Saturday, August 26, 2017

MIRLN --- 6-26 August 2017 (v20.12)

MIRLN --- 6-26 August 2017 (v20.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Estonia steps up plan to counter cyber attacks by siting critical systems offshore (ZDnet, 3 Aug 2017) - To thwart a cyber-attack on its national infrastructure or even an invasion, Estonia is getting ready to open its first data embassy overseas. In 2014, Estonia introduced initial plans to create 'data embassies' capable of running duplicates of its critical systems, including databases and services, in secure data centers on foreign soil. Now, three years on, the then seemingly utopian plan is becoming a reality. Estonia has signed its first official contract with Luxembourg to guarantee diplomatic immunity for all the Baltic state's systems that are to be duplicated and run from a data center in the principality. "Next, we have to sign rental and service contracts to use Luxembourg's national data center and then we can start building the technology and 'furnishing' the data embassy," Mikk Lellsaar, ministry of economic affairs and communications executive specialist, tells ZDNet. He says the embassy in Luxembourg is going to mirror many data systems of critical importance, such as the state treasury information system, state pension insurance registry, identity documents registry, business register, land register, and land cadastre among many others.

Facebook is starting to put more posts from local politicians into people's News Feed (ReCode, 4 Aug 2017) - Facebook is testing a new feature that inserts posts from local politicians into users' News Feeds, even if they don't necessarily follow those politicians. The new feature, which was first noticed by one of my Recode colleagues, included a label titled "This week in your government." A Facebook spokesperson confirmed that the feature is a test. "We are testing a new civic engagement feature that shows people on Facebook the top posts from their elected officials," this spokesperson said in a statement. "Our goal is to give people a simple way to learn about what's happening at all levels of their government." The feature will appear, at most, once per week, and only for users who follow at least one local, state or federal representative from their area. Facebook knows who your local reps are if you handed over your address to use the company's voting plan feature - or its "Town Hall" feature, which helps people find and follow their elected officials. Otherwise, you'll just see posts from politicians at the state and federal levels. Facebook has been active in the past year about getting its user base more involved in politics. In addition to the features mentioned above, which were rolled out before the November presidential election, Facebook also let users register to vote via the social network, and CEO Mark Zuckerberg claims more than two million people did so. Adding this new feature might inspire more politicians to post to Facebook, especially if they think their posts will be promoted to more voters. It's unclear if Facebook takes political affiliation into account when deciding which posts to show people, but if it does not, it could also be a way for politicians to get their message to voters across the aisle.

Your voter records are compromised. Can you sue? Theories of harm in data-breach litigation (Lawfare, 7 Aug 2017) - Last year, the Republican National Committee hired a firm called Deep Root Analytics to collect voter information. The firm accidentally exposed approximately 198 million personal voter records. This was 1.1 terabytes of personal information that the company left on a cloud server without password protection for two weeks. On June 21 of this year, victims filed a class action in Florida court against Deep Root Analytics for harm resulting from a data breach. Donald Trump has denounced such breaches as "gross negligence." The Deep Root lawsuit took him at his word, using that quote as evidence to make a claim on the legal theory of negligence. The complaint demands more than $5 million in damages. Defendants in data-breach cases (in this case, Deep Root Analytics is the defendant) often challenge a claim on the grounds that the pleading does not include an injury that is (1) "concrete, particularized and actual or imminent," (2) caused by the defendant, and (3) redressable by a court of law. * * *

Gov. Rauner signs bill to protect Illinois from cyberthreats (Illinois.gov, 7 Aug 2017) - Today, Governor Rauner signed House Bill 2371, requiring all executive branch State of Illinois employees responsible to the Governor, not including public university employees, to undergo annual cybersecurity training to understand the risks, threats and best practices to defend against cyber threats. Hackers and cyber criminals continually grow more sophisticated in their attempts to steal sensitive data and infect state computer systems. It is crucial that state employees have the knowledge to protect themselves and the state from the impact of cyber-attacks. This legislation is another advancement in the governor's vision for a cyber-secure Illinois to better protect the personal information of state residents and ensure critical state services are not interrupted.

Harvard goes outside to go online (InsideHigherEd, 8 Aug 2017) - If any American university might be positioned to begin a new online program all by itself, Harvard University -- with its world-famous brand, many-billion-dollar endowment and founding relationship with the online course provider edX -- might be it. But the university announced Monday that three of its schools would create a new business analytics certificate program with 2U, the online program management company. A collaboration between 2U and professors at the Harvard Business School, the John A. Paulson School of Engineering and Applied Sciences, and the department of statistics in Harvard's main college, the Faculty of Arts and Sciences, the program will teach students how to leverage data and analytics to drive business growth. Aimed at executives in full-time work, the program will be delivered through 2U's online platform and will feature live, seminar-style classes with Harvard faculty members. The program will cost around $50,000 for three semesters, with an estimated time requirement of 10 hours per week. Chip Paucek, CEO of 2U, said the technology 2U can offer universities goes far beyond "just what the student sees." The company can use analytics to predict things such as enrollment and completion of courses, in addition to making programs widely accessible, and securing content from cyberattack. Aside from technology, 2U also offers up-front money. The company "invests heavily in each of its partnerships," said Paucek, typically spending between $5 million and $10 million in the first few years. Each 2U partnership lasts a minimum of 10 years to give the company time to recoup its investment from a significant slice of the student enrollment fees. Paucek said the partnership with Harvard was a high point in the company's 10-year history, and that the company was "honored to be a brand ambassador for one of the best-known brands in the world." Deciding to work with 2U was "not a trivial decision" for Harvard, said Paucek, adding that university officials "were clear they would not commit to it if it was not one of the world's best programs." Conversations about working together began around five years ago, according to Paucek. But it was not until two years ago that talks centered specifically on creating a business analytics program.

EFF to court: Border agents need warrants to search contents of digital devices (EFF, 8 Aug 2017) - Searches of mobile phones, laptops, and other digital devices by federal agents at international airports and U.S. land borders are highly intrusive forays into travelers' private information that require a warrant, the Electronic Frontier Foundation (EFF) said in a court filing yesterday. EFF urged the U.S. Circuit Court of Appeals for the Fifth Circuit to require law enforcement officers at the border to obtain a warrant before performing manual or forensic searches of digital devices. Warrantless border searches of backpacks, purses, or luggage are allowed under an exception to the Fourth Amendment for routine immigration and customs enforcement. Yet EFF argues that, since digital devices can provide so much highly personal, private information (our contacts, our email conversations, our work documents, our schedules), agents should be required to show they have probable cause to believe that the device contains evidence of a violation of the immigration or customs laws. Only after a judge has signed off on a search warrant should border agents be allowed to rifle through the contents of cell phones, laptops, or tablets. Digital device searches at the border have more than doubled since the inauguration of President Trump.

Two studies suggest trouble ahead for paywall journals (Phys.org, 8 Aug 2017) - Two independent studies looking at two aspects of paywalls versus free access to research papers suggest that trouble may lie ahead for traditional journals that continue to expect payment for access to peer-reviewed research papers. In the first study, a small team of researchers from the U.S. and Germany looked at the number of freely available papers on the internet using a web extension called Unpaywall; users enter information and the extension lists sources online for free. In the second study, a team with members from Canada, the U.S. and Germany looked at the popularity of a website known as Sci-Hub that collects and freely distributes research papers. Both groups have written papers describing their studies and results and have uploaded them to the PeerJ Preprints server. Free access to research papers is a hot topic in the research community, perhaps indicating coming changes to the status quo. The traditional model, in which a researcher pays for the privilege of reading published articles on journal sites like Science and Nature in order to cite work by others, is under fire. Many have claimed the system is unfair to those who cannot afford to pay such fees. Meanwhile, journal sites maintain their stance that the only way they can continue to exist as profitable entities is to charge access fees. They note also that they provide a valuable service: peer review. In these two new efforts, the researchers with both teams hint that the argument may soon become moot, as people who want to read research papers for free find easier access. In the first paper, the researchers worked with the team that makes the Unpaywall extension to get statistics on its use. They report finding that nearly half (47 percent) of all of the papers that people searched for using the app in 2015 were available for free. They also report that overall, users were able to find free versions of 28 percent of articles they were looking for. In the second paper, the researchers worked with the team behind Sci-Hub, which many have described as a pirating site. They report that visitors could access 85 percent of articles that were still behind a paywall. They found also that the percentage was even higher for papers held behind Elsevier paywalls. They note that the team at Sci-Hub told them that efforts to shut down their site through legal means have resulted in free press, increasing its user base, a phenomenon they described as the "Streisand Effect," after Barbra Streisand, who famously tried to stop distribution of aerial photographs of her home several years ago, inadvertently exposing the photographs to many more people.

Parting with our books (InsideHigherEd, 8 Aug 2017) - A few weeks ago, we moved into a new house, one much smaller than the home we lived in for 14 years before moving out of state. As part of our family's move to our transitional housing after taking a new job out of state last year, we downsized considerably. We gave away furniture, mementos that meant less and less as more and more time had passed by. We discarded the kids' first outfits from the hospital after their birth, their finger paintings, their first attempts at coloring within the lines, their first try at writing their own names, and a multitude of certificates of accomplishments. In fact, I managed to throw away a purse with my daughter's life fortune, a few hundred dollars that she will never forgive me for accidentally discarding. Disposing of these old and generally-considered sentimental items was nowhere near what it felt like giving away my old books. The first time I went through the book purge, it was hard. I hate moving and wanted to be done with it! Getting rid of old textbooks on building democratic societies, the fall of the Soviet Union, the rise of the Tiger economies, Mexican political history, economics and econometrics, and even most of my Dostoyevsky collection was somewhat painful, but practical. I knew then that, wherever we would end up living, most of the rooms would not have floor-to-ceiling bookcases as we had in most rooms of the home in which we had thought we would die. It was painful, but it had to be done. Moving into a permanent home now, I went through the book purge again. This time, I gave away more recent books, including some that I had not yet read. When one of my best friends was writing her dissertation on French and Caribbean literature, I bought so many of the books that she found interesting and I found interesting when she talked about them. They were fiction, which I generally find difficult to read. I bought a ton of them, but read few. This weekend, as I packed those books in French and English, I wondered if there would come a day when I would ever finish Simone de Beauvoir's Le Deuxieme Sexe or the Marie Vieux Chauvet, Jacques Roumain, Rene Depestre and so many other books that I bought a decade ago. The truth is that the probability of me ever finishing or even starting some of those books was very slim, statistically insignificant from zero. So, I packed them feeling never more grateful for my undergraduate, liberal education that exposed me to so much more than statistical methods and measurement, where my reading interests were parked for a very long time. Had it not been for those general education courses, I would have likely stopped reading fiction and literature after high school. I would lack culture (though I can't claim to have a ton of it now). I realized as I packed these new sets of books to give away that, by the time I should ever want to read them, they will be available electronically or in some other form that I can't even imagine now. In many ways, I am old-fashioned. I cannot read books on a Kindle and I never learned how to type, so I pick the letters one by one even as I write this post. This made parting with those books even more emotional. The world is changing, but we don't know what the change will look like exactly. Maybe letting go of the books is somewhat symbolic of letting go of an unrealized aspiration of the cultured person I had the potential of becoming. The universe of things I read about now seems both broader and narrower at the same time. Perhaps, this post should have been titled "In Praise of Liberal Education," but there are so many of those essays already. Parting with our books is hard, but the technology that exists today and will soon come will make it easier to go back to that person that I was becoming. [Polley: strongly resonated with me.]

Ratings principles: Now coming to cybersecurity (CorporateCounsel.net, 9 Aug 2017) - Recently, a group of more than 40 prominent banks, retailers & tech companies released these "Principles for Fair & Accurate Securities Ratings." Here's a teaser from this BakerHostetler blog (also see this Reuters article): The principles are designed to promote fair and accurate cybersecurity ratings - in response to the recent emergence of several ratings companies that collect and analyze publicly accessible data to analyze a company's cybersecurity risk posture. The ratings are increasingly used by insurers - as well as in M&A and other business decisions. The data for risk ratings is typically collected without the target company's knowledge and comes from a variety of sources - e.g. hackers' forums, darknet data, Internet traffic stats, port-scanning tools & open-source malware intelligence sources. Ratings companies then use proprietary methodologies and algorithms to analyze the data and assign a grade. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable - if, for example, the source data is inaccurate or the methodology doesn't account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act. We don't know if cybersecurity risk ratings will become anywhere near as important as credit ratings - but keep them on your radar. The signatories to the principles include Aetna, American Express, Bank of America, Chevron, Eli Lilly, Fannie Mae, FICO, Goldman Sachs, Home Depot, Honeywell, JP Morgan, Microsoft, State Street & lots of other big names.

- and -

When is "Hacking Disclosure" required in SEC filings? (CorporateCounsel.net, 9 Aug 2017) - By now, most companies have a cyber incident response plan - which should include contacting a securities lawyer to evaluate disclosure requirements. As outlined in this Goodwin memo, these decisions continue to depend on a fact-specific materiality analysis: What is "material" ends up being far less clear, and there is plenty of room for a public company to determine in good faith that a specific cyber incident does not require separate disclosure. Where the obligation is unclear, a company's reluctance to disclose is understandable: Disclosure may highlight vulnerabilities, and will bring unwelcome attention from customers, regulators and others. The plaintiffs' bar will also circle, smelling the possibility of a class action, and they will not view the company and its managers as the victims. While the SEC won't second-guess a good-faith analysis, they also won't shy away from investigating disclosure lags - see this WSJ article about whether Yahoo's data breach should've been reported sooner to investors. The memo identifies factors affecting disclosure decisions - such as the significance of other notice obligations, existing risk factors & potential remediation costs. Since the decision will probably have to be made quickly, it's not a bad idea to create a decision tree in advance. Our "Cybersecurity Disclosure Checklist" is a good starting point, and check out this blog as well…

- and -

SEC observations on cybersecurity Sweep 2 (Artemis, 14 Aug 2017) - On Monday, the SEC released "Observations" on the seminal 2015 Cybersecurity Examination Initiative or what they are now referring to as "Sweep 2." While we find this document to be an unremarkable kitchen-sink of cyber-findings, the SEC has offered a concept for what they consider to be robust practices and perhaps a roadmap for achieving a higher level of Cybersecurity maturity for firms. We have reviewed the release and have distilled what we believe to be the key takeaways and suggestions for improving your program. Whether observations on a nearly two-year-old examination period are accurate or relevant is questionable. A whole new class of security tools is available, infrastructure and movement toward cloud-based services continues, and firms have been plodding forward on information security practices despite the SEC's nearly two-year silence on the subject. This is not completely fair, as the SEC did include Cybersecurity as a concern under "Assessing Market-Wide Risks" in the 2017 Examination Priorities and issued a more timely, May 17 Risk Alert on Ransomware in the wake of the WannaCry attacks. There is progression in the SEC's approach to Cybersecurity and now a fourth Risk Alert, and the Commission has been clear that they are still finding facts and learning in an area of persistent high risk and developing regulatory scrutiny. The SEC started the initiative with a clear focus on Policies and Procedures and fundamental identification and protection practices. IT security evolves organically from basic blocking and tackling of controls to more advanced practices such as monitoring/detection and testing/validation. The SEC's understanding and corresponding expectations of financial services firms appear to be developing along similar lines - to a call for greater granularity and specificity in certain IT security activities. * * *

AVVO blasts new ethics opinions on attorney match services (New York Law Journal, 9 Aug 2017) - New York has become the latest state to target attorney match service Avvo Inc. for ethical violations. A new bar association ethics opinion says a lawyer paying Avvo's marketing fee to participate in its legal services program is making an improper payment for a recommendation, in violation of state ethics rules. The New York State Bar Association released the opinion by its committee on professional ethics on Wednesday. While the state bar's ethics opinions are advisory only, they are widely read and followed. Lawyers who continue to participate in Avvo's legal services program "do so at their own peril," said state bar president Sharon Stern Gerstman, counsel at Buffalo law firm Magavern Magavern Grimm. But in an interview, Avvo's chief legal counsel, Josh King, encouraged New York lawyers to continue participating, adding that Avvo would back any lawyer facing disciplinary action for his or her participation. To date, King said he is not aware of any attorney in such a position. The ethics opinion examines Avvo Legal Services, which King said has existed for about a year and a half and is only a narrow portion of Avvo's business. Although he declined to say how many New York attorneys participated, he said it can be measured in the "hundreds" and less than 2,000. The New York ethics opinion follows recent actions in other states such as New Jersey, where a joint opinion by three state Supreme Court committees has blacklisted three web-based services that match litigants with attorneys, including Avvo, because of concerns over illicit fee-sharing and referral fees. Other states with ethics concerns over lawyer website services include Ohio, Pennsylvania and South Carolina.

Bloomberg Law adds practice center devoted to e-discovery (Bob Ambrogi, 9 Aug 2017) - Bloomberg Law today is officially announcing the addition to its research platform of the E-Discovery Practice Center, a curated collection of a range of court opinions, tools, sample forms, news and expert guidance related to both federal and state e-discovery practice. The practice center is available to all Bloomberg Law subscribers at no additional cost. Bloomberg says it is the only legal research platform to have a resource of this kind devoted to e-discovery. Bloomberg "soft launched" the practice center for some customers at the recent annual meeting of the American Association of Law Libraries, but today is formally announcing its availability to all customers. The practice center's main page includes federal and state court opinions related to e-discovery, federal and state rules and laws related to e-discovery, news and law reports, and BNA's E-Discovery Portfolio series, which provides an entry point to resources such as practice guides, books and treatises, and law reviews, as well as specific guidance on such issues as understanding and preventing spoliation. E-discovery rules for all states are included. Another section of the practice center provides materials grouped by stage of e-discovery, such as preservation, production and technology-assisted review. Here you can find resources such as a checklist for preparing for a Rule 26 meeting and a guide to preparing a legal hold notice, as well as sample forms for legal holds.

US judge says LinkedIn cannot block startup from public profile data (Reuters, 14 Aug 2017) - A U.S. federal judge on Monday ruled that Microsoft Corp's (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public. U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. "To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers," Chen's order reads. HiQ Labs called the decision an important victory for companies that rely on publicly available data for their businesses. "HiQ believes that public data must remain public, and innovation on the internet should not be stifled by legal bullying or the anti-competitive hoarding of public data by a small group of powerful companies," the company said in a statement Monday evening. That sentiment was echoed by Falon Fatemi, chief executive of Node, a San Francisco startup that uses publicly available data and artificial intelligence to help companies identify potential customers. "If LinkedIn is going to allow profiles to be indexed by search engines to benefit their platform then why shouldn't the rest of the internet benefit from that as well?" she said. The dispute between the two tech companies has been going on since May, when LinkedIn issued a letter to hiQ Labs instructing the startup to stop scraping data from its service. HiQ Labs responded by filing a lawsuit against LinkedIn in June, alleging that the Microsoft-owned social network was in violation of antitrust laws.

LinkedIn connection request doesn't violate non-solicitation clause (Eric Goldman, 14 Aug 2017) - This is another case considering when LinkedIn activity violates a non-solicitation clause. Bankers Life, a company that sells insurance and financial products, sued one of its ex-employees (and his new employer, ASB) alleging among other things that the ex-employee violated his non-solicitation covenant through his communications on social media. * * * Gelineau's alleged violation? He sent LinkedIn requests to three Bankers Life employees who could "then click on to Gelineau's profile and . . . see a job posting for ASB." Bankers Life also alleged that Gelineau instructed another ASB employee to solicit Bankers Life employees, but the court found Bankers Life's evidence insufficient with respect to this claim. * * * This case is a nice complement to the Mobile Mini case I blogged about last month. There, the posts in question were essentially sales pitches, and the court says they likely violate the non-solicitation clause, whether sent as direct messages or not. Here, the LinkedIn messages had no call to action other than to connect. So it's not unexpected that the court finds there is no violation. It's surprising to see an employer think that a generic "let's connect!" email campaign could violate a non-solicitation clause. But Bankers Life did, and the court rightly shut it down.

ABA and Jones Day launch website to connect veterans to legal services (Bob Ambrogi, 14 Aug 2017) - At its annual meeting in New York Saturday, the American Bar Association announced the launch of VetLex.org, a website, developed in partnership with the law firm Jones Day, that matches veterans in need of pro bono legal services with attorneys willing to provide such services. For now, the new site is only accepting registrations from attorneys, law firms and legal organizations interested in providing services. By Veterans Day, the site will open on a pilot basis in a limited number of cities and states to accept veterans' cases. The site will become fully operational nationally in 2018, the ABA's announcement said. Once the site opens to veterans, it will provide an online tool for them to obtain pro bono counsel for their specific legal needs, including civil, criminal or administrative matters. It will also provide educational information on basic legal concepts, and serve as a repository for paperwork, such as DD 214s, that is required by various service providers. The ABA expects that the site will also be used by organizations that serve veterans in helping them find lawyers to assist their clients. Lawyers who register at the site will be asked to create a profile that defines the kinds of cases they are willing to take. The site will also provide training in handling certain kinds of cases. * * *

The Miami Heat are switching to smartphone-only tickets for home games this season (The Verge, 14 Aug 2017) - If you're planning on attending a Miami Heat game at the team's home court American Airlines Arena this coming season, you'll need to own a smartphone. The basketball team announced last week that it would be switching over to mobile-based tickets for entry at home games, becoming the first in the NBA to enact such a policy, via ESPN. According to a statement from the team, the new policy is due to the fact that roughly one in every three fans used mobile tickets to attend games last season. While other teams in the NBA like the Timberwolves and the Cavaliers have primarily switched over to mobile tickets, those teams still offer the option for fans to use a driver's license and credit card to get into the stadium. The new policy applies to all Heat tickets, too. So, if you walk up to American Airlines Arena and buy tickets at the box office, you'll still get them on your phone now.

Massive new searchable database of federal court opinions, including ones that haven't been formally published (WaPo Eugene Volokh, 15 Aug 2017) - The Free Law Project, famous for its RECAP browser extension for PACER users, has now scraped all the federal court opinions available for free on PACER, and put them in a free database with a fairly powerful search engine: At Free Law Project, we have gathered millions of court documents over the years, but it's with distinct pride that we announce that we have now completed our biggest crawl ever. After nearly a year of work, and with support from the U.S. Department of Labor and Georgia State University, we have collected every free written order and opinion that is available in PACER. To accomplish this we used PACER's "Written Opinion Report," which provides many opinions for free. This collection contains approximately 3.4 million orders and opinions from approximately 1.5 million federal district and bankruptcy court cases dating back to 1960. More than four hundred thousand of these documents were scanned and required OCR, amounting to nearly two million pages of text extraction that we completed for this project. All of the documents amassed are available for search in the RECAP Archive of PACER documents and via our APIs. New opinions will be downloaded every night to keep the collection up to date.

Tech companies urge Supreme Court to boost cellphone privacy (Reuters, 15 Aug 2017) - More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon Communications Inc., have called on the U.S. Supreme Court to make it harder for government officials to access individuals' sensitive cellphone data. The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user's whereabouts. Signed by some of Silicon Valley's biggest names, including Apple, Facebook, Twitter, Snap and Alphabet's Google, the brief said that as individuals' data is increasingly collected through digital devices, greater privacy protections are needed under the law. "That users rely on technology companies to process their data for limited purposes does not mean that they expect their intimate data to be monitored by the government without a warrant," the brief said. * * * Nathan Freed Wessler, an attorney with the American Civil Liberties Union who is representing Carpenter, said the companies' brief represented a "robust defense of their customers' privacy rights in the digital age." Verizon's participation in the brief was important, he added, given that it receives, like other wireless carriers, thousands of requests for cellphone location records every year from law enforcement. The requests are routinely granted.

- and -

Verizon-yes, Verizon-just stood up for your privacy (Wired, 16 Aug 2017) - Fourteen of the biggest US tech companies filed a brief with the Supreme Court on Monday supporting more rigorous warrant requirements for law enforcement seeking certain cell phone data, such as location information. In the statement, the signatories-Google, Apple, Facebook, and Microsoft among them-argue that the government leans on outdated laws from the 1970s to justify Fourth Amendment overreach. One perhaps surprising voice in the chorus of protesters? Verizon. Verizon's support means that the largest wireless service provider in the US, and a powerful force in Silicon Valley, has bucked a longtime trend of telecom acquiescence. While carriers have generally been willing to comply with a broad range of government requests-even building out extensive infrastructure to aid surveillance-Verizon has this time joined with academics, analysts, and the company's more privacy-focused corporate peers. Carpenter v. United States is "one of the most important Fourth Amendment cases in recent memory," Craig Silliman, Verizon's executive vice president for public policy and general counsel, wrote on Monday. "Although the specific issue presented to the Court is about location information, the case presents a broader issue about a customer's reasonable expectation of privacy for other types of sensitive data she shares with any third party.... Our hope is that when it decides this case, the Court will help us better apply old Fourth Amendment doctrines to an evolving digital era." Carpenter v. United States, which the Supreme Court will hear this fall, relates to the acquisition, without a warrant, of months of individuals' location records by law enforcement officials in 2011. Officials looked back on 12,898 location records, spanning a four-month period, of one of these individuals, Timothy Carpenter, to build their case; Carpenter was eventually convicted. His appeal argues that location-data collection by law enforcement without a warrant violates his Fourth Amendment rights-and Verizon agrees. top

Justice Department fights web hosting company for Trump protester information (Lawfare, 15 Aug 2017) - The Justice Department is fighting for information on all of the visitors to the website disruptj20.org, as well as log files on when and from where the visitors logged onto the site, what they looked at, and emails related to the site. The site at the center of the storm bills itself as a platform connecting Trump protesters and "support[ing] the massive and spontaneous eruption of resistance across the United States that's happened since the election." At the New York Times, Charlie Savage reports that federal investigators have issued a search warrant to the internet hosting company DreamHost, which is now challenging the warrant as unconstitutionally broad: complying with it would allegedly require handing over 1.3 million visitor IP addresses and the information, emails and photos of thousands of users. Also see the Washington Post story last night from Ellen Nakashima. DreamHost announced the fight yesterday in a blog post entitled "We Fight for the Users." Here are the key documents: the search warrant; the Justice Department's motion to show cause; and DreamHost LLC's third-party response in opposition to the Department's motion. [ Polley : see also Justice Dept. demands data on visitors to anti-Trump website, sparking fight (NYT, 15 Aug 2017)] top

- and -

Justice Department walks back demand for information on anti-Trump website (The Verge, 22 Aug 2017) - After controversy over a broad search warrant that could have identified visitors to an anti-Trump website, the Justice Department says it's scaling back a demand for information from hosting service DreamHost. Last week, DreamHost disclosed that it was involved in a legal dispute with the department over access to records on the website "disruptj20.org," which organized protests tied to Donald Trump's inauguration. The warrant issued by the department was so broad, DreamHost said, that it was effectively requesting information that could identify lawful protesters - including information on more than 1.3 million IP addresses from visitors to the site. The warrant immediately drew condemnation from some privacy law experts. In a legal filing today, the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously "unknown." In light of that, it has offered to carve out information demanded in the warrant, specifically pledging not to request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that "the government is focused on the use of the Website to organize, to plan, and to effect a criminal act - that is, a riot." Peaceful protesters, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests "all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account." It's unclear if DreamHost will continue to fight the new demand. The company did not immediately respond to a request for comment. top

NotPetya ransomware attack cost us $300m - shipping giant Maersk (The Register, 16 Aug 2017) - The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty. The malware surfaced in Ukraine in June after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an infection that hooked into its global network and shut down the shipping company, forcing it to halt operations at 76 port terminals around the world. "In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," CEO Soren Skou said in a statement today. "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m." Admittedly Maersk is massive - it's responsible for around 15 per cent of the world's entire shipping network - but that kind of financial damage is close to a record for such an attack. Then again, the company's entire network was down for days, Skou told the Financial Times. top

Fitch: NAIC rules may boost US insurers' cyber risk management (FitchRatings, 16 Aug 2017) - The National Association of Insurance Commissioners' (NAIC) Cybersecurity Working Group approved the Insurance Data Security Model Law, which, if approved by the NAIC Executive Committee, will promote more rigorous cyber risk management practices in the U.S. insurance market, Fitch Ratings says. At the same time it will add to insurers' compliance costs and associated risks of penalties for compliance violations. In its current form the proposed model law is credit-neutral for the U.S. insurance sector. It is largely complementary to other federal and state regulations for cybersecurity, including the New York State Department of Financial Services cybersecurity regulations effective March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York. The proposed model law still needs approval of the Innovation and Technology Task Force and the NAIC Executive Committee to be considered a model law. Application of model laws requires state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers' cybersecurity. The NAIC's framework establishes industry standards for data security that will apply to a broad range of parties including insurance companies, agents and brokers. Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third party service provider arrangements and the outcome of cybersecurity events. top

Berkman Klein study finds partisan right-wing websites shaped mainstream press coverage before 2016 election (Harvard, 16 Aug 2017) - The Berkman Klein Center for Internet & Society at Harvard University today released a comprehensive analysis of online media and social media coverage of the 2016 presidential campaign. The report, " Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election ," documents how highly partisan right-wing sources helped shape mainstream press coverage and seize the public's attention in the 18-month period leading up to the election. "In this study, we document polarization in the media ecosystem that is distinctly asymmetric. Whereas the left half of our spectrum is filled with many media sources from center to left, the right half of the spectrum has a substantial gap between center and right. The core of attention from the center-right to the left is large mainstream media organizations of the center-left. The right-wing media sphere skews to the far right and is dominated by highly partisan news organizations," co-author and principal investigator Yochai Benkler stated. The study found that on the conservative side, more attention was paid to pro-Trump, highly partisan media outlets. On the liberal side, by contrast, the center of gravity was made up largely of long-standing media organizations. Robert Faris, the Berkman Klein Center's research director, noted, "Consistent with concerns over echo chambers and filter bubbles, social media users on the left and the right rarely share material from outside their respective spheres, except where they find coverage that is favorable to their choice of candidate. A key difference between the right and left is that Trump supporters found substantial coverage favorable to their side in left and center-left media, particularly coverage critical of Clinton. In contrast, the messaging from right-wing media was consistently pro-Trump." top

ILTA 2017: Where have all the lawyers gone? (Lawyerist, 17 Aug 2017) - In looking at this year's International Legal Technology Association (ILTA) attendance list, I saw lots of legal professionals from well-known and well-heeled law firms, a big group of big tech vendors, a few legal startups, and very few practicing lawyers. Why aren't there more practicing lawyers here? Indeed, I seem to be one of the few outside practicing lawyers in attendance. So much so that in meetups and informal chats, when I tell people I am an active practitioner, I am usually met with raised eyebrows. ILTA touts that the conference "is the premier educational and networking event for the legal sector" that "empowers us to share what works, what doesn't and what's next." If that's the case, it would seem to be one of the more important events for practicing lawyers to attend. * * * There was even a session where in-house counsel from such companies as Microsoft, Exelon, and Sanofi offered their opinions on what they wanted from their law firms. I think I was the only practicing lawyer in the room. It's as if the big firms for whom most of the legal professionals here work have basically farmed out all things tech and don't want to get their hands dirty. And therein lies the problem: by creating this gap between the lawyers using the technology and what some lawyers call "staff," a lack of understanding and communication exists. Warren Rheaume of Davis Wright Tremaine, a speaker on the politics of change-and one of the few other practitioners in attendance-calls it a crisis. top

Consortium formed to drive blockchain adoption in legal industry (Bob Ambrogi, 17 Aug 2017) - Bob Craig, chief information officer at Baker Hostetler, has a vision of a technology that will transform the business of law. That technology is blockchain. Craig and his firm are part of a group of law firms and technology companies that this week announced the formation of the Global Legal Blockchain Consortium . The consortium will work to drive the adoption and standardization of blockchain in the legal industry, with the larger goal of improving the security and interoperability of the global legal technology ecosystem. Members of the consortium include the law firms Baker Hostetler and Orrick, IBM Watson Legal, and the newly formed company Integra Ledger , which is hoping to become the ledger used throughout the legal industry for blockchain digital identities. At an event Tuesday to announce the consortium's formation, Craig said that establishment of consortia has become common in many industries as a way to get the right people around the table to explore how blockchain technology can solve real-world business problems or, in this case, real-world legal problems. top

- and -

Bitcoin-accepting sites leave cookie trail that crumbles anonymity (The Register, 20 Aug 2017) - Bitcoin transactions might be pseudonymous, but on the Internet, its users aren't - and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user's cookies to their Bitcoin transactions is so straightforward, it's almost surprising it took this long for a paper like this to be published. The paper sees privacy researcher Dillon Reisman and Princeton's Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions: only small amounts of transaction information need to leak, they write, in order for "Alice" to be associated with her Bitcoin transactions. It's possible to infer the identity of users even if they use privacy-protecting services like CoinJoin, a protocol designed to make Bitcoin transactions more anonymous by making it impossible to infer which inputs and outputs belong to each other. Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, "most frequently from shopping cart pages," and most of these on purpose (for advertising, analytics and the like). Worse, "many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers". top

- and -

IRS now has a tool to unmask bitcoin tax cheats (Daily Beast, 22 Aug 2017) - You can use bitcoin. But you can't hide from the taxman. At least, that's the hope of the Internal Revenue Service, which has purchased specialist software to track those using bitcoin, according to a contract obtained by The Daily Beast. The document highlights how law enforcement isn't only concerned with criminals accumulating bitcoin from selling drugs or hacking targets, but also those who use the currency to hide wealth or avoid paying taxes. The IRS has claimed that only 802 people declared bitcoin losses or profits in 2015; clearly fewer than the actual number of people trading the cryptocurrency-especially as more investors dip into the world of cryptocurrencies, and the value of bitcoin punches past the $4,000 mark. Maybe lots of bitcoin traders didn't realize the government expects to collect tax on their digital earnings, or perhaps some thought they'd be able to get away with stockpiling bitcoin thanks to the perception that the cryptocurrency is largely anonymous. "The purpose of this acquisition is… to help us trace the movement of money through the bitcoin economy," a section of the contract reads. The Daily Beast obtained the document through the Freedom of Information Act. The contractor in this case is Chainalysis, a startup offering its "Reactor" tool to visualize, track, and analyze bitcoin transactions. Chainalysis' customers include law enforcement agencies, banks, and regulatory entities. The software can follow bitcoin as it moves from one wallet to another, and eventually to an exchange where the bitcoin user will likely cash out into dollars or another currency. At that point, law enforcement could issue a subpoena to the exchange and figure out who is really behind the bitcoin. top
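The two items above describe the same pipeline from opposite ends: a merchant page leaks the payment address and amount to a third-party tracker that already holds a cookie for the visitor, and chain-analysis tooling then clusters the payer's addresses and follows the coins to an exchange deposit that can be subpoenaed. The following is an added illustration, not code from the Princeton paper, The Register, Chainalysis or the IRS contract. The tracker log, the toy chain, the address names and the exchange attribution list are all constructed; the "change output" rule (any non-merchant output returns to the payer) is a simplifying assumption stated in the code.

```python
"""Constructed demo: cookie -> leaked payment -> payer cluster -> tagged exchange.

Added example; every log line, transaction, address and tag below is made up.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed tracker-side log. The third party sees its own cookie plus the Referer
# of the merchant checkout page; the (assumed, unintentional) leak is that the
# checkout URL carries the payment address and amount in its query string.
TRACKER_LOG = """\
cookie=uid-4411 referer=https://shop.example/checkout?addr=payAlice01&amt=0.0731
cookie=uid-9920 referer=https://shop.example/checkout?addr=payBob02&amt=0.0500
cookie=uid-4411 referer=https://shop.example/thanks
"""

# Constructed toy chain: inputs are addresses being spent, outputs are (address, BTC).
CHAIN = [
    {"txid": "t1", "inputs": ["aW1", "aW2"], "outputs": [("payAlice01", 0.0731), ("aW3", 0.42)]},
    {"txid": "t2", "inputs": ["bW1"], "outputs": [("payBob02", 0.05), ("bW2", 0.10)]},
    {"txid": "t3", "inputs": ["aW3", "aW4"], "outputs": [("xchgDep1", 0.51)]},
    {"txid": "t4", "inputs": ["cW1"], "outputs": [("cW2", 1.0)]},
]
EXCHANGE_TAGS = {"xchgDep1": "ExampleExchange"}  # constructed attribution list

LOG_RE = re.compile(r"cookie=(\S+) referer=(\S+)")


def parse_tracker_log(text):
    """Return {cookie: [(address, amount)]} for lines whose Referer leaks a payment."""
    leaks = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cookie, url = m.groups()
        qs = parse_qs(urlparse(url).query)
        if "addr" in qs and "amt" in qs:
            leaks.setdefault(cookie, []).append((qs["addr"][0], float(qs["amt"][0])))
    return leaks


def find_payment_tx(chain, address, amount, tol=1e-8):
    """Locate the on-chain transaction that paid exactly `amount` to `address`."""
    for tx in chain:
        if any(a == address and abs(v - amount) < tol for a, v in tx["outputs"]):
            return tx
    return None


class UnionFind:
    """Minimal disjoint-set structure for address clustering."""
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def build_clusters(chain):
    """Common-input-ownership heuristic: all inputs of one tx are assumed one owner."""
    uf = UnionFind()
    for tx in chain:
        for a in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], a)
    return uf


def trace_to_tagged(chain, start, tags, max_hops=5):
    """Follow spends forward from `start` until an output lands on a tagged address."""
    frontier, seen = set(start), set()
    for hop in range(1, max_hops + 1):
        nxt = set()
        for tx in chain:
            if any(a in frontier for a in tx["inputs"]):
                for addr, _ in tx["outputs"]:
                    if addr in tags:
                        return tags[addr], tx["txid"], hop
                    nxt.add(addr)
        seen |= frontier
        frontier = nxt - seen
        if not frontier:
            break
    return None


def deanonymize(cookie, log=TRACKER_LOG, chain=CHAIN, tags=EXCHANGE_TAGS):
    """Cookie -> leaked payment -> payer cluster -> exchange deposit, or None."""
    uf = build_clusters(chain)
    for address, amount in parse_tracker_log(log).get(cookie, []):
        tx = find_payment_tx(chain, address, amount)
        if tx is None:
            continue
        # Assumed change heuristic: every output other than the merchant's is the payer's.
        for change_addr in (a for a, _ in tx["outputs"] if a != address):
            uf.union(tx["inputs"][0], change_addr)
        root = uf.find(tx["inputs"][0])
        cluster = {a for a in list(uf.parent) if uf.find(a) == root}
        return {"txid": tx["txid"], "cluster": sorted(cluster), "exchange": trace_to_tagged(chain, cluster, tags)}
    return None


if __name__ == "__main__":
    print(deanonymize("uid-4411"))
    print(deanonymize("uid-9920"))
```

For the constructed cookie `uid-4411` the leak resolves to `t1`, the cluster grows to four addresses through one change output and one later multi-input spend, and the coins reach the tagged exchange deposit in a single hop; `uid-9920` resolves to a transaction but its coins never move, so there is nothing to subpoena. The exact-amount match is what makes the leak dangerous: the tracker does not need the address if the amount and the timestamp alone single out one output on the chain.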

- and -

Hacking Coinbase: The great bitcoin bank robbery (Fortune, 22 Aug 2017) - Sean Everett wasn't sure how his bullish bet on cryptocurrency would turn out. But he definitely didn't expect it to be over so soon. In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies' value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device. It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett's cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase "wallet." They'd gotten in with the help of his switched-over phone number: Everett's account required him to log in with a two-factor authentication code sent by text message, as a second safeguard-and now the text had gone straight to the thief. * * * [ Polley : Long, and fascinating; see also Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency (NYT, 22 Aug 2017)] top

New NIST draft embeds privacy into US govt security for the first time (The Register, 18 Aug 2017) - A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology. The proposed "Security and Privacy Controls for Information Systems and Organizations" will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America. This version of the document - the draft of its fifth revision - concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet. With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications, and for the first time privacy has gone from being an appendix to being pulled into the main body of the document. "The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable," the document states. Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network. Major changes include: * * * top

Law firms, legal departments predicted to focus more on IT risk (LegalTech, 21 Aug 2017) - Legal departments and law firms are likely to continue to focus more on information technology risk, given a recent projection that global spending on information security services and products will continue to rise. According to a recent Gartner study, overall global spending in the sector will total $86.4 billion this year, an increase of 7 percent over last year. Similarly, spending is predicted to jump to $93 billion in 2018, the study said. "Gartner's latest report about increased spending on security comes as no surprise, given the increase in data breaches, ransomware and the introduction of GDPR [the General Data Protection Regulation] in 2018," Darren R. Hayes, a professor at Pace University, told Legaltech News. "While the liability associated with data breaches in the U.S. may be limited to reputation, the potential fines associated with the introduction of GDPR [in Europe] should be a wake-up call for multinational corporations," he said. "Google [was] … already fined $2.7 billion by an EU [European Union] antitrust ruling in June of this year so it is clear that the EU will enforce its new draconian cyber-related laws." And GDPR compliance is likely to put a strain on legal professionals. In recent years, financial institutions have prioritized regulatory compliance, as regulatory fines have reached an estimated $100 billion annually, Hayes said. Breach response costs are also increasing, and this problem will be exacerbated by GDPR. The Gartner study predicts GDPR will drive 65 percent of data loss prevention buying decisions through 2018, and security services will continue to be the fastest growing segment in the sector, especially IT consulting, outsourcing and implementation services. "Legal and compliance departments can expect to focus more on IT risk in the near future, which includes greater scrutiny of third-party IT service providers and their associated service level agreements," he added. top

The Twitter #hashtag is 10 years old (CNN, 23 Aug 2017) - The hashtag character (#) popularized on Twitter was tweeted for the first time by designer Chris Messina on this day in 2007. He asked his followers: "how do you feel about using # (pound) for groups. As in #barcamp [msg]?" But the hashtag wasn't born on Twitter. The hash -- also called the octothorpe -- first appeared on touch-tone telephones in the 1960s. We still use the character to interact with automated phone systems. Users on Internet Relay Chat, a popular chat room protocol, long used the pound sign to join different channels. It's unclear who invented the IRC hashtag. Facebook adopted hashtags years later, in 2013, but they serve the same purpose. top

RESOURCES

General Data Protection Regulation (GDPR) and the Proposed ePrivacy Regulation (MLPB, 18 Aug 2017) - W. Gregory Voss, Toulouse Business School, has published First the GDPR, Now the Proposed ePrivacy Regulation at 21 Journal of Internet Law 3 (July 2017). Here is the abstract: On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, including its broad territorial scope, its material scope, its interface with the GDPR, as well as provisions on cookies, confidentiality of communications, application of the concept of consent and unsolicited direct marketing communications and enforcement measures (including sanctions). Next, this article discusses advisory and industry reactions to the proposed Regulation, and outlines the legislative process, prior to making certain conclusory remarks. top

Hoofnagle on FTC Regulation of Cybersecurity and Surveillance (MLPB, 24 Aug 2017) - Chris Jay Hoofnagle, University of California, Berkeley, School of Information, and University of California, Berkeley, School of Law, is publishing FTC Regulation of Cybersecurity and Surveillance in The Cambridge Handbook of Surveillance Law (David Gray and Stephen Henderson, eds., Cambridge University Press 2017). Here is the abstract: The Federal Trade Commission (FTC) is the United States' chief consumer protection agency. Through its mandate to prevent unfair and deceptive trade practices, it both regulates surveillance and creates cybersecurity law. This chapter details how the FTC regulates private-sector surveillance and elucidates several emergent properties of the agency's activities. First, private-sector surveillance shapes individuals' reasonable expectations of privacy, and thus regulation of the private-sector has effects on the government as surveillant. The FTC's activities not only serve dignity interests in avoiding commercial inference in one's life, they also affect citizens' civil liberties posture with the state. Second, surveillance can make companies directly liable (for intrusive web monitoring, for tracking people offline, and for installing malware) or indirectly liable (for creating insecure systems, for using deception to investigate, and for mediating the surveillance of others) under the FTC Act. Third, the FTC's actions substitute plaintiffs' litigation for privacy, as the class action is burdened in novel ways. Fourth, the FTC's actions increase the quality of consent necessary to engage in surveillance, and in so doing, the FTC has made some kinds of surveillance practically impossible to implement legally. Finally, the FTC's actions make companies more responsible for their surveillance technologies in several ways-by making software vendors liable for users' activities, by imposing substantive security duties, and by narrowing internet intermediary immunity. top

Cisco 2017 Midyear Cybersecurity Report (Cisco, 24 Aug 2017) - For nearly a decade, Cisco has published comprehensive cybersecurity reports that are designed to keep security teams and the businesses they support apprised of cyber threats and vulnerabilities-and informed about steps they can take to improve security and cyber-resiliency. In these reports, we strive to alert defenders to the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption. With this latest report, however, we find we must raise our warning flag even higher. Our security experts are becoming increasingly concerned about the accelerating pace of change-and yes, sophistication-in the global cyber threat landscape. That is not to say defenders are not improving their ability to detect threats and prevent attacks, or to help users and organizations avoid or recover more quickly from them. But we see two dynamics undermining their hard-won successes, hindering further progress, and helping to usher in a new era of cyber risks and threats: * * * top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Settling it on the web (ABA Journal, 4 Oct 2007) - Online dispute resolution was supposed to take over the legal profession. With the rise of the Internet, artificial intelligence and other clever bits of technology, lawyers would be able to solve legal disputes with computers, not courtrooms and judges. "Around 1999 or 2000 we thought this would be huge; every court would have a kiosk out front for ODR," says Colin Rule, ODR director for eBay and PayPal. But a funny thing happened after the dot-com bust. ODR seemed to fail. And now, instead of being imposed on the legal profession from the outside, it is bubbling up from within the trade. Rule says ODR is integrated into a lot of business models and has become so integral that many people might not even know it's there. "Look at me: When we started, I worked at a tiny, independent ODR company," he says. "Now I'm part of this big company that handles millions of disputes online, and nobody thinks twice about it." Web technology is now slowly making inroads into dispute resolution that had been handled offline. Dan Rainey, director of the office of alternative dispute resolution services for the National Mediation Board, a federal agency, says he hopes to soon handle 10 percent of its arbitration cases online. top

Software provider liable for unauthorized practice of law in Ninth Circuit (Findlaw.com, March 2007) -- Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to "know the law" and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product's web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. During the first meeting with the petitioner's creditors, the Chapter 7 trustee noticed mistakes, learned about the software and filed an adversary action against the software vendor alleging violations of 11 U.S.C. section 110. This action added to the list of section 110 proceedings against the software vendor, which had already run afoul of several other Chapter 7 trustees. The bankruptcy court held that collateral estoppel prevented the vendor from challenging its status as a "bankruptcy petition preparer engaged in the unauthorized practice of law," since a previous case had gone against the vendor on this point. The Bankruptcy Appellate Panel of the Ninth Circuit agreed with the bankruptcy court and affirmed based on issue preclusion. The regular Ninth Circuit panel decided to address the merits of the case, however, after accepting the defendant's argument that the website had changed since the previous case was decided. The court found that the vendor indeed qualified as a bankruptcy petition preparer, which was the first time that the Ninth Circuit had determined that a software provider could qualify as such. Since bankruptcy petition preparers are, by definition, not attorneys, the court's next step was to examine California law to determine whether the vendor engaged in the unauthorized practice of the law. Case at http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

Saturday, August 05, 2017

MIRLN --- 16 July - 5 August 2017 (v20.11)

MIRLN --- 16 July - 5 August 2017 (v20.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | RESOURCES | LOOKING BACK | NOTES

New York DFS publishes FAQs on new cybersecurity regulations (Covington, 14 July 2017) - As our readers know, New York's Department of Financial Services ("NY DFS") released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk. Notwithstanding the fanfare surrounding the announcement of these "first-in-the-nation" regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)). On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a "Frequently Asked Questions" section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below: * * * [ Polley : e.g., a possible obligation to report unsuccessful cyber attacks.] top

When do review websites commit extortion?-Icon Health v. ConsumerAffairs (Eric Goldman, 14 July 2017) - Icon Health and Fitness manufactures exercise equipment, such as the well-known NordicTrack. ConsumerAffairs is a review website. Like many other review websites, its business model is predicated on payments from reviewed businesses. However, ConsumerAffairs' specific practices raise some extra questions. The complaint made the following allegations: Defendants, through that database, favor product manufacturers who agree to pay a one-time setup fee and an ongoing monthly fee to ConsumerAffairs or Consumers Unified, LLC. ConsumerAffairs publishes an "Overall Satisfaction Rating" for each product reviewed on its website. The Overall Satisfaction Rating is expressed as a star rating out of five possible stars. ConsumerAffairs calculates the rating based on an unspecified subset of user reviews hosted on ConsumerAffairs' website. ConsumerAffairs chooses which consumer reviews to include in a given company's Overall Satisfaction Rating based solely on whether that company pays a monthly fee to ConsumerAffairs. ConsumerAffairs alters a company's Overall Satisfaction Rating by intentionally omitting or removing legitimate positive consumer-submitted reviews from pages discussing non-paying companies. * * * If these allegations are true, as a consumer I would not consider ConsumerAffairs' review database management practices credible. Nevertheless, to me, these allegations make it clear that ConsumerAffairs qualifies for Section 230 protection (see also the Fourth Circuit's Nemet Chevrolet ruling, but see the disastrous Consumer Cellular ruling). Unfortunately, the court doesn't know what to do with these allegations. Thus, the court bifurcates its opinion into some general principles about Section 230 and then specific applications on a claim-by-claim basis. The net effect isn't too bad for ConsumerAffairs, but the opinion has many interstices. * * * top

Lloyds of London: Insure cyberattacks like natural disasters (The Hill, 17 July 2017) - Cybersecurity insurers have to become more prepared to treat global cyberattacks more like natural disasters than traditional crimes, concludes a report from insurer Lloyd's of London. In a report dated last week, the United Kingdom-based firm speculates about two hypothetical "cyber events" that could cause global damage cybersecurity insurance providers may not be prepared for. The report tabulates the potential damage caused by two types of attacks. In one, hackers disrupt cloud service providers. In a second, hackers get their hands on a vulnerability for an operating system used by 45 percent of the global market. Lloyd's of London approximates that average cloud service events of varying severity range from $4.6 billion in total damages for a "large" attack to $53.1 billion for an "extreme" one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one. The report notes that attacks fluctuate dramatically around that average - in the extreme cloud event that averaged $53.1 billion in damages, attacks might do as little as $15.6 billion or as much as $121.4 billion. Lloyd's notes that much of the damages would not be covered by insurance. Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example. top

Alleged retweet by judge doesn't warrant retroactive recusal, 9th Circuit rules (ABA Journal, 17 July 2017) - A federal appeals court has refused to order the retroactive recusal of a federal judge accused of retweeting a news story about a case after he denied a motion. The San Francisco-based 9th U.S. Circuit Court of Appeals said that, even if U.S. District Judge William Shubb was the owner of the anonymous Twitter account at issue, his tweet didn't warrant retroactive recusal, report the Recorder (sub. req.), the Sacramento Bee and the Metropolitan News-Enterprise. Above the Law noted the July 13 decision (PDF). Sierra Pacific had initially sought to unravel a $122 million settlement related to a massive forest fire in 2007 based on allegations about alleged government misconduct. The government had sued Sierra Pacific and other defendants to recover damages and money it spent fighting the blaze. Shubb refused to grant Sierra Pacific's motion for relief from judgment. Sierra Pacific Industries Inc. claimed Shubb was tweeting from the account @nostalgist1. The account had followed the U.S. Attorney's office, which tweeted eight times about the case after Shubb's ruling. Sierra Pacific had argued that following the account created the appearance of bias. The news article that was retweeted was headlined "Sierra Pacific still liable for Moonlight Fire damages." Sierra Pacific had objected to the headline because it didn't admit liability and the settlement had said the payment didn't constitute damages. Sierra Pacific said the retweet created an additional inference of bias and constituted an impermissible public comment. Merely following a Twitter account doesn't create a basis for recusal and doesn't constitute improper ex parte communications, the appeals court said. Nor did retweeting a news article constitute plain error requiring recusal, the appeals court also said. 
Though the appeals court saw no reason to require Shubb's retroactive recusal, it nonetheless said the case was "a cautionary tale about the possible pitfalls of judges engaging in social media activity relating to pending cases." top

- and -

Miami-Dade judge's Facebook 'friendship' leads to court battle (Daily Business Review, 28 July 2017) - A North Miami law firm is fighting to have a judge removed from a case for being Facebook friends with a lawyer who appeared before her. Miami-Dade Circuit Judge Beatrice Butchko is publicly linked on the social networking site with Israel Reyes, a former colleague from the bench. Reyes, now the managing partner at the Reyes Law Firm in Coral Gables, entered an appearance on behalf of a nonparty in a case before Butchko. The Facebook friendship means Reyes can "influence" Butchko, who therefore "cannot be impartial," argued Reuven Herssein, founding member of Herssein Law Group, in a motion to disqualify Butchko. She declined to recuse herself, saying the motion was legally insufficient. The fight is now before the Third District Court of Appeal, where attorneys are debating the ethics of judicial social media use nearly a decade after the state first addressed judges' Facebook friendships. Florida has relatively strict guidelines on social media connections, compared with other states. A 2009 opinion from the Florida Supreme Court's judicial ethics advisory committee said judges should not send or accept social media friend requests from lawyers who may appear before them. "The committee believes that listing lawyers who may appear before the judge as 'friends' on a judge's social networking page reasonably conveys to others the impression that these lawyer 'friends' are in a special position to influence the judge," the committee wrote, recognizing that a social media "friend" may be nothing more than a distant acquaintance. The Fourth District Court of Appeal relied on the opinion in a decision disqualifying a judge in a criminal case for being Facebook friends with the prosecutor. The court found the social media connection could "create in a reasonably prudent person a well-founded fear of not receiving a fair and impartial trial." 
But United Services Automobile Association (USAA), the defendant in the case filed by Herssein Law Group, argues the Fourth DCA decision doesn't apply here. While a criminal defendant might reasonably fear bias in this situation, Herssein and his firm are more sophisticated than that, USAA's counsel argued. "No reasonably prudent Miami lawyer has a well-founded fear of not receiving a fair and impartial trial simply because two judges who sat on the bench in Miami-Dade County are 'friends' on Facebook," wrote Shutts & Bowen attorneys Patrick Brugger and Frank Zacherl of Miami, who did not respond to a request for comment by deadline. Eleven states have issued guidance on judicial social media use, according to the National Center for State Courts. Florida's guidelines are among the most restrictive, with states including California, Kentucky and New York opining that judges can accept Facebook friend requests from lawyers who may appear before them under certain conditions. In California, judges may add lawyers on Facebook if their pages are used only for professional activities, such as interacting with members of a law school alumni group. Other factors include how many friends the judge has, whether he or she declines some attorneys' friend requests but accepts others and how often the attorney appears before the judge. top

- and -

Court rules that politicians blocking followers violates free speech (NY Magazine, 28 July 2017) - While there is no set precedent for the issue, more and more courts are encountering a new type of lawsuit related to social-media blocking. The Knight Foundation, for instance, is suing the U.S. government on behalf of Twitter users blocked by President Donald Trump, whose Twitter account has become alarmingly vital when it comes to understanding his presidency. This week, a federal court in Virginia tackled the issue when it ruled on behalf of a plaintiff blocked by a local county politician. According to The Wall Street Journal, "Brian Davison sued the chairwoman of the Loudoun County Board of Supervisors, who temporarily banned him from her Facebook page after he posted criticism of local officials last year." Judge James Cacheris found that she had violated Davison's First Amendment rights by blocking him from leaving comments, because, in his judgment, the chairwoman, Phyllis Randall, was using her Facebook page in a public capacity. Though it was a personal account, she used it to solicit comments from constituents. "The suppression of critical commentary regarding elected officials is the quintessential form of viewpoint discrimination against which the First Amendment guards," the judge stated in his ruling. Cacheris did emphasize that his ruling should not prohibit officials from moderating comments to protect against harassment. Davison was only banned for 12 hours, and Randall faces no penalties. Still, the ruling is one of the first in a growing, thorny legal issue surrounding social media that has already reached the White House. top

Debevoise protocol to promote cybersecurity in international arbitration (Debevoise, July 2017) - As the prevalence of malicious cyberactors and cyberattacks on high-profile companies and government organizations grows, parties to commercially or politically sensitive international arbitrations increasingly express concerns with respect to cybersecurity. Cybersecurity threats may create significant operational and legal problems that can compromise the arbitral process, including loss or unauthorized disclosure of sensitive data, breaches of attorney-client confidentiality, adverse media coverage and reputational damage, costs associated with breach notification or data recovery, and legal liability. In addition to the threat cyberattacks pose to the parties to an arbitration, failing to address this problem could ultimately lead to a loss of confidence in the arbitral system. To respond to these concerns, the practitioners at Debevoise & Plimpton LLP have developed this Protocol to Promote Cybersecurity in International Arbitration. This Protocol operates on three principles: (i) Establishing Secure Protocols for the Transfer of Sensitive Information at the Outset of Proceedings, (ii) Limiting Disclosure and Use of Sensitive Information, and (iii) Developing Procedures for Disclosing Cyber Incidents. * * * top

New Zealand airports customs officials performing 'digital strip searches' of travelers' electronics (TechDirt, 17 July 2017) - Despite DHS hints that foreign airports were falling down on the "security theater" job, it appears a few customs officials are more than happy to engage in local versions of "extreme vetting." New Zealand customs officials are way ahead of the DHS in this department, having turned airports into rights-free zones where nearly anything can happen... to travelers. According to an investigative report by New Zealand's 1 NEWS, airport customs officials routinely force up to two travelers each day to give up their electronic devices and passwords for searching. According to the customs agents, the program is designed to look for smugglers by performing a "digital strip search" on the phones and laptops of travelers. This does not require a court order, but the agents do claim to adhere to New Zealand's privacy act. The data shows more than 1,300 people have been subjected to these suspicionless "strip searches" since 2015, with less than a third of those being New Zealand citizens. The majority of those searched are foreigners, and it appears visitors to the country should somehow expect delays of up to five hours thanks to this supposedly random vetting process. And there is no option to refuse this additional, highly invasive search. As Techspot reports, travelers refusing to hand over their electronic devices can be subject to fines of $5,000. top

- and -

NYC Bar guides attorneys on US border e-device searches (Bloomberg, 28 July 2017) - Attorneys crossing the U.S. border now have more guidance on how they should protect confidential client information stored on electronic devices from the prying eyes of customs and immigration agents. A formal opinion issued July 25 by the New York City Bar's ethics committee identifies some measures attorneys who travel internationally may take to satisfy their ethical obligations, in light of broad powers that U.S. Customs and Border Protection (CBP) agents assert they have to inspect travelers' electronic devices. The ethics opinion appears to be the first to address the topic and comes at a time when there has been an uptick in U.S. border electronic device searches by CBP agents. There were nearly 15,000 electronic devices searched during the first six months of the CBP's 2017 fiscal year, compared to just over 8,000 searches during the previous six months, according to CBP statistics released in April. As the number of searches of electronic devices has increased, many major law firms are reevaluating what policies they should have in place in order to protect confidential information, Steven Puiszis, a Chicago-based partner at Hinshaw & Culbertson LLP, who is his firm's general counsel for privacy, security & compliance, told Bloomberg BNA. The American Bar Association has also raised concerns about the handling of privileged and confidential legal materials during border searches. In May, the ABA sent a letter to the Department of Homeland Security, asking it to revise directives on the standards and procedures that CBP and Immigration and Customs Enforcement agents must follow before the contents of a lawyer's electronic device can be searched or seized at the border. 
ABA asserted that DHS's interpretation of the directives has "resulted in CBP Officers and ICE Special Agents exercising sweeping powers to search electronic devices at the border, with or without reasonable suspicion of any wrongdoing." ABA urged that DHS revise the directives to state that privileged or confidential electronic documents and files on a device cannot be read, duplicated, seized, or shared unless a subpoena or warrant is first obtained. The ethics committee's opinion addresses steps attorneys can take prior to crossing the U.S. border, during border searches, and after a CBP agent reviews confidential information. The opinion provides some practical guidance and highlights an issue that attorneys should be aware of, J. Alexander Lawrence, a New York-based partner at Morrison & Foerster LLP and co-chair of its eDiscovery Task Force, told Bloomberg BNA. * * * top

FedEx on Petya attack: systems still down, no cyber insurance (CSO, 18 July 2017) - US parcel delivery giant FedEx says customers of subsidiary TNT Express are still experiencing delays due to the Petya ransomware attack and that it didn't have cyber insurance to cover the incident. The company released further details about the impact of the attack in its SEC 10-K filing today, revealing the attack affected operational, financial, back-office and secondary business systems. FedEx still does not know when some of the systems downed by the Petya ransomware can be revived. On June 28, a day after the Petya ransomware began spreading in Ukraine, FedEx halted trading of its shares due to an unspecified cyber attack that crippled the operations of TNT Express, its Netherlands-based subsidiary. The attack forced it to move some TNT services across to FedEx. FedEx hasn't calculated the exact damage to its balance sheet, but repeated its initial warning that it would likely materially affect its financial performance. [ Polley : from the FedEx press release re the SEC 10-K: " We do not have cyber or other insurance in place that covers this attack. " And: " In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods. "] top

Putin's hackers now under attack-from Microsoft (The Daily Beast, 20 July 2017) - A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year's election meddling, identifying over 120 new targets of the Kremlin's cyber spying, and control-alt-deleting segments of Putin's hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls "the most vulnerable point" in Fancy Bear's espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents. Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company's approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that server's network of automated spies. 
"In other words," Microsoft outside counsel Sten Jensen explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server." top
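The sinkholing described above works because the malware finds its controller by domain name, and the domain names were chosen to look like Microsoft properties. The flip side for a defender is that the same naming pattern is visible in DNS logs before any takeover happens. The following is an added example, not code from Microsoft or from the court filing: it classifies queried names against a short list of the seized domains named in the article (kept defanged, as threat reports distribute them) plus a brand-impersonation heuristic, and reports which internal hosts looked them up. The log format, the client addresses and the allowlist of legitimate domains are constructed for the example; the registrable-domain logic takes the last two labels and is an assumption that ignores multi-part public suffixes such as co.uk.

```python
"""Flag DNS lookups for Microsoft-brand lookalike domains of the kind used as
Fancy Bear C2 (livemicrosoft[.]net, rsshotmail[.]com).  Added example; the
sample log, allowlist and heuristics are constructed, not from the article."""
import re
from collections import defaultdict

# Indicators quoted in the article, stored defanged as a report would list them.
SEIZED_DOMAINS = {"livemicrosoft[.]net", "rsshotmail[.]com"}

# Brand tokens that have no business appearing in a third-party registrable label.
BRAND_TOKENS = ("microsoft", "hotmail", "outlook", "onedrive")

# Constructed, deliberately incomplete allowlist of genuine registrable domains.
ALLOWED_DOMAINS = {"microsoft.com", "hotmail.com", "outlook.com", "live.com",
                   "onedrive.com", "office.com"}

# Constructed resolver log: "<timestamp> <client-ip> query <type> <qname>".
SAMPLE_LOG = """\
2017-08-01T10:00:01Z 10.0.0.5 query A www.microsoft.com
2017-08-01T10:00:02Z 10.0.0.5 query A livemicrosoft.net
2017-08-01T10:00:03Z 10.0.0.7 query A rsshotmail.com
2017-08-01T10:00:04Z 10.0.0.9 query A mail.outlook-secure-login.top
2017-08-01T10:00:05Z 10.0.0.9 query A example.org
this line is not a query record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+\w+\s+(?P<qname>\S+)$")


def refang(domain):
    """Turn a defanged indicator ("a[.]b") back into a real name, normalised."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_domain(fqdn):
    """Assumption: last two labels.  A real deployment uses the public suffix list."""
    labels = refang(fqdn).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else refang(fqdn)


def classify(fqdn):
    """known_c2 > allowed > brand_impersonation > benign, in that precedence."""
    rd = registrable_domain(fqdn)
    if rd in {refang(d) for d in SEIZED_DOMAINS}:
        return "known_c2"
    if rd in ALLOWED_DOMAINS:
        return "allowed"
    # Only the registrable label is scored, so sub-labels such as
    # "microsoft.example.org" (a hosting customer) are not flagged here.
    label = rd.split(".")[0]
    if any(tok in label for tok in BRAND_TOKENS):
        return "brand_impersonation"
    return "benign"


def scan_dns_log(text):
    """Return {client_ip: [(qname, verdict), ...]} for every suspicious lookup."""
    alerts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate non-query lines rather than abort the scan
        verdict = classify(m["qname"])
        if verdict in ("known_c2", "brand_impersonation"):
            alerts[m["client"]].append((m["qname"], verdict))
    return dict(alerts)


if __name__ == "__main__":
    for client, hits in sorted(scan_dns_log(SAMPLE_LOG).items()):
        for qname, verdict in hits:
            print(f"{client}\t{verdict}\t{qname}")
```

A `known_c2` hit on a host means that host is already infected and was reaching for a controller; once the domain has been sinkholed the lookup still happens, so the log keeps naming victims even though the connection now lands on the sinkhole. The `brand_impersonation` verdict is a heuristic and will flag some legitimate third-party names, so it belongs in a triage queue, not a blocklist.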

Court rejects cell site RF signal map in murder trial because it's evidence of nothing (TechDirt, 21 July 2017) - The Maryland Court of Special Appeals has handed down a ruling [PDF] on quasi-cell site location info. The evidence offered by the state isn't being so much suppressed as it is being rejected. The information wasn't obtained illegally and no rights were violated. Rather, the court finds the evidence to be questionable, as in "evidence of what, exactly?" [via EvidenceProf Blog ] The defendant in the case is charged with murder. Bashunn Phillips filed a motion to exclude the evidence, which was granted by the lower court. The state appealed. But there's nothing in it for the state. The "evidence" -- which is going to carry around scare quotes for the remainder of this post -- doesn't tie Phillips to anything. What was submitted isn't even the equivalent of coarse cell site location info. What the state submitted is something that can easily be obtained without a warrant… because it doesn't actually target any person at all. Phillips filed a motion in limine on August 7, 2015, seeking to exclude the RF signal propagation map and related testimony. Phillips argued that the method used to create the map was not generally accepted as reliable within the relevant scientific community under Maryland's Frye-Reed test for admissibility of evidence based on novel scientific methodology. Phillips acknowledged that cell phone tower "ping" evidence is admissible, but drew a distinction between the method used to create the RF signal propagation map and the collection of historical cell phone "ping" evidence. * * * top

Abuses hide in the silence of non-disparagement agreements (CNBC, 21 July 2017) - * * * As more harassment allegations come to light, employment lawyers say nondisparagement agreements have helped enable a culture of secrecy. In particular, the tech start-up world has been roiled by accounts of workplace sexual harassment, and nondisparagement clauses have played a significant role in keeping those accusations secret. Harassers move on and harass again. Women have no way of knowing their history. Nor do future employers or business partners. Nondisparagement clauses are not limited to legal settlements. They are increasingly found in standard employment contracts in many industries, sometimes in a simple offer letter that helps to create a blanket of silence around a company. Their use has become particularly widespread in tech employment contracts, from venture investment firms and start-ups to the biggest companies in Silicon Valley, including Google. * * * In its buyout agreements, The New York Times asks employees to agree to a limited nondisparagement clause that specifies the agreement does not prohibit people from providing information about legal violations or discrimination to the government or regulators. The terms of other nondisparagement agreements vary. top

SEC regulators are coming after ICOs (TechCrunch, 25 July 2017) - It looks like ICOs , shorthand for initial coin offerings, are about to undergo a lot more scrutiny. The SEC has concluded that the digital currency financing events will be regulated as securities, meaning unregistered offerings could be subject to criminal punishment. The decision was announced on Tuesday. To reach its findings, regulators evaluated an offering facilitated by "The DAO," which resulted in theft by hackers. The report concluded, "that issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies." The SEC said its report served to remind "investors of red flags of investment fraud, and that new technologies may be used to perpetrate investment schemes that may not comply with the federal securities laws." This is a blow to many startups that had been using ICOs as an alternative way to raise capital. There have been a wave of these offerings in recent months, where people have been investing in business ideas via Bitcoin, Ethereum or other cryptocurrencies. But like all startups, these investments bear risks. And the opaque nature of the ICOs meant that there wasn't enough oversight about what the businesses did with the proceeds. Many of the coins are traded on secondary markets, which provides short-term liquidity. Although many of the ICOs have been smaller unknown companies, the difficult fundraising environment has caused some venture-backed startups to raise coin offerings for enough capital to get them to the next step. Messaging app . In anticipation of an SEC crackdown, some startups had already prohibited U.S. investors. [ Polley : See also , this blog posting from TheCorporateCounsel.net.] top

- and -

The Uniform Law Commission has given states a clear path to approach bitcoin (Coindesk, 27 July 2017) - The Uniform Law Commission (ULC), a private body of lawyers and legal academics, has voted to finalize and approve a uniform model law for the regulation of virtual currency businesses. Now an official model for states to follow, I'm hopeful that over the next year, we'll see state after state pass this language as legislation. For states with badly drafted regulations (like the New York "BitLicense" ) or vague money transmission statutes that may or may not cover bitcoin businesses (like in California), this new legislation would be a major improvement and a huge win for our community. For one thing, the model act's language is explicitly clear on what types of digital currency businesses are and are not regulated. In many states, poorly written or outdated legal language that does not account for the properties of open blockchain networks has created legal gray areas for entrepreneurs. Whether or not they even need licenses is often open to interpretation - a looming prospect that hangs over the head of anyone trying to build a business in those states. * * * top

Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients (ABA Journal, 27 July 2017) - A lawyer representing Wells Fargo in responding to a subpoena in a lawsuit has explained how she inadvertently turned over confidential information about thousands of bank clients. Lawyer Angela Turiano of Bressler, Amery & Ross had overseen the e-discovery conducted by a vendor and turned over the documents to a lawyer for a defamation plaintiff without realizing she was releasing information about wealthy Wells Fargo clients, the New York Law Journal (sub. req.) reports. The plaintiff and his lawyer told the New York Times about the release. According to the Times, the information consisted of "a vast trove of confidential information about tens of thousands of the bank's wealthiest clients," including customer names, Social Security numbers and financial data. In an affidavit, Turiano said she used an e-discovery vendor's software to review what she believed to be a complete set of results and marked some documents as privileged and confidential. She did not realize she was using "a view" that showed a limited set of documents. [ Polley : May implicate the duty of technological competence.] top
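The failure mode here is that the set the reviewer tagged and the set the vendor exported were not the same set, and nothing compared them before the files went out. The following is an added example, not code from the firm or the vendor, of the gate a producing party can run on the export: every document in the production must carry a reviewer tag, and any document that matches a personal-data pattern must have been tagged confidential rather than merely responsive. The document texts, the tag vocabulary and the Social Security and account-number patterns are constructed for the example.

```python
"""Pre-production QC for an e-discovery export.  Added example; the document
set, reviewer tags and PII patterns below are constructed, not real data."""
import re

# Constructed: the full export the vendor produced (doc_id -> extracted text).
PRODUCTION = {
    "WF-0001": "Deposition schedule for March. Contact counsel.",
    "WF-0002": "Client: J. Doe, SSN 123-45-6789, account balance $4,200,000.",
    "WF-0003": "Routine branch newsletter, no client data.",
    "WF-0004": "Portfolio summary for R. Roe, acct 987654321012, SSN 987-65-4321.",
}

# Constructed: what the reviewer actually saw and tagged inside a filtered view.
# WF-0002 and WF-0004 were never displayed, so they carry no tag at all.
REVIEWED = {"WF-0001": "responsive", "WF-0003": "responsive"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ACCT_RE = re.compile(r"\b(?:acct|account)\s*#?\s*\d{8,}\b", re.IGNORECASE)


def pii_hits(text):
    """Return the list of PII categories found in a document's text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if ACCT_RE.search(text):
        hits.append("account_number")
    return hits


def production_gate(production, reviewed):
    """Return (ok, report).  ok is False when any document in the export was
    never reviewed, or matches a PII pattern without a 'confidential' tag."""
    unreviewed = sorted(doc_id for doc_id in production if doc_id not in reviewed)
    pii_unprotected = {}
    for doc_id, text in production.items():
        hits = pii_hits(text)
        if hits and reviewed.get(doc_id) != "confidential":
            pii_unprotected[doc_id] = hits
    report = {
        "unreviewed": unreviewed,
        "pii_unprotected": pii_unprotected,
        "reviewed_fraction": len(reviewed) / len(production) if production else 1.0,
    }
    ok = not unreviewed and not pii_unprotected
    return ok, report


if __name__ == "__main__":
    ok, report = production_gate(PRODUCTION, REVIEWED)
    print("release" if ok else "HOLD", report)
```

The count comparison is the cheap half of the check and is what a filtered "view" defeats: the reviewer's tag list is shorter than the export, and the gate refuses to release until every exported identifier has a tag. The pattern sweep is the belt-and-braces half for documents that were reviewed but mis-tagged; it is a regex, so it will miss data written in unexpected formats and should be treated as a floor, not a guarantee.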

Sci-Hub's cache of pirated papers is so big, subscription journals are doomed, data analyst suggests (AAAS Science, 27 July 2017) - There is no doubt that Sci-Hub, the infamous-and, according to a U.S. court, illegal-online repository of pirated research papers, is enormously popular. (See Science 's investigation last year of who is downloading papers from Sci-Hub .) But just how enormous is its repository? That is the question biodata scientist Daniel Himmelstein at the University of Pennsylvania and colleagues recently set out to answer, after an assist from Sci-Hub. Their findings, published in a preprint on the PeerJ journal site on 20 July, indicate that Sci-Hub can instantly provide access to more than two-thirds of all scholarly articles, an amount that Himmelstein says is "even higher" than he anticipated. For research papers protected by a paywall, the study found Sci-Hub's reach is greater still, with instant access to 85% of all papers published in subscription journals. For some major publishers, such as Elsevier, more than 97% of their catalog of journal articles is being stored on Sci-Hub's servers-meaning they can be accessed there for free. Given that Sci-Hub has access to almost every paper a scientist would ever want to read, and can quickly obtain requested papers it doesn't have, could the website truly topple traditional publishing? In a chat with Science Insider, Himmelstein concludes that the results of his study could mark "the beginning of the end" for paywalled research. This interview has been edited for clarity and brevity. [ Polley : very interesting.] top

- and -

Elsevier acquires bepress : Library and knowledge community respond (Kevin O'Keefe, 3 August 2017) - Elsevier, a Dutch publisher and one of the world's major providers of scientific, technical, and medical information, announced this week the acquisition of bepress, formerly the Berkeley Electronic Press, an academic repository and software firm founded by academics in 1999. Elsevier is part of Reed Elsevier, the parent of LexisNexis. Much of the publishing Elsevier sells is authored by professionals and submitted for peer review. As I understand it, the research and information then published is only available by subscription, including to any author who would want to access their own submissions. Elsevier has been subject to criticism of late from academic institutions worldwide, and even governmental agencies, for their having to fund research/scholarly writing, give it to Elsevier for free and then pay millions to Elsevier to get access to the research and writing. In the case of government-funded schools and research centers, the taxpayers pay twice: to fund research that goes to Elsevier, then to pay Elsevier for access to the research their colleges, healthcare centers and government agencies require. Bepress, on the other hand, has open access tools under its "Digital Commons" that allow institutions, including law schools, to showcase and preserve their scholarly output. Law review articles and other legal scholarship are available for free through bepress' Law Commons, part of the larger Digital Commons network encompassing other academic areas. Bepress' acquisition comes on the heels of LexisNexis' acquisition of SSRN, another repository of scholarly output, including that from law professors. Some librarians are looking with some suspicion at whether LexisNexis will retain open access and allow legal scholars to use their work freely across the net. 
How did librarians and knowledge management professionals react to the bepress acquisition? Not well, looking through the "Top" tweets on a Twitter search of bepress in the hours after the acquisition announcement. * * * Attorney and legal tech blogger, Bob Ambrogi, reporting on the acquisition noted that the announcement said nothing about the future of the bepress' Digital Commons. Ambrogi said "we'll have to wait and see what impact this has on scholarly publishing in law." top

LinkedIn: It's illegal to scrape our website without permission (Ars Technica, 31 July 2017) - A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web. HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." If scraping without consent becomes illegal, startups like hiQ will have a harder time getting off the ground. But the law may be on the side of LinkedIn, especially in Northern California, where the case is being heard. In a 2016 ruling, the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook. LinkedIn's position disturbs Orin Kerr, a legal scholar at George Washington University. "You can't publish to the world and then say 'no, you can't look at it,'" Kerr told Ars. The CFAA makes it a crime to "access a computer without authorization or exceed authorized access."
Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago. One plausible reading of the law, the one LinkedIn is advocating, is that once a website operator asks you to stop accessing its site, you commit a crime if you don't comply. * * *

Daenerys Stormborn, Jon Snow and the real enemy of higher education (InsideHigherEd, 3 August 2017) - There was a moment while watching Daenerys Stormborn and Jon Snow's first meeting in the latest episode of Game of Thrones that reminded me of attending higher education conferences. Daenerys is pushing Snow to bend the knee, and become her loyal subject in the fight against Cersei. Jon Snow's reaction is that Cersei might be evil, but in reality the Seven Kingdoms have much bigger problems. Snow informs Daenerys that it doesn't matter who sits on the Iron Throne, as unless the Night King's Army of the Dead is defeated, she will "be ruling over a graveyard." Those of us who work in higher ed have a similar challenge to The Mother of Dragons and the King of the North. We need to understand who our real enemies are, and which battles we should be fighting. In our world, the Army of the Dead that we should be unifying against is the ongoing state level disinvestment in public higher education. No enemy is as potentially dangerous to the existence of a functional, equitable, and affordable system of postsecondary education as is the decision of state governments to cut back on funding for their public colleges and universities. Adjusting for the growth in students attending public institutions, state support per FTE has declined by 37 percent between 2000 and 2012. In inflation adjusted dollars, this is a decline of an average of $7,000 in per-student state support in 2000 to $4,400 in 2012. While federal support grew in this time period, from $3,800 to $5,100 per student, this has not been enough to make up for the state shortfall. The result, predictably enough, has been dramatic increases in tuition (and student debt).
Another result of public disinvestment in higher education has been the widening gap in available resources between a select few private schools (and well-endowed public institutions), and the public colleges and universities where most students attend. Public disinvestment in higher education is exacerbating trends around inequality. We are moving towards a two-tiered postsecondary system, where only the affluent will enjoy the benefits of a high quality (and in particular a liberal arts) college education. Why the threat of public disinvestment in public education is not the big topic of every higher education conference is a mystery. This is particularly true of my world of educational technology and online learning. We should be calibrating our work, however, to follow the wisdom of Jon Snow. We should be fighting our true enemy, and that enemy is the decline of investment in public higher education. The reason that higher ed people, including edtech people, continue to focus on everything in higher ed except public disinvestment can be understood by how Tyrion Lannister explains the world. The Hand of the Queen tells Jon Snow that, "People's minds aren't made for problems that large. White walkers, the Night King, Army of the Dead... it's almost a relief to confront a comfortable, familiar monster like my sister." Like Ser Davos, I fear for higher education that, "If we don't put aside our enmities and band together, we will die. And then it doesn't matter whose skeleton sits on the Iron Throne." Winter is here.

This shadowy company is flying spy planes over US cities (BuzzFeed, 4 August 2017) - For six straight days in the middle of March, a small twin-propeller plane flew over Phoenix. Each evening, it picked two or three spots and circled for hours, flying at more than 17,000 feet. The plane was loaded with sophisticated surveillance equipment, including technology developed by the National Security Agency to track cell phones. In June of last year, that same plane spent three weeks circling daily over Wilmington, North Carolina, carrying a state-of-the-art "persistent surveillance" camera that can monitor a large area continuously for hours at a time. The Phoenix and Wilmington flights are among dozens tracked by BuzzFeed News that were flown by companies run by an obscure, Oklahoma-based private equity fund called Acorn Growth Companies. Acorn's planes serve as the US military's "A-Team" for aerial surveillance in Africa, including tracking suspected terrorists' phones from the air. In the US, the planes sometimes take part in military exercises (as they were in Phoenix), helping troops practice raids on targets using the same phone-tracking technology. At other times, Acorn serves commercial clients. The Wilmington flights, according to the company that made and operated the persistent surveillance camera, were run for two reasons: to demonstrate the technology's value for traffic surveys, and to track vehicles going to and from retail outlets. This "commercial intelligence" would allow businesses to understand where their customers are driving from. The idea was to give retailers clues to help their marketing, so they can target mailings or other efforts to lure in customers from neighborhoods where people tend to shop at competing stores.
Acorn's diverse activities in these and other cities raise questions about how much data is being gathered from ordinary people who come under the visual and electronic gaze of sophisticated spy planes, and how that information is being used. Although the city of Phoenix agreed to the military exercises and knew that the planes would carry out some sort of surveillance, officials did not know specifics about which technologies were used. And because there's no requirement to inform cities when recording aerial imagery, the city of Wilmington wasn't told about the June 2016 flights. * * * Acorn's pilots and sensor operators tend to join the firm directly from military service, often with special ops experience. "You're not talking about any Joe Schmo walking in off the street," one former employee, who spoke on condition of anonymity, told BuzzFeed News. "There are still fairly high security clearances involved." That's not surprising, given the sensitive technology deployed from Acorn's planes. BuzzFeed News found out about this gear from documents submitted to the Federal Aviation Administration to certify that a plane is still safe to fly after structural alterations. The plane that flew over Phoenix in March, for example, was modified to carry a device called Nebula, which mimics a cell phone tower, causing phones to connect to it. Nebula can then be used to locate and track a target phone from the air, or intercept its communications. A surveillance catalog leaked to The Intercept in 2015 suggests that the device can also connect to and track satellite phones. "The NSA is leading system development," says the section on Nebula, noting that approval for its use rests under "Title 50" of the US Code, which covers espionage and covert operations. * * * Phoenix and its suburbs, with a population of more than 4.5 million, is one of several cities to have fallen under Acorn's watch over the past two years.
Using data collected by the websites Flightradar24 and ADS-B Exchange, which track signals emitted by aircraft transponders, BuzzFeed News spotted planes registered to Commuter Air Technology and Aircraft Logistics Group flying surveillance patterns over cities including Brawley, California; Charlotte, North Carolina; and multiple locations along the Gulf of Mexico in Louisiana, Mississippi, and Alabama. * * * [Polley: interesting; we don't know what we don't know.]

RESOURCES

Sunstein and Randall on Political Control Over Public Communications By Government Scientists (MLPB, 24 July 2017) - Cass R. Sunstein, Harvard Law School, and Lisa Randall, Harvard University, Department of Physics, have published Political Control Over Public Communications by Government Scientists. Here is the abstract: In recent years, there has been a great deal of controversy over political control of communications by government scientists. Legitimate interests can be found on both sides of the equation. This essay argues for adoption and implementation of a framework that accommodates those interests: a framework that allows advance notice to political officials, including the White House, without hindering the free flow of scientific information.

At Our Own Peril: DoD Risk Assessment in a Post-Primacy World (US Army War College, 29 June 2017) - The U.S. Department of Defense (DoD) faces persistent fundamental change in its strategic and operating environments. This report suggests this reality is the product of the United States entering or being in the midst of a new, more competitive, post-U.S. primacy environment. Post-primacy conditions promise far-reaching impacts on U.S. national security and defense strategy. Consequently, there is an urgent requirement for DoD to examine and adapt how it develops strategy and describes, identifies, assesses, and communicates corporate-level risk. This report takes on the latter risk challenge. It argues for a new post-primacy risk concept and its four governing principles of diversity, dynamism, persistent dialogue, and adaptation. The authors suggest that this approach is critical to maintaining U.S. military advantage into the future. Absent change in current risk convention, the report suggests DoD exposes current and future military performance to potential failure or gross under-performance.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Sony BMG Settles FTC Charges Over Anti-Piracy CDs (SiliconValley.com, 30 Jan 2007) - U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software. According to the Federal Trade Commission, which announced the settlement, Sony BMG's anti-piracy software limited the devices on which music could be played to those made by Sony Corp., Microsoft Corp. or other Windows-compatible devices. The software also restricted the number of copies of the music that could be made to three, the agency said, and "exposed consumers to significant security risks and was unreasonably difficult to uninstall." "Installations of secret software that create security risks are intrusive and unlawful," FTC Chairman Deborah Platt Majoras said. The focus of the FTC action is not the limits themselves, Majoras said, but the lack of notification. "Ordinary experience with CDs would not lead consumers to expect these limits," she said. "This was a case about disclosure." The settlement requires the company to allow consumers to exchange, through the end of June, the affected CDs purchased before Dec. 31, 2006, and to reimburse them up to $150 to repair damage done when they tried to remove the software. It also requires Sony BMG to clearly disclose limitations on consumers' use of music CDs and prohibits it from installing software without consumer consent. For two years, Sony BMG also must provide an uninstall tool and patches to repair the security vulnerabilities on consumers' computers and must advertise them on its Web site. The company also is required to publish notices describing the exchange and repair reimbursement programs on its Web site.

New York Times to end paid Internet service (Reuters, 18 Sept 2007) - The New York Times Co said on Monday it will end its paid TimesSelect Web service and make most of its Web site available for free in the hopes of attracting more readers and higher advertising revenue. TimesSelect, which charges subscribers $7.95 a month or $49.95 a year to read articles by columnists such as Maureen Dowd and Thomas Friedman, will shut down on Wednesday, two years after the Times launched it. The trademark orange "T's" marking premium articles will begin disappearing Tuesday night, said the Web site's Vice President and General Manager Vivian Schiller. The move is an acknowledgment by The Times that making Web site visitors pay for content would not bring in as much money as making it available for free and supporting it with advertising. "We now believe by opening up all our content and unleashing what will be millions and millions of new documents, combined with phenomenal growth, that that will create a revenue stream that will more than exceed the subscription revenue," Schiller said. Figuring out how to increase online revenue is crucial to the Times and other U.S. newspaper publishers, which are struggling with a drop in advertising sales and paying subscribers as more readers move online. "Of course, everything on the Web is free, so it's understandable why they would want to do that," said Alan Mutter, a former editor at the San Francisco Chronicle and proprietor of a blog about the Internet and the news business called Reflections of a Newsosaur. "The more page views you have, the more you can sell," he said. "In the immediate moment it's a perfectly good idea." Starting on Wednesday, access to the archives will be available for free back to 1987, as well as stories before 1923, which are in the public domain, Schiller said. Users can buy articles between 1923 and 1986 on their own or in 10-article packages, the company said.
Some stories, such as film reviews, will be free, she said. American Express will be the first sponsor of the opened areas on the site, and will have a "significant advertising presence" on the homepage and in the opinion and archives sections, the company said.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.