organizations involved in a cyber breach can use to notify victims. The guidance lends suggestions on the decision-making process for notifying impacted individuals, preparing and delivering notices, concerns about "over-notifying" and additional support for victims. The DHS Data Privacy and Integrity Advisory Committee drafted the document after former DHS Chief Privacy Officer Karen Neuman asked the committee in September 2015 to develop written best practices for notifying data breach victims. The committee made minor changes to and approved a final draft of best practices at a committee meeting Feb. 21.

Home Depot to pay $25M in breach settlement (SC Magazine, 10 March 2017) - Following a massive breach, retailer Home Depot has agreed to pay a $25 million settlement for damages resulting from the 2014 incursion that exposed personal information of more than 50 million customers. Hackers managed to infiltrate the chain store's self check-out terminals to purloin email and credit card data. Under terms of the agreement, Home Depot also must improve its cybersecurity implementations, including tighter oversight of its vendors. Home Depot is already out of pocket some $134.5 million, which it paid in compensation to card brands and financial institutions. As well, it agreed last year to compensate affected customers to the tune of $19.5 million. The cost of the breach is currently running around $179 million, based on figures in court documents, Fortune reported. But that figure is expected to rise considerably when legal fees and other charges are factored in.

Judge says cops can search BitTorrent shared files without a warrant (Motherboard, 10 March 2017) - A judge in Baton Rouge, Louisiana, has ruled that an alleged child pornographer had no expectation of privacy in the files he shared via BitTorrent because those files were accessible to anyone on the popular peer-to-peer file-sharing network. In 2015, a police detective in Louisiana used a piece of software called Torrential Downpour, which is sold exclusively to law enforcement, to scan the BitTorrent network for child pornography. That's how the cops found Justin Landry, a 36-year-old from Prairieville, who allegedly had videos of children being raped on his BitTorrent shared folder, which allows users to make their own files available for download to others on the internet. Judge John W. deGravelles, of the United States District Court for the Middle District in Baton Rouge ruled on Thursday that the undercover cop investigating the case didn't need a warrant to search Landry's files, because Landry wasn't protected by the 4th Amendment's prohibition against unreasonable search and seizure when it came to the videos and pictures he was sharing on BitTorrent. "Files which an individual voluntarily places in a shared folder on a peer-to-peer network are considered publicly available," the judge wrote in the ruling, which denied Landry's request to suppress the evidence gathered in the search, and was spotted by USA Today investigative reporter Brad Heath.

- and -

Microsoft pulls then revives Docs.com search after complaints of exposed sensitive files (ZDNet, 26 March 2017) - Microsoft has quietly removed a feature on its document sharing site Docs.com that allowed anyone to search through millions of files for sensitive and personal information. Users had complained over the weekend on Twitter that anyone could use the site's search box to trawl through publicly-accessible documents and files stored on the site, which were clearly meant to remain private. Among the files reviewed by ZDNet, and seen by others who tweeted about them, were password lists, job acceptance letters, investment portfolios, divorce settlement agreements, and credit card statements -- some of which contained Social Security and driving license numbers, dates of birth, phone numbers, and email and postal addresses. The company removed the site's search feature late on Saturday, but others observed that the files were still cached in Google's search results, as well as Microsoft's own search engine, Bing.

Malware found preinstalled on 38 Android phones used by 2 companies (ArsTechnica, 10 March 2017) - A commercial malware scanner used by businesses has recently detected an outbreak of malware that came preinstalled on more than three dozen Android devices. An assortment of malware was found on 38 Android devices belonging to two unidentified companies. This is according to a blog post published Friday by Check Point Software Technologies, maker of a mobile threat prevention app. The malicious apps weren't part of the official ROM firmware supplied by the phone manufacturers but were added later somewhere along the supply chain. In six of the cases, the malware was installed to the ROM using system privileges, a technique that requires the firmware to be completely reinstalled for the phone to be disinfected. Most of the malicious apps were info stealers and programs that displayed ads on the phones. One malicious ad-display app, dubbed "Loki," gains powerful system privileges on the devices it infects. Another app was a mobile ransomware title known as "Slocker," which uses Tor to conceal the identity of its operators.

Facebook says police can't use its data for 'surveillance' (WaPo, 13 March 2017) - Facebook is cutting police departments off from a vast trove of data that has been increasingly used to monitor protesters and activists. The move, which the social network announced Monday, comes in the wake of concerns over law enforcement's tracking of protesters' social media accounts in places such as Ferguson, Mo., and Baltimore. It also comes at a time when chief executive Mark Zuckerberg says he is expanding the company's mission from merely "connecting the world" into friend networks to promoting safety and community. Although the social network's core business is advertising, Facebook, along with Twitter and Facebook-owned Instagram, also provides developers access to users' public feeds. The developers use the data to monitor trends and public events. For example, advertisers have tracked how and which consumers are discussing their products, while the Red Cross has used social data to get real-time information during disasters such as Hurricane Sandy. But the social networks have come under fire for working with third parties who market the data to law enforcement. Last year, Facebook, Instagram and Twitter cut off access to Geofeedia, a start-up that shared data with law enforcement, in response to an investigation by the American Civil Liberties Union. The ACLU published documents that made references to tracking activists at protests in Baltimore in 2015 after the death of a black man, Freddie Gray, while in police custody and also to protests in Ferguson, Mo., in 2014 after the police shooting of Michael Brown, an unarmed black 18-year-old. On Monday, Facebook updated its instructions for developers to say that they cannot "use data obtained from us to provide tools that are used for surveillance." The company also said, in an accompanying blog post, that it had kicked other developers off the platform since it had cut ties with Geofeedia.

Phone searches now default mode at the border; more searches last month than in all of 2015 (TechDirt, 14 March 2017) - The Constitution -- which has always been malleable when national security interests are in play -- simply no longer applies at our nation's borders. Despite the Supreme Court's finding that cell phone searches require warrants, the DHS and CBP have interpreted this to mean it doesn't apply to searches of devices entering/leaving the country. For the past 15 years, the government has won 9/10 constitutional-violation edge cases if they occurred within 100 miles of our borders -- a no man's land colloquially referred to as the "Constitution-free zone." But the pace of device searches has increased exponentially over the last couple of years. The "border exception" is no longer viewed as an "exception" -- something to be deployed only when customs officers had strong suspicions about a person or their devices. Now, it's the rule, as NBC News reports: Data provided by the Department of Homeland Security shows that searches of cellphones by border agents has exploded, growing fivefold in just one year, from fewer than 5,000 in 2015 to nearly 25,000 in 2016. According to DHS officials, 2017 will be a blockbuster year. Five-thousand devices were searched in February alone, more than in all of 2015.

20,000 world-class university lectures made illegal, so we irrevocably mirrored them (LBRY, 15 March 2017) - Today, the University of California at Berkeley has deleted 20,000 college lectures from its YouTube channel. Berkeley removed the videos because of a lawsuit brought by two students from another university under the Americans with Disabilities Act. We copied all 20,000 and are making them permanently available for free via LBRY. This makes the videos freely available and discoverable by all, without reliance on any one entity to provide them (even us!). The full catalog is over 4 TB and will be synced over the next several days. Until LBRY launches to the public in April, the videos are only accessible to technical users via the command line. If you already have access to LBRY, go to lbry://ucberkeley to see the full catalog. If you want to be notified as soon as the videos are made public to everyone, sign up here. If you're command-line-capable but new to LBRY, follow this guide, then access lbry://ucberkeley. The vast majority of the lectures are licensed under a Creative Commons license that allows attributed, non-commercial redistribution. The price for this content has been set to free and all LBRY metadata attributes it to UC Berkeley. When publishing the lectures to LBRY, the content metadata is written to a public blockchain, making it permanently public and robust to interference. Then, the content data itself is hosted via a peer-to-peer data network that offers economic incentives to ensure the data remains viable. This is superior to centralized or manual hosting, which is vulnerable to technical failure or other forms of attrition. [see also 'No plans' to delete free content (InsideHigherEd, 14 March 2017)]

U.S. judge rejects Google email scanning settlement (Reuters, 16 March 2017) - A federal judge rejected Google's proposed class-action settlement with non-Gmail users who said it illegally scanned their emails to Gmail users to create targeted advertising. In a decision on Wednesday night, U.S. District Judge Lucy Koh in San Jose, California, said it was unclear that the accord, which provided no money for plaintiffs but up to $2.2 million in fees and expenses for their lawyers, would ensure Google's compliance with federal and state privacy laws. Koh called the proposed disclosure notice inadequate. She said this was because it did not clearly reveal any technical changes that Google would make, or that Google scans non-Gmail users' emails to create ads for Gmail users. The judge also said the notice did not make clear that Google could still extract data for the "dual purpose" of creating targeted ads and detecting spam and malware, and then use that data once emails went into storage after being transmitted. "In sum, based on the parties' current filings, the court cannot conclude that the settlement is fundamentally fair, adequate, and reasonable," Koh wrote.

- and -

Google starts flagging offensive content in search results (USA Today, 16 March 2017) - With growing criticism over misinformation in search results, Google is taking a harder look at potentially "upsetting" or "offensive" content, tapping humans to aid its computer algorithms to deliver more factually accurate and less inflammatory results. The humans are Google's 10,000 independent contractors who work as what Google calls quality raters. They are given searches based on real queries to score the results, and they operate based on guidelines provided by Google. On Tuesday they were handed a new one: to hunt for "Upsetting-Offensive" content such as hate or violence against a group of people, racial slurs or offensive terminology, graphic violence including animal cruelty or child abuse or explicit information about harmful activities such as human trafficking, according to guidelines posted by Google. The goal: to steer people with queries such as "did the Holocaust happen" to trustworthy websites and not to websites that engage in falsehoods or hate speech. How it works: Google, for example, advises its quality raters that a search result from white supremacist website Stormfront that denies the Holocaust happened should be flagged as upsetting or offensive content while a result from the History Channel describing what happened during the Holocaust should not. Quality raters don't have the ability to change how search results are ranked but feedback from these contractors is used by engineers and machine learning systems to improve search results, according to Google. It declined to comment on the new guideline.

Blockchain & corporate records: DGCL amendments would open the door (Corporate Counsel, 17 March 2017) - Posted in our "Blockchain" Practice Area, this Cooley memo notes that this year's proposed DGCL amendments would grant statutory authority for the use of "blockchain" or "distributed ledger" technology for the administration of corporate records. Last year, Broc blogged about a possible move by Delaware in this direction. Blockchain technology allows for the creation of an "open ledger" shared among a network of participants, instead of relying on a single, central ledger. Information is stored in "blocks" that record all network transactions and permit the ownership and existence of assets to be independently validated. Advocates of the technology see great potential for using it to address the shortcomings of the current stock transfer and record-keeping process. The amendments would allow a Delaware corporation to rely on the contents of a distributed ledger as its stock ledger. But the memo points out that the distributed ledger must meet several requirements: * * *

- and -

Treatment of bitcoin under US property law (Perkins Coie whitepaper, 29 March 2017) - In this recently published Perkins Coie whitepaper, the authors analyze the treatment of bitcoin under applicable U.S. property law. The authors conclude that property interests should exist in bitcoin under such law, and that multiple sources of persuasive authority provide additional support for that conclusion. The paper is divided into 5 parts: (1) Treatment of bitcoin under U.S. state property law - an illustrative analysis using California law; (2) Scholarly consideration of bitcoin ownership rights under property law generally; (3) Treatment of bitcoin as property under other U.S. legal regimes; (4) Possible challenges to treating bitcoin as property; and (5) Property interest in bitcoins held in custody. Each part offers an in-depth analysis of legal issues. For example, under the discussion of property interests in bitcoins held in custody, the authors discuss the differences between specific and general deposits and how these concepts could be applied to deposited bitcoin in a custodial arrangement.

Behind Booz Allen's effort to get carmakers to work together against hackers (WaPo, 19 March 2017) - As the idea of a mass-marketed driverless car nudges closer to reality, automakers are increasingly coming to terms with the need to address the threat that onboard technology could be targeted by hackers. So far there has not been a catastrophic attack, but the growing array of potential connections for cars to the Internet - and at least one hacking-related recall - have pushed the industry toward taking action. One company that sees a potentially lucrative new market is McLean, Va.-based Booz Allen Hamilton, whose employees have long teamed with the intelligence community on classified cybersecurity work. The 103-year-old management and technology consulting firm has been tapped by an auto industry trade group to set up a system for companies to share potential vulnerabilities, an operation that is being run out of Booz Allen's new innovation center in downtown Washington. Booz Allen said that nearly all major car manufacturers are working with the Automotive Information Sharing and Analysis Center, known as Auto-ISAC. The chief challenge is reaching out to the vast network of suppliers that provide parts for what is coming to be called "the connected car" - components of the modern automobile that send and/or receive information over the Internet. That list is surprisingly long. Some bumpers and engine parts have sensors that communicate with other parts of the car or with other automobiles. Even tires have small pressure sensors, which security researchers have used to take control of other parts of the car. Taking inventory of all these possible access points and understanding their potential vulnerabilities is likely to become increasingly important. 
Last month, seven more suppliers said they were joining the program: Bosch Mobility Solutions, Cooper Standard, Honeywell, Hyundai, Lear Corp., LG Electronics, NXP Semiconductors, and Japanese manufacturer Sumitomo Electric Industries. All of them produce electronic parts. Bosch makes car systems that communicate electronically from one vehicle to the next, as well as vehicle safety systems. Cooper Standard makes fuel and brake lines, and Hyundai is working on self-driving car systems.

Hacking tools get peer reviewed, too (The Atlantic, 20 March 2017) - In September 2002, less than a year after Zacarias Moussaoui was indicted by a grand jury for his role in the 9/11 attacks, Moussaoui's lawyers lodged an official complaint about how the government was handling digital evidence. They questioned the quality of the tools the government had used to extract data from some of the more than 200 hard drives that were submitted as evidence in the case, including one from Moussaoui's own laptop. When the government fired back, it leaned on a pair of official documents for backup: two reports produced by the National Institute of Standards and Technology (NIST) that described the workings of the software tools in detail. The documents showed that the tools were the right ones for extracting information from those devices, the government lawyers argued, and that they had a track record of doing so accurately. In addition to setting standards for digital evidence-gathering, the reports help users decide which tool they should use, based on the electronic device they're looking at and the data they want to extract. They also help software vendors correct bugs in their products. Today, the CFTT's decidedly retro webpage, emblazoned with a quote from an episode of Star Trek: The Next Generation, hosts dozens of detailed reports about various forensics tools. Some reports focus on tools that recover deleted files, while others cover "file carving," a technique that can reassemble files that are missing crucial metadata. * * *

Bill would compel firms to say if cybersec expert sits on board (BankInfoSecurity, 20 March 2017) - Legislation introduced in the Senate would require publicly traded companies to disclose to regulators whether any members of their boards of directors have cybersecurity expertise. The Cybersecurity Disclosure Act of 2017, or S. 536, would not require companies to have a cybersecurity expert on their boards. Instead, it would require them to explain in their filings with the Securities and Exchange Commission whether such expertise exists on their boards and, if not, why this expertise is unnecessary because of other steps taken by the company. The bill's sponsors - Democrats Mark Warner of Virginia and Jack Reed of Rhode Island and Republican Susan Collins of Maine - characterize the legislation as a consumer- and shareholder-protection measure. * * * According to a 2015 report published by the Georgia Institute of Technology, fewer than one-quarter of boards of directors had a member with cybersecurity expertise. The report's author, Jody Westby, says she believes that percentage likely has not changed much since the report was published.

Google vows to fight search warrant seeking the names of everyone who Googled crime victim (ABA Journal, 20 March 2017) - Google says it will fight a search warrant seeking information about anyone who searched the name of a financial crime victim on the search engine in December and early January. Judge Gary Larson of Hennepin County, Minnesota, issued the warrant in February, report the Minneapolis Star Tribune, Ars Technica and TonyWebster.com, which was first to publicize the warrant. Police in Edina, Minnesota, told the judge they found that a fake photo used in a phony passport was available through Google Images, but not through Yahoo or Bing. The fraudster used the passport to obtain $28,500 through a line of credit with the crime victim's credit union. The warrant application is here. The photo on the passport wasn't the crime victim's image, but it was an image of someone who is similar in age. Police believe the fraudster believed the photo he or she obtained was that of the victim. The fraudster transferred the line of credit money into the victim's savings account, and then into another account at Bank of America. Police want the internet address for people conducting the search, as well as their Social Security numbers and account and payment information. Police obtained the search warrant from the judge after Google objected to an administrative subpoena seeking the information.

GitHub now lets its workers keep the IP when they use company resources for personal projects (Quartz, 21 March 2017) - If it's on company time, it's the company's dime. That's the usual rule in the tech industry: if employees use company resources to work on projects unrelated to their jobs, their employer can claim ownership of any intellectual property (IP) they create. But GitHub is throwing that out the window. Today the code-sharing platform announced a new policy, the Balanced Employee IP Agreement (BEIPA). This allows its employees to use company equipment to work on personal projects in their free time, which can occur during work hours, without fear of being sued for the IP. As long as the work isn't related to GitHub's own "existing or prospective" products and services, the employee owns it. * * * GitHub's new agreement doesn't explicitly state that employees can use company time to develop their own IP, but does say employees can own any work they produce in their "free time." According to Mike Linksvayer, head of open source policy at GitHub, that can include downtime during work hours. As long as the work doesn't step on the company's toes, Linksvayer said, "we don't want to restrain creativity if it's not something we're interested in."

New paper on encryption workarounds (Bruce Schneier, 22 March 2017) - I have written a paper with Orin Kerr on encryption workarounds. Our goal wasn't to make any policy recommendations. (That was a good thing, since we probably don't agree on any.) Our goal was to present a taxonomy of different workarounds, and discuss their technical and legal characteristics and complications. Abstract: The widespread use of encryption has triggered a new step in many criminal investigations: the encryption workaround. We define an encryption workaround as any lawful government effort to reveal an unencrypted version of a target's data that has been concealed by encryption. This essay provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of the essay develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. 
Whether encryption will be a game-changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. The paper is finished, but we'll be revising it once more before final publication. Comments are appreciated.

Walmart's Vudu app now converts your physical movies to digital for $2 each (TechCrunch, 23 March 2017) - Want to build a movie library without having to re-purchase all the DVDs and Blu-rays you already purchased? Walmart's streaming video service Vudu has you covered, with a new feature available via its iPhone and Android mobile apps. The new "Disc-to-Digital" feature allows users to scan the barcode on the case for their DVD or Blu-Ray movies, pay a $2 per movie fee for the transfer, and optionally upgrade DVD titles to HD quality for $5 per title. It's a smart feature that offers a deep discount to users versus buying digital copies of these movies all over again, and the upgrade option is still cheaper than it'll be in most cases to buy a new HD-quality copy of a film. The service is available for around 8,000 movies from a variety of studios, including Paramount, Sony, Twentieth Century Fox, Universal and Warner Bros., and Walmart says more movies will be added to the library over time, too. Digitized movies are loaded into a user's library automatically, and then made available wherever they can access the Vudu service. There's a catch that prevents you from just running around scanning all the DVDs and Blu-rays you can find, however: The Disc-to-Digital option is only available when the app can determine via geolocation that it's at the user's home billing address, so kill that plan to hop over to Best Buy's video section before it develops any further.

Amazon will collect sales taxes nationwide on April 1 (CNBC, 24 March 2017) - Amazon, the online merchandise juggernaut, will collect sales taxes from all states with a sales tax starting April 1. Tax-free shopping will be over as of next month in Hawaii, Idaho, Maine and New Mexico, the four remaining holdouts. Since the beginning of this year, Amazon has added a number of states to its roster of jurisdictions where it collects sales taxes. After April, the only states in which Amazon won't collect taxes are Alaska, Delaware, Oregon, Montana and New Hampshire. These five states don't have sales levies.

Court says posting Georgia's official annotated laws is not fair use, and thus infringing (TechDirt, 27 March 2017) - We've written a number of times about Carl Malamud and his organization Public.Resource.org, a nonprofit that focuses on making the world's laws more readily accessible to the people governed by those laws. You'd think that people would be excited about this, but instead, Carl just keeps getting sued. All the way back in 2013, the state of Georgia first threatened Carl for daring to publish online the "Official Code of Georgia Annotated." Two years later the state did, in fact, sue Carl for copyright infringement. The case is at least somewhat tricky and nuanced -- even if it shouldn't be. The key issue is the annotations and other additions to the official laws created by the legislature (the state of Georgia claims that "names of titles, chapter, articles, parts and subparts, history lines, editor notes, Code Commission notes, annotations, research references, cross-references, indexes and other such materials" are all covered by copyright). Obviously, it's crazy to think the underlying law itself is covered by copyright and unpublishable, but this has to focus on the annotations -- which are the various notes and links to relevant case law that add important context to the code itself. As people studying the law quickly learn, "the law" is not just the regulations written down by legislators, but also the relevant caselaw that interprets the laws and sets key standards and makes decisions that influence what the written code actually means. I don't think anyone disagrees that a private party who develops useful and creative works as annotations could potentially hold a copyright on the creative elements of that work (merely listing relevant cases, probably not, but a deeper explanation, sure...). And here, these annotations are developed by a private company: LexisNexis. The issue is the "official" part. Under contract with the state, LexisNexis creates the annotations, gets the copyright, and then assigns the copyright to the state of Georgia on those annotations, with Georgia releasing it as "the Official Code of Georgia Annotated." Also, as noted above, it's not just the "annotations" here -- but, as the state claims, the "Code Commission" notes. That seems like fairly relevant information created by the government. Either way, the state of Georgia views the entire "Official Code of Georgia Annotated" as its one true source of law, and it's not available to the public. While the state has responded that (via LexisNexis) it does offer a website with the unannotated code, that website requires that you agree to LexisNexis' overly broad terms and conditions, which include all sorts of crazy demands, including insisting that if they ask you not to link to them, you have to stop linking. Also, even though this is Georgia's state laws, you agree that any dispute over the website will be in a New York jurisdiction. Oh, and the actual website with the law is basically unusable. Malamud and his legal team argued that (1) due to the nature of this odd relationship, the work cannot be covered by copyright and (2) that, if it was covered by copyright, republishing this annotated code was fair use. Unfortunately Judge Richard Story, in the federal district court in Atlanta, has rejected both these arguments and found that the posting of the work was infringing.


Apple finally approved an app for tracking drone strikes, then immediately deleted it (Mashable, 28 March 2017) - Five years ago, Josh Begley, a data artist and editor at The Intercept, created a straightforward news app for iOS. It sent a push notification to your device each time a U.S. drone strike was reported by a news outlet. There's a map that shows you where the drone strikes occurred and a log that keeps track of each one. That's it. No pictures, no interviews. And yet, it was censored by Apple for years. Begley attempted to bring Metadata+, which was originally called Drones+, to the App Store a dozen times. It finally became available for download on Tuesday, and then was abruptly removed again five hours later. Begley received an email from Apple Tuesday afternoon, notifying him that his app was removed for containing content that "many users would find objectionable."


UW professor: The information war is real, and we're losing it (Seattle Times, 29 March 2017) - It started with the Boston marathon bombing, four years ago. University of Washington professor Kate Starbird was sifting through thousands of tweets sent in the aftermath and noticed something strange. Too strange for a university professor to take seriously. "There was a significant volume of social-media traffic that blamed the Navy SEALs for the bombing," Starbird told me the other day in her office. "It was real tinfoil-hat stuff. So we ignored it." Same thing after the mass shooting that killed nine at Umpqua Community College in Oregon: a burst of social-media activity calling the massacre a fake, a stage play by "crisis actors" for political purposes. "After every mass shooting, dozens of them, there would be these strange clusters of activity," Starbird says. "It was so fringe we kind of laughed at it. That was a terrible mistake. We should have been studying it." Starbird is in the field of "crisis informatics," or how information flows after a disaster. She got into it to see how social media might be used for the public good, such as to aid emergency responders. Starbird argues in a new paper, set to be presented at a computational social-science conference in May, that these "strange clusters" of wild conspiracy talk, when mapped, point to an emerging alternative media ecosystem on the web of surprising power and reach. There are dozens of other conspiracy-propagating websites such as beforeitsnews.com, nodisinfo.com and veteranstoday.com. Starbird cataloged 81 of them, linked through a huge community of interest connected by shared followers on Twitter, with many of the tweets replicated by automated bots. [Starbird's paper is here.]


Cybersecurity guidance for law firms is nothing to argue about (BNA, 30 March 2017) - Lawyers are the gatekeepers of client information, and corporate clients put great trust in, and spend countless dollars on, both their inside and outside counsel to protect confidential communications and trade secrets. Corporate intellectual property and confidential communications aren't just valuable to organizations but also to hackers. It is one of the reasons why companies tell their corporate counsel that cybersecurity is among their "chief concerns" when sharing sensitive data with their attorneys, according to recent data security guidance from the Association of Corporate Counsel (ACC). The aim of the guidance is to help in-house counsel use data security controls when interacting with outside counsel and other third-party vendors, the report said. The guidelines for "outside counsel who have access to sensitive company data" encompass topics such as "information retention/return/destruction, data handling and encryption, data breach reporting, physical security, employee background screening, and cyber liability insurance," the ACC said in a statement. For example, the guidance calls for the use of encryption solutions for data at rest, data transmitted over non-secure channels, and mobile devices, certified against the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) 140-2. The guidelines will put in-house counsel and outside counsel in the position to take "the lead on sharing established best practices to promote data security," Amar D. Sarway, vice president and chief legal strategist at ACC, said in a statement.


RESOURCES

Law, Virtual Reality, and Augmented Reality (Mark Lemley and Eugene Volokh, 17 March 2017) - Abstract: Virtual Reality (VR) and Augmented Reality (AR) are going to be big -- not just for gaming but for work, for social life, and for evaluating and buying real-world products. Like many big technological advances, they will in some ways challenge legal doctrine. In this Article, we will speculate about some of these upcoming challenges, asking: (1) How might the law treat "street crimes" in VR and AR -- behavior such as disturbing the peace, indecent exposure, deliberately harmful visuals (such as strobe lighting used to provoke seizures in people with epilepsy), and "virtual groping"? Two key aspects of this, we will argue, are the Bangladesh problem (which will make criminal law very hard to practically enforce) and technologically enabled self-help (which will offer an attractive alternative protection to users, but also a further excuse for real-world police departments not to get involved). (2) How might the law handle tort lawsuits, by users against users, users against VR and AR environment operators, outsiders (such as copyright owners whose works are being copied by users) against users, and outsiders against the environment operators? (3) How might the law treat users' alteration of other users' avatars, or creation of their own avatars that borrow someone else's name and likeness? (4) How might privacy law deal with the likely pervasive storage of all the sensory information that VR and AR systems present to their users, and that they gather from the users in the course of presenting it? (5) How might these analyses reflect on broader debates even outside VR and AR, especially order without law and the speech-conduct distinction?


Fishman on Music as a Matter of Law (Harvard Law Review, March 2017) - Joseph Fishman, Vanderbilt University Law School, is publishing Music as a Matter of Law in volume 131 of the Harvard Law Review. Here is the abstract: What is a musical work? Philosophers debate it, but for judges the answer has long been simple: music means melody. Though few recognize it today, that answer goes all the way back to the birth of music copyright litigation in the nineteenth century. Courts adopted the era's dominant aesthetic view identifying melody as the site of originality and, consequently, the litmus test for similarity. Surprisingly, music's single-element test has persisted as an anomaly within the modern copyright system, where typically multiple features of eligible subject matter are eligible for protection. Yet things are now changing. Recent judicial decisions are beginning to break down the old definitional wall around melody, looking elsewhere within the work to find protected expression. Many have called this increasing scope problematic. This Article agrees, but not for the reason that most people think. The problem is not, as is commonly alleged, that these decisions are unfaithful to bedrock copyright doctrine. A closer inspection reveals that, if anything, they are in fact more faithful than their predecessors. The problem, rather, is that the bedrock doctrine itself is misguided. Copyright law, unlike patent law, has never shown any interest in trying to increase the predictability of its infringement test, leaving second comers to speculate as to what might or might not be allowed. But the history of music copyright offers a valuable look at a path not taken, an accidental experiment where predictability was unwittingly achieved by consistently emphasizing a single element out of a multi-element work. As a factual matter, the notion that melody is the primary locus of music's value is a fiction. As a policy matter, however, that fiction has turned out to be useful. While its original, culturally-myopic rationale should be discarded, music's unidimensional test still offers underappreciated advantages over the "everything counts" analysis that the rest of the copyright system long ago chose.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Apple introduced iTunes U (InsideHigherEd, 31 May 2007) -- Apple introduced iTunes U, a new section within its music software where universities can publish lecture audio, promotional videos and other downloadable media for current and prospective students. Top downloads on Wednesday included a "What Is Existentialism?" lecture from the University of California at Berkeley and another called "Technical Aspects of Biofuel Development" at Stanford University. Unlike traditional podcasts, not just anyone can post material to iTunes U - universities control the content, and institutions can sign up to publish their own media relatively easily, according to Chris Bell, Apple's director of worldwide marketing for iTunes. The new initiative to bring content from institutions of higher learning together into a unified interface stemmed in part from a program that began with Stanford in 2005, in which colleges could offer course content available only to their students. iTunes U was developed in collaboration with many of those colleges and universities, Bell added. "It's free to the university, it's free to the end user, and we think it's a great way to take the assets that universities have and really serve the public," he said.


Site plans to sell hacks to highest bidder (Washington Post, 12 July 2007) - A Swiss Internet start-up is raising the ire and eyebrows of the computer security community with the launch of an online auction house where software vulnerabilities are sold to the highest bidder. The founders of WabiSabiLabi.com (pronounced wobby-sobby-lobby) say they hope the service presents a legitimate alternative for security researchers who might otherwise be tempted to sell their discoveries to criminals. Several established vulnerability management companies already purchase information about software flaws from researchers, yet the terms of those deals are private and generally set by the companies. Letting all interested parties bid on security vulnerabilities in an "eBay"-style auction assures that researchers receive the fair market value for the work they do in finding the flaws, said Herman Zampariolo, WabiSabiLabi's chief executive.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
