Saturday, October 28, 2017

MIRLN --- 8-28 Oct 2017 (v20.15)

MIRLN --- 8-28 Oct 2017 (v20.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENT

The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A pre-release review of the Handbook is here: ABA urges lawyers to adopt encryption, other cybersecurity practices in latest 'handbook' (Inside Cybersecurity, 24 Oct 2017).

Framing the Museum GitHub Repository (Berkman Klein, 5 Oct 2017) - When we use information, we need to understand what we're looking at. We do this by framing that information - sharing new details about what it is and how we can use it. For museum collections that connect data points across centuries of artworks and objects, institutions are turning to new tools to share and communicate that data. Here, we can look at four institutions using GitHub as a platform to share collections data - the Metropolitan Museum of Art, Museum of Modern Art (MoMA), Cooper Hewitt, Smithsonian Design Museum, and the Tate collection - as an opportunity to parse current practice in this area. GitHub is a platform for sharing and collaborating on code repositories. In a GitHub repository, the README functions as an overview of the repository and its contents. In the museum context, the README may act as a guide for how institutions have chosen to share their collections data. In identifying what information is commonly included in the README, we can map commonalities in which elements institutions have selected to frame and contextualize their collections data. * * *

- and -

Jeff Koons' augmented reality Snapchat artwork gets 'vandalized' (TechCrunch, 8 Oct 2017) - Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it's called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app. There has already been a backlash by some in the artistic community who are skeptical of corporations "putting up" digital art that they could potentially monetize wherever they would like. As a way to spark the conversation, earlier this week a group of New York-based artists mocked-up a "vandalized" version of Jeff Koons' AR Balloon Dog. To be fair, this is a patently 2017 issue to have, but also one that we will definitely have conversation build around it as we question the ownership of physical digital locations. The group didn't hack Snap's servers to vandalize the sculpture, the work is more simply a 3D digital recreation of the work placed on top of a photo of the same geo-tagged location as Koons' work. Graffiti artist Sebastien Errazuriz sought to raise some interesting questions with the work done with Cross Lab Studio, positing whether augmented reality experiences should be governed by similar rules to those renting out physical spaces. On an image of the vandalized artwork, he added more questions: Should corporations be allowed to place whatever content they choose over our digital public space? Central Park belongs to the city of NY. Why should corporations get to geo-tag its gps coordinates for free? We know they will make money renting gps spots to brands and bombard us with advertisement. They should pay rent, we should choose to approve what can be geo-tagged to our digital public and private space.
These debates might be a few years ahead of their time, but as augmented reality grows less gimmicky and more monetizable, advertising in public space could grow to be a major industry. It's interesting to see artists looking to the government to regulate public companies creating art platforms, but it also shows the hesitation many are feeling to the manner in which tech companies are looking to mesh the digital world onto public physical locations with AR tech.

Court dismisses FTC's unfairness claims against D-Link (Crowell & Moring, 6 Oct 2017) - Earlier this month, the Northern District of California dismissed FTC's unfairness claims against D-Link, a manufacturer of routers and IP cameras, while allowing most of FTC's claims rooted in deception to survive, suggesting that traditional false advertising actions may be FTC's most effective means of addressing suspect data security practices. Further, the Northern District of California's decision to dismiss the unfairness claims shows this court's unwillingness to entertain data security actions rooted in the FTC's unfairness prong, without concrete harm. FTC filed suit against D-Link in January of this year, alleging that the company engaged in both deceptive and unfair practices based on D-Link's claimed flimsy data security practices. Specifically, the FTC alleged that D-Link engaged in deceptive practices by marketing sophisticated and state-of-the-art security provided with its products, while simultaneously failing to protect users from "widely known and reasonably foreseeable risks of unauthorized access." For example, D-Link touted that its products featured "the latest wireless security features to help prevent unauthorized access" and offered the "best possible encryption." But in practice, according to FTC's pleadings, D-Link failed to take "easily preventable measures" against "hard-coded user credentials and other backdoors." And, the Northern District held, these accusations were sufficient to plead a deception claim under the FTC Act. However, where the company did not specifically market its data security practices, its advertising was not deceptive - such as in a brochure where D-Link described the camera as a "surveillance camera" for the "home or small office." Indeed, where D-Link did not refer to its digital security, the court would not imply messages about the state of that security. 
Notably though, the Northern District dismissed FTC's claims that, because D-Link failed to provide adequate data security, it engaged in unfair practices. Specifically, the court found that, because the FTC could not plead actual harm, it had not sufficiently pled a violation of the FTC Act. FTC was unable, the court noted, to show any "monetary loss or an actual incident where sensitive personal data was accessed or exposed." It was not enough to plead that D-Link put customers at risk. The Northern District did not, however, completely close the door on potential unfairness claims against D-Link. Choosing to dismiss the claims without prejudice, the Northern District noted that "[i]f the FTC had tied the unfairness claim to representations underlying the deception claims, it might have had a more colorable injury element." Accordingly, where a company does not make affirmative representations about its data security practices, a court will likely be reluctant to find a violation of the FTC Act without concrete injury.

DoD issues guidance for compliance with cybersecurity regulations (Holland & Knight, 6 Oct 2017) - The U.S. Department of Defense (DoD) published in 2016 a new Defense Federal Acquisition Regulation Supplement (DFARS) provision and two clauses covering the safeguarding of contractor networks. The final DoD clauses are DFARS 252.204-7008, "Compliance with Safeguarding Covered Defense Information Controls," and DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." To comply with the rule, contractors must meet the standards set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," not later than Dec. 31, 2017. On Sept. 21, 2017, the Office of the Under Secretary of Defense provided guidance to DoD acquisition personnel concerning implementation of the NIST SP 800-171 standards. * * *

Publishers take ResearchGate to court, alleging massive copyright infringement (Science Magazine, 6 Oct 2017) - Scholarly publishing giants Elsevier and the American Chemical Society (ACS) have filed a lawsuit in Germany against ResearchGate, a popular academic networking site, alleging copyright infringement on a mass scale. The move comes after a larger group of publishers became dissatisfied with ResearchGate's response to a request to alter its article-sharing practices. ResearchGate, a for-profit firm based in Berlin, Germany, which was founded in 2008, is one of the largest social networking sites aimed at the academic community. It claims more than 13 million users, who can use their personal pages to upload and share a wide range of material, including published papers, book chapters and meeting presentations. Science funders and investors have put substantial funds into the firm; it has raised more than $87 million from the Wellcome Trust charity, Goldman Sachs, and Bill Gates. In recent years, journal publishers have become increasingly concerned about the millions of copyrighted papers - usually accessible only behind subscription paywalls - that are being shared by ResearchGate users. And on 15 September, the International Association of Scientific, Technical, and Medical Publishers wrote to ResearchGate on behalf of more than 140 publishers, expressing concerns about its article-sharing policies. Specifically, the organization proposed that ResearchGate implement a "seamless and easy" automated system that would help the site's users determine if an article was protected by copyright and could be legally shared publicly or privately. The association asked for a response by 22 September, noting that its members could follow up individually or collectively if ResearchGate failed to agree to its proposal. (AAAS, which publishes Science Insider, is a member of the association.)
Yesterday, a group of five publishers - ACS, Elsevier, Brill, Wiley and Wolters Kluwer - announced that ResearchGate had rejected the association's proposal. Instead, the group, which calls itself the "Coalition for Responsible Sharing," said in a 5 October statement that ResearchGate suggested publishers should send the company formal notices, called "takedown notices," asking it to remove content that breaches copyright. The five publishers will be sending takedown notices, according to the group. But the coalition also alleges that ResearchGate is illicitly making as many as 7 million copyrighted articles freely available, and that the company's "business model depends on the distribution of these in-copyright articles to generate traffic to its site, which is then commercialised through the sale of targeted advertising." The coalition also states that sending millions of takedown notices "is not a viable long-term solution, given the current and future scale of infringement. … Sending large numbers of takedown notices on an ongoing basis will prove highly disruptive to the research community." As a result, two coalition members - ACS and Elsevier - have opted to go to court to try to force ResearchGate's hand. The lawsuit, filed in a German regional court, asks for "clarity and judgement" on the legality of posting such content, says James Milne, spokesperson for the Coalition for Responsible Sharing and senior vice president of ACS's journals publishing group in Oxford, U.K.

Petition to look at former CBS lawyer underscores ethical risks of social media (Inside Counsel, 6 Oct 2017) - After being fired for a controversial Facebook post in the aftermath of the mass shooting in Las Vegas, former CBS lawyer Hayley Geftman-Gold is the subject of a petition calling for the New York State Bar Association to consider whether she is capable of remaining professional in response to a tragedy. This push, which calls for the NYSBA to consider whether Geftman-Gold's social media post is in keeping with her professional obligations, highlights the ethical risks lawyers face when it comes to using social media, attorneys say. Not long after a gunman in Las Vegas killed more than 50 people and injured nearly 500, Geftman-Gold, who was a vice president and senior counsel of strategic transactions at CBS, posted in a Facebook discussion that she was "not even sympathetic" because "country music fans often are Republican gun toters." CBS fired her Monday, saying in a statement Friday to Corporate Counsel that the views expressed by Geftman-Gold on social media were "deeply unacceptable to all of us at CBS." Geftman-Gold, who could not be reached for comment, said in a statement provided to Fox News that she sincerely regrets making the "indefensible post." The petition, addressed to NYSBA executive director Pamela McDevitt, condemns Geftman-Gold's "reprehensible and despicable remarks" and calls on the association to "conduct an ethics review of this individual to measure her abilities to remain professional during the response phase of a national tragedy and to censor herself appropriately." In response to request for comment from McDevitt, Richard Rifkin, special counsel to the NYSBA, told Corporate Counsel that the association has "gotten a number of complaints" about Geftman-Gold. 
Rifkin added, however, that the NYSBA does not have the ability to discipline attorneys, and so complainants are informed on how "to file a complaint with the appropriate part of the court system." Currently, Geftman-Gold's attorney registration record shows no record of discipline. Posted Monday by the Citizens for Judicial Reform, the petition had more than 12,000 signatures as of publication of this article. "The bigger lesson here is people need to think before they post or tweet," said Ignatius Grande, senior discovery attorney at Hughes Hubbard & Reed, who is also co-chair of the Social Media Committee of the NYSBA's Commercial and Federal Litigation Section. "Especially as a lawyer, because there are a lot of ethical issues that can come back to haunt you." The NYSBA's social media ethics guidelines outline where issues can arise, such as violating rules around advertising or posting confidential information. The guidelines also point to an ethics opinion from the D.C. Bar Legal Ethics Committee in order to make clear that caution should be exercised when stating positions on issues and legal developments on social media platforms that may be inconsistent with those positions of clients. "I think part of what the ethics boards have been dealing with over the last ten years is how to deal with social media, because it really has changed how you apply some of the rules that are out there," Grande said. "And attorneys are looked at with a magnifying glass or looked at with a higher standard, so it's important to look before you post."

Computer virus hits US Predator and Reaper drone fleet (ArsTechnica, 7 Oct 2017) - A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other war zones. The virus, first detected nearly two weeks ago by the military's Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military's most important weapons system. "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know."

How Russia harvested American rage to reshape US politics (NYT, 9 Oct 2017) - YouTube videos of police beatings on American streets. A widely circulated internet hoax about Muslim men in Michigan collecting welfare for multiple wives. A local news story about two veterans brutally mugged on a freezing winter night. All of these were recorded, posted or written by Americans. Yet all ended up becoming grist for a network of Facebook pages linked to a shadowy Russian company that has carried out propaganda campaigns for the Kremlin, and which is now believed to be at the center of a far-reaching Russian program to influence the 2016 presidential election. A New York Times examination of hundreds of those posts shows that one of the most powerful weapons that Russian agents used to reshape American politics was the anger, passion and misinformation that real Americans were broadcasting across social media platforms. * * *

Cyberstalking case highlights how VPN provider claims about not keeping logs are often false (TechDirt, 10 Oct 2017) - When the Trump administration recently decided to gut consumer privacy protections for broadband, many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could simply use a VPN to fully protect their online activity. But we've noted repeatedly that VPNs are not some kind of panacea, and in many instances you're simply shifting the potential for abuse from your ISP -- to a VPN provider that may not actually offer the privacy it claims. Latest case in point: like many companies, a VPN provider by the name of PureVPN has been advertising for years on its website that it keeps no logs of user behavior: "PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. There are no third-parties involved and NO logs of your activities." But when the Department of Justice man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. * * *

Host of hacks not raising cyber premiums (iTreasurer, 10 Oct 2017) - Despite the continuing steady flow of news about major companies getting hacked, cyber policy premiums have continued to fall and their coverage broaden as insurers crowd into the space. In fact, the magnitude of cybercrimes only seems to be growing, with recent revelations that all of Yahoo's three billion customer accounts were hacked, as was Equifax's 140 million customers, along with Deloitte's client emails and certain SEC filings. As a result, some cyber insurers have increased underwriting scrutiny for certain risks while others still offer premiums that continue to fall, according to Kevin Kalinich, the global practice leader for cyber risk at brokerage Aon. "We have over 70 cyber carriers out of the US, Bermuda and London. Therefore, despite the recent cyber incidents, unless you are in a 'high risk' industry class, because there's so much competition we're seeing rates come down," Mr. Kalinich said. "If you're buying cyber insurance, now is definitely a good time to buy it." David Bradford, chief strategy officer and director of strategic partnership development at Advisen, a provider of data, media, and technology solutions for the commercial property and casualty insurance market, said that many companies are currently experiencing reductions between 5% and 15%, a trend that should continue for the immediate future. He said the Equifax breach is unlikely to have a significant impact on premiums, because the company has $150 million or less of coverage, and so is unlikely to drive capacity out of the marketplace. "It will probably cause some alarm among certain classes of buyers, but it's within the range of what insurers expected to pay," he said. Premiums remain elevated for companies in industries such as retail and healthcare, which have seen significant breaches in recent years. However, they likely will fall gradually as cybercriminals turn their sights to other industries. 
The broad downward pressure on premiums fundamentally stems from supply outweighing demand - the 65 insurers Advisen estimates plying the cyber-policy space are chasing after a relatively small pot of premiums, approximately $3.5 billion. Companies can take on upwards of $600 million in coverage, Mr. Bradford said, although brokers must cobble together that capacity using policies from numerous carriers.

What could Equifax CLO John Kelley have done differently? (InsideCounsel, 11 Oct 2017) - John Kelley, CLO of Equifax, has found himself at the center of the controversy surrounding the recent massive data breach at the company. Former Equifax Inc. CEO Richard Smith spent much of last week testifying before Congress about the massive data breach that has affected some 145 million U.S. consumers. Many grilling Smith questioned the timeline following the discovery of the incursion and wondered how three Equifax executives were able to sell shares totaling close to $2 million just days later. The answers inevitably came back to the company's chief legal officer, John Kelley III, who along with being in charge of security within the company, is responsible for approving share sales by Equifax executives. Parsing the decisions Kelley made in the aftermath of the breach raises some intriguing issues for the many in-house counsel who must grapple with cybersecurity threats and shows that the story of how Equifax responded to its recent breach is anything but simple. * * * [Polley: interesting.]

- and -

What cybersecurity standard will a judge use in Equifax breach suits? (Lawfare, 20 Oct 2017) - Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California's federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016. Victims of the Equifax hack, which impacted millions more than initially reported, are filing dozens of lawsuits. And in another ruling last month, Koh upheld a class of health insurance company Anthem's data breach victims' right to sue for a recently revealed second breach - shortly after Anthem was ordered to pay $115 million to victims and credit-monitors after the first incident. We've previously described the role of theories of harm to victims, and the duty of care for companies, as courts iron out standards in data breach litigation. But what happens in court? What standards are judges applying for cybersecurity when deciding these lawsuits? What amount of cybersecurity would have been sufficient, in court if not in practice? In other words, we should assume that because a cybersecurity regime is a series of processes, and because no large-scale entity is impenetrable, breaches can and will happen, even when a company exercises care. So, what standard of care is acceptable? Especially in large-scale operations that hold potential for large scale breaches? The Equifax case may set the high-water mark of weak precautions and bungled incident-response plans, coupled with the intimacy of data and vastness of people affected. But what is the lower limit of acceptable standards for situations that are less clear? (Incidents like the Deloitte hack in September that compromised confidential emails of some of its blue-chip clients.) * * * [Polley: interesting, and lengthy; ultimately (unsurprisingly) indeterminate; still, a useful exposition.]

Australian court rules an unsent text message on phone of a deceased man as a valid will (Mashable, 11 Oct 2017) - An unsent message of a deceased man in Australia has been ruled as a valid will. It means he will leave his estate to his brother and nephew as opposed to his son and wife, who he apparently had a difficult relationship with. The decision was handed down by a judge at the Supreme Court of Queensland, following no evidence of any other will created by the deceased man. The man, who tragically took his own life, was found with the phone by his widow in October 2016. The following day, a friend of the widow was asked to look through the deceased man's contact list to see who should be notified of his death. It was there the unsent text message was found, and a screenshot was taken. "Dave Nic you and Jack keep all that I have house and superannuation, put my ashes in the back garden with Trish Julie will take her stuff only she's ok gone back to her ex AGAIN I'm beaten. A bit of cash behind TV and a bit in the bank Cash card pin 3636 MRN190162Q 10/10/2016 My will," read the text message. The widow, who contested the will, sought to rely on the fact that because the deceased man did not send the text message, he didn't mean it. But the judge in this case, Justice Susan Brown, was satisfied the unsent text constituted as a valid document and the deceased man had made up his mind on where his property would go after his death, due to the words "my will" at the end of the message. Also noted by the judge was the contact between the deceased man, his brother and nephew, prior to his death, and that the text was written close to the date of his death. It was also deemed likely the deceased man intended for the message to be found with him. "In all of the circumstances I consider that the text message was intended by the deceased to operate as his will upon his death," Brown said.

Microsoft cloud can now host classified Pentagon data (NextGov, 17 Oct 2017) - Microsoft announced on Tuesday that the Defense Department can host secret classified data in its cloud. The announcement means the Defense Department, the military services, intelligence agencies and their industry partners working within secret enclaves can host classified data in Microsoft's Azure Government Secret cloud, where they'll have access to new technologies like machine learning. * * * Secret data is traditionally distributed through a system of computer networks managed by the Defense and State departments called the Secret Internet Protocol Router Network, or SIPRNet. Microsoft's Azure Government Secret cloud can now host SIPRNet data.

Federal judge unseals New York crime lab's software for analyzing DNA evidence (ProPublica, 20 Oct 2017) - A federal judge this week unsealed the source code for a software program developed by New York City's crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence. Judge Valerie Caproni of the Southern District of New York lifted a protective order in response to a motion by ProPublica, which argued that there was a public interest in disclosing the code. ProPublica has obtained the source code, known as the Forensic Statistical Tool, or FST, and published it on GitHub; two newly unredacted defense expert affidavits are also available. "Everybody who has been the subject of an FST report now gets to find out to what extent that was inaccurate," said Christopher Flood, a defense lawyer who has sought access to the code for several years. "And I mean everybody - whether they pleaded guilty before trial, or whether it was presented to a jury, or whether their case was dismissed. Everybody has a right to know, and the public has a right to know." Caproni's ruling comes amid increased complaints by scientists and lawyers that flaws in the now-discontinued software program may have sent innocent people to prison. Similar legal fights for access to proprietary DNA analysis software are ongoing elsewhere in the U.S. At the same time, New York City policymakers are pushing for transparency for all of the city's decision-making algorithms, from pre-trial risk assessments, to predictive policing systems, to methods of assigning students to high schools.

Casetext now automatically 'pushes' legal research to attorneys (Bob Ambrogi, 23 Oct 2017) - The legal research company Casetext has introduced a feature that monitors an attorney's litigation dockets for briefs and memoranda from opposing counsel and then automatically delivers a report of case law that is relevant but not included in the document. The feature uses Casetext's legal research assistant CARA, an analytical tool that automatically finds cases that are relevant to a legal document but not cited in the document. The standard way to use CARA is for an attorney who has received a brief, memoranda or other legal document to upload it to CARA, and CARA then performs its analysis and generates a list of relevant cases that are not mentioned in the document. With this new feature, which Casetext is calling CARA Notifications, Casetext monitors all the PACER dockets in which an attorney has active matters. Whenever opposing counsel files a substantive document such as a brief or memorandum, Casetext retrieves the document, runs it through CARA, and delivers the report to the attorney. "Traditionally in legal research, an attorney gets a brief and then seeks out case law to oppose the brief," Pablo Arredondo, chief legal research officer at Casetext, explained. "The closest thing there has been to push notification is that some research services let you track a case or track a search. What we're doing now - and I believe we're the first - is pushing the caselaw to oppose the brief automatically based on monitoring the dockets." Seven firms have been using this feature on a pilot basis since Oct. 1, including Quinn Emanuel Urquhart & Sullivan, Ogletree Deakins, and Fenwick & West. The feature is being provided to them as part of their standard subscription, at no extra cost. Casetext is analyzing the text of docket entries and documents to determine which are substantive and which are not, so that it does not run routine filings through the analysis.
It only analyzes documents filed by opposing sides in the case, so the attorney's own filings are not automatically analyzed. (Of course, subscribers can always run their documents through CARA before they file them.) One early user called the service "anticipatory knowledge retrieval," Arredondo said.

MIT issues diplomas using the Bitcoin blockchain (Cryptocoins News, 23 Oct 2017) - The Massachusetts Institute of Technology (MIT) has begun a pilot program to test the benefits and challenges of using the bitcoin blockchain to issue diplomas. As MIT News reports, the pilot program began this summer and provided 111 MIT graduates with the option to receive their diplomas through a blockchain-reliant smartphone app called Blockcerts Wallet, in addition to the traditional hard-copy format. The Blockcerts app, which was developed by the MIT Media Lab in collaboration with Cambridge software company Learning Machine, generates a public-private key pair after a student downloads it and registers for the program. The app then sends the public key to MIT, who writes it into the digital record and adds a one-way hash to the bitcoin blockchain. The app stores the user's private key, enabling him or her to prove ownership of the diploma. The school says "empower[s] students to be the curators of their own credentials."

Decision reversed: Mistake using file sharing site didn't waive privilege (Ride the Lightning, 24 Oct 2017) - A case I wrote a post about in March of 2017 has now been reversed - to the relief of many lawyers, I'm sure. As Bloomberg BNA reported (sub. req.), the decision by a state magistrate judge in Harleysville Ins. Co. v. Holding Funeral Home, Inc. was reversed by a federal judge in Virginia on October 2nd. Thanks to Dave Ries for letting me know. The decision basically says that inadvertent disclosure of confidential materials through an error in using a file-sharing site didn't waive a plaintiff's attorney-client privilege and work product protection for those materials. The judge also found that defense counsel acted unethically by using the protected materials without notifying plaintiff's counsel and seeking a court ruling on the waiver issue. The case represents a reminder that lawyers generally aren't free to secretly exploit inadvertently disclosed materials even if they believe the disclosure waived any privilege claim. * * *

DIFFERENT

Tenure-track Faculty Positions (MIT, 17 Oct 2017) - Tenure track faculty position; Program in Media Arts and Sciences/Media Lab: The MIT Media Lab seeks a new kind of early career faculty member, not defined by discipline, rather by his or her unique and iconoclastic experience, style and points of view. You can be a designer, inventor, scientist, scholar or other - any combination - as long as you make things that matter. Impact is key. This means somebody with at least these three sets of characteristics: (1) being deeply versed in a minimum of two fields, preferably not ones normally juxtaposed; (2) being an orthogonal and counter-intuitive thinker, even a misfit within normal structures; (3) having an adventurous personality, boundless optimism, and desire to change the world. Any disciplines apply as long as their confluence shows promise of solving big, hard and long-term problems. And, most importantly, candidates must explain why their work really can only be done at the Media Lab. We prefer candidates not be similar to our existing faculty. We welcome applicants who have never considered academic careers. Successful candidates will: establish and lead their own research group within the Media Lab; engage in collaborative projects with industrial sponsors and other Media Lab research groups; actively contribute to shaping the open and creative culture that defines our community; supervise masters and doctoral students; and participate in the Media Arts and Sciences academic program. Appointments will be within the Media Arts and Sciences academic program, principally at the Assistant Professor level. A doctorate is not necessary, but evidence of extreme creativity is. * * * [Polley: I'd guess that every MIRLN reader wants this job. Pass it along.]

RESOURCES

A tool to get your copyrights back (Lawrence Lessig, October 2017) - I was incredibly happy to read that Creative Commons and the Authors Alliance have released a tool (cool URL: rightsback.org) to enable authors to recover the rights they had transferred to someone else. This was a project started a decade ago. It was hard then. I am very proud they have delivered it now. Copyright is an incredibly interesting law of property, chock through with weird exceptions and protections. One of those protections is that a creator can get a second chance with his or her copyright. If you created something, and then transferred your copyright to someone else, even though the transfer might say "this is forever …" you have the right to get it back. But (surprise! surprise!) it turns out it is INCREDIBLY difficult to exercise that right properly. And many creators find it just way too difficult (read: expensive) to exercise the right. The tool that CC/AA have created tries to make it as simple as possible. The tool walks you through the steps necessary to determine whether you have a right, and when you need to file. The tool doesn't do the transfer, but it does help you see whether you are entitled, and if you are, it simplifies the process of making that happen. The purpose of copyright law is to help creators. You wouldn't know that by looking at the way the law actually works. But where the law clearly benefits creators, we should do whatever we can to support it.

ABA Committee on Law and National Security launches national security podcast (ABA, 23 Oct 2017) - The ABA Committee on Law and National Security has created a new podcast called National Security Law Today. Hosted by committee members and staff, the podcast features legal experts discussing hot topics and current issues in the world of national security, as well as career advice for those looking to break into the field of national security law. Listeners will learn about the specific impact that national security law has on the legal, economic and business world outside the government. The theme for the first year is national security in private practice, focusing on laws and regulations that impact practitioners and their clients. Topics include State Department and Treasury Department sanctions, the Committee on Foreign Investment in the United States, the Foreign Agents Registration Act, export regulations, security clearances and litigation, international tribunals and prosecuting terrorist acts. New episodes air every other Thursday, and each one is approximately a half-hour long. The show is available online on the podcast website and you can find it for streaming or subscribing on iTunes, Stitcher, Soundcloud and TuneIn. Upcoming guests include: * * *

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Judge: Man can't be forced to divulge encryption passphrase (CNET, 14 Dec 2007) - A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop." Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.") This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case."

E-mail from the grave? Microsoft seeks patent on 'immortal computing' (Seattle PI, 22 Jan 2007) -- In this culture of instant information, some Microsoft Corp. researchers are pursuing a radical notion -- the concept of saving messages for delivery in decades, centuries or more. The project, dubbed "immortal computing," would let people store digital information in physical artifacts and other forms to be preserved and revealed to future generations, and maybe even to future civilizations. After all, when looking that far in the future, you never know who the end users might be. One scenario the researchers envision: People could store messages to descendants, information about their lives or interactive holograms of themselves for access by visitors at their tombstones or urns. And here's where the notion of immortality really kicks in: The researchers say the artifacts could be symbolic representations of people, reflecting elements of their personalities. The systems might be set up to take action -- e-mailing birthday greetings to people identified as grandchildren, for example. The previously undisclosed project came to light through a newly surfaced patent application in which the researchers explain some of the concepts they're exploring. The project seeks to address the fact that large amounts of valuable information are stored on media with limited life spans, in formats that could be rendered obsolete. Consider how quickly floppy disks disappeared. But the researchers aren't just thinking about the informational legacies of individuals. "Maybe we should start thinking as a civilization about creating our Rosetta stones now, along with lots of information, even going beyond personal memories into civilization memories," said Eric Horvitz, a Microsoft principal researcher who also is working on the project.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley (mailto:vpolley@knowconnect.com?subject=MIRLN) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.

Saturday, October 07, 2017

MIRLN --- 17 Sept - 7 Oct 2017 (v20.14)

MIRLN --- 17 Sept - 7 Oct 2017 (v20.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

NEWS | RESOURCES | FUN | LOOKING BACK | NOTES

Future Navy accident investigations will look for cyber attacks (NextGov, 15 Sept 2017) - Rampant internet speculation aside, there's no evidence yet that any hostile electronic breach led to recent U.S. Navy mishaps, according to the admiral who leads the service's cyber operations. In fact, it was mostly to put such speculation to rest that Vice Adm. Jan Tighe said she dispatched a small team to join the Navy's investigation into the Aug. 21 collision of the USS McCain with a cargo ship off Singapore. That accident followed a similar June 17 incident involving another destroyer, the USS Fitzgerald. Tighe said there's no particular schedule for the team to complete its work. "Quite frankly, with respect to McCain, this is a 'first of.' We have a really hard time predicting a timeline," she said. "It rather depends on what and if we find anything that looks suspicious and what and how we will go about determining whether it is, actually, suspicious or not. So, it could be weeks. It could be months. I don't think it's years." But that's part of the point. As Tighe's investigators sniff around for evidence of meddling, they are trying to figure out where to look, whom to talk to, what angles to consider, and more. They are, in fact, pioneering a new kind of inquiry for the Navy. "Codifying how we will do these types of mishap investigations to account for a cyber component going forward is where we will learn from the results of the McCain investigation," she said. Eventually, the Navy will "make it part of the normal process of how we do mishap investigations."

The alternate reality of prior art (Patently-O, 17 Sept 2017) - Thought pioneer Dan Abelow fits within an interesting designation. So far in 2017, his U.S. Patent Publication No. 2012/0069131 - mysteriously titled "Reality Alternate" - is the Most-Oft examiner cited U.S. prior art reference. The document - now patented as U.S. Patent No. 9,183,560 - covers a method of providing "a portal for a user … to be present simultaneously in two or more different non-fictional alternate realities that are distinct from a non-fictional physical reality of the user." [Here, I'm looking at Examiner citations rather than those submitted by Applicants] The Abelow document reads something like a science-fiction novel - defining a new Alternate Reality world both in terms of its incredible impact and technical specifications. From the abstract: Just as fiction authors have described alternate worlds in novels, this introduces an Alternate Reality - but provides it as technical innovation. This new Alternate Reality's "world" is named the "Expandaverse" which is a conceptual alteration of the "Universe" name and a conceptual alteration of our current reality. Where our physical "Universe" is considered given and physically fixed, the Expandaverse provides a plurality of human created digital realities that includes a plurality of human created means that may be used simultaneously by individuals, groups, institutions and societies to expand the number and types of digital realities - and may be used to provide continuous expansions of a plurality of Alternate Realities. To create the Expandaverse current known technologies are reorganized and combined with new innovations to repurpose what they accomplish and deliver, collectively turning the Earth and near-space into the equivalent of one large, connected room (herein one or a plurality of "Shared Planetary Life Spaces" or SPLS) with a plurality of new possible human realities and living patterns that may be combined differently, directed differently and controlled differently than our current physical reality. In addition to being written in a way that draws diverse connections (helpful for obviousness conclusions), the reference is also 750 pages long! (The patentee paid an extra $4,000+ in filing costs for the extra page length). One of the best patent attorneys in the country - David Feigenbaum - filed this case and helped push it through to issuance. [Polley: Hmmmmmm… Snowcrash? Rainbow's End?]

Lawyers can accept payment in bitcoin, Nebraska ethics opinion says (ABA Journal, 18 Sept 2017) - Lawyers may accept payment in digital currencies such as bitcoin but must immediately convert the money into U.S. dollars, according to a Nebraska ethics advisory opinion. The opinion, issued Sept. 11, is the first by a state ethics body to address the ethics of bitcoin payments, the Norfolk Daily News and Coin Desk report. Nebraska lawyer Matt McKeever says he requested the opinion. Eastern Nebraska is a rapidly growing hub for payment processing and financial technology, McKeever told the Norfolk Daily News. Bitcoin ATMs are already in use in the area, and the currency is being used on a daily basis, he said. The ethics opinion by the Lawyer's Advisory Committee says a growing number of law firms in other jurisdictions accept payments in bitcoin, a currency with volatile prices. In 2013, for example, the price fluctuated from about $7 per bitcoin to $1,200 per bitcoin. Immediate conversion to dollars mitigates the risk of volatility and possible unconscionable overpayment for legal services, the ethics opinion says. Lawyers who receive payment in digital currencies should take three steps, the opinion says. First, the lawyer should notify the client that the payment will be immediately converted to U.S. dollars. Second, the lawyer should make the conversion through a payment processor. Third, the lawyer should credit the client's account at the time of payment. The opinion also says that lawyers who accept virtual currency "must be careful to see that this property they accept as payment is not contraband, does not reveal client secrets, and is not used in a money-laundering or tax avoidance scheme; because convertible virtual currencies can be associated with such mischief." Lawyers may hold digital currencies in trust for clients after advising that the currency won't be converted to U.S. dollars, but the currency must be held separate from the lawyer's property and must be properly safeguarded, the ethics opinion says. There is no bank or FDIC insurance to reimburse a client for hacked bitcoin, so lawyers should take precautions such as encryption or use of more than one private key for access.

World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns (Cory Doctorow on BoingBoing, 18 Sept 2017) - In July, the Director of the World Wide Web Consortium overruled dozens of members' objections to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition. EFF appealed the decision, the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn't think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec have given them everything they demanded. This is a bad day for the W3C: it's the day it publishes a standard designed to control, rather than empower, web users. That standard that was explicitly published without any protections -- even the most minimal compromise was rejected without discussion, an intransigence that the W3C leadership tacitly approved. It's the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium. EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. Below is our resignation letter: * * *

Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE (SC Magazine, 18 Sept 2017) - Motel 6 employees in the Phoenix area who voluntarily and routinely handed guest registers to ICE officials without the benefit of a warrant may not have run afoul of the company's privacy policy, but the hotel chain said it would take steps to shut down or prevent similar operations at its other properties nationwide. The Phoenix New Times last week quoted an employee at one of two Phoenix-area Motel 6 locations as saying, "every morning at about 5 o'clock we do the audit and push a button and it sends it to ICE," prompting the American Civil Liberties Union (ACLU) to call out the motel chain on both Twitter and Facebook. "Is this your official company policy?" the ACLU tweeted. The Motel Six had said the Phoenix operation was orchestrated by locals and was shut down when corporate caught wind of it. "Moving forward, to help ensure that this does not occur again, we will be issuing a directive to every one of our more than 1,400 locations nationwide, making clear that they are prohibited from voluntarily providing daily guest lists to ICE," according to a Motel 6 statement. "Additionally, to help ensure that our broader engagement with law enforcement is done in a manner that is respectful of our guests' rights, we will be undertaking a comprehensive review of our current practices and then issue updated, company-wide guidelines."

New ABA book explores what makes cyber due diligence different (LegalTech, 18 Sept 2017) - Companies are now paying much closer attention to cybersecurity issues when involved in mergers and acquisitions. To help explain recent changes, the American Bar Association's Business Law Section has published a new book, the "Guide to Cybersecurity Due Diligence in M&A Transactions." It is edited by Thomas J. Smedinghoff, an attorney at Locke Lord, and Roland Trope, an attorney at Trope and Schramm. The 272-page book is broken down into 13 chapters that explore the importance of cybersecurity to due diligence and M&A, what acquirers should know, and how due diligence impacts a transaction. It also features an appendix that includes a listing of common U.S. data security laws and regulations. Among those working on the book were attorneys who specialize in corporate governance and cybersecurity. In explaining why the book came about, Trope told Legaltech News that "just a few years ago, cybersecurity due diligence was often ignored in M&A deals." He cited one 2015 survey of global dealmakers by an international law firm that found that 78 percent of the respondents indicated that cybersecurity was not analyzed in great depth or specifically quantified as part of the M&A due diligence process. "In the past two years, however, there has been a significant shift toward recognizing the importance of cybersecurity due diligence in the context of M&A transactions," he said. "Moreover, cybersecurity breaches have had a major impact on recent M&A transactions, further highlighting the need to address this important issue." Smedinghoff explained that, in the M&A process, cybersecurity due diligence is similar to due diligence of any other topic, such as finance. "It seeks to determine the state or status of cybersecurity preparedness of the target company," he told Legaltech News. He further highlighted some important questions that companies may want to address: * * * [Polley: In a related vein, the Second Edition of the ABA's bestselling Cybersecurity Handbook will come out in early November; a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A limited number of pre-publication copies are available to the press; contact me for information.]

Author of key internet freedom law opposes new sex trafficking bill (Ars Technica, 19 Sept 2017) - The United States Senate is moving toward passage of a bill that would - for the first time - water down a landmark 1996 law that shields website operators from lawsuits and state prosecution for user-generated content. And one of the authors of that 1996 law, Sen. Ron Wyden (D-Ore.), argued Tuesday that this would be a mistake. The Stop Enabling Sex Trafficking Act now has 28 co-sponsors, and the breadth of that support was evident at a Tuesday hearing before the Senate Commerce Committee. The legislation would allow state attorneys general to prosecute websites that are used to promote sex trafficking - something that's currently barred by Section 230 of the 1996 Communications Decency Act. It would also allow private lawsuits against sites that host sex trafficking ads. But Wyden argued at Tuesday's hearing that weakening Section 230 would be a mistake. In Wyden's view, Section 230 has been essential for establishing the United States as a global technology leader. It freed Internet startups from worrying about getting sued for hosting user-generated content, Wyden claimed. The section also allows startups to focus their resources on hiring developers and designers instead of lawyers.

- and -

The ten most important Section 230 rulings (Eric Goldman, 26 Sept 2017) - I've posted a new essay entitled "The Ten Most Important Section 230 Rulings." It will be published in the Tulane Journal of Technology & Intellectual Property. Everyone loves lists and rankings, but this essay is more than just fluffy clickbait. Organizing Section 230 cases by importance actually creates a helpful narrative about the development of Section 230 jurisprudence and the ongoing dialogue between different judges and courts. I'm pretty sure you can guess what's #1 on the list (and we'll be throwing it a proper 20th birthday party - more on that soon), and maybe you can guess #2, but can you guess #3 or #4? Would you reorder my list? Would you subtract one of my top 10 and replace with something different? Wars have broken out over lesser controversies. As always, I'd love to hear your thoughts, and feel free to thrash out the debate in the comments, too. * * *

Cyber attack, hurricane weigh on FedEx quarterly profit (Reuters, 19 Sept 2017) - Package delivery company FedEx Corp (FDX.N) said on Tuesday a June cyber attack on its Dutch unit slashed $300 million from its quarterly profit, and the company lowered its full-year earnings forecast. The company said the cyber attack slashed 79 cents per share from its profit - nearly 40 times the 2 cents per share caused by deadly Hurricane Harvey, which brought catastrophic flooding to southeastern Texas. FedEx joins a string of companies that reported big drops in earnings due to the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices. * * * Excluding the impact of the cyber attack and Hurricane Harvey, FedEx said it would have posted EPS of $3.32, above analysts' expectations. Most services of the Dutch TNT Express unit resumed during the quarter and systems had been restored, but TNT Express volume, revenue and profit still remained below pre-attack levels, the company said. FedEx did not have insurance in place that covered the impact from the cyber attack.

Patent venue: Cyberspace does not expand place of business (Patently-O, 21 Sept 2017) - Following the Supreme Court's decision in TC Heartland, the debate has moved to interpretation of the requirement that an infringement defendant have either residence or "a regular and established place of business" in the chosen venue. Any civil action for patent infringement may be brought in the judicial district where the defendant resides, or where the defendant has committed acts of infringement and has a regular and established place of business. 28 U.S.C. § 1400(b). In Raytheon v. Cray, the defendant is a Washington corporation with facilities in Austin and Houston - both of which are outside of the Eastern District of Texas. Still, E.D. Texas Judge Gilstrap found the company to fit within the regular and established place of business venue requirement based upon evidence that two Cray sales executives worked from home within the district - developing new sales and accounts worth ~$350 million over the past 7 years. The execs received reimbursement for certain utilities and charges within the district and publicly advertised their "office" phone numbers within E.D. Texas. In the process of deciding its case, Judge Gilstrap also set forth an open four-factor test finding a regular and established place of business: physical presence, defendant's representations, benefits received, and targeted interactions with the district. As a general matter, Judge Gilstrap's interpretation appears fairly broad, and on writ of mandamus, the Federal Circuit has rejected Gilstrap's analysis and directed that he transfer the case to a more appropriate venue. * * * Important mandamus order narrowing patent venue. In re Cray (Fed. Cir. 2017) [Read the Case]

Deloitte hit by cyber-attack revealing clients' secret emails (The Guardian, 25 Sept 2017) - One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal. Deloitte, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte's clients have been told their information was "impacted" by the hack. Deloitte's internal review into the incident is ongoing. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016. [see also, Deloitte breach affected all company email, admin accounts (Krebs on Security 25 Sept 2017)]

- and -

Law firm inadvertently leaks Pepsi client secrets to Wall Street Journal (Ride the Lightning, 28 Sept 2017) - Doesn't it seem like we've heard the same story before with different players? Yes, once again we have an inadvertently misaddressed e-mail going to the last place you want it to go - to a reporter with The Wall Street Journal. Corporate Counsel carried the story, reporting that Wilmer, Cutler, Pickering, Hale and Dorr was caught up on September 27th in an e-mail error that revealed secret U.S. Securities and Exchange Commission and internal investigations at PepsiCo, after a Wilmer lawyer accidentally sent a Wall Street Journal reporter privileged documents detailing a history of whistleblower claims at the company. The internal investigation revolves around PepsiCo's 2011 acquisition of the Russian drinks company Wimm-Bill-Dann and the departure of general counsel Maura Smith in 2012 following allegations of financial misreporting and other wrongdoing at PepsiCo. A subsequent SEC investigation into Smith's dismissal, and whether the company fired her in violation of whistleblower laws, is "at an early stage," The Wall Street Journal reported. The reporter learned details about the years-old internal investigation started by Smith and about the more recent SEC probe, for which Smith was subpoenaed. The information included an August 31 memo about Smith's subpoena and her contact with federal investigators that was "mistakenly sent by a WilmerHale attorney to a Wall Street Journal reporter as part of communication to other attorneys working on the matter," the report said. Wilmer's explanation and apology, sent from a spokesman, came less than three hours after the newspaper published its report. The law firm said it "inadvertently" leaked privileged information by e-mail, then asked the reporter to delete what he received. Wilmer accuses the newspaper of going back on its word to delete leaked documents.

- and -

FBI investigating hack attack on law firm defending top target of Chinese regime (World Tribune, 3 Oct 2017) - A law firm that was representing a major dissident who has exposed corruption at the highest realms of the Chinese Communist Party was targeted in a cyber attack, a report said. The FBI is investigating the alleged hacking this month at the Clark Hill law firm, which had been representing Guo Wengui, according to a report by Bill Gertz for the Washington Free Beacon on Sept. 29. The cyber attack "disrupted Clark Hill's information systems for several days and appeared to have been carried out by sophisticated hackers who targeted Guo's personal information and the lawyer representing him," the report said. "Private cyber investigators later traced the cyber attack to China and South Korea," according to persons with knowledge of the FBI investigation cited by the report.

FCC proposes to eliminate requirement to keep hard copies of FCC rules (FCC, 26 Sept 2017) - The Federal Communications Commission today issued a Notice of Proposed Rulemaking that proposes to eliminate rules requiring certain broadcast and cable entities to keep paper copies of FCC rules. More than forty years ago, the Commission adopted rules requiring low power TV, TV and FM translator, TV and FM booster stations, cable television relay station (CARS) licensees, and certain cable operators to maintain paper copies of Commission rules. These rules were intended to ensure that such entities could access and stay familiar with the rules governing their operations. Because the rules are now readily accessible online, many parties believe that the paper copy requirements are outdated and unnecessarily burdensome. While regulated entities still would be required to be familiar with the rules governing their services, elimination of the paper copy requirements would give them flexibility to determine how to fulfill that obligation. This rulemaking is part of the Modernization of Media Regulation Initiative that the FCC launched earlier this year to reduce unnecessary regulation that can stand in the way of competition and innovation in media markets.

Bloomberg Law launches AI research tool to find key points of law (Bob Ambrogi, 26 Sept 2017) - Bloomberg Law today rolled out to its subscribers a new tool, Points of Law, that uses artificial intelligence and machine learning to help legal researchers quickly find language critical to a court's reasoning and to support their legal arguments. As a researcher scrolls through a court opinion, Points of Law highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings. A pop-up shows the top three cases cited for the principle. The user can then select any of these Points of Law to see an expanded treatment that shows other cases that make the same point of law and a visual timeline and citation map of these other cases, as well as the ability to see and search related points of law. Each Point of Law has its own distinct page with these elements. "We are using machine learning and AI to extract the sense of what a judge says in an opinion to allow for quicker and easier research and to uncover language that might be hard to find," Darby Green, commercial product director for Bloomberg Law Litigation Solutions, told me yesterday. Bloomberg says that it has extracted more than one million Points of Law from its database of 13 million published and unpublished state and federal court opinions, and that these Points of Law are being continually updated as new cases are added. In addition to getting to these Points of Law through a court opinion, a researcher can also find them by conducting keyword searches across all case law or specific jurisdictions.

- and -

New from Fastcase: Instantly add public hyperlinks to case citations in legal documents (Bob Ambrogi, 3 Oct 2017) - The legal research company Fastcase is introducing a new feature today, Cloud Linking, that automatically converts case citations in legal documents into hyperlinks to the full-text cases. Cloud Linking is notable because the links it creates are public and free - anyone can follow them regardless of whether they have a Fastcase account. While both LexisNexis and Westlaw also have tools that convert citations into hyperlinks, the person following their links must have a subscription to view the source material. "We're trying to make public law more public and useful - to move from a world in which law is scarce to one in which law is abundant," said Ed Walters, Fastcase cofounder and CEO. "Our team at Fastcase has always said that law should be like electric power: nearly ubiquitous, inexpensive, reliable, and useful for powering other things." To convert a document using Cloud Linking, you must be a Fastcase subscriber. In Fastcase 7, Cloud Linking now appears as an option on the top menu bar. In Fastcase 6, click Options in the top menu bar and then select Cloud Linking.

The media really has neglected Puerto Rico (538, 28 Sept 2017) - While Puerto Rico suffers after Hurricane Maria, much of the U.S. media (FiveThirtyEight not excepted) has been occupied with other things: a health care bill that failed to pass, a primary election in Alabama, and a spat between the president and sports players, just to name a few. Last Sunday alone, after President Trump's tweets about the NFL, the phrase "national anthem" was said in more sentences on TV news than "Puerto Rico" and "Hurricane Maria" combined. Those other stories are worth covering, of course. But compared to the other natural disasters of the past few weeks, Hurricane Maria has been relatively ignored. Data from Media Cloud, a database that collects news published on the internet every day, shows that the devastation in Puerto Rico is getting comparatively little attention. [ Polley : pretty interesting graphics; more interesting are the techniques employed.]

Restoring those old liner notes in music's digital era (NYT, 29 Sept 2017) - Two decades into the era of online music, streaming has been hailed as the industry's savior, but a complaint from the earliest days of digital services persists: What happened to the liner notes? Much of the material that once accompanied an album has long since been stripped away - not just the lyrics and thank-you lists, but also essays, artwork and even basic details like songwriting credits - leaving listeners with little more on their screens to look at but a song title and a postage-stamp-size cover image. One company, TunesMap, wants to return much of that lost information, and more, through an interactive display that, when cued by a song playing on a streaming service, will present a feed of videos, photographs and links to related material. After a decade of development, TunesMap is scheduled to make its debut in November as an Apple TV app that will work with Sonos, the connected speaker system. The app is the brainchild of G. Marq Roswell, a Hollywood music supervisor who has worked with David Lynch and Denzel Washington. He bemoans the way early digital players and online music stores like iTunes removed all sense of music coming from a particular place and time. Working with Nigel Grainge, an influential record executive who died in June; Erik Loyer, an app developer and media artist; and Jon Blaufarb, an industry lawyer, Mr. Roswell in 2007 began to design what he calls an interactive "context engine." Stream a song on a Sonos speaker and, if TunesMap's app is also fired up on Apple TV, images and historical information related to the artist or a song's origins begin to float by. For a Bob Dylan song, the app shows vintage photographs of Greenwich Village, news clippings and links to related artists (like Martin Scorsese, who directed the Bob Dylan documentary "No Direction Home"). The goal is to present fans with a web of educational "rabbit holes" to explore.

- and -

Elsevier launches encyclopedic tool (InsideHigherEd, 3 Oct 2017) - The publisher Elsevier has announced the launch of ScienceDirect Topics, an information platform that has been compared to Wikipedia. The tool, announced last month, uses information from Elsevier books to generate "a quick snapshot of definitions, terms and excerpts on scientific topics." An Elsevier news release said the tool would save researchers time because they won't have to navigate away from Elsevier research articles to look up information outside their core discipline. "Previously, researchers would have had to leave the site, open up a search engine and spend time trying to find the right and trusted information. Not anymore. Our new technology enables researchers to access these foundational references and knowledge quickly, easily and at the point of need," said Sumita Singh, managing director of Elsevier Reference Solutions.

Google to ditch controversial 'first click free' policy (The Guardian, 2 Oct 2017) - Google is to abandon its controversial policy of forcing news providers to offer free articles in order to appear on its search engine as part of a collection of measures designed to support the growth of digital subscriptions. The US company will replace its so-called "first click free" policy, which requires publishers to offer three free articles a day before readers come across a pay wall. Instead Google will offer a flexible sampling model that allows news organisations to decide how many, if any, articles it offers for free. The "first click free" model has been described as "toxic" by publishers such as Axel Springer and Rupert Murdoch's News Corp. Google is making the move after feedback from publishers and readers and after tests with the New York Times and the Financial Times. It is also a recognition of the growth of subscription services and the fact a "one size fits all" approach was not appropriate. As well as dropping "first click free", Google will make it easier for users to subscribe to services. For example, people will be able to subscribe to news providers with one click through Google's existing payment technology.

Equifax is reportedly reviewing actions of its top lawyer, who oversaw security and stock sales (ABA Journal, 2 Oct 2017) - Equifax's board of directors is reportedly scrutinizing the actions of the company's chief legal officer, John Kelley, because of two of his duties - overseeing security and approving stock sales by executives. The Wall Street Journal (sub. req.) has the story, based on anonymous sources. Kelley had the responsibility to approve stock sales by senior executives, three of whom sold stock worth about $1.8 million days after the company discovered the data breach on July 29, according to the Wall Street Journal. Equifax has said the executives were not aware of the breach when they sold stock. It's unknown when Kelley was told about the hack. Also, the company's former chief security officer reported to Kelley. The company wanted the chief legal officer to oversee cybersecurity rather than an executive who might be concerned about the allocation of money, the article explains.

Google's new Gmail security: If you're a high-value target, you'll use physical keys (ZDnet, 2 Oct 2017) - Google will soon be offering an Advanced Protection Program to lock down the Gmail accounts of high-value targets. According to Bloomberg, the new Gmail service will block third-party apps from accessing user data and introduces a replacement for two-factor authentication based on Google's USB Security Key. Google will begin offering the Advanced Protection Program next month, which will be marketed to "corporate executives, politicians and others with heightened security concerns". Bloomberg notes that the service builds on USB Security Key, for which Google introduced software in 2014. Security Key is a physical USB key used in place of a code required for two-step verification. It's more secure because an attacker needs physical possession of the key to access an account they have credentials for. The USB key also cryptographically verifies the user is on a legitimate Google site and not a phishing site. G Suite admins can force their users to require the USB key for login. The Advanced Protection Program will require two keys to use the service, according to Bloomberg.

More than 80% of all net neutrality comments were sent by bots, researchers say (Motherboard, 3 Oct 2017) - The Trump administration and its embattled FCC commissioner are on a mission to roll back the pro-net neutrality rules approved during the Obama years, despite the fact that most Americans support those safeguards. But there is a large number of entities that do not: telecom companies, their lobbyists, and hordes of bots. Of the more than 22 million comments submitted to the FCC website and through the agency's API, only 3,863,929 comments were "unique," according to a new analysis by Gravwell, a data analytics company. The rest? A bunch of copy-pasted comments, most of them likely by automated astroturfing bots, almost all of them - curiously - against net neutrality. "Using our (admittedly) simple classification, over 95 percent of the organic comments are in favor of Title II regulation," Corey Thuen, the founder of Gravwell, told Motherboard in an email. This one was sent to the FCC 1.2 million times: The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation.\n\nI urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.\n\nThe plan currently under consideration at the FCC to repeal Obama's Title II power grab is a positive step forward and will help to promote a truly free and open internet for everyone.\n In case you are wondering, the "\n" strings as well as other weird symbols that might appear in other comments are alternative representations of certain special characters, or line breaks, according to Thuen. The comment above was already spotted as coming from bots in May. (Gravwell published some of the data they crunched in a spreadsheet in case you are curious.)

App listening for audio beacons may be illegal wiretapping - Rackemann v. Colts (Technology & Marketing Law Blog, 4 Oct 2017) - This is a lawsuit against the Colts and app developers, alleging that the Colts' app activates a device's microphone and temporarily records portions of audio, for advertising purposes. The app monitors the audio for "beacon tones" which are then used to deploy advertisements. The app is able to listen on command and while running in the background. The app's terms of service allegedly does not disclose the use of beacon technology or that it activates the microphone for the purposes of "listening in". It's unclear from the order precisely when the listening feature was activated. Plaintiff alleged that he downloaded the app from the Google Play store and used it to follow the Colts and as a result, the app listened in on his "private conversations". He sued on his own behalf and on behalf of a putative class. The various defendants (the Colts, app developers) moved to dismiss. The court denies the motions. * * *

Supreme Court says live streaming would "adversely affect" oral arguments (Ars Technica, 4 Oct 2017) - The Supreme Court is setting aside a request to live stream its oral arguments. The attorney for Chief Justice John Roberts Jr. told members of Congress that live streaming even the audio portion of its oral arguments might impact the outcome. "The Chief Justice appreciated and shares your ultimate goal of increasing public transparency and improving public understanding of the Supreme Court," Roberts' attorney, Jeffrey P. Minear, wrote (PDF) the four members of Congress seeking (PDF) to have the court's gerrymandering case live streamed in audio. "I am sure you are, however, familiar with the Justices' concerns surrounding the live broadcast or streaming of oral arguments, which could adversely affect the character and quality of the dialogue between the attorneys and Justices. Consequently, the Court is unable to accommodate your request." For years, members of Congress and the public have been trying to get the high court to televise or to live stream the audio of their oral arguments, in a bid to make the court more transparent. The response has always been an affirmative "NO" out of fear that it could affect the proceedings. The court's oral arguments are open to the public, however, and the audio version of an oral argument is usually made publicly available on the Friday of the week that the case was argued. The court's opinions are also posted to its website when the court releases them. In other ways, however, public access to the court has been stuck in the Dark Ages - such as when it comes to obtaining briefs submitted by parties to the court. The court does not make them available online. But it plans to do so for free beginning next month. The lower federal courts started making their records available online nearly two decades ago using a paid system called PACER. [ Polley : Why should the Supreme Court be different from other gov't entities?]

New CIS cybersecurity guide for small and medium businesses (Ride The Lightning, 5 Oct 2017) - The Center for Internet Security (CIS) recently published CIS Controls: Implementation Guide for Small- and Medium-Sized Enterprises (SMEs). This guide contains a small sub-set of the CIS Controls specifically selected to help protect SMEs. The guide seeks to empower the owners of small and medium-sized enterprises to help them protect their businesses with a small number of high priority actions based on the CIS Controls - a comprehensive set of cybersecurity best practices developed by IT experts that address the most common threats and vulnerabilities. The guide is only 15 pages - well worth reading in conjunction with the NIST Cybersecurity Framework (covers businesses with up to 500 users) - and it mentions a number of free and low-priced tools. The CIS Controls discussed include: * * *

RESOURCES

Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers (Future of Privacy Forum, 26 Sept 2017) - Today, the Future of Privacy Forum released a new paper, Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers. With the repeal of the Deferred Action for Childhood Arrivals (DACA) program last month, it is important that schools - and the companies that serve them - understand their legal options and when they may be required to disclose student personal information to law enforcement. "The Federal Education Rights and Privacy Act (FERPA) broadly prohibits schools from disclosing student records without the written consent of the parent or student," said Amelia Vance, FPF Policy Counsel. "In this Guide, we highlight two key best practices when responding to federal requests for student data: 1) consult legal counsel to determine your obligations; and 2) carefully align the amount and types of data you collect about students to the programs and services you provide," said Vance. The Guide notes that some schools collect student immigration status or other data that can be used to imply immigration status. "If schools collect student immigration status data, it is considered part of the student record and is protected by FERPA," Vance said. The Guide explains that schools may only disclose this information with consent or in response to a valid court order or subpoena. In addition to the Guide, FPF has released an accompanying blog with a list of supplemental resources and articles.

Stop and Frisk Online: Theorizing Everyday Racism in Digital Policing in the Use of Social Media for Identification of Criminal Conduct and Associations (Sage Journals, 28 Sept 2017) - Abstract: Police are increasingly monitoring social media to build evidence for criminal indictments. In 2014, 103 alleged gang members residing in public housing in Harlem, New York, were arrested in what has been called "the largest gang bust in history." The arrests came after the New York Police Department (NYPD) spent 4 years monitoring the social media communication of these suspected gang members. In this article, we explore the implications of using social media for the identification of criminal activity. We describe everyday racism in digital policing as a burgeoning conceptual framework for understanding racialized social media surveillance by law enforcement. We discuss implications for law enforcement agencies utilizing social media data for intelligence and evidence in criminal cases.

FUN

I Fought The Law; A photo exploration of the most absurd American laws and legal legends (Mashable, 28 Sept 2017) - It all started with one vague conversation. "One winter evening in 2012, a friend told me it was illegal to have an ice-cream cone in your back pocket," says photographer Olivia Locher. "Our conversation quickly moved on to a new topic but that statement stuck with me. After doing some research and learning of many other strange laws I knew I had a new project." That project transformed itself into Locher's new book, I Fought The Law, a photo examination of the absurd laws in American history. For the book, Locher figured out strange laws in each state in the U.S. and photographed each one being broken.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Yahoo strikes deal to catalog lyrics online (SiliconValley.com, 24 April 2007) -- Yahoo has teamed up with Gracenote, an Emeryville company, to offer what it is calling "the largest catalog of legal, licensed song lyrics" on the Web. "It fills a huge, gaping hole out there," said Ian Rogers, general manager of Yahoo Music. While there are plenty of Web sites offering lyrics, Gracenote is the first company to have gone through the painstaking process of negotiating deals with the thousands of publishers who own copyrights to the lyrics. The catalog offered by Yahoo will include lyrics of 400,000 songs owned by more than 10,000 publishers. About 9,000 artists are represented, ranging from classic names such as the Beatles and Bob Dylan to more recent stars like Radiohead and Beyonce. Craig Palmer, chief executive of Gracenote, said it took more than two years and nearly 100 deals to forge the legal framework behind the database. Gracenote then had to create standards for publishing lyrics on the Web and put together an automated system for compensating the songwriters. This can include as many as 10 writers on a single hip-hop song. "The copyrights, the database and the payments issues all had to be solved in order to bring this obvious service to market," Palmer said. Yahoo's song lyrics are supposed to be the official versions. Under the licensing agreement, Yahoo will share with copyright holders the revenue from the ads that will be displayed alongside the lyrics. Music publishers such as BMG Music Publishing, EMI Music Publishing, Sony/ATV Music Publishing, Universal Music Publishing Group and Warner/Chappell Music are contributing lyrics.

8.3 million Americans victims of id theft (Washington Post, 27 Nov 2007) - Nearly 4 percent of American adults were victims of identity theft in 2005, but half of them did not incur any out-of-pocket expenses, the U.S. Federal Trade Commission said on Tuesday. An agency survey found identity information was stolen from 8.3 million U.S. adults and most commonly used to access or open accounts for credit cards, bank checking, telephone service, e-mail, and medical insurance. "In more than half of the incidents, victims incurred no out-of-pocket expenses," the FTC said in a statement. However, 10 percent of the victims reported out-of-pocket expenses of $1,200 or more, it said. The FTC survey also looked at the value of goods or services that thieves obtained using the victims' personal information. In half of all incidents, thieves obtained items or services worth $500 or less while in 10 percent of cases, thieves got at least $6,000. Some 37 percent of victims reported problems beyond their out-of-pocket expenses, the FTC said. They included being harassed by debt collectors, denied new credit or loans, unable to use existing credit cards, having utilities cut off, or having difficulty obtaining or accessing bank accounts.

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln. Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.