Saturday, September 16, 2017

MIRLN --- 27 August – 16 Sept 2017 (v20.13)

MIRLN --- 27 August - 16 Sept 2017 (v20.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information (Bar of the City of NY Formal Opinion 2017-5, July 2017) - Under the New York Rules of Professional Conduct (the "Rules"), a New York lawyer has certain ethical obligations when crossing the U.S. border with confidential client information. Before crossing the border, the Rules require a lawyer to take reasonable steps to avoid disclosing confidential information in the event a border agent seeks to search the attorney's electronic device. The "reasonableness" standard does not imply that particular protective measures must invariably be adopted in all circumstances to safeguard clients' confidential information; however, this opinion identifies measures that may satisfy the obligation to safeguard clients' confidences in this situation. Additionally, Under Rule 1.6(b)(6), the lawyer may not disclose a client's confidential information in response to a claim of lawful authority unless doing so is "reasonably necessary" to comply with a border agent's claim of lawful authority. This includes first making reasonable efforts to assert the attorney-client privilege and to otherwise avert or limit the disclosure of confidential information. Finally, if the attorney discloses clients' confidential information to a third party during a border search, the attorney must inform affected clients about such disclosures pursuant to Rule 1.4. [ Polley : Spotted by MIRLN reader Roland Trope - @RolandTrope. Very interesting opinion, and should be influential well beyond NYC; contains a scary sentence: " in many cases the attorney will entirely avoid carrying clients' confidential information in an electronic device ", and footnotes the increasing possibility that the same issues may arise upon entry to other countries.] top

VW engineer sentenced to 40-month prison term in diesel case (Reuters, 25 Aug 2017) - A federal judge in Detroit sentenced former engineer James Liang to 40 months in prison on Friday for his role in Volkswagen AG's multiyear scheme to sell diesel cars that generated more pollution than U.S. clean air rules allowed. U.S. District Court Judge Sean Cox also ordered Liang to pay a $200,000 fine, 10 times the amount sought by federal prosecutors. Cox said he hoped the prison sentence and fine would deter other auto industry engineers and executives from similar schemes to deceive regulators and consumers. Prosecutors last week recommended that Liang, 63, receive a three-year prison sentence, reflecting credit for his months of cooperation with the U.S. investigation of Volkswagen's diesel emissions fraud. Liang could have received a five-year prison term under federal sentencing guidelines. Liang's lawyers had asked for a sentence of home detention and community service. Volkswagen pleaded guilty in March to three felony charges under an agreement with prosecutors to resolve the U.S. criminal probe of the company itself. It agreed to spend as much as $25 billion in the United States to resolve claims from owners and regulators and offered to buy back about 500,000 vehicles. top

Despite privacy outrage, AccuWeather still shares precise location data with ad firms (ZDnet, 25 Aug 2017) - AccuWeather is still sending precise geolocation data to a third-party advertiser, ZDNet can confirm, despite updating its app earlier this week to remove a feature that collected user's location data without their permission. In case you missed it , AccuWeather was until this week sending the near-precise location of its iPhone app users to Reveal Mobile, a data monetization firm -- even when location sharing was switched off. Security researcher Will Strafach, who first reported the issue , also accused the company of sharing a user's precise GPS coordinates under the guise of providing local weather alerts. The news sparked outrage and anger. AccuWeather responded with a forced apology, which one leading Apple critic John Gruber called a "bulls**t response." However, tests conducted by Strafach show that the updated app, released Thursday, still shares precise geolocation data with a data monetization and advertising firm. ZDNet independently verified the findings. We found that AccuWeather was still, with location sharing enabled, sending precise GPS coordinates and altitude albeit to a different advertiser, without the user's explicit consent. That data can be used to pinpoint down to a few meters a person's location -- even which floor of a building they are on. top

How the NSA identified Satoshi Nakamoto (Medium, 26 Aug 2017) - The 'creator' of Bitcoin, Satoshi Nakamoto, is the world's most elusive billionaire. Very few people outside of the Department of Homeland Security know Satoshi's real name. In fact, DHS will not publicly confirm that even THEY know the billionaire's identity. Satoshi has taken great care to keep his identity secret employing the latest encryption and obfuscation methods in his communications. Despite these efforts (according to my source at the DHS) Satoshi Nakamoto gave investigators the only tool they needed to find him -  his own words . Using stylometry one is able to compare texts to determine authorship of a particular work. Throughout the years Satoshi wrote thousands of posts and emails and most of which are publicly available. According to my source, the NSA was able to the use the 'writer invariant' method of stylometry to compare Satoshi's 'known' writings with trillions of writing samples from people across the globe. By taking Satoshi's texts and finding the 50 most common words, the NSA was able to break down his text into 5,000 word chunks and analyse each to find the frequency of those 50 words. This would result in a unique 50-number identifier for each chunk. The NSA then placed each of these numbers into a 50-dimensional space and flatten them into a plane using principal components analysis. The result is a 'fingerprint' for anything written by Satoshi that could easily be compared to any other writing. The NSA then took bulk emails and texts collected from their mass surveillance efforts. First through PRISM (a court-approved front-door access to Google and Yahoo user accounts) and then through MUSCULAR (where the NSA copies the data flows across fiber optic cables that carry information among the data centers of Google, Yahoo, Amazon, and Facebook) the NSA was able to place trillions of writings from more than a billion people in the same plane as Satoshi's writings to find his true identity. The effort took less than a month and resulted in positive match. Why go to so much trouble to identify Satoshi? My source tells me that the Obama administration was concerned that Satoshi was an agent of Russia or China - that Bitcoin might be weaponized against us in the future. Knowing the source would help the administration understand their motives. top

Cyber crime now targeting law firms (Law Journal Newsletters, August 2017) - Cyber attacks and theft are on the rise around the country, and law firms are becoming prime targets. Similar to healthcare providers, a law firm's data ( i.e. , client files) can be the gold standard. Unlike manufacturers, banks and retailers, law firms are unique organizations that result in them being highly vulnerable. * * * Once firms recognize they are targets, and all are, they must be proactive in addressing the situation. Where to start? A comprehensive cyber risk assessment is critical to structuring a strong, multi-pronged defense. Think enterprise risk management - not to mention ethical concerns if breached. The American Bar Association just re-visited the issue of cybersecurity as an ethical consideration for attorneys and sets out some limited guidance. (See the ABA's Cybersecurity Legal Task Force .) An assessment becomes the guide to building a robust cybersecurity defense for any law firm. However, once a firm's security is implemented and verified, the process cannot stop there. Just like malpractice insurance, cybersecurity insurance is a must these days. For many firms, a breach exposing large amounts of clients' private information can quickly escalate into a bet-the-firm proposition to survive. The average cost for responding to a breach is approximately $221 per client. Do the math. And that does not even begin to address a firm's costs to re-secure their network, public relations expenses, lost income, and the likely lawsuits from unhappy clients. * * * [ Polley : Nice to see the reference to the ABA's Task Force, which I'm co-chairing with Ruth Bro. Otherwise, the story is unremarkable.] top

Meet the sometime-streamer: TV watchers who sign up for one show - then cancel (WaPo. 28 Aug 2017) - Winter has finally come for "Game of Thrones," whose latest season finale, which aired Sunday, left the land of Westeros in as deep a crisis as it's seen in thousands of years. But with the HBO fantasy series now on hiatus until at least the end of 2018, some viewers say they're taking a break from HBO entirely - highlighting a challenge facing many entertainment companies in an era of constant stimulation and on-demand digital services. Colleen Morrison, a "Game of Thrones" fan in New Jersey, signed up for HBO's online streaming app in June. Now, Morrison says, it's going to be an easy decision to cancel her subscription this week after she re-watches the season finale a second time. "I didn't mind paying the $15 each month because it's the kind of show where I wanted an immediate viewing to avoid spoilers, but I'm also not interested in keeping the service since I'm not invested in anything else," she said. Morrison is part of a small but savvy crowd of consumers who know exactly what they want out of their TV experience. Cost-conscious and empowered by the Internet's convenience-at-a-click mentality, these consumers take advantage of free trials, no-contract commitments and the media industry's own struggle in the face of technological change to help guard their wallets. Ignoring the barrage of in-house teasers and promos for other related content, these viewers resist the siren song of TV networks that, more than ever, are being forced to battle one another for attention dominance. An abundance of high-quality television shows from Netflix, Hulu and old-school cable programmers like AMC, HBO and Showtime are helping some consumers become more discerning in their tastes - and less loyal. Abandoning one series or channel for another has never been more convenient or less risky, particularly when many cable channels offer streaming apps directly to the public instead of through cable companies or other traditional TV providers. "In a world where you can turn anything on and off whenever you want, you're always fighting for my wallet," said Rich Greenfield, a media analyst at BTIG. "I can cancel Hulu or Sling TV or HBO or DirecTV Now - any of these things have become 'point at a button and click.'" top

- and -

AT&T expands free HBO to both its unlimited wireless plans (TechCrunch, 12 Sept 2017) - AT&T announced this morning it's adding free HBO to all customers on its unlimited wireless plans, including both Unlimited Plus and Unlimited Choice. The carrier in April had offered free HBO only to those on Unlimited Plus - its premium tier - but today's move brings the network to the Unlimited Choice plan as well. Currently, AT&T's Unlimited Choice plan offers unlimited data, talk and text for $60 per month, or 4 lines for under $40 per line. The option will become available to both new and existing AT&T Unlimited Choice customers starting on Friday, September 15th, says AT&T. As before when it rolled out free HBO to Unlimited Plus customers, AT&T is also sweetening this new deal by offering a $25 monthly video credit for Unlimited Choice customers that can be used towards any applicable AT&T video service, including its streaming service for cord cutters, DirecTV Now, as well as DirecTV and U-Verse TV. With the $25 credit, that means AT&T customers can basically add on over-the-top streaming TV for $10 per month, as DirecTV Now's plans begin at $35 per month. The fine print, however, notes that the credit starts within three billing cycles, so don't expect it right away. Customers with an existing AT&T video service will have HBO added for no extra charge to their existing plan, while current HBO subscribers will just no longer have to pay, the announcement explains. For those who don't subscribe to HBO through an AT&T video service, they'll be able to access HBO through the DirecTV Now and HBO GO applications. top

To tackle robocalls from illegally spoofed numbers, FCC proposes whopping $82m fine (CommLawBlog, 29 Aug 2017) - Earlier this month, in its war against illegal robocalling campaigns the Federal Communications Commission (FCC) proposed another hefty fine . That is, a fine of 82 million dollars. The target of the FCC's wrath? Mr. Philip Roesel, who wasn't just calling a la Adele style . Instead, Mr. Roesel is accused of both illegal robocalling in violation of the Telephone Consumer Protection Act (TCPA) (for a refresher on the TCPA and robocalls, take a look here ) and illegal spoofing, which the FCC claims violated the Truth in Caller ID Act of 2009 (TCIA). For his 21 million illegal robocalls, Mr. Roesel received merely a sternly worded citation from the FCC (more on why later). Following a recent trend, the FCC's massive $82 million fine proposed against Roesel relied primarily on the TCIA's prohibition against the transmission of misleading or inaccurate caller ID information, commonly referred to as spoofing, "with the intent to defraud, cause harm or wrongfully obtain anything of value." What's unique about this proposed fine is two-fold. First, the monetary value of the fine itself is one to write home about. While it doesn't match the record $120 million fine issued earlier this year in another TCIA case, $82 million isn't chump change. As with past TCIA penalties, the FCC set the base fine for each spoofed call at $1,000, which quickly adds up when there are millions of calls being made each month - though the FCC calculated the proposed fine on only the 82,000 calls verified to have come from spoofed numbers. Second, this fine is yet another instance where the TCIA has been used by the FCC to issue a penalty against illegal robocallers. It's a trend that the FCC started not too long ago but is likely to continue into the future for several reasons. [ Polley : see also Phone industry turns to James Bond for answer to robocall villainy (LA Times, 1 Sept 2017)] top

Watchdog pressed to probe post-data breach services (The Hill, 30 Aug 2017) - Democratic members of the House Energy and Commerce Committee are pressing a government watchdog to further investigate whether existing credit monitoring services do enough to protect consumers affected by data breaches. The Government Accountability Office (GAO) released a report in March on identity theft services offered by the federal government and private companies to consumers who have had their information exposed. While the watchdog concluded that services like credit monitoring offer some benefits, auditors said that they are "limited" in preventing some types of fraud. Democratic Reps. Frank Pallone Jr. (N.J.), Diana DeGette (Colo.) and Jan Schakowsky (Ill.) are now asking the GAO to explore a number of questions raised by the audit, including looking into whether certain credit monitoring services are more effective than others. They also want the watchdog to examine additional options that aren't currently used by private or public companies to protect consumers in the wake of breaches and to divulge "the recent trends in breaches or information theft." top

16 colleges, 1 law firm (InsideHigherEd, 31 Aug 2017) - Collaboration is hard -- so much so that while a majority of campus business officials think their college or university should share back-office functions with other institutions, fewer than one in four say their leaders have seriously considered doing so, according to Inside Higher Ed 's recent survey of business officers . The Associated Colleges of the South is a well-established consortium of 16 private liberal arts colleges that have a history of working together on international programs, teaching workshops and digital learning initiatives, as well as some joint purchasing agreements. But in an environment that the group's leader, R. Owen Williams, believes increasingly requires the colleges to drive down their internal costs (and hence their tuition prices), the coalition is taking collaboration to a new level: a seemingly unprecedented agreement for the 16 independent ACS colleges to share one national law firm, Steptoe & Johnson PLLC, based in West Virginia. Under the arrangement, in which the members are expected to participate to varying degrees, the colleges will continue to use their in-house legal teams (which half of them have) and local law firms for legal work involving the nuances of state law and transactions such as zoning or real estate. But Steptoe will offer both preventative educational advice designed to help keep the 16 colleges out of legal trouble, by better navigating the increasingly complex regulatory environment they face, and project-based legal services at a sharply reduced rate on issues such as federal regulatory compliance, academic freedom, domestic and international admissions, and nonprofit governance. top

Justice Dept implores FCC to combat prison cellphone problem (AP, 31 Aug 2017) - The U.S. Department of Justice is pressing federal regulators to come up with a way of keeping inmates from using cellphones in the nation's prisons. In a letter obtained Thursday by The Associated Press, Assistant Attorney General Beth Williams told the Federal Communications Commission that addressing the security threat posed by contraband cellphones "should be a chief priority" of both the FCC and Justice, which oversees the federal Bureau of Prisons. The letter follows an appeal from South Carolina's prisons director to Attorney General Jeff Sessions in June, beseeching the top prosecutor for help pursuing FCC permission to jam cell signals of the phones, which are thrown over fences, smuggled by errant employees, even delivered by drone. A decades-old law says federal officials can grant permission to jam the public airwaves only to federal agencies, not state or local ones. Telecommunications companies are opposed, saying jamming cell signals could set a bad precedent and interfere with legal cell users nearby. top

You can now download information from every congressional session since 1973 (Motherboard, 31 Aug 2017) - Since 2009, developers have been able to use the ProPublica Congress API (first developed by The New York Times ) to retrieve data about the thousands of bills introduced during every two-year session in the House of Representatives. Until now though, you had to download each piece of information separately, and you needed to know how to write API calls. For example, if you wanted to discover who sponsored a bill and also how members of Congress voted on it, you would need to download those pieces of data individually, and know how to call for them in the software code. That's no longer the case. Wednesday, ProPublica announced that you can now download all the information about all of the bills in each legislative session using its new bulk bill data set . You can get all of the data for free in the ProPublica data store. There's also a data dictionary that can be used to decipher the bills here , and you can download them in either JSON or XML formats. Two times a day, ProPublica will generate a single zip file containing metadata for every bill introduced in the current congress. That way, if you're interested in learning about legislation currently being considered, you'll be able to get info about it quickly. The tool also lets you download archived sessions-dating back to 1973. Want to know how the war on drugs progressed through the 1980s, and how each member of Congress voted on related legislation? No problem, just download the bulk data for the corresponding time period, and start poking around. ProPublica hopes the new data will "be useful to researchers, journalists and any other citizen trying to better understand our country's legislature," Jeremy B. Merrill, a news apps developer at the organization, wrote in a post announcing the new tool. top

Russian election hacking efforts, wider than previously known, draw little scrutiny (NYT, 1 Sept 2017) - The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November. Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours. Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state. The problems involved electronic poll books - tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters' identities and registration status. She knew that the company that provided Durham's software, VR Systems, had been penetrated by Russian hackers months before. "It felt like tampering, or some kind of cyberattack," Ms. Greenhalgh said about the voting troubles in Durham. There are plenty of other reasons for such breakdowns - local officials blamed human error and software malfunctions - and no clear-cut evidence of digital sabotage has emerged, much less a Russian role in it. Despite the disruptions, a record number of votes were cast in Durham, following a pattern there of overwhelming support for Democratic presidential candidates, this time Hillary Clinton . But months later, for Ms. Greenhalgh, other election security experts and some state officials, questions still linger about what happened that day in Durham as well as other counties in North Carolina, Virginia, Georgia and Arizona. After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists. The assaults on the vast back-end election apparatus - voter-registration operations, state and local election databases, e-poll books and other equipment - have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found. Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies. Intelligence officials in January reassured Americans that there was no indication that Russian hackers had altered the vote count on Election Day, the bottom-line outcome. But the assurances stopped there. Government officials said that they intentionally did not address the security of the back-end election systems, whose disruption could prevent voters from even casting ballots. That's partly because states control elections; they have fewer resources than the federal government but have long been loath to allow even cursory federal intrusions into the voting process. * * * top

Harvard professor tells students they should come to class (InsideHigherEd, 5 Sept 2017) - This year's FAQ for CS50, Harvard University's largest course, featured this statement: "Unlike last year, students are encouraged to attend all lectures in person this year." Encouraging the 800-plus students enrolled in the introductory computer programming course may sound typical. But it's a reversal for the course, which is regularly described as one of the most popular and rigorous at Harvard, and a model of effective teaching . Last year David J. Malan, the Gordon McKay Professor of the Practice of Computer Science, made attending lectures optional. In a very public version of flipping the classroom, Malan said it would be fine for students to watch videos that are made of each lecture. In an essay a year ago , Malan wrote that he was requiring students to attend only the first and last lectures of the course. And he questioned the value of saying everyone should attend every lecture. * * * In an email to Inside Higher Ed, Malan said that there was no decline in learning outcomes in the course, even as the number of students who attended lectures in person was not as high as in past years. Malan also said that he realizes there will still be students who have scheduling conflicts with other courses such that they may rely on the recordings, which will be produced live this year. And other students may benefit from watching the recordings after attending the lectures in person. So why revert to telling students they are expected in class? "Enough former students reported that something was missing, not just the students themselves but the energy of an audience, that we decided to bring [encouraging students to attend] live lectures back this fall," Malan said. One of Harvard's satire websites has suggested that -- following Malan's shift -- another course should do the opposite. top

Military appeals court says demands to unlock phones may violate the Fifth Amendment (TechDirt, 6 Sept 2017) - A decision [PDF] handed down by the Appeals Court presiding over military cases that almost affirms Fifth Amendment protections against being forced unlock devices and/or hand over passwords. Almost. The CAAF (Court of Appeals for the Armed Forces) doesn't quite connect the final dot, but does at least discuss the issue, rather than dismiss the Fifth Amendment question out of hand. (h/t FourthAmendment.com ] The case stems from a harassment case against a soldier who violated (apparently repeatedly) a no-contact order separating him from his wife. After being taken into custody, Sgt. Edward Mitchell demanded to speak to a lawyer. Rather than provide him with a lawyer, investigators asked him to unlock his phone instead. * * * top

Another state adopts duty of technology competence, bringing total to 28 (Bob Ambrogi, 6 Sept 2017) - In my continuing effort to keep a tally of the states that have adopted the duty of technology competence, I've discovered another, Nebraska, which brings the total to 28 states. The Nebraska Supreme Court adopted the amendment on June 28, 2017. It amends comment 6 to Nebraska Rule of Professional Conduct § 3-501.1 - the corollary to ABA Model Rule 1.1 on competence - to read as follows: To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. The italicized phrase is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. top

Gender analytics: Using litigation data to evaluate law firm diversity (PatentlyO, 6 Sept 2017) - More women are entering the legal profession than ever -women now make up about half of all law students and 36% of all licensed attorneys - but these ratios are not reflected at the highest levels of firm positions. Judges anecdotally report that women rarely act as lead counsel in litigation, and the percentage of female partners at firms hovers around 22% . Corporate clients are aware of the gender imbalance and actively seek out firms that reflect their own commitment to gender diversity. Clients now regularly request firm diversity statistics as part of law firm pitches, putting pressure on firms to support female attorneys at the highest ranks. Law firms typically measure diversity by tracking headcount; the number of male and female associates and partners in their ranks. These metrics can ignore the often more meaningful metric of how often female attorneys actually appear in court-room litigation. Modern legal analytics can play an important role in increasing transparency in law firm gender diversity. Traditional legal analytics show how often parties or law firms win cases, or the likelihood of winning legal relief in front of a particular judge. However, they can also be used to rank and analyze more general litigation trends, including gender diversity. To identify firms with the most balanced male-female attorney ratio, Docket Alarm scours the litigation record, looking at the names of attorneys and their law firm. The gender of each attorney in a case is identified based on the attorney's first name and other factors. The result is that we can now measure firm gender diversity based on attorneys actually staffed on cases, i.e. , those that most substantively participate in litigation, not just by firm head-count. The analysis began with the Patent Trial and Appeal Board ("PTAB"), a specialized court focused on patent validity. The analysis shows that patent litigation is dominated by male attorneys. Of the top 100 law firms, 55 have less than 10% female attorneys on cases, and 8 firms have never had a single female attorney work on their PTAB AIA-Trial cases. On average, attorney appearances are only 12% female. When representing patent owners, the percentage of female attorneys drops further to 9.8%. * * * top

News use across social media platforms 2017 (Pew, 7 Sept 2017) - As of August 2017, two-thirds (67%) of Americans report that they get at least some of their news on social media - with two-in-ten doing so often, according to a new survey from Pew Research Center. This is a modest increase since early 2016, when (during the height of the presidential primaries) 62% of U.S. adults reported getting news from social media. While a small increase overall, this growth is driven by more substantial increases among Americans who are older, less educated, and nonwhite. This study is based on a survey conducted August 8-21, 2017, with 4,971 U.S. adults who are members of Pew Research Center's nationally representative American Trends Panel. For the first time in the Center's surveys, more than half (55%) of Americans ages 50 or older report getting news on social media sites. That is 10 percentage points higher than the 45% who said so in 2016. Those under 50, meanwhile, remain more likely than their elders to get news from these sites (78% do, unchanged from 2016). Furthermore, about three-quarters of nonwhites (74%) get news on social media sites, up from 64% in 2016. This growth means that nonwhites are now more likely than whites to get news while on social media. And social media news use also increased among those with less than a bachelor's degree, up nine percentage points from 60% in 2016 to 69% in 2017. Alternatively, among those with at least a college degree, social media news use declined slightly. top

EU ministers test responses in first computer war game (Reuters, 7 Sept 2017) - European Union defense ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc's military missions abroad. In the simulation, hackers sabotaged the EU's naval mission in the Mediterranean and launched a campaign on social media to discredit the EU operations and provoke protests. Each of the defense ministers tried to contain the crisis over the course of the 90-minute, closed-door exercise in Tallinn that officials sought to make real by creating mock news videos giving updates on an escalating situation. * * * NATO last year recognized cyberspace as a domain of warfare and said it justified activating the alliance's collective defense clause. The European Union has broadened its information-sharing between governments and is expected to present a new cyber defense plan. The EU exercise made ministers consider how to work more closely with NATO, whose Secretary-General Jens Stoltenberg was there as an observer, diplomats present said. "Over the last year, we saw a 60 percent increase in the number of cyber attacks against NATO networks," Stoltenberg told reporters. "A timely exchange of information (with the EU) is key to responding to any cyber attacks." top

Virginia halts use of voting machines considered vulnerable to hacking (Reuters, 8 Sept 2017) - Virginia on Friday agreed to stop using paperless touchscreen voting machines that had been flagged by cyber security experts as potentially vulnerable to hackers and lacking sufficient vote auditing capabilities. The action represented one of the most concrete steps taken by a U.S. state to bolster the cyber security of election systems since the 2016 presidential race, when U.S. intelligence agencies say Russia waged a digital influence campaign to help President Donald Trump win. Virginia's board of elections voted to accept a recommendation from its state election director, Edgardo Cortes, to decertify so-called direct-recording electronic machines, which count votes digitally and do not produce paper trails that can be checked against a final result. Five states still rely solely on direct record electronic machines, according to Verified Voting. They include New Jersey, which will also elect a new governor this year. Eight other states rely on a mix of paper ballots and paperless direct recording electronic machines, the group said. top

'Big tech' companies such as Facebook are skating on thin ice (Roger Cochetti in The Hill, 9 Sept 2017) - Internet sex trafficking issues exploded recently when Sens. Rob Portman (R-Ohio) and Claire McCaskill (D-Mo.) introduced S.1693, which could expose internet companies to liability for enabling sex trafficking. Nearly the entire internet industry opposes the legislation, but more than a quarter of both chambers have nonetheless co-sponsored the legislation. It's worth understanding how Section 230 came about and affected the internet ecosystem, and how recent efforts may now be putting it at risk. The world was a very different place in 1995. There were probably 15-20 million internet users and Prodigy, CompuServe and America Online dominated the online industry. Dial-up computer bulletin boards were popular, although many courts had held that their operators were publishers and responsible for the content they displayed. People increasingly believed that making any effort to curate content posted on one's internet service would make the operator responsible for all displayed content. The Senate had actually gone so far as to approve language declaring that online operators were subject to the same obscenity regulations as television broadcasters. The internet looked like it was headed for a life of endless lawsuits and regulations. Then-Reps. Chris Cox (R-Calif.) Ron Wyden (D-Ore.) originally introduced Section 230 to prevent online service providers from being treated as if they were either publishers or TV broadcasters. It introduced the critically important concept of very limited or no intermediary liability for the content created by others. It was approved in the House as a part of the 1996 Telecom Act. * * * Internationally, at the time, few governments had much of an idea of how the internet fit into existing regulations. The internet wasn't a computer bulletin board, a magazine, a bookstore, a telephone service, a closed computer network, broadcast TV, or cable TV. This is why 230 became important: It provided a simple explanation of the internet. The internet has some characteristics of a private computer service and some of a telephone service. Like a telephone service, the intermediaries couldn't be responsible for the content that flows over their network and like a private computer service, operators have a right to get rid of dangerous content. This explanation of how a then-unimportant medium should be viewed caught on internationally; and it's no exaggeration to say that it allowed the Internet as we know it to come into existence. That was then and this is now. Over the last 22 years, a lot has changed. Billions use the internet and virtually every policy-maker knows something about how it works. Big data and AI enable content monitoring that was considered science fiction in 1995 and nudity is far from the top concern about internet content. * * * top

Turks detained for using encrypted app 'had human rights breached' (The Guardian, 11 Sept 2017) - Tens of thousands of Turkish citizens detained or dismissed from their jobs on the basis of downloading an encrypted messaging app have had their human rights breached, a legal opinion published in London has found. The study , commissioned by opponents of the Turkish president, Recep Tayyip Erdoğan, argues that the arrest of 75,000 suspects primarily because they downloaded the ByLock app is arbitrary and illegal. It reflects growing concern about the legality of the Turkish government's crackdown in the aftermath of last year's failed coup . The legal opinion was commissioned by a pro-Gülen organisation based in Europe. The two British lawyers involved, William Clegg QC and Simon Baker, are experienced barristers. The report examines transcripts of recent trials of alleged Gülenists in Turkey as well as Turkish intelligence reports on ByLock. It concludes that the cases presented so far breach the European convention on human rights, which Turkey is signed up to. top

Tesla remotely extended the range of drivers in Florida for free... and that's NOT a good thing (TechDirt, 11 Sept 2017) - In the lead up to Hurricane Irma hitting Florida over the weekend, Tesla did something kind of interesting: it gave a "free" upgrade to a bunch of Tesla drivers in Florida , extending the range of those vehicles, to make it easier for them to evacuate the state. Now, as an initial response, this may seem praiseworthy. The company did something (at no cost to car-owners) to help them evacuate from a serious danger zone. In a complete vacuum, that sounds like a good idea. But there are a variety of problems with it when put back into context. The first thing you need to understand is that while Tesla sells different version of its Model S, with different ranges, the range is actually entirely software-dependent. That is, it uses the same batteries in different cars -- it just limits how much they'll charge via software. Thus, spend more on a "nicer" model and more of the battery is used. So all that happened here was that Tesla "upgraded" these cars with an over the air update. In some ways, this feels kind of neat -- it means that a Tesla owner could "purchase" an upgrade to extend the range of the car. But it should also be somewhat terrifying. In some areas, this has led to discussions about the possibility of hacking the software on the cheaper version to unlock the greater battery power -- and I, for one, can't wait to see the CFAA lawsuit that eventually comes out of that should it ever happen (at least some people are hacking into the Tesla's battery management system, but just to determine how much capacity is really available). But this brings us back to the same old discussion of whether or not you really own what you've bought. When a company can automagically update the physical product you bought from them, it at least raises some serious questions. Yes, in this case, it's being used for a good purpose: to hopefully make it easier for Tesla owners to get the hell out of Florida. But it works the other way too, as law professor Elizabeth Jo points out * * * top

The next Yik Yak? (InsideHigherEd, 12 Sept 2017) - As thousands of students armed with smartphones start the new school year, they'll have plenty of social media options to choose from to find friends and connect with their peers. But at a select group of college campuses, a new player has entered the scene -- a student-centered networking app called Islands . Billed as "Slack for college students," Islands is a location-based app designed specifically with college students, rather than business colleagues, in mind. In an interview, Greg Isenberg, CEO of Islands, said that he wanted to create an experience that will "delight people" and help "connect the disconnected." Of course, students already have a lot of ways to connect with each other on campus, but Isenberg believes that a lot of students use apps like GroupMe out of necessity rather than by choice. "Ask any college kid what they think of GroupMe, and at least 75 percent will have had a negative experience with it," said Isenberg. "It's crazy, because if you ask them what are the three biggest apps they use on campus, they'll tell you Instagram, Snapchat and GroupMe. You have millions of daily active users using a product, and they're not even loving the experience." The premise of the Islands app is simple. If you're within range of a college campus with access to the app, you'll be able to log in with your Facebook account or email. Inside the app you'll find a number of different group chats, or "islands." Some are public, meaning anyone can join. Some are private, and you must request to join the group. Example public islands available when you log into the app include Buy & Sell, Pickup Basketball and Undergraduate Library. The aim of the app is to connect students to groups of people "they might never have found" otherwise -- whether that is a new best friend, a study partner or someone to play sports with. The way that you choose to communicate when you start a private island is customizable, Isenberg explains. "We give people the Lego building blocks to create a space however they want. If they want to have a room that is anonymous, they could. If they want to have a room where all the messages disappear after an hour, great. If they want the room to just be for sharing photos, they can do that." * * * top

RESOURCES

Algorithms in the Criminal Justice System: Assessing the Use of Risk Assessments in Sentencing (Harvard, 25 Aug 2017) - In the summer of 2016, some unusual headlines began appearing in news outlets across the United States. "Secret Algorithms That Predict Future Criminals Get a Thumbs Up From the Wisconsin Supreme Court," read one. Another declared: "There's software used across the country to predict future criminals. And it's biased against blacks." These news stories (and others like them) drew attention to a previously obscure but fast-growing area in the field of criminal justice: the use of risk assessment software, powered by sophisticated and sometimes proprietary algorithms, to predict whether individual criminals are likely candidates for recidivism. In recent years, these programs have spread like wildfire throughout the American judicial system. They are now being used in a broad capacity, in areas ranging from pre-trial risk assessment to sentencing and probation hearings. This paper focuses on the latest-and perhaps most concerning-use of these risk assessment tools: their incorporation into the criminal sentencing process, a development which raises fundamental legal and ethical questions about fairness, accountability, and transparency. The goal is to provide an overview of these issues and offer a set of key considerations and questions for further research that can help local policymakers who are currently implementing or considering implementing similar systems. We start by putting this trend in context: the history of actuarial risk in the American legal system and the evolution of algorithmic risk assessments as the latest incarnation of a much broader trend. We go on to discuss how these tools are used in sentencing specifically and how that differs from other contexts like pre-trial risk assessment. We then delve into the legal and policy questions raised by the use of risk assessment software in sentencing decisions, including the potential for constitutional challenges under the Due Process and Equal Protection clauses of the Fourteenth Amendment. Finally, we summarize the challenges that these systems create for law and policymakers in the United States, and outline a series of possible best practices to ensure that these systems are deployed in a manner that promotes fairness, transparency, and accountability in the criminal justice system. This is a paper of the Responsive Communities project produced by Harvard students Priscilla Guo, Danielle Kehl, and Sam Kessler. This paper is a product of the students' work in the HLS Responsive Communities Lab course, co-led by Susan Crawford and Waide Warner. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Tech firms, rights groups to form Web conduct code (CNET, 18 Feb 2007) -- Technology companies Microsoft, Google, Yahoo and Vodafone are in talks with human rights and press freedom groups to draw up an Internet code of conduct to protect free speech and privacy of Web users. The parties said in a statement Friday that they aim to produce a code by the end of this year that would counter such trends as the increased jailing of Internet journalists, monitoring of legitimate online activity, and censorship. Talks are being led by the Washington-based Center for Democracy and Technology and San Francisco nonprofit Business for Social Responsibility. They are trying to craft a code to hold companies accountable if they cooperate with governments to suppress free speech or violate human rights. "Technology companies have played a vital role building the economy and providing tools important for democratic reform in developing countries," said Leslie Harris, executive director of the Center for Democracy and Technology. "But some governments have found ways to turn technology against their citizens--monitoring legitimate online activities and censoring democratic material," Harris said. top

TJX data breach: at 45.6m card numbers, it's the biggest ever (Computerworld, 29 March 2007) -- After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise. In filings with the U.S. Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data. In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings. "Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said. Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top