Saturday, August 05, 2017

MIRLN --- 16 July - 5 August 2017 (v20.11)

by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


New York DFS publishes FAQs on new cybersecurity regulations (Covington, 14 July 2017) - As our readers know, New York's Department of Financial Services ("NY DFS") released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk. Notwithstanding the fanfare surrounding the announcement of these "first-in-the-nation" regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)). On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a "Frequently Asked Questions" section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below: * * * [Polley: e.g., a possible obligation to report unsuccessful cyber attacks.]

When do review websites commit extortion? - Icon Health v. ConsumerAffairs (Eric Goldman, 14 July 2017) - Icon Health and Fitness manufactures exercise equipment, such as the well-known NordicTrack. ConsumerAffairs is a review website. Like many other review websites, its business model is predicated on payments from reviewed businesses. However, ConsumerAffairs' specific practices raise some extra questions. The complaint made the following allegations: Defendants, through that database, favor product manufacturers who agree to pay a one-time setup fee and an ongoing monthly fee to ConsumerAffairs or Consumers Unified, LLC. ConsumerAffairs publishes an "Overall Satisfaction Rating" for each product reviewed on its website. The Overall Satisfaction Rating is expressed as a star rating out of five possible stars. ConsumerAffairs calculates the rating based on an unspecified subset of user reviews hosted on ConsumerAffairs' website. ConsumerAffairs chooses which consumer reviews to include in a given company's Overall Satisfaction Rating based solely on whether that company pays a monthly fee to ConsumerAffairs. ConsumerAffairs alters a company's Overall Satisfaction Rating by intentionally omitting or removing legitimate positive consumer-submitted reviews from pages discussing non-paying companies. * * * If these allegations are true, as a consumer I would not consider ConsumerAffairs' review database management practices credible. Nevertheless, to me, these allegations make it clear that ConsumerAffairs qualifies for Section 230 protection (see also the Fourth Circuit's Nemet Chevrolet ruling, but see the disastrous Consumer Cellular ruling). Unfortunately, the court doesn't know what to do with these allegations. Thus, the court bifurcates its opinion into some general principles about Section 230 and then specific applications on a claim-by-claim basis. The net effect isn't too bad for ConsumerAffairs, but the opinion has many interstices. * * *

Lloyd's of London: Insure cyberattacks like natural disasters (The Hill, 17 July 2017) - Cybersecurity insurers have to become more prepared to treat global cyberattacks more like national disasters than traditional crimes, concludes a report from insurer Lloyd's of London. In a report dated last week, the United Kingdom-based firm speculates about two hypothetical "cyber events" that could cause global damage cybersecurity insurance providers may not be prepared for. The report tabulates the potential damage caused by two types of attacks. In one, hackers disrupt cloud service providers. In a second, hackers get their hands on a vulnerability for an operating system used by 45 percent of the global market. Lloyd's of London approximates that average cloud service events of varying severity range from $4.6 billion in total damages for a "large" attack to $53.1 billion for an "extreme" one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one. The report notes that attacks fluctuate dramatically around that average - in the extreme cloud event that averaged $53.1 billion in damages, attacks might do as little as $15.6 billion or as much as $121.4 billion. Lloyd's notes that much of the damages would not be covered by insurance. Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example.

Alleged retweet by judge doesn't warrant retroactive recusal, 9th Circuit rules (ABA Journal, 17 July 2017) - A federal appeals court has refused to order the retroactive recusal of a federal judge accused of retweeting a news story about a case after he denied a motion. The San Francisco-based 9th U.S. Circuit Court of Appeals said that, even if U.S. District Judge William Shubb was the owner of the anonymous Twitter account at issue, his tweet didn't warrant retroactive recusal, report the Recorder (sub. req.), the Sacramento Bee and the Metropolitan News-Enterprise. Above the Law noted the July 13 decision (PDF). Sierra Pacific had initially sought to unravel a $122 million settlement related to a massive forest fire in 2007 based on allegations about alleged government misconduct. The government had sued Sierra Pacific and other defendants to recover damages and money it spent fighting the blaze. Shubb refused to grant Sierra Pacific's motion for relief from judgment. Sierra Pacific Industries Inc. claimed Shubb was tweeting at the account @nostalgist1. The account had followed the U.S. Attorney office, which tweeted eight times about the case after Shubb's ruling. Sierra Pacific had argued that following the account created the appearance of bias. The news article that was retweeted was headlined "Sierra Pacific still liable for Moonlight Fire damages." Sierra Pacific had objected to the headline because it didn't admit liability and the settlement had said the payment didn't constitute damages. Sierra Pacific said the retweet created an additional inference of bias and constituted an impermissible public comment. Merely following a Twitter account doesn't create a basis for recusal and doesn't constitute improper ex parte communications, the appeals court said. Nor did retweeting a news article constitute plain error requiring recusal, the appeals court also said.
Though the appeals court saw no reason to require Shubb's retroactive recusal, it nonetheless said the case was "a cautionary tale about the possible pitfalls of judges engaging in social media activity relating to pending cases."

- and -

Miami-Dade judge's Facebook 'friendship' leads to court battle (Daily Business Review, 28 July 2017) - A North Miami law firm is fighting to have a judge removed from a case for being Facebook friends with a lawyer who appeared before her. Miami-Dade Circuit Judge Beatrice Butchko is publicly linked on the social networking site with Israel Reyes, a former colleague from the bench. Reyes, now the managing partner at the Reyes Law Firm in Coral Gables, entered an appearance on behalf of a nonparty in a case before Butchko. The Facebook friendship means Reyes can "influence" Butchko, who therefore "cannot be impartial," argued Reuven Herssein, founding member of Herssein Law Group, in a motion to disqualify Butchko. She declined to recuse herself, saying the motion was legally insufficient. The fight is now before the Third District Court of Appeal, where attorneys are debating the ethics of judicial social media use nearly a decade after the state first addressed judges' Facebook friendships. Florida has relatively strict guidelines on social media connections, compared with other states. A 2009 opinion from the Florida Supreme Court's judicial ethics advisory committee said judges should not send or accept social media friend requests from lawyers who may appear before them. "The committee believes that listing lawyers who may appear before the judge as 'friends' on a judge's social networking page reasonably conveys to others the impression that these lawyer 'friends' are in a special position to influence the judge," the committee wrote, recognizing that a social media "friend" may be nothing more than a distant acquaintance. The Fourth District Court of Appeal relied on the opinion in a decision disqualifying a judge in a criminal case for being Facebook friends with the prosecutor. The court found the social media connection could "create in a reasonably prudent person a well-founded fear of not receiving a fair and impartial trial." 
But United States Automobile Association, the defendant in the case filed by Herssein Law Group, argues the Fourth DCA decision doesn't apply here. While a criminal defendant might reasonably fear bias in this situation, Herssein and his firm are more sophisticated than that, USAA's counsel argued. "No reasonably prudent Miami lawyer has a well-founded fear of not receiving a fair and impartial trial simply because two judges who sat on the bench in Miami-Dade County are 'friends' on Facebook," wrote Shutts & Bowen attorneys Patrick Brugger and Frank Zacherl of Miami, who did not respond to a request for comment by deadline. Eleven states have issued guidance on judicial social media use, according to the National Center for State Courts. Florida's guidelines are among the most restrictive, with states including California, Kentucky and New York opining that judges can accept Facebook friend requests from lawyers who may appear before them under certain conditions. In California, judges may add lawyers on Facebook if their pages are used only for professional activities, such as interacting with members of a law school alumni group. Other factors include how many friends the judge has, whether he or she declines some attorneys' friend requests but accepts others and how often the attorney appears before the judge.

- and -

Court rules that politicians blocking followers violates free speech (NY Magazine, 28 July 2017) - While there is no set precedent for the issue, more and more courts are encountering a new type of lawsuit related to social-media blocking. The Knight Foundation, for instance, is suing the U.S. government on behalf of Twitter users blocked by President Donald Trump, whose Twitter account has become alarmingly vital when it comes to understanding his presidency. This week, a federal court in Virginia tackled the issue when it ruled on behalf of a plaintiff blocked by a local county politician. According to The Wall Street Journal, "Brian Davison sued the chairwoman of the Loudoun County Board of Supervisors, who temporarily banned him from her Facebook page after he posted criticism of local officials last year." Judge James Cacheris found that she had violated Davison's First Amendment rights by blocking him from leaving comments, because, in his judgment, the chairwoman, Phyllis Randall, was using her Facebook page in a public capacity. Though it was a personal account, she used it to solicit comments from constituents. "The suppression of critical commentary regarding elected officials is the quintessential form of viewpoint discrimination against which the First Amendment guards," the judge stated in his ruling. Cacheris did emphasize that his ruling should not prohibit officials from moderating comments to protect against harassment. Davison was only banned for 12 hours, and Randall faces no penalties. Still, the ruling is one of the first in a growing, thorny legal issue surrounding social media that has already reached the White House.

Debevoise protocol to promote cybersecurity in international arbitration (Debevoise, July 2017) - As the prevalence of malicious cyberactors and cyberattacks on high-profile companies and government organizations grows, parties to commercially or politically sensitive international arbitrations increasingly express concerns with respect to cybersecurity. Cybersecurity threats may create significant operational and legal problems that can compromise the arbitral process, including loss or unauthorized disclosure of sensitive data, breaches of attorney-client confidentiality, adverse media coverage and reputational damage, costs associated with breach notification or data recovery, and legal liability. In addition to the threat cyberattacks pose to the parties to an arbitration, failing to address this problem could ultimately lead to a loss of confidence in the arbitral system. To respond to these concerns, the practitioners at Debevoise & Plimpton LLP have developed this Protocol to Promote Cybersecurity in International Arbitration. This Protocol operates on three principles: (i) Establishing Secure Protocols for the Transfer of Sensitive Information at the Outset of Proceedings, (ii) Limiting Disclosure and Use of Sensitive Information, and (iii) Developing Procedures for Disclosing Cyber Incidents. * * *

New Zealand airports customs officials performing 'digital strip searches' of travelers' electronics (TechDirt, 17 July 2017) - Despite DHS hints that foreign airports were falling down on the "security theater" job, it appears a few customs officials are more than happy to engage in local versions of "extreme vetting." New Zealand customs officials are way ahead of the DHS in this department, having turned airports into rights-free zones where nearly anything can happen... to travelers. According to an investigative report by New Zealand's 1 news, airport customs officials routinely force up to two travelers each day to give up their electronic devices and passwords for searching. According to the customs agents, the program is designed to look for smugglers by performing a "digital strip search" on the phones and laptops of travelers. This does not require a court order, but the agents do claim to adhere to New Zealand's privacy act. The data shows more than 1,300 people have been subjected to these suspicionless "strip searches" since 2015, with less than a third of those being New Zealand citizens. The majority of those searched are foreigners and it appears visitors to the country should somehow expect delays of up to five hours thanks to this supposedly random vetting process. And there is no option to refuse this additional, highly-invasive search. As Techspot reports, travelers refusing to hand over their electronic devices can be subject to fines of $5,000.

- and -

NYC Bar guides attorneys on US border e-device searches (Bloomberg, 28 July 2017) - Attorneys crossing the U.S. border now have more guidance on how they should protect confidential client information stored on electronic devices from the prying eyes of customs and immigration agents. A formal opinion issued July 25 by the New York City Bar's ethics committee identifies some measures attorneys who travel internationally may take to satisfy their ethical obligations, in light of broad powers that U.S. Customs and Border Protection (CBP) agents assert they have to inspect travelers' electronic devices. The ethics opinion appears to be the first to address the topic and comes at a time when there has been an uptick in U.S. border electronic device searches by CBP agents. There were nearly 15,000 electronic devices searched during the first six months of the CBP's 2017 fiscal year, compared to only just over 8,000 searches during the previous six months, according to CBP statistics released in April. As the number of searches of electronic devices has increased, many major law firms are reevaluating what policies they should have in place in order to protect confidential information, Steven Puiszis, a Chicago-based partner at Hinshaw & Culbertson LLP, who is his firm's general counsel for privacy, security & compliance, told Bloomberg BNA. The American Bar Association has also raised concerns about the handling of privileged and confidential legal materials during border searches. In May, the ABA sent a letter to the Department of Homeland Security, asking it to revise directives on the standards and procedures that CBP and Immigration and Customs Enforcement agents must follow before the contents of a lawyer's electronic device can be searched or seized at the border.
ABA asserted that DHS's interpretation of the directives has "resulted in CBP Officers and ICE Special Agents exercising sweeping powers to search electronic devices at the border, with or without reasonable suspicion of any wrongdoing." ABA urged that DHS revise the directives to state that privileged or confidential electronic documents and files on a device cannot be read, duplicated, seized, or shared unless a subpoena or warrant is first obtained. The ethics committee's opinion addresses steps attorneys can take prior to crossing the U.S. border, during border searches, and after a CBP agent reviews confidential information. The opinion provides some practical guidance and highlights an issue that attorneys should be aware of, J. Alexander Lawrence, a New York-based partner at Morrison & Foerster LLP and co-chair of its eDiscovery Task Force, told Bloomberg BNA. * * *

FedEx on Petya attack: systems still down, no cyber insurance (CSO, 18 July 2017) - US parcel delivery giant FedEx says customers of subsidiary TNT Express are still experiencing delays due to the Petya ransomware attack and that it didn't have cyber insurance to cover the incident. The company released further details about the impact of the attack in its SEC 10-K filing today, revealing the attack affected operational, financial, back-office and secondary business systems. FedEx still does not know when some of the systems downed by the Petya ransomware can be revived. On June 28, a day after the Petya ransomware began spreading in Ukraine, FedEx trading due to an unspecified cyber attack that crippled the operations of TNT Express, its Netherlands-based subsidiary. The attack forced it to move some TNT services across to FedEx. FedEx hasn't calculated the exact damage to its balance sheet, but repeated its initial warning that it would likely materially affect its financial performance. [Polley: from the FedEx press release re the SEC 10-K: "We do not have cyber or other insurance in place that covers this attack." And: "In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods."]

Putin's hackers now under attack - from Microsoft (The Daily Beast, 20 July 2017) - A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year's election meddling, identifying over 120 new targets of the Kremlin's cyber spying, and control-alt-deleting segments of Putin's hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued the hacker group known as Fancy Bear in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks. The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls "the most vulnerable point" in Fancy Bear's espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in Russia's cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents. Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company's approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that servers' network of automated spies.
"In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server."

Court rejects cell site RF signal map in murder trial because it's evidence of nothing (TechDirt, 21 July 2017) - The Maryland Court of Special Appeals has handed down a ruling [PDF] on quasi-cell site location info. The evidence offered by the state isn't being so much suppressed as it is being rejected. The information wasn't obtained illegally and no rights were violated. Rather, the court finds the evidence to be questionable, as in "evidence of what, exactly?" [via EvidenceProf Blog] The defendant in the case is charged with murder. Bashunn Phillips filed a motion to exclude the evidence, which was granted by the lower court. The state appealed. But there's nothing in it for the state. The "evidence" -- which is going to carry around scare quotes for the remainder of this post -- doesn't tie Phillips to anything. What was submitted isn't even the equivalent of coarse cell site location info. What the state submitted is something that can easily be obtained without a warrant… because it doesn't actually target any person at all. Phillips filed a motion in limine on August 7, 2015, seeking to exclude the RF signal propagation map and related testimony. Phillips argued that the method used to create the map was not generally accepted as reliable within the relevant scientific community under Maryland's Frye-Reed test for admissibility of evidence based on novel scientific methodology. Phillips acknowledged that cell phone tower "ping" evidence is admissible, but drew a distinction between the method used to create the RF signal propagation map and the collection of historical cell phone "ping" evidence. * * *

Abuses hide in the silence of non-disparagement agreements (CNBC, 21 July 2017) - * * * As more harassment allegations come to light, employment lawyers say nondisparagement agreements have helped enable a culture of secrecy. In particular, the tech start-up world has been roiled by accounts of workplace sexual harassment, and nondisparagement clauses have played a significant role in keeping those accusations secret. Harassers move on and harass again. Women have no way of knowing their history. Nor do future employers or business partners. Nondisparagement clauses are not limited to legal settlements. They are increasingly found in standard employment contracts in many industries, sometimes in a simple offer letter that helps to create a blanket of silence around a company. Their use has become particularly widespread in tech employment contracts, from venture investment firms and start-ups to the biggest companies in Silicon Valley, including Google. * * * In its buyout agreements, The New York Times asks employees to agree to a limited nondisparagement clause that specifies the agreement does not prohibit people from providing information about legal violations or discrimination to the government or regulators. The terms of other nondisparagement agreements vary.

SEC regulators are coming after ICOs (TechCrunch, 25 July 2017) - It looks like ICOs, shorthand for initial coin offerings, are about to undergo a lot more scrutiny. The SEC has concluded that the digital currency financing events will be regulated as securities, meaning unregistered offerings could be subject to criminal punishment. The decision was announced on Tuesday. To reach its findings, regulators evaluated an offering facilitated by "The DAO," which resulted in theft by hackers. The report concluded, "that issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies." The SEC said its report served to remind "investors of red flags of investment fraud, and that new technologies may be used to perpetrate investment schemes that may not comply with the federal securities laws." This is a blow to many startups that had been using ICOs as an alternative way to raise capital. There has been a wave of these offerings in recent months, where people have been investing in business ideas via Bitcoin, Ethereum or other cryptocurrencies. But like all startups, these investments bear risks. And the opaque nature of the ICOs meant that there wasn't enough oversight about what the businesses did with the proceeds. Many of the coins are traded on secondary markets, which provides short-term liquidity. Although many of the ICOs have been smaller unknown companies, the difficult fundraising environment has caused some venture-backed startups to raise coin offerings for enough capital to get them to the next step. Messaging app . In anticipation of an SEC crackdown, some startups had already prohibited U.S. investors. [Polley: See also, this blog posting from TheCorporateCounsel.net.]

- and -

The Uniform Law Commission has given states a clear path to approach bitcoin (Coindesk, 27 July 2017) - The Uniform Law Commission (ULC), a private body of lawyers and legal academics, has voted to finalize and approve a uniform model law for the regulation of virtual currency businesses. Now an official model for states to follow, I'm hopeful that over the next year, we'll see state after state pass this language as legislation. For states with badly drafted regulations (like the New York "BitLicense") or vague money transmission statutes that may or may not cover bitcoin businesses (like in California), this new legislation would be a major improvement and a huge win for our community. For one thing, the model act's language is explicitly clear on what types of digital currency businesses are and are not regulated. In many states, poorly written or outdated legal language that does not account for the properties of open blockchain networks has created legal gray areas for entrepreneurs. Whether or not they even need licenses is often open to interpretation - a looming prospect that hangs over the head of anyone trying to build a business in those states. * * *

Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients (ABA Journal, 27 July 2017) - A lawyer representing Wells Fargo in a lawsuit subpoena request has explained how she inadvertently turned over confidential information about thousands of bank clients. Lawyer Angela Turiano of Bressler, Amery & Ross had overseen the e-discovery conducted by a vendor and turned over the documents to a lawyer for a defamation plaintiff without realizing she was releasing information about wealthy Wells Fargo clients, the New York Law Journal (sub. req.) reports. The plaintiff and his lawyer told the New York Times about the release. According to the Times, the information consisted of "a vast trove of confidential information about tens of thousands of the bank's wealthiest clients," including customer names, Social Security numbers and financial data. In an affidavit, Turiano said she used an e-discovery vendor's software to review what she believed to be a complete set of results and marked some documents as privileged and confidential. She did not realize she was using "a view" that showed a limited set of documents. [Polley: May implicate the duty of technological competence.]

Sci-Hub's cache of pirated papers is so big, subscription journals are doomed, data analyst suggests (AAAS Science, 27 July 2017) - There is no doubt that Sci-Hub, the infamous - and, according to a U.S. court, illegal - online repository of pirated research papers, is enormously popular. (See Science's investigation last year of who is downloading papers from Sci-Hub.) But just how enormous is its repository? That is the question biodata scientist Daniel Himmelstein at the University of Pennsylvania and colleagues recently set out to answer, after an assist from Sci-Hub. Their findings, published in a preprint on the PeerJ journal site on 20 July, indicate that Sci-Hub can instantly provide access to more than two-thirds of all scholarly articles, an amount that Himmelstein says is "even higher" than he anticipated. For research papers protected by a paywall, the study found Sci-Hub's reach is greater still, with instant access to 85% of all papers published in subscription journals. For some major publishers, such as Elsevier, more than 97% of their catalog of journal articles is being stored on Sci-Hub's servers - meaning they can be accessed there for free. Given that Sci-Hub has access to almost every paper a scientist would ever want to read, and can quickly obtain requested papers it doesn't have, could the website truly topple traditional publishing? In a chat with Science Insider, Himmelstein concludes that the results of his study could mark "the beginning of the end" for paywalled research. This interview has been edited for clarity and brevity. [Polley: very interesting.]

- and -

Elsevier acquires bepress: Library and knowledge community respond (Kevin O'Keefe, 3 August 2017) - Elsevier, a Dutch publisher and one of the world's major providers of scientific, technical, and medical information, announced this week the acquisition of bepress, formerly the Berkeley Electronic Press, an academic repository and software firm founded by academics in 1999. Elsevier is part of Reed Elsevier, the parent of LexisNexis. Much of the publishing Elsevier sells is authored by professionals and submitted for peer review. As I understand it, the research and information then published is only available by subscription, including as to any authority who would want to access their own submissions. Elsevier has been subject to criticism of late from academic institutions worldwide, and even governmental agencies, for their having to fund research/scholarly writing, give it to Elsevier for free and then pay millions to Elsevier to get access to the research and writing. In the case of government funded schools and research centers, the taxpayers pay twice. To fund research that goes to Elsevier, then to pay Elsevier for access to the research their colleges, healthcare centers and government agencies require. Bepress, on the other hand, has open access tools under its "Digital Commons" that allow institutions, including law schools, to showcase and preserve their scholarly output. Law review articles and other legal scholarship are available for free through bepress' Law Commons, part of the larger Digital Commons network encompassing other academic areas. Bepress' acquisition comes on the heels of LexisNexis' acquisition of SSRN, another repository of scholarly output, including that from law professors. Some librarians are looking with some suspicion at whether LexisNexis will retain open access and freely allow legal scholars to use their work freely across the net.
How did librarians and knowledge management professionals react to the bepress acquisition? Not well, looking through the "Top" tweets on a Twitter search of bepress in the hours after the acquisition announcement. * * * Attorney and legal tech blogger, Bob Ambrogi, reporting on the acquisition noted that the announcement said nothing about the future of the bepress' Digital Commons. Ambrogi said "we'll have to wait and see what impact this has on scholarly publishing in law."

LinkedIn: It's illegal to scrape our website without permission (Ars Technica, 31 July 2017) - A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web. HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." If scraping without consent becomes illegal, startups like hiQ will have a harder time getting off the ground. But the law may be on the side of LinkedIn - especially in Northern California, where the case is being heard. In a 2016 ruling, the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook. LinkedIn's position disturbs Orin Kerr, a legal scholar at George Washington University. "You can't publish to the world and then say 'no, you can't look at it,'" Kerr told Ars. The CFAA makes it a crime to "access a computer without authorization or exceed authorized access." 
Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago. One plausible reading of the law - the one LinkedIn is advocating - is that once a website operator asks you to stop accessing its site, you commit a crime if you don't comply. * * *

Daenerys Stormborn, Jon Snow and the real enemy of higher education (InsideHigherEd, 3 August 2017) - There was a moment while watching Daenerys Stormborn and Jon Snow's first meeting in the latest episode of Game of Thrones that reminded me of attending higher education conferences. Daenerys is pushing Snow to bend the knee, and become her loyal subject in the fight against Cersei. Jon Snow's reaction is that Cersei might be evil, but in reality the Seven Kingdoms have much bigger problems. Snow informs Daenerys that it doesn't matter who sits on the Iron Throne, as unless the Night King's Army of the Dead is defeated, she will "be ruling over a graveyard." Those of us who work in higher ed have a similar challenge to The Mother of Dragons and the King of the North. We need to understand who our real enemies are, and which battles we should be fighting. In our world, the Army of the Dead that we should be unifying against is the ongoing state level disinvestment in public higher education. No enemy is as potentially dangerous to the existence of a functional, equitable, and affordable system of postsecondary education as is the decision of state governments to cut back on funding for their public colleges and universities. Adjusting for the growth in students attending public institutions, state support per FTE has declined by 37 percent between 2000 and 2012. In inflation adjusted dollars, this is a decline of an average of $7,000 in per-student state support in 2000 to $4,400 in 2012. While federal support grew in this time period, from $3,800 to $5,100 per student, this has not been enough to make up for the state shortfall. The result, predictably enough, has been dramatic increases in tuition (and student debt). 
Another result of public disinvestment in higher education has been the widening gap in available resources between a select few private schools (and well-endowed public institutions), and the public colleges and universities where most students attend. Public disinvestment in higher education is exacerbating trends around inequality. We are moving towards a two-tiered postsecondary system, where only the affluent will enjoy the benefits of a high quality - and in particular a liberal arts - college education. Why the threat of public disinvestment in public education is not the big topic of every higher education conference is a mystery. This is particularly true of my world of educational technology and online learning. We should be calibrating our work, however, to follow the wisdom of Jon Snow. We should be fighting our true enemy - and that enemy is the decline of investment in public higher education. The reason that higher ed people, including edtech people, continue to focus on everything in higher ed except public disinvestment can be understood by how Tyrion Lannister explains the world. The Hand of the Queen tells Jon Snow that, "People's minds aren't made for problems that large. White walkers, the Night King, Army of the Dead... it's almost a relief to confront a comfortable, familiar monster like my sister." Like Ser Davos, I fear for higher education that, "If we don't put aside our enmities and band together, we will die. And then it doesn't matter whose skeleton sits on the Iron Throne." Winter is here.

This shadowy company is flying spy planes over US cities (BuzzFeed, 4 August 2017) - For six straight days in the middle of March, a small twin-propeller plane flew over Phoenix. Each evening, it picked two or three spots and circled for hours, flying at more than 17,000 feet. The plane was loaded with sophisticated surveillance equipment, including technology developed by the National Security Agency to track cell phones. In June of last year, that same plane spent three weeks circling daily over Wilmington, North Carolina, carrying a state-of-the-art "persistent surveillance" camera that can monitor a large area continuously for hours at a time. The Phoenix and Wilmington flights are among dozens tracked by BuzzFeed News that were flown by companies run by an obscure, Oklahoma-based private equity fund called Acorn Growth Companies. Acorn's planes serve as the US military's "A-Team" for aerial surveillance in Africa, including tracking suspected terrorists' phones from the air. In the US, the planes sometimes take part in military exercises - as they were in Phoenix - helping troops practice raids on targets using the same phone-tracking technology. At other times, Acorn serves commercial clients. The Wilmington flights, according to the company that made and operated the persistent surveillance camera, were run for two reasons: to demonstrate the technology's value for traffic surveys, and to track vehicles going to and from retail outlets. This "commercial intelligence" would allow businesses to understand where their customers are driving from. The idea was to give retailers clues to help their marketing, so they can target mailings or other efforts to lure in customers from neighborhoods where people tend to shop at competing stores. 
Acorn's diverse activities in these and other cities raise questions about how much data is being gathered from ordinary people who come under the visual and electronic gaze of sophisticated spy planes - and how that information is being used. Although the city of Phoenix agreed to the military exercises and knew that the planes would carry out some sort of surveillance, officials did not know specifics about which technologies were used. And because there's no requirement to inform cities when recording aerial imagery, the city of Wilmington wasn't told about the June 2016 flights. * * * Acorn's pilots and sensor operators tend to join the firm directly from military service, often with special ops experience. "You're not talking about any Joe Schmo walking in off the street," one former employee, who spoke on condition of anonymity, told BuzzFeed News. "There are still fairly high security clearances involved." That's not surprising, given the sensitive technology deployed from Acorn's planes. BuzzFeed News found out about this gear from documents submitted to the Federal Aviation Administration to certify that a plane is still safe to fly after structural alterations. The plane that flew over Phoenix in March, for example, was modified to carry a device called Nebula, which mimics a cell phone tower, causing phones to connect to it. Nebula can then be used to locate and track a target phone from the air, or intercept its communications. A surveillance catalog leaked to The Intercept in 2015 suggests that the device can also connect to and track satellite phones. "The NSA is leading system development," says the section on Nebula, noting that approval for its use rests under "Title 50" of the US Code, which covers espionage and covert operations. * * * Phoenix and its suburbs, with a population of more than 4.5 million, is one of several cities to have fallen under Acorn's watch over the past two years. 
Using data collected by the websites Flightradar24 and ADS-B Exchange, which track signals emitted by aircraft transponders, BuzzFeed News spotted planes registered to Commuter Air Technology and Aircraft Logistics Group flying surveillance patterns over cities including Brawley, California; Charlotte, North Carolina; and multiple locations along the Gulf of Mexico in Louisiana, Mississippi, and Alabama. * * * [ Polley : interesting; we don't know what we don't know.]

RESOURCES

Sunstein and Randall on Political Control Over Public Communications By Government Scientists (MLPB, 24 July 2017) - Cass R. Sunstein, Harvard Law School, and Lisa Randall, Harvard University, Department of Physics, have published Political Control Over Public Communications by Government Scientists. Here is the abstract: In recent years, there has been a great deal of controversy over political control of communications by government scientists. Legitimate interests can be found on both sides of the equation. This essay argues for adoption and implementation of a framework that accommodates those interests - a framework that allows advance notice to political officials, including the White House, without hindering the free flow of scientific information.

At Our Own Peril: DoD Risk Assessment in a Post-Primacy World (US Army War College, 29 June 2017) - The U.S. Department of Defense (DoD) faces persistent fundamental change in its strategic and operating environments. This report suggests this reality is the product of the United States entering or being in the midst of a new, more competitive, post-U.S. primacy environment. Post-primacy conditions promise far-reaching impacts on U.S. national security and defense strategy. Consequently, there is an urgent requirement for DoD to examine and adapt how it develops strategy and describes, identifies, assesses, and communicates corporate-level risk. This report takes on the latter risk challenge. It argues for a new post-primacy risk concept and its four governing principles of diversity, dynamism, persistent dialogue, and adaptation. The authors suggest that this approach is critical to maintaining U.S. military advantage into the future. Absent change in current risk convention, the report suggests DoD exposes current and future military performance to potential failure or gross under-performance.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Sony BMG Settles FTC Charges Over Anti-Piracy CDs (SiliconValley.com, 30 Jan 2007) -- U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software. According to the Federal Trade Commission, which announced the settlement, Sony BMG's anti-piracy software limited the devices on which music could be played to those made by Sony Corp., Microsoft Corp. or other Windows-compatible devices. The software also restricted the number of copies of the music that could be made to three, the agency said, and "exposed consumers to significant security risks and was unreasonably difficult to uninstall." "Installations of secret software that create security risks are intrusive and unlawful," FTC Chairman Deborah Platt Majoras said. The focus of the FTC action is not the limits themselves, Majoras said, but the lack of notification. "Ordinary experience with CDs would not lead consumers to expect these limits," she said. "This was a case about disclosure." The settlement requires the company to allow consumers to exchange through the end of June the affected CDs purchased before Dec. 31, 2006, and reimburse them up to $150 to repair damage done when they tried to remove the software. It also requires Sony BMG to clearly disclose limitations on consumers' use of music CDs and prohibits it from installing software without consumer consent. For two years, Sony BMG also must provide an uninstall tool and patches to repair the security vulnerabilities on consumers' computers and must advertise them on its Web site. The company also is required to publish notices describing the exchange and repair reimbursement programs on its Web site.

New York Times to end paid Internet service (Reuters, 18 Sept 2007) - The New York Times Co said on Monday it will end its paid TimesSelect Web service and make most of its Web site available for free in the hopes of attracting more readers and higher advertising revenue. TimesSelect will shut down on Wednesday, two years after the Times launched it, which charges subscribers $7.95 a month or $49.95 a year to read articles by columnists such as Maureen Dowd and Thomas Friedman. The trademark orange "T's" marking premium articles will begin disappearing Tuesday night, said the Web site's Vice President and General Manager Vivian Schiller. The move is an acknowledgment by The Times that making Web site visitors pay for content would not bring in as much money as making it available for free and supporting it with advertising. "We now believe by opening up all our content and unleashing what will be millions and millions of new documents, combined with phenomenal growth, that that will create a revenue stream that will more than exceed the subscription revenue," Schiller said. Figuring out how to increase online revenue is crucial to the Times and other U.S. newspaper publishers, which are struggling with a drop in advertising sales and paying subscribers as more readers move online. "Of course, everything on the Web is free, so it's understandable why they would want to do that," said Alan Mutter a former editor at the San Francisco Chronicle and proprietor of a blog about the Internet and the news business called Reflections of a Newsosaur. "The more page views you have, the more you can sell," he said. "In the immediate moment it's a perfectly good idea." Starting on Wednesday, access to the archives will be available for free back to 1987, and as well as stories before 1923, which are in the public domain, Schiller said. Users can buy articles between 1923 and 1986 on their own or in 10-article packages, the company said. 
Some stories, such as film reviews, will be free, she said. American Express will be the first sponsor of the opened areas on the site, and will have a "significant advertising presence" on the homepage and in the opinion and archives sections, the company said.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.