Saturday, December 09, 2017

MIRLN --- 19 Nov - 9 Dec 2017 (v20.17)

MIRLN --- 19 Nov - 9 Dec 2017 (v20.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

NEWS | RESOURCES | LOOKING BACK | NOTES

New roadside scanner contract brings uninsured drivers closer to automatic tickets (Oklahoma Watch, 16 Nov 2017) - Oklahoma has finalized a deal with a Massachusetts company to use license-plate scanners to catch uninsured drivers, and the firm expects to issue 20,000 citations a month starting as early as next year. The program, believed to be the first of its kind in the nation, involves setting up automated high-speed cameras on highways around the state to detect uninsured vehicles and mailing their owners a citation with a fine of $184, according to the District Attorneys Council. Gatso USA, a Beverly, Massachusetts-based company that specializes in red-light-running and speeding detection systems, will initially get $80, or 43 percent, of each fine. Its cut will decrease to $74 after two years and $68 after five years, according to a contract approved by the state after months of legal review and negotiation. The company could expect to bring in $1.6 million a month, or $19 million a year, if the 20,000 citations are issued monthly. Gatso is a subsidiary of a Dutch company. Drivers who pay the fees will avoid having a charge of driving without insurance on their permanent record. The purpose of the Uninsured Vehicle Enforcement Diversion Program, approved by the state Legislature in 2016, is to reduce the high number of uninsured motorists in Oklahoma. A 2015 Pew Charitable Trusts survey found that 26 percent of all drivers in the state are uninsured - the highest rate in the nation - which can push up insurance premiums and hit-and-run accidents. But another incentive underlies the program. It will be overseen by the District Attorneys Council rather than law enforcement, and the state's 27 district attorneys' offices are expected to receive millions of dollars in citation revenue a year, although no estimates were provided. District attorneys have complained that their revenue sources are diminishing because of state budget cuts and the drop in bounced-check fines. top

The dangerous data hack that you won't even notice (Quartz, 17 Nov 2017) - A recent wave of cyberattacks-from WannaCry and Equifax to the alleged Russian influence on the US election-has demonstrated how hackers can wreak havoc on our largest institutions. But by focusing only on hackers' efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility: data manipulation. Imagine that a major Big Food company gets hacked. But this time, instead of leaking the company's proprietary information to the public or freezing its systems with ransomware, the hackers subtly manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make drinkers sick, despite appearing within their use-by date. Figures are tweaked slightly on pending invoices to vendors, altering the company's balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product that was failing suddenly looks like it is passing regulation tests. Would the company even notice such changes happening? Could it still have the confidence that its backups were uncompromised? How could its investors accurately assess the company's value when all of its financials might suddenly be based on faulty information? And how might its customers and suppliers respond? Now apply this thought experiment to banks, medical institutions, and government organizations. It's pretty scary. Unlike "information-gathering" hacks (where data is stolen because it is valuable) or "hold hostage" attacks (when data is imprisoned until someone pays to release it), "manipulation hacks" are hard to detect: They result when individuals (or bots) illegally change vital information below the threshold of attention. * * * top

- and -

$1 billion lawsuit focuses on EHR data integrity concerns (Data Breach Today, 20 Nov 2017) - The suit alleges that eClinicalWorks' cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means "patients and doctors cannot rely on the veracity of those records." The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services' Office of Inspector General (see eClinicalWorks Case Shines Spotlight on Data Integrity ). The Justice Department alleged the company falsely claimed it met the HITECH Act EHR incentive program's certification requirements. Among the requirements it didn't meet, according to DoJ: accurately recording user actions - such as orders for diagnostic tests - that are conducted in the course of a patient's treatment and ensuring data portability. The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company's software: (1) Periodically displayed incorrect medical information in the right chart panel of the patient screen; (2) Periodically displayed multiple patients' information concurrently; (3) In specific workflows, failed to accurately display medical history on progress notes; and (4) Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient's treatment. "As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records," the lawsuit complaint claims. "Because the audit history does not accurately record user actions, there is no way for any patient to know if there records were deleted/altered/modified. In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions," the complaint says. The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, "on behalf of herself and all others similarly situated." top

Cybersecurity: What to know about the 'Vulnerabilities Equities Process' (The Recorder, 22 Nov 2017) - They may not realize it, but any company hit by the WannaCry ransomware attack over the past several months was impacted firsthand by a secretive U.S. government policy mechanism known as the VEP. Short for the "Vulnerabilities Equities Process," the VEP is the procedure through which the government decides whether to hang on to knowledge of computer security flaws for offensive uses (i.e., hacking), or disclose them to ensure they get patched. In the case of WannaCry, news reports and comments by Microsoft's chief legal officer indicated that the NSA knew about the vulnerability at the root of the worm, but only told Microsoft after losing control of it. In the wake of the ensuing controversy, White House Cybersecurity Coordinator Rob Joyce last week for the first time unveiled a public version of the VEP Charter in an effort to shed some light on the government's decision-making process. The 14-page document describes in broad strokes the balancing act government hackers must go through after they discover new vulnerabilities. Here are a few things you ought to know about it: * * * top

The Fifth Amendment, decryption and biometric passcodes (Lawfare, 27 Nov 2017) - The spread of commercially available encryption products has made it harder for law enforcement officials to access to information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray said that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It's a "huge, huge problem," Wray said. One might think that a way around this problem is for the government to order the user to produce the password to the device. But such an order might face a big hurdle: the Fifth Amendment. A handful of cases have emerged in recent years on the applicability of the Fifth Amendment to demands for passwords to encrypted devices. The protections afforded by the amendment depend on, among other things, whether the password involves biometric verification via a unique physical feature, or the more typical string of characters (passcode). As we will see, the government has a bit more leeway under the Fifth Amendment to insist on the decryption of personal computing devices using biometric passwords that-as in the new iPhone X-are increasingly prevalent. * * * [ Polley : this area is in flux, but the article is a decent summary.] top

Art galleries versus the Pentagon (InsideHigherEd, 28 Nov 2017) - Is it art? Or government property? Or both? The John Jay College of Criminal Justice is currently hosting an exhibit of art from eight current and former detainees at the detention camp at Guantánamo Bay Naval Base in Cuba. Earlier this month, however, the Department of Defense halted the export of artwork made by prisoners there, declaring that works made by the prisoners are property of the United States government. The exhibit, "Ode to the Sea: Art From Guantánamo," went on display at the City University of New York campus Oct. 2, when Department of Defense policy still allowed detainees to export art from the island prison where the U.S. government currently detains 41 people. A total of 779 people, all men, have been detained at Gauntanamo Bay since the prison's controversial opening in 2002. "On the opening pages of Moby-Dick , [Herman] Melville writes about the 'water-gazers' of New York, office-dwellers who spent their free time looking at the rivers and sea that surround the city," Erin Thompson, the exhibit's co-curator and an assistant professor in John Jay's Department of Art and Music, wrote in an essay for The Paris Review when the exhibit debuted. "The detainee artists told me that they thought of the sea as a symbol of both hope and fear. They represented it in order to dream about escape and to escape as best they could. By immersing themselves so fully in making art, they could imagine that they were in a ship at sea -- until the work was finished." The New York Post characterized the exhibit as "controversial," noting that some of the first responders who died in the Sept. 11 attacks had attended John Jay. (On the other hand, Thompson noted, only one of the current detainees whose work is on display has actually been charged with a crime.) After going through an examination by prison authorities, art created through prison programming was allowed to be released and sent abroad. That policy was changed earlier this month. "Items produced by detainees remain the property of the U.S. government," Ben Sakrisson, a Pentagon spokesman, said Monday, adding that the policy was in firmly in place and not under review, which previous reports had suggested was a possibility. Even if a detainee is eventually released, Sakrisson acknowledged that the policy implicitly states that any art made by the detainee would still be government property. top

BakerHostetler and Perkins Coie named 'founding stewards' in new blockchain ID network (ABA Journal, 28 Nov 2017) - BakerHostetler and Perkins Coie are "founding stewards" in the new blockchain-based identity network Sovrin. On account of high-profile data breaches of personal information and the increased interest and feasibility of blockchain technology, there is a growing movement to create IDs that do not rely on centralized storage, which is a honeypot for hackers. Sovrin, run by the nonprofit Sovrin Foundation, "is a global, decentralized identity network that allows people and organizations to create portable, self-sovereign digital identities, which they control, and cannot be taken away by any government or organization" according to the BakerHostetler website. As founding stewards, BakerHostetler and Perkins Coie "donate network power to maintain the ledger" that host nodes to house the self-sovereign IDs, according to an email from Judd Bagley, director of communications at Evernym, the company that invented Sovrin and spun it off as a separate nonprofit foundation. Bagley adds: "Stewards are charged with writing encrypted identity data to the Sovrin ledger and verifying the validity" of each ledger entry. Once in the network, the ID's existence is public across the distributed network. But it can only be accessed with the user's verification key, which is a public identifier, and a signing key, which is private and known only to the user. Collectively, those two cryptographic keys will signal to a bank, government or another individual or entity that a person is who they say. For Joe Cutler, a partner at Perkins Coie, self-sovereign identity is "the future of identity." In a press release he said: "SSI aims to shift control over your most personal information back into your own hands, and to end this notion that you must sacrifice privacy and security in order to participate in today's digital economy." Laura Jehl, a partner at BakerHostetler's D.C., office, told the ABA Journal in an email that being a steward is about helping their "clients understand and embrace a future where digital identities can be trusted, mitigating risks from data breaches and other cybersecurity incidents." The Sovrin Foundation is one of numerous entities focused on self-sovereign ID built on blockchain, which includes IBM's Blockchain Platform and Microsoft's partnership with Blockstack and ConsenSys, two blockchain companies. top

- and -

Coinbase ordered to give the IRS data on users trading more than $20,000 (TechCrunch, 29 Nov 2017) - Most digital currencies exist in a sort of twilight state just beyond the grasp of federal regulators, but the U.S. tax authority is starting to get savvy to this whole bitcoin thing. On Wednesday, a federal judge in San Francisco ruled that Coinbase must supply the IRS with identifying information on users who had more than $20,000 in annual transactions on its platform between 2013 and 2015. After noticing that the number of tax returns claiming gains from virtual currency didn't line up with the emerging popularity of digital currencies like bitcoin as an investment vehicle, the IRS asked Coinbase to hand over a broad swath of information on its users. Coinbase pushed back, and now the court has landed on a compromise that the company is calling a " partial victory ." "Coinbase itself admits that the Narrowed Summons requests information regarding 8.9 million Coinbase transactions and 14,355 Coinbase account holders. That only 800 to 900 taxpayers reported gains related to bitcoin in each of the relevant years and that more than 14,000 Coinbase users have either bought, sold, sent or received at least $20,000 worth of bitcoin in a given year suggests that many Coinbase users may not be reporting their bitcoin gains," the court documents read . While cryptocurrency users who value the relative decentralization and privacy afforded by digital currencies won't be happy, Coinbase succeeded in limiting the government's initial request for information on all Coinbase users who made transactions from 2013 to 2015 to the smaller subset of high-value users. The IRS initially requested nine kinds of user data, including "complete user profiles, know-your-customer due diligence, documents regarding third-party access, transaction logs, records of payments processed, correspondence between Coinbase and Coinbase users, account or invoice statements and records of payments." Rejecting some of those requests, today the court narrowed the scope of documents that the IRS can request from Coinbase to taxpayer ID number, name, date of birth, address, transaction logs and account statements, deeming the rest of the documents "not necessary." Again, these personal data requests will only apply to accounts that have bought, sold, sent or received more than $20,000 in any of those types of transactions between 2013 and 2015. top

As clients demand law firm cyber audits, who sets the terms? (Law.com, 29 Nov 2017) - With hackers and other cyber pitfalls affecting more and more law firms , there is still no universally accepted standard that firms must meet to show that they are adequately protected. In the legal industry, concerns about how to assess firms' cyber defenses will likely grow, as a growing number of corporate clients insist outside counsel undergo, and most often pay for, cybersecurity audits. "We have seen an exponential increase in inquiries from law firms in 2017 versus years past," said John DiMaria, a marketing executive in the London office of BSI Group, which provides certifications related to cybersecurity, including certification for ISO/IEC 27001, an international standard for information security management. According to Patti Moran, a spokeswoman for the International Legal Technology Association, and its subsidiary ILTA LegalSEC, a community of law firms seeking to improve the security in the global legal community, more than 44 law firms had achieved that certification by the end of last year, and another 56 were working toward it. That's a big increase from two years ago, when The American Lawyer reported that at least 10 Am Law 200 firms had attained the ISO certification to assure clients they were taking steps toward protecting their documents and communication systems. To make audits' worth their expense, cybersecurity auditors must use accepted and published benchmarks, said Jeffrey Ritter, a visiting fellow at the University of Oxford and founding chairman of the American Bar Association's committee on cyberspace law. "You have to show what criteria you are using," he said. At the same time, Ritter argues that such standards "have a level of ambiguity" that makes them insufficient safeguards. Meeting an ISO standard is simply not enough, according to John Sweeney, president of Nashville, Tennessee-based LogicForce, which conducts cybersecurity audits largely for law firms. (Other providers of cybersecurity audits include all the Big Four accounting firms, BSI Group and Resiliam.) "ISO is only a single standard that doesn't necessarily cover practical implementation of best practices. Our experience with corporate audits from financial, health, insurance, and other industries have shown ISO 27001 compliance isn't enough to get law firms to pass their audits," Sweeney wrote in an email responding to questions for this article. Moreover, many firms fall far behind even the minimum requirements to meet the ISO standards, a set of legal, physical and technical policies for information risk management procedures, including rules about documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. "There is currently a large gap in where plenty of law firms are today, and any formal certification process," Sweeney wrote. top

SWIFT warns banks on cyber heists as hack sophistication grows (Reuters, 28 Nov 2017) - SWIFT, the global messaging system used to move trillions of dollars each day, warned banks on Wednesday that the threat of digital heists is on the rise as hackers use increasingly sophisticated tools and techniques to launch new attacks. "Adversaries have advanced their knowledge," SWIFT said in a 16-page report co-written with BAE Systems Plc's cyber security division. "No system can be assumed to be totally infallible, or immune to attack." SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public. The new report described an attack on an unidentified bank. Hackers spent several months inside the network of one customer, preparing for the eventual attack by stealing user credentials and monitoring the bank's operations using software that recorded computer keystrokes and screenshots, the report said. When they launched the attack in the middle of the night, the hackers installed additional malware that let them modify messaging software so they could bypass protocols for confirming the identity of the computer's operator, according to the report. The hackers then ordered payments sent to banks in other countries by copying pre-formatted payment requests into the messaging software, according to the report. After the hackers ended the three-hour operation, they sought to hide their tracks by deleting records of their activity. They also tried to distract the bank's security team by infecting dozens of other computers with ransomware that locked documents with an encryption key, the report said. While SWIFT did not say how much money was taken, it said the bank quickly identified the fraudulent payments and arranged for the stolen funds to be frozen. [ Polley : I've seen such attacks executed with painstaking attention-to-detail, nearly-perfectly scripted. Impressive, and scary.] top

- and -

NATO mulls 'offensive defense' with cyber warfare rules (Reuters, 30 Nov 2017) - The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019. The doctrine could shift NATO's approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology. The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails. In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data. Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns. * * * NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks. "The fictional scenarios are based on real threats," said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise. NATO's commanders will not develop cyber weapons but allied defense ministers agreed last month that NATO commanders can request nations to allow them use of their weapons if requested. top

Facebook's new captcha test: 'Upload a clear photo of your face' (Wired, 28 Nov 2017) - Facebook may soon ask you to "upload a photo of yourself that clearly shows your face," to prove you're not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: "Please upload a photo of yourself that clearly shows your face. We'll check it and then permanently delete it from our servers." In a statement to WIRED, a Facebook spokesperson said the photo test is intended to "help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads." The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique. The Facebook spokesperson said the photo test is one of several methods, both automated and manual, used to detect suspicious activity. The company declined to share details to prevent the system from being manipulated. Suspicious activity might include someone who consistently posts from New York and then starts posting from Russia. Facial technology is increasingly common, such the use of Apple Face ID to authenticate users on iPhone X. A since deleted screenshot from Twitter seemed to indicate that users are locked out of their accounts while the photo is being verified. A message said, "You Can't Log In Right Now. We'll get in touch with you after we've reviewed your photo. You'll now be logged out of Facebook as a security precaution." Facebook users who suspect their account has been compromised can go to Facebook.com/hacked . The company would not say when it started using the technique, but in a post on Reddit users reported getting the same prompt in April. The new authentication scheme is the second in recent weeks that relies on photos. Earlier this month, Facebook asked users to upload nude photos to Facebook Messenger, as part of an effort to prevent revenge porn. Facebook said it would use the nude photos to create a digital fingerprint against which to compare future posts. Facebook said the photos are hashed and then deleted from its servers. [ Polley: Orwell.] top

Heightened security risks dictate a proactive corporate board (Security Info Watch, 1 Dec 2017) - * * * Despite the impact that data breaches and other types of cyber-attacks continue to have on all kinds of organizations, Jim Pflaging, principal, technology sector and strategy practice lead at security and risk management advisory firm The Chertoff Group, says the level of involvement many boards have today when it comes to addressing cybersecurity issues is really a mixed bag. Pflaging, who serves on the board of several technology companies himself and as a board advisor to several others, says that The Chertoff Group set out last year to get a better understanding about the state of maturity in cybersecurity conversations at the board level and subsequently interviewed over 100 leading executives across three different continents in companies ranging in size from Fortune 500 organizations to small, private firms. What they found, according to Pflaging, was a "tale of two cities." "The first (group) was the good news and that was Fortune 500 (companies) in what people would call critical infrastructure - transportation, utilities, finance, healthcare and some tech (firms) - they said, 'yeah, we've been talking about cybersecurity for years. It is a mature conversation, we talk about it from a risk point of view and, in some cases, it is beyond risk and in the overall business continuity discussion,' Pflaging says. "The second group was largely everybody else and this was not a pretty picture. This resonated with me because it reflected the boards that I am on and that is that cyber is rarely or never on the agenda and if it is on the agenda, it's in response to a breach. The state of the conversation was there really wasn't one." Pflaging says that many of these executives from the first group had learned about cybersecurity mostly from other boards but from personal stories as well. Those board members in the second group reported being confused about exactly what their roles should be as directors when it comes to cybersecurity and what questions they should be asking. top

It's gonna get a lot easier to break science journal paywalls (Wired, 3 Dec 2017) - * * * Today, even though you can't access Scholar directly from the Google-prime page, it has become the internet's default scientific search engine-even more than once-monopolistic Web of Science, the National Institutes of Health's PubMed, and Scopus, owned by the giant scientific publisher Elsevier. But most science is still paywalled. More than three quarters of published journal articles-114 million on the World Wide Web alone, by one (lowball) estimate -are only available if you are affiliated with an institution that can afford pricey subscriptions or you can swing $40-per-article fees. In the last several years, though, scientists have made strides to loosen the grip of giant science publishers. They skip over the lengthy peer review process mediated by the big journals and just … post. Review comes after. The paywall isn't crumbling, but it might be eroding. The open science movement , with its free distribution of articles before their official publication, is a big reason. Another reason, though, is stealthy improvement in scientific search engines like Google Scholar , Microsoft Academic, and Semantic Scholar -web tools increasingly able to see around paywalls or find articles that have jumped over. Scientific publishing ain't like book publishing or journalism. In fact, it's a little more like music, pre-iTunes, pre-Spotify. You know, right about when everyone started using Napster. * * * top

Stanford lied about business school scholarships (InsideHigherEd, 4 Dec 2017) - A breach of confidential data has indicated that the Stanford University Graduate School of Business has been publicly misrepresenting how it awards scholarships. The business school's website, for years, said that "all fellowships are need based," referring to scholarships. A student, Adam Allcock, recently found out that anyone in the business school had access to confidential data. He alerted the school to inform officials of the security flaw, but also downloaded the data and ran an analysis that showed that scholarship awards are not, in fact, need based. "The [Graduate School of Business] secretly ranks students as to how valuable (or replaceable) they were seen, and awarded financial aid on that basis," Allcock wrote in an 88-page report describing his analysis. "Not only has the GSB also been systematically discriminating by gender, international status and more while lying to their faces for the last 10 to ~25 years." Poets & Quants , an outlet that specializes in business school rankings and news, broke the story. The San Francisco Chronicle noted that the school has not disputed the report's findings, and that this isn't the only data breach Stanford has had in recent months. The school has since admitted that even though it claimed not to award scholarships based on merit, it "has offered additional fellowship awards to candidates whose biographies make them particularly compelling and competitive in trying to attract a diverse class." Women and those with backgrounds in finance were often favored for scholarship money, even if they had more ability to pay for tuition than others. In some cases, according to the report, scholarships could be three times larger between two different students with identical financial need. The secretive scholarship promise might explain why Stanford graduates perform so well, according to Poets & Quants : the school, for example, sends more students into venture capital and private-equity jobs than Wharton, Chicago Booth, Columbia or Harvard. "Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any M.B.A. program in the world," Poets & Quants wrote. "That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds." top

Independent factual research by judges via the internet (ABA Formal Opinion 478, 8 Dec 2017) - Easy access to a vast amount of information available on the Internet exposes judges to potential ethical problems. Judges risk violating the Model Code of Judicial Conduct by searching the Internetforinformationrelatedtoparticipantsorfactsinaproceeding. Independent investigation of adjudicative facts generally is prohibited unless the information is properly subject to judicial notice. The restriction on independent investigation includes individuals subject to the judge's direction and control. top

RESOURCES

A Legal Anatomy of AI-generated Art: Part I (Harvard Journal of Law & Technology, 21 Nov 2017) - Abstract: This Comment is the first in a two-part series on how lawyers should think about art generated by artificial intelligences, particularly with regard to copyright law. This first part charts the anatomy of the AI-assisted artistic process. The second Comment in the series examine how copyright interests in these elements interact and provide practice tips for lawyers drafting license agreements or involved in disputes around AI-generated artwork : "Advanced algorithms that display cognition-like processes, popularly called artificial intelligences or "AIs," are capable of generating sophisticated and provocative works of art.[1] These technologies differ from widely-used digital creation and editing tools in that they are capable of developing complex decision-making processes, leading to unexpected outcomes. Generative AI systems and the artwork they produce raise mind-bending questions of ownership, from broad policy concerns[2] to the individual interests of the artists, engineers, and researchers undertaking this work. Attorneys, too, are beginning to get involved, called on by their clients to draft licenses or manage disputes. The Harvard Law School Cyberlaw Clinic at the Berkman Klein Center for Internet & Society has recently developed a practice in advising clients in the emerging field at the intersection of art and AI. We have seen for ourselves how attempts to negotiate licenses or settle disputes without a common understanding of the systems involved may result in vague and poorly understood agreements, and worse, unnecessary conflict between parties. More often than not, this friction arises between reasonable parties who are open to compromise, but suffer from a lack of clarity over what, exactly, is being negotiated. In the course of solving such problems, we have dissected generative AIs and studied their elements from a legal perspective. The result is an anatomy that forms the foundation of our thinking-and our practice-on the subject of AI-generated art. When the parties to an agreement or dispute share a common vocabulary and understanding of the nature of the work, many areas of potential conflict evaporate. This Comment makes that anatomy available to others, in the hopes that it will facilitate productive negotiations and clear, enforceable agreements for others involved in AI-related art projects. We begin by clarifying what we mean by AI-generated art, distinguishing it from art that is created by humans using digital creation and editing software. Next, we describe four key elements that make up the anatomy of a generative AI. We go into detail on each element, providing plain-language explanations that are comprehensible even to those without a technical background. We conclude with a brief preview of the second Comment in this series, which will delve into how we think about the application of copyright law in this context, including the questions of ownership that arise as to each element, and provide some practical insights for negotiating agreements in the context of AI-generated art. * * *" top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Army squeezes soldier blogs, maybe to death (Wired, 2 May 2007) -- The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops' online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. "This is the final nail in the coffin for combat blogging," said retired paratrooper Matthew Burden, editor of The Blog of War anthology. "No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- it's most honest voice out of the war zone. And it's being silenced." Army Regulation 530--1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to "consult with their immediate supervisor" before posting a document "that might contain sensitive and/or critical information in a public forum." The new version, in contrast, requires "an OPSEC review prior to publishing" anything -- from "web log (blog) postings" to comments on internet message boards, from resumes to letters home. Active-duty troops aren't the only ones affected by the new guidelines. Civilians working for the military, Army contractors -- even soldiers' families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military's restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don't have access to the site. Even those able to get in are finding their access is blocked to that particular file. top

In trade ruling, Antigua wins a right to piracy (New York Times, 22 Dec 2007) - In an unusual ruling on Friday at the World Trade Organization, the Caribbean nation of Antigua won the right to violate copyright protections on goods like films and music from the United States - an award worth up to $21 million - as part of a dispute between the countries over online gambling. The award follows a W.T.O. ruling that Washington had wrongly blocked online gambling operators on the island from the American market at the same time it allowed online wagering on horse racing. Antigua and Barbuda had claimed damages of $3.44 billion a year. That makes the relatively small amount awarded Friday, $21 million, something of a setback for Antigua, which had been struggling to preserve its gambling industry. The United States argued that its behavior had caused $500,000 damage. Yet the ruling is significant in that it grants a rare form of compensation: the right of one country, in this case Antigua, to violate intellectual property laws of another - the United States - by allowing it to distribute copies of American music, movie and software products. top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. Aon's Technology & Professional Risks Newsletter

5. Crypto-Gram, http://www.schneier.com/crypto-gram.html

6. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

7. The Benton Foundation's Communications Headlines

8. Gate15 Situational Update Notifications, http://www.gate15.us/services.html

9. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. top

No comments: