Saturday, March 24, 2018


MIRLN --- 4-24 March 2018 (v21.04) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)



Let's fix peer review (Ray Truant Laboratory, 14 Feb 2018) - If one explains the current system of peer review to a non-scientist, the response is typically, "that's insane, I thought you guys were supposed to be smart". To recap: When we apply for a grant or want to publish our science, we secretly get the work reviewed by our peers, some of whom are competing with us for precious funding, or a bizarre version of fame. Under the veil of anonymity, a reviewer can write anything, including false or incorrect statements, to justify a decision. The decision is most often "do not fund" or "reject", even if the review is based off of inaccuracies, lack of expertise, or even blatant slander. There are no rules, there are no repercussions. There are few integrity guidelines, no oversight, and no rules of ethics in the review process for the most part. It can lead to internet trolling at a level of high art. In funding decisions, these mistakes can be missed by inattentive panels, but were definitely missed in the CIHR reform scheme before panels were re-introduced. We still have a problem of reviewers self-identifying expertise they simply do not have. Scientists have to follow strict rules of ethics when submitting data, including conflicts of interest, research ethics, etc. Such rules are often not formally stated in the review process and can vary widely between journals. This system is historic, dating back to an era when biomedical research was a fraction of the size it is today, and journal editors were typically active scientists. The community was small. But as science rapidly expanded in the 90s, so did scientific publishing, and soon editors became professional editors, some never having run a lab or research program. Then came the digital revolution; journals were no longer being read on paper and the pipeline to publish increased exponentially. What drove the massive expansion of journals? Money. Big money. And like many historic industries, it's thriving, mostly based off free slave labor. * * * [Polley: Quite interesting; flagged for me by a former client. See also Who May Swim in the Ocean of Knowledge? (Carl Malamud, March 2018)]

Five questions to test your understanding of the ethics of technology (Law Technology Today, 1 March 2018) - More than 28 states now say lawyers have an ethical duty to be competent in technology. Indeed, a State Bar of California ethics opinion recently extended that duty to include competence in e-discovery, CA Formal Opinion No. 2015-193. On top of that, the federal courts have implemented new proportionality rules governing your duty to produce documents. All of this comes as lawyers grapple with thorny ethical issues concerning the use of cloud technology, storing privileged documents with outside vendors, and relying for key tasks on smart but non-human computer algorithms. So what are your ethical duties with using new technology, such as technology assisted review (TAR) in e-discovery? A careful look at five key questions surrounding the ethics of TAR can help you use it in a way that is strategic, reasonable and proportional to the matter. And will save you and your client on review costs. * * *

- and -

Ethics opinion stresses lawyers' duty of confidentiality when blogging (ABA Journal, 6 March 2018) - Lawyers should be mindful of the duty of confidentiality when they engage in public commentary, including blogging and other online postings, according to an ethics opinion from the ABA Standing Committee on Ethics and Professional Responsibility. Formal Ethics Opinion 480 explains that lawyers communicating about legal topics in public commentary must comply with the ABA Model Rules of Professional Conduct, including Rule 1.6(a), which provides: "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)." This duty of confidentiality is broad and includes all information related to the representation, not just information learned directly from the client. The reach of this rule is much broader than either the attorney-client privilege or the work product doctrine. The opinion explains that this duty of confidentiality applies even if the information about the client's representation is found in a court record or other public record. "The duty of confidentiality extends generally to information related to a representation whatever its source and without regard to the fact that others may be aware of or have access to such knowledge," the opinion reads. "The salient point is that when a lawyer participates in public commentary that includes client information, if the lawyer has not secured the client's informed consent or the disclosure is not otherwise impliedly authorized to carry out the representation, then the lawyer violates Rule 1.6(a)," the opinion continues. [Polley: This is almost entirely "not news". But, it makes the point that even "public" client information shouldn't be blogged about.]

Hogan Lovells, 4th largest US firm, moves into the cloud (LegalTech, 1 March 2018) - Cloud adoption has been a slow-brewing trend in the legal sector over the last few years, but a recent announcement that Hogan Lovells, the fourth-largest firm in the United States based on the National Law Journal's 2017 rankings, has opted to adopt a cloud-based document management system may indicate that legal is moving more definitively into the cloud. Hogan Lovells recently announced that the firm plans to use cloud-based system NetDocuments as its primary document management system. Prior to the adoption, the firm was using two competing systems, iManage and OpenText, left over from the firm's merger of Washington D.C.-based Hogan & Hartson and U.K. firm Lovells in 2010.

International law and cyberspace: Evolving views (Lawfare, 4 March 2018) - On Feb. 13, our colleague Robert Chesney flagged the upcoming Cyber Command legal conference titled "Cyberspace Operations in the Gray Zone." The conference, which begins Monday morning and involves heavy interagency, private sector and academia participation, is set to address a number of key international and domestic law issues surrounding cyberspace operations, such as the exploiting of social media in the gray zone, the characterizing of information warfare in cyberspace, the protecting of domestic information systems, the countering of gray zone cyber threats, technology and warfare, and privacy implications of military cyberspace operations. Much of the conference will be geared towards sub-use-of-force issues and activities that may not clearly be governed by the law of armed conflict, which raises questions about when exactly cyber activities do or do not involve the use of force. The U.S. asserts that extant international law, to include International Humanitarian Law (IHL), applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the Tallinn Manual 2.0 may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual. Because members of the military are tasked with following the law, defining the nuances of the applicability of international law in cyberspace should be a central priority. We hope that the following discussions can serve to enrich this week's conference, and further DoD's development of cyber law.
This year, a number of excellent pieces of scholarship emerged that could help enhance conference discussions on key elements of international law, namely the principles governing cyber operations outside the context of armed conflict, such as sovereignty and the IHL principles of distinction and proportionality. In his personal capacity, Colonel Gary P. Corn, Staff Judge Advocate of USCYBERCOM, co-authored "Sovereignty in the Age of Cyber" with Robert Taylor, Former Principal Deputy General Counsel of DoD, and posted on SSRN an advance draft of an upcoming chapter titled "Cyber National Security: Navigating Gray Zone Challenges In and Through Cyberspace." Meanwhile, Commander Peter Pascucci, Chief of Operational Law at USCYBERCOM, authored "Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution." These works add nuance to the applicability of international law principles to cyberspace and vary somewhat from the publicly stated views of prior State Department Legal Advisers, as we'll argue below.

Companies sharpen cyber due diligence as M&A activity revenue up (Morningstar, 5 March 2018) - Automatic Data Processing Inc. deployed a team of cybersecurity, risk management and financial-crime specialists to WorkMarket before acquiring it in January. The ADP team combed the software maker's technology, practices and internal policies. It also interviewed staff about monitoring for intrusions, training employees and performing other security tasks. The payroll processor also hired a cybersecurity firm to do its own evaluation. Security problems, said ADP's chief security officer Roland Cloutier, could kill any deal. "If we found out data was exfiltrated, we may walk away," he said. "We've looked at a lot of companies and only purchased a few. Security always plays a part." Companies are intensifying due diligence of acquisition targets to avoid costly cybersecurity surprises, particularly when intellectual property, such as software code or customer data, drives the deal. Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company's technology operations can threaten transactions. Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger. ADP investigators typically look for trouble spots such as signs of an unauthorized presence on the target's network and scant or no evidence that employees have received security training. No significant problems surfaced at WorkMarket, but deep study of a target's cybersecurity helps executives forecast deal costs, Mr. Cloutier said. ADP typically spends two to four months on the process. Problems can arise even years later. FedEx Corp. moved quickly last month to secure a server that exposed data from customer driver's licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014. [Polley: directly on point is the recently published ABA book "Guide to Cybersecurity Due Diligence in M&A Transactions", which I highly recommend.]

Reflecting on the original big idea for MOOCs (InsideHigherEd, 6 March 2018) - Six years ago, inspired by a big idea to democratize higher education, the University of Michigan (U-M) became a founding partner of Coursera. Massive open online courses (MOOCs) were born. While the issuance of MOOC death certificates by skeptics is only rivaled in frequency by those filed by South Park writers for Kenny, MOOCs consistently find ways to survive and indeed thrive in nurturing environments. MOOCs are far from dead. Rather, they appear to hatch derivatives. Sean Gallagher of Northeastern University's Center for the Future of Higher Education and Talent Strategy refers to this as "the new ecology of credentials", a landscape transforming rapidly as we move from the early knowledge economy to the digital, AI, Gig economy. Which leads those of us close to the action to reflect often upon the original big idea for MOOCs. Typically stating a goal to "democratize" is followed by "access to" something. In hindsight, it's clear we hadn't fully considered the potential of what we might be democratizing. What, in fact, are we scaling? Is it content and courses? Curriculum and credentials? Communities and college towns? With today's announcement, we are now much closer to saying "all of the above". MOOCs may have initially provided learners an opportunity to simply peer into the university. Now MOOCs and MOOC derivatives (e.g. Teach-Outs, specializations, MicroMasters, MasterTrack, etc.) are helping universities to expand how they think about engaging with the world. For U-M, this is entirely consistent with top institutional priorities around academic innovation, diversity, equity, and inclusion, and public engagement. We are the global, inclusive, public research university.
The real innovation of the MOOC era is not the unbundling of academic degrees that first captured massive attention, but rather the re-bundling that results from serious academic R&D - the creation of new communities and credentials for all levels. In announcing Michigan's new degrees this morning at the Coursera Partners Conference, Coursera CEO Jeff Maggioncalda contextualized these latest innovations as evidence that "the future of work and the future of learning are converging." Today U-M announced the intent to design two new fully online master's degree programs and a new online cohort-based pathway to advanced degrees and career advancement called the MasterTrack Certificate. Let's consider this latest re-bundling effort within the broader context. * * *

- and -

Udacity u-turns on money-back guarantee (InsideHigherEd, 16 March 2018) - It was hailed as a "dream come true" by Udacity's founder and CEO Sebastian Thrun. "We now GUARANTEE a job for anyone who completes a Nanodegree Plus -- or else tuition back. Hope other universities follow," tweeted Thrun in January 2016. Now, it seems, the dream is over. Udacity has quietly scrapped its pledge, nixing the program, which guaranteed a job within six months of graduation or 100 percent of students' money back, at the end of last year.

Geek Squad's relationship with FBI is cozier than we thought (EFF, 6 March 2018) - After the prosecution of a California doctor revealed the FBI's ties to a Best Buy Geek Squad computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. EFF filed a Freedom of Information Act (FOIA) lawsuit last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially circumvents computer owners' Fourth Amendment rights. The documents released to EFF show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, an FBI memo from September 2008 details how Best Buy hosted a meeting of the agency's "Cyber Working Group" at the company's Kentucky repair facility. The memo and a related email show that Geek Squad employees also gave FBI officials a tour of the facility before their meeting, and make clear that the law enforcement agency's Louisville Division "has maintained close liaison with the Geek Squad's management in an effort to glean case initiations and to support the division's Computer Intrusion and Cyber Crime programs." Another document records a $500 payment from the FBI to a confidential Geek Squad informant. This appears to be one of the same payments at issue in the prosecution of Mark Rettenmaier, the California doctor who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility. Other documents show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs. The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI's Louisville field office after finding what they believed was child pornography.

Large law firms seeing more data breaches (Ride the Lightning, 6 March 2018) - I know many readers have not read the 2017 ABA Legal Technology Survey because it costs money, but it is well worth reviewing the cybersecurity highlights - more than 4,000 respondents were surveyed. 22% of respondents said their firms had experienced a data breach at some point, up from 14 percent last year - that's a big escalation. Significantly, respondents at firms with 500 or more attorneys took the bulk of those hits. Over one third of law firms with 10-99 attorneys reported being compromised in 2017 alone. Some of the key consequences from breaches were downtime, loss of billable hours, destruction or loss of files - and of course having to pay consulting fees for remediating damages from the attacks. As one might expect, reporting stats are much lower. 7% of firms with 500+ attorneys and 3% of firms with 10-49 attorneys reported authorized access to sensitive client data. 25% of firms reported having no security policies, though all firms with 500+ lawyers did have such policies. 66% of BigLaw firms do have an Incident Response Plan. 51% of firms with 100-499 attorneys and 43% of firms with 50-99 attorneys also have an incident response plan.

- and -

'Confusing as hell': Making sense of cyber insurance (ABA Journal, 9 March 2018) - When it comes to managing a firm's cybersecurity risks, password regimens and encrypted backups are not enough. You need cyber insurance. A Friday morning panel at ABA Techshow entitled "Cyberinsurance: Necessary, Expensive and Confusing as Hell" attempted to demystify the nascent cyber insurance field while underscoring how vital it is to have some sort of insurance policy in place in case of cyberattacks. Panelists Judy Selby, a cyber insurance consultant and lawyer, and Sharon Nelson, president of Sensei Enterprises, laid out the case for the insurance and the challenges of understanding it. No matter how good your cybersecurity infrastructure may be, "it can't stop it all," said Nelson. She argued that cyber insurance is necessary "because you are managing an enormous risk." Providing background on the relatively new area of cyber insurance, Nelson quoted a PricewaterhouseCoopers report that found one-third of businesses have a cyber insurance policy. Additionally, she noted that policies are being offered by upwards of 60 insurers. At the same time, according to the 2017 ABA Legal Technology Survey, 22 percent of solo and small firms reported a data breach, an increase compared to the previous year, when 14 percent of such firms reported a breach. For many, this can be devastating. According to Nelson, it has been reported that half of all small businesses close within six months after a breach. Cyber insurance varies, but these types of policies can often cover first-party contingencies like legal, forensic, notification, credit monitoring and breach coach costs. It may also cover business interruption incurred by the insured or contingent business interruption, which provides coverage when a third-party service provider that the insured relies on, such as a cloud storage vendor, cannot operate because of a cyber incident.
Policies may also cover data restoration, extortion, denial of service attacks and social engineering attacks. Some policies will cover third-party contingencies like privacy and network liability, public relations, regulatory liability, fines and payment card issuer liability. With growing demand and offerings, the cyber insurance market is still new, or a "soft market" in the terms of the presenters. This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry. "No matter what two policies you're looking at, it's apples and oranges," said Nelson. This includes ubiquitous terms like "cyber incident" or "social engineering," which will be defined by the insurer in their own idiosyncratic way. To this end, both say it is important to read through potential policies with an eye toward detail and definitions.

For two months, I got my news from print newspapers. Here's what I learned. (NYT, 7 March 2018) - I first got news of the school shooting in Parkland, Fla., via an alert on my watch. Even though I had turned off news notifications months ago, the biggest news still somehow finds a way to slip through. But for much of the next 24 hours after that alert, I heard almost nothing about the shooting. There was a lot I was glad to miss. For instance, I didn't see the false claims - possibly amplified by propaganda bots - that the killer was a leftist, an anarchist, a member of ISIS and perhaps just one of multiple shooters. I missed the Fox News report tying him to Syrian resistance groups even before his name had been released. I also didn't see the claim circulated by many news outlets (including The New York Times) as well as by Senator Bernie Sanders and other liberals on Twitter that the massacre had been the 18th school shooting of the year, which wasn't true. Instead, the day after the shooting, a friendly person I've never met dropped off three newspapers at my front door. That morning, I spent maybe 40 minutes poring over the horror of the shooting and a million other things the newspapers had to tell me. Not only had I spent less time with the story than if I had followed along as it unfolded online, I was better informed, too. Because I had avoided the innocent mistakes - and the more malicious misdirection - that had pervaded the first hours after the shooting, my first experience of the news was an accurate account of the actual events of the day. This has been my life for nearly two months. In January, after the breaking-newsiest year in recent memory, I decided to travel back in time.
I turned off my digital news notifications, unplugged from Twitter and other social networks, and subscribed to home delivery of three print newspapers - The Times, The Wall Street Journal and my local paper, The San Francisco Chronicle - plus a weekly newsmagazine, The Economist. I have spent most days since then getting the news mainly from print, though my self-imposed asceticism allowed for podcasts, email newsletters and long-form nonfiction (books and magazine articles). Basically, I was trying to slow-jam the news - I still wanted to be informed, but was looking to formats that prized depth and accuracy over speed. It has been life changing. Turning off the buzzing breaking-news machine I carry in my pocket was like unshackling myself from a monster who had me on speed dial, always ready to break into my day with half-baked bulletins. Now I am not just less anxious and less addicted to the news, I am more widely informed (though there are some blind spots). And I'm embarrassed about how much free time I have - in two months, I managed to read half a dozen books, took up pottery and (I think) became a more attentive husband and father. * * * [Polley: resonates with me and the idea of saving time is attractive. For me, this story was the tipping point: I've just re-subscribed to New York Times home-delivery, hardcopy. I've been missing too much.]

The FCC says a space startup launched four tiny satellites into orbit without permission (The Verge, 10 March 2018) - Earlier this year, a space startup from Silicon Valley launched four of its first prototype communications satellites on top of an Indian rocket. Except the FCC says that the company didn't have authorization from the US government to send up those spacecraft, IEEE Spectrum reports. It would seemingly mark the first time a US private company launched unlicensed satellites into orbit - and these rogue spacecraft could pose a danger to other objects in space. The four satellites reportedly belong to a fledgling company called Swarm Technologies, which was started by former Google and NASA JPL engineer Sara Spangelo in 2016. The probes, dubbed SpaceBees 1, 2, 3, and 4, are meant to test out Swarm's idea for a "space-based Internet of Things" network, according to IEEE, and went up as part of a cluster of 31 satellites aboard an Indian Polar Satellite Launch Vehicle (PSLV) rocket on January 12th. At the time of the launch, India's space agency didn't name the operator of the four satellites.

Can't Washington protect Americans from propaganda on social media? (Poynter, 12 March 2018) - The past two years have taught us that the United States needs a better handle on what social networks are doing to manipulate and prioritize information. If there's one thing that Washington could do, it would be to provide better safeguards to ensure that these powerful tools are not used to mislead the public again. That's part of the message from Martha Minow, longtime Harvard Law School dean and expert on the shifting media and technological landscape. Minow also casts a skeptical eye on the concentration of local media ownership by companies such as Sinclair Broadcasting. We need action now, or independent news as we know it won't be around, she warned in a speech last week at Brown University. Minow cites the Constitution as impetus for Washington "to improve reliable access to material enabling competing views and authentication of messages and sources. The government can protect users against bombardment by computer-generated messages that drown out news and drive citizens away from the exchange needed for democratic self-governance." "Nothing in the Constitution forecloses government action to regulate concentrated economic power, to require disclosure of who is financing communications, and to support news initiatives where there are market failures. The First Amendment forbids Congress from 'abridging' the freedom of speech and freedom of press; it does not forbid strengthening it and amplifying news. "Affirmative government action may be precisely what the First Amendment actually requires now."

- and -

How researchers learned to use Facebook 'likes' to sway your thinking (NYT, 20 March 2018) - Perhaps at some point in the past few years you've told Facebook that you like, say, Kim Kardashian West. When you hit the thumbs-up button on her page, you probably did it because you wanted to see the reality TV star's posts in your news feed. Maybe you realized that marketers could target advertisements to you based on your interest in her. What you probably missed is that researchers had figured out how to tie your interest in Ms. Kardashian West to certain personality traits, such as how extroverted you are (very), how conscientious (more than most) and how open-minded (only somewhat). And when your fondness for Ms. Kardashian West is combined with other interests you've indicated on Facebook, researchers believe their algorithms can predict the nuances of your political views with better accuracy than your loved ones. As The New York Times reported on Saturday, that is what motivated the consulting firm Cambridge Analytica to collect data from more than 50 million Facebook users, without their consent, to build its own behavioral models to target potential voters in various political campaigns. The company has worked for a political action committee started by John R. Bolton, who served in the George W. Bush administration, as well as for President Trump's presidential campaign in 2016. "We find your voters and move them to action," the company boasts on its website.

ACLU sues TSA over searches of electronic devices (Tech Crunch, 12 March 2018) - The American Civil Liberties Union of Northern California has filed a Freedom of Information Act lawsuit against the Transportation Security Administration over its alleged practices of searching the electronic devices of passengers traveling on domestic flights. "The federal government's policies on searching the phones, laptops, and tablets of domestic air passengers remain shrouded in secrecy," ACLU Foundation of Northern California attorney Vasudha Talla said in a blog post. The lawsuit, which is directed toward the TSA field offices in San Francisco and its headquarters in Arlington, Virginia, specifically asks the TSA to hand over records related to its policies, procedures and/or protocols pertaining to the search of electronic devices. This lawsuit comes after a number of reports came in pertaining to the searches of electronic devices of passengers traveling domestically. The ACLU also wants to know what equipment the TSA uses to search, examine and extract any data from passengers' devices, as well as what kind of training TSA officers receive around screening and searching the devices. [See also US border searches of electronic devices: Recent developments and lawyers' ethical responsibilities (ABA, 13 March 2018) - by Keith Fisher (and, as always, worth reading)]

Historical Supreme Court cases now online (Library of Congress, 13 March 2018) - More than 225 years of Supreme Court decisions acquired by the Library of Congress are now publicly available online - free to access in a page image format for the first time. The Library has made available more than 35,000 cases that were published in the printed bound editions of United States Reports (U.S. Reports). United States Reports is a series of bound case reporters that are the official reports of decisions for the United States Supreme Court dating to the court's first decision in 1791 and to earlier courts that preceded the Supreme Court in the colonial era. The Library's new online collection offers access to individual cases published in volumes 1-542 of the bound edition. This collection of Supreme Court cases is fully searchable. Filters allow users to narrow their searches by date, name of the justice authoring the opinion, subject and by the main legal concepts at issue in each case. PDF versions of individual cases can be viewed and downloaded. The collection is online at loc.gov/collections/united-states-reports/. The digital versions of the U.S. Reports in the new collection were acquired by the Law Library of Congress through a purchase agreement with William S. Hein & Co. Inc. The acquisition is part of the Law Library's transition to a digital future and in support of its efforts to make historical U.S. public domain legal materials freely and easily available to Congress and the world. Users can access this collection from a link on loc.gov and law.gov. More recent editions of the U.S. Reports from 1987 to the present are available online from the U.S. Supreme Court. The U.S. Reports digital collection augments other legal collections made available online during the past year, including the U.S. Code from 1925 to 1988. Other newly digitized collections include the papers of U.S. Presidents James Buchanan, Ulysses S. Grant, Millard Fillmore, Franklin Pierce and James K. Polk; and the papers of Alexander Hamilton, Sigmund Freud and Margaret Bayard Smith. [Polley: Spotted by MIRLN reader Carl Malamud - @carlmalamud]

A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try. (NYT, 15 March 2018) - In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm's operations and trigger an explosion. The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised. Investigators have been tight-lipped about the August attack. They still won't identify the company or the country where it is based and have not identified the culprits. But the attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation. The only thing that prevented an explosion was a mistake in the attackers' computer code, the investigators said. The assault was the most alarming in a string of cyberattacks on petrochemical plants in Saudi Arabia. In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, which is one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical. 
Within minutes of the attack at Tasnee, the hard drives inside the company's computers were destroyed and their data wiped clean, replaced with an image of Alan Kurdi, the small Syrian child who drowned off the coast of Turkey during his family's attempt to flee that country's civil war. The intent of the January attacks, Tasnee officials and researchers at the security company Symantec believe, was to inflict lasting damage on the petrochemical companies and send a political message. Recovery took months. Energy experts said the August attack could have been an attempt to complicate Crown Prince Mohammed bin Salman's plans to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country's growing youth population. A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon's Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations. All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico - though not triggered by hackers - have killed several employees, injured hundreds and forced evacuations of surrounding communities. What worries investigators and intelligence analysts the most is that the attackers compromised Schneider's Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. 
The Triconex system was believed to be a "lock and key operation." In other words, the safety controllers could be tweaked or dismantled only with physical contact. top

Initial estimates show digital economy accounted for 6.5 percent of GDP in 2016 (NTIA, 15 March 2018) - The Bureau of Economic Analysis released, for the first time, preliminary statistics and an accompanying report exploring the size and growth of the digital economy. Goods and services that are primarily digital accounted for 6.5 percent of the U.S. economy, or $1.2 trillion, in 2016, after a decade of growing faster than the U.S. economy overall, BEA's research shows. These new estimates are supported in part by funding from NTIA. From 2006 to 2016, the digital economy grew at an average annual rate of 5.6 percent, outpacing overall U.S. economic growth of 1.5 percent per year. In 2016, the digital economy supported 5.9 million jobs, or 3.9 percent of total U.S. employment. Digital economy employees earned $114,275 in average annual compensation compared with $66,498 per worker for the total U.S. economy. top

Election infrastructure ISAC created to share threats specific to voting systems (CyberScoop, 16 March 2018) - States and localities are getting a new, Department of Homeland Security-backed center to coordinate and share information on election security. The Elections Infrastructure Information Sharing and Analysis Center (ISAC) was announced Thursday, giving the nation's 8,800 state and local jurisdictions a dedicated venue to share information about cyberthreats and vulnerabilities specific to election systems and remote security monitoring capabilities. DHS has tasked the nonprofit Center for Internet Security with establishing and running the ISAC. CIS already runs the Multi-State ISAC, which states have been using to coordinate on election security in lieu of any official. Other ISACs exist for DHS's critical infrastructure sectors, such as the financial services, electricity and aviation industries. DHS designated election systems as a subsector of the country's critical infrastructure in early 2017 when the intelligence community concluded that Russia tried to interfere in the 2016 presidential election. While that designation was initially met with skepticism on the state and local level, officials now say that it has improved election security coordination across levels of government. top

Democrats want to subpoena Apple to find out when key administration officials downloaded encrypted messaging apps (The Intercept, 17 March 2018) - On Wednesday, House Democrats on the Intelligence Committee released a memo laying out the steps they would have taken had they been in charge of the Trump-Russia investigation - and steps they may take if and when they gain subpoena power by taking over the House of Representatives in November. Down on Page 20 of the memo is a pair of ideas that could put Congress on a collision course with privacy advocates in Silicon Valley. "Apple: The Committee should seek records reflecting downloaded encrypted messaging apps for certain key individuals," the memo suggests. "The Committee should likewise issue a subpoena to WhatsApp for messages exchanged between key witnesses of interest." The committee said that it would also seek to find out "all messaging applications that Mr. [Jared] Kushner used during the campaign as well as the presidential transition, including but not limited to SMS, iMessage, Whatsapp, Facebook Messenger, Signal, Slack, Instagram, and Snapchat." The committee may also consider adding ProtonMail, the encrypted email service, to that list. One White House staffer, Ryan P. McAvoy, jotted his ProtonMail passwords and his address on a piece of White House stationery and left it at a bus stop near the White House. A source found it there and provided it to The Intercept, which confirmed its authenticity. (McAvoy did not respond to requests for comment.) top

Big four giant PwC announces blockchain auditing service (CCN, 17 March 2018) - PricewaterhouseCoopers LLP, a Big Four accounting firm that has supported various blockchain projects, has announced a blockchain audit service that it claims will encourage people to use the still new technology, according to The Wall Street Journal. The service will allow companies to offer an outside review of their use of blockchain technology, thereby ensuring they are using it properly and enabling employees to monitor the company's blockchain transactions. PwC recognizes the obstacles to the technology's adoption. These include concerns about compliance within companies and organizations, as well as concerns about risk management and corporate controls. While blockchain is often considered tamper-proof, its adoption presents issues similar to those of deploying any information technology. In recognizing such concerns among its own clients who were starting to use blockchain technology, PwC was motivated to develop its new solution. PwC logs transactions on the blockchain and has developed testing criteria and controls. The service allows users within a company to view, test and monitor transactions on the blockchain in near real time. One customer is a major stock exchange that needs to verify its blockchain-based payment process. Another customer, a digital wallet provider, is using the product to verify its transaction processing. PwC declined to identify these two customers. top

'Netflix for oil' setting stage for $1 trillion battle over data (Bloomberg, 19 March 2018) - A battle for big data is brewing in the oil patch. The service companies that map underground pockets of oil, drill the wells and lift crude from miles below are generating vast new amounts of data they never before realized could be valuable. But their exploration customers are essentially saying hands off to anything coming out of their wells, including the streams of zeros and ones. "There's no doubt to me, we are producing two resources: the oil and gas, and the data," said Philippe Herve, a Schlumberger Ltd. veteran who now helps oil companies use artificial intelligence at SparkCognition. "The oil and gas is very clear: it belongs to the operator. But who owns the data?" Answering that question will mean real money for a global industry climbing out of the worst crude crash in a generation. An industry that only uses about 1 percent of the data it generates, according to Baker Hughes, is trying to harness it to see where to pump more oil faster for less money. Transforming to a digital oil field could add almost $1 trillion to the world's economy by 2025, according to a 2015 study by Oxford Economics and Cisco Consulting Services. To the service companies specifically, owning the data - enough to fill 20 million file cabinets since 2010 alone - would mean a whole new revenue stream, perhaps as they sell subscriptions to huge data libraries. "It's like Netflix for oil and gas," said John Gibson, an advisor at Tudor Pickering Holt & Co. who previously ran the oil-services business for Halliburton Co. "Imagine that all data is like a movie that many different people want to watch, but they want to watch it at different times." To the producers, though, owning that data means one less check they'd have to write. And it would ensure competing producers couldn't see their data while stealthily moving into a new field. EOG Resources Inc., dubbed by one of its analysts as the Apple Inc. of the oilfield, is widely considered a leader among explorers for bypassing oilfield service companies to generate its own in-house innovations. "Data is king and one of our most valuable resources," Sandeep Bhakhri, chief information and technology officer at EOG told investors on a conference call last year. "You have to own the data. You cannot outsource its collection, analysis or delivery." [ Polley : Fascinating; I was in the business 14 years ago, and am surprised this issue isn't well-settled.] top

Results may vary in legal research databases (ABA Journal, March 2018) - When a lawyer searches in a legal database, that single search box is like a lure: Put in your search terms and rely on the excellence of the search algorithms to catch the right fish. At first glance, the various legal research databases seem similar. For instance, they all promote their natural language searching, so when the keywords go into the search box, researchers expect relevant results. The lawyer would also expect the results to be somewhat similar no matter which legal database a lawyer uses. After all, the algorithms are all trying to solve the same problem: translating a specific query into relevant results. The reality is much different. In a comparison of six legal databases - Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel and Westlaw - when researchers entered the identical search in the same jurisdictional database of reported cases, there was hardly any overlap in the top 10 cases returned in the results. Only 7 percent of the cases were in all six databases, and 40 percent of the cases each database returned in the results set were unique to that database. It turns out that when you give six groups of humans the same problem to solve, the results are a testament to the variability of human problem-solving. If your starting point for research is a keyword search, the divergent results in each of these six databases will frame the rest of your research in a very different way. top

Former Google legal heads launch Privacy Compliance Hub (Legal Technology, 20 March 2018) - Two former heads of legal at Google have launched a Privacy Compliance Hub, which is designed to take organisations through their data obligations in a step-by-step fashion in order to keep compliance in the hands of the business, not outside consultants or lawyers. Nigel Jones and Karima Noren - who once upon a time were director of legal EMEA and head of emerging markets respectively, but in the past few years have had a fairly entrepreneurial career path (latterly co-founding legal consultancy The Legal Pod) - created the Privacy Compliance Hub in January to aid the process of data compliance and create a culture of privacy compliance within a business, inevitably using GDPR as a hook. Using a team of 'privacy champions' appointed from within the organisation, a compliance programme is followed using a methodology and privacy plan which are supplied within the hub. This takes the privacy champions through what they need to do in a structured, step-by-step fashion, recording each step of the organisation's compliance journey as they go along. The hub provides straightforward guidance and over 30 template documents, which are linked to key steps of the plan. [ Polley : super expensive; I'm curious if anybody has seen the product.] top

Think cryptocurrency is confusing? Try paying taxes on it (NYT, 21 March 2018) - The room was full of stressed-out cryptocurrency traders. And for once, they weren't nervous about the price of Bitcoin, or the roller coaster swings of the virtual currency markets. No, the subject of this gloomy affair was taxes. Specifically, how - and whether - to pay them. With this year's April 17 tax filing deadline fast approaching, many virtual currency traders are sweating over their tax returns. They're confused by the complicated rules, many of them stemming from guidelines issued by the I.R.S. in 2014, governing the taxation of virtual currencies. They're afraid that the windfall profits created by last year's cryptocurrency boom, which sent currencies like Bitcoin and Ether skyrocketing and created a new class of crypto-millionaires, have left them with huge tax bills. And, of course, they're worried about drawing the eye of the Internal Revenue Service. Taxes have become an increasingly divisive topic among cryptocurrency fans. On Reddit forums devoted to cryptocurrency trading, some users exchange tips for dodging their tax obligations, including a method of hiding their assets by converting them into "privacy coins," such as Monero, which are designed to be opaque and untraceable. They argue about whether the I.R.S. could use the blockchain, the digital ledger that records all Bitcoin transactions, to identify tax evaders in the future. And they ask for tax advice on complex situations, such as fly-by-night cryptocurrency exchanges that vanish suddenly, erasing the records of users' transactions. top

What is ProtonMail, the service used by Cambridge Analytica to cover its tracks? (Mashable, 21 March 2018) - Cambridge Analytica - the data analytics firm that came under fire this weekend for maliciously collecting information on 50 million Facebook users - reportedly used a self-destructing, encrypted email service called ProtonMail to cover its tracks, covering up correspondence between the company and third parties, according to an investigation published Wednesday. The firm set emails to self-delete after two hours and urged clients to use the service as well, per footage captured of former CEO Alexander Nix talking to a journalist posing as a would-be client. "I'd like you to set up a ProtonMail account, please," Nix said, "because these are, now it's getting quite sensitive." "We set our ProtonMail emails with a self-destruct timer," he continued. "So you send them, and after they've been read, two hours later they disappear." So how does ProtonMail work? Just like any normal email service. Go to their website, sign up for an account, and you're in. Their free service has some restrictions, though. You only get 500 MB of storage and can only send 150 messages per day. If you upgrade to the Plus plan (€4.00, or about $4.91, per month), you get 5 GB of storage, 1,000 sent messages per day, and a slew of other perks. * * * All of this sounds a tad bit shady, no? Which brings us to the next question: How does ProtonMail get away with it? The answer is its email servers, which are based in Switzerland. Yes, it's something the company touts loudly on its website. On its homepage, it says, "ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws." ProtonMail purports to be so secure that no one but you can access your email. They even make it explicit that ProtonMail couldn't read your messages if it wanted to. The company says that since all of the data is stored outside the realm of "intrusive" U.S. laws, only encrypted messages could be handed over. * * * [ Polley : see also, Russian court says Telegram must hand over encryption keys to state intelligence service (TechDirt, 21 March 2018); and Kaspersky Lab plans Swiss data center to combat spying allegations - documents (Reuters, 21 March 2018)] top

NOTED PODCASTS/MOOCS

Slow Burn: A Podcast About Watergate (Slate) - You think you know the story, or maybe you don't. But Watergate was stranger, wilder, and more exciting than you can imagine. What did it feel like to live through the scandal that brought down a president? Join Leon Neyfakh for an eight-episode podcast miniseries that tells the story of Watergate as it happened-and asks, if we were living through Watergate, would we know it? [ Polley : 8 episodes (about 3 hours); fantastic. If you lived thru Watergate, this'll take you back to what it was like as the scandal slowly became clear; instructive for our current times.] top

The Accuracy, Fairness, and Limits of Predicting Recidivism (Harvard Berkman video, 6 March 2018; 56 mins) - Algorithms for predicting recidivism are commonly used to assess a criminal defendant's likelihood of committing a crime. Proponents of these systems argue that big data and advanced machine learning make these analyses more accurate and less biased than humans. However, our study shows that the widely used commercial risk assessment software COMPAS is no more accurate or fair than predictions made by people with little or no criminal justice expertise. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Egypt 'to copyright antiquities' (BBC, 25 Dec 2007) - Egypt's MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt's Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. "Commercial use" of ancient monuments like the pyramids or the sphinx would also be controlled, he said. "Even if it is for private use, they must have permission from the Egyptian government," he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. top

Science journal won't publish papers because authors want to put them on Wikipedia (TechDirt, 19 March 2008) - Over the last few months, we've been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we've definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn't allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. top

Saturday, March 03, 2018

MIRLN --- 11 Feb - 3 March 2018 (v21.03)

MIRLN --- 11 Feb - 3 March 2018 (v21.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


NEWS | RESOURCES | LOOKING BACK | NOTES

How the government controls sensitive satellite data (Wired, 8 Feb 2018) - During the Cold War, on the vast, barren flatland around Area 51's dried-up Groom Lake, the military developed a stealth spy plane code-named Project Oxcart. Project personnel were sworn to secrecy, but still, US officials worried that the Soviets would find out what they were up to. With good reason: Up above, USSR satellites were ready to spy with their on-board cameras. While Area 51 employees couldn't stop these satellites from swinging by, they did come up with a low-tech solution: moving the classified planes into sheds when they knew the satellites would pass over. Today, that's not a feasible stealth solution. Earth orbit doesn't just host a few Soviet spysats: More than a thousand working orbiters are out there, hundreds of those equipped with Earth-observing cameras. They are American, European, African, South American, Japanese, Indian, Chinese, Russian. And nothing stops many of them from taking pictures of supersecret areas. But the government has other ways of restricting information. The feds can limit how good commercially available images can be when taken by US companies. And it can issue a directive barring imaging over a given location. The law regulating that imaging, though, was first passed before satellite imaging really existed as an industry. And according to insiders, it's been keeping satellites down - even as thousands more of them are set to launch in the next decade. When the Land Remote Sensing Policy Act passed, the world was a younger, more naïve place. Aladdin was about to come out. George Sr. was president. Oh, and also the satellite-imaging industry was way different. "The biggest way that it was different was that there wasn't really one," says Walter Scott, the founder of DigitalGlobe and CTO of Maxar Technologies, which bought DigitalGlobe last year. The law allowed fully private companies to get a license to take data on Earth from space - and so, when it passed in 1992, Scott did. The law - since added to, amended, and restated - still forms the legal basis for commercial remote sensing. But regulations have also accomplished the opposite, allowing the government to exercise so-called "shutter control": If the government says to close your satellite's eye, you have to do it. The government has never put shutter control into effect - at least not exactly. It's gotten around it, though. After 9/11, the feds didn't legislate the high-resolution Ikonos satellite out of taking or releasing images of Afghanistan. They simply bought exclusive rights to all of its images of the area, the only high-res ones available on the US market, making it functionally impossible for anyone else to use commercial US imagery to surveil the area. Insiders call this "checkbook shutter control." That kind of limitation also happens on a smaller scale. "US government customers have the ability - as, actually, do some of our other customers - to say, 'We would like you to take this image and not make this image available publicly,'" explains Scott. "It's an exclusivity arrangement." Then, there are the things that aren't shutter control but do place cuffs around satellite operators. Take the Kyl-Bingaman Amendment, which bans US companies from releasing their high-resolution images of Israel and the Occupied Territories. In addition, "certain licensees have some area imaging restrictions," says Tahara Dawkins, the director of the NOAA Commercial Remote Sensing Regulatory Affairs Office. "The details are proprietary." [ Polley : fascinating] top

CISOs wary of threat intelligence accuracy, quality: Study (CXO Today, 8 Feb 2018) - In a world where cyber criminals are becoming increasingly stealthy and sophisticated - with new threats on the rise ranging from ransomware to DNS hijacking - it is ineffective and costly for companies to defend themselves against cybersecurity threats alone. According to a new report conducted by Ponemon Institute, the consumption and exchange of threat intelligence has increased significantly since 2015. Yet despite the increase in the exchange and use of threat intelligence, CISOs are not satisfied with the current quality of the data. The report, titled "Exchanging Cyber Threat Intelligence: There Has to Be a Better Way," found that while security professionals are increasingly recognizing the importance of threat intelligence, the majority remain dissatisfied with its accuracy and quality. Meanwhile, because many security teams still execute threat investigations solo rather than pooling intelligence, their ability to quickly act on threats is limited. The report found 67 percent of IT and security professionals spend more than 50 hours per week on threat investigations, instead of efficiently using security resources and sharing threat intelligence. Lack of accuracy and timeliness is among the top complaints about threat intelligence, which in turn hinders its effectiveness and security teams' ability to quickly mitigate threats, the report noted. In fact, only 31 percent of respondents cited threat intelligence as actionable. But exchanging threat intelligence among peers, industry groups, IT vendors and government bodies can result in more holistic, accurate and timely threat intelligence and a stronger security posture. Two-thirds of respondents (66 percent) reported that threat intelligence could have prevented or minimized the consequences of a data breach or cyber attack, indicating that more infosecurity professionals are realizing the importance of threat intelligence. The vast majority of respondents are focused on threat sharing, with 84 percent of organizations fully or partially participating in an initiative or program for exchanging threat intelligence with peers and/or industry groups. But most of these organizations are only participating in peer-to-peer exchange of threat intelligence (65 percent) instead of a more formal approach such as a threat intelligence exchange service or consortium, which contributes to the dissatisfaction with the quality of the threat intelligence obtained. Other key findings from the survey include: Most respondents believe threat intelligence improves situational awareness, with an increase from 54 percent of respondents in 2014 to 61 percent of respondents in this year's study. Sixty-six percent of respondents say shared information is not timely, and 41 percent say it is too complicated. Potential liability and lack of trust in intelligence providers prevent some organizations from fully participating in threat intelligence exchange programs, with 58 percent and 60 percent respectively citing these concerns. Twenty-four percent of organizations would rather exchange threat intelligence via a threat intelligence exchange service and 21 percent via a trusted intermediary, with only four percent preferring to share intelligence directly with other organizations - indicating a need for an exchange platform that enables such sharing because it is trusted and neutral. While the value of threat intelligence declines within minutes, only 24 percent of respondents say they receive threat intelligence in real time (nine percent) or hourly (15 percent). Seventy-three percent of respondents say they use threat indicators, and the most valuable types of information are indicators of malicious IP addresses and malicious URLs. top

New Orleans eyes bars and restaurants as new focus of surveillance (Citylab, 9 Feb 2018) - New Orleans Police Superintendent Michael Harrison has a message for New Orleans bar-goers: Be good - you're being watched. The city council is considering an unprecedented proposal to require any business with a liquor license to install video cameras that feed into a real-time surveillance "command center" monitored 24/7 by law enforcement. "We want to be able to send a message that if you're in public spaces, we're going to be able to catch you if you commit a crime," Harrison told CityLab. "We have to have the ability to demonstrate to would-be criminals, to would-be terrorists, if you will, that in public spaces we're going to find them and know who you are." To that end, New Orleans is pioneering what appears to be the most expansive surveillance of bars and restaurants in the country. As currently written, the ordinance requires proprietors to purchase and install street-facing cameras that connect to the city's command center and store the footage for at least two weeks. Businesses found violating any conditions of the liquor license could be required to install the cameras inside as well. In a survey of other municipal laws, MaCCNO found that no other cities in the U.S. require all businesses with a liquor license to participate in a real-time surveillance network. Still, this unique proposal follows a broader trend of cities increasingly expanding the geographic scope of local video surveillance in the name of public safety. Cities from New York to Fresno have developed software that merges city camera networks with predictive policing software to try to ascertain the likelihood individuals will commit a crime. New Orleans plans to eventually expand the monitoring center to "include an intelligent threat analytics platform that looks for specific kinds of threats and integrates remote-sensing technology," according to the mayor's public safety plan. top

ABA House of Delegates approves novel virtual currency draft legislation (ABA Journal, 9 Feb 2018) - The American Bar Association's House of Delegates approved a draft uniform law regarding virtual currency businesses for states to adopt. Drafted by the National Conference of Commissioners on Uniform State Laws, the Uniform Regulation of Virtual-Currency Business Act is draft legislation intended to create a statutory structure for regulating "virtual currency business activity," according to the act's prefatory note. The vote took place during the ABA Midyear Meeting in Vancouver, British Columbia. Many involved with cryptocurrency "are not enamored much in the way of regulation," according to Fred Miller, the chair of the committee that drafted the legislation. He says, however, that there was near unanimity from advocates, business people and lawyers regarding the need for this type of legislation. Miller notes that the bill does not regulate the underlying technology of virtual currency, called blockchain, often described as a distributed ledger. Instead, the draft law focuses on licensing businesses associated with virtual currencies, like money transmitters and money services. In that regard, the draft law is similar to the Uniform Money Services Act, which deals with traditional currency businesses. To date, state governments have had mixed responses to cryptocurrencies and related businesses. While some have taken a hands-off approach, others have created elaborate licensing schemes. In one example, New York created the BitLicense regulatory scheme in 2015. It has received broad criticism for being over the top, according to Miller. As of last month, only three companies had received BitLicenses. Miller says that the criticism of the New York law was one reason the draft legislation did something novel: it created tiered regulation. The system will trigger certain levels of regulation depending on a company's earnings. Entities with under $5,000 of business activity will be exempt from regulatory oversight. Those operating between $5,000 and $35,000 will require a "light license," explains Miller. The full regulatory scheme is triggered once a business breaches the $35,000 threshold. "We wanted to allow some regulation and allow some experimentation and innovation as well," says Miller. To date, the draft legislation has been introduced in Hawaii and Nebraska, according to the Uniform Law Commission's website. top

German court says Facebook's real name policy is illegal (The Verge, 12 Feb 2018) - A German court ruled that Facebook's real name policy is illegal and that users must be allowed to sign up for the service under pseudonyms to comply with a decade-old privacy law. The ruling, made last month but only now being announced, comes from the Berlin Regional Court and was detailed today by the Federation of German Consumer Organizations (abbreviated from German as VZBV), which filed the lawsuit against Facebook. Facebook says it will appeal the ruling, but also that it will make changes to comply with European Union privacy laws coming into effect in June, according to Reuters. "We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law," a Facebook spokesperson said. According to the VZBV, the court found that Facebook's real name policy was "a covert way" of obtaining users' consent to share their names, which are one of many pieces of information the court said Facebook did not properly obtain users' permission for. The court also said that Facebook did not provide a clear choice to users for other default settings, such as to share their location in chats, and it ruled against clauses that allowed Facebook to use information such as profile pictures for "commercial, sponsored, or related content." VZBV notes that it didn't win on all counts, though. Facebook prevailed on a complaint that it was misleading to say the service was free, because as VZBV put it, consumers pay "with their data." Given that the ruling comes from a regional court and that both parties intend to appeal, it's unlikely that some of these decisions are going to be final. But it's still bad news for Facebook - and good news for users - that a consumer advocacy group is finding success as it pushes back against the social network's generous data sharing policies, which are often more a benefit to the company than to people using the service.

97% of cybersecurity leaders are evaluating vendor security, including law firms, says new survey (ABA Journal, 12 Feb 2018) - Released Feb. 8, the report, titled "The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data," explores the role of chief information security officers, the adoption of cloud technology and how businesses are auditing their vendors. While the report did not focus on the legal industry, formal evaluation of legal vendors was touched on. Seventeen percent of respondents said these evaluations were driven by regulatory requirements. Even with this level of scrutiny, only 53 percent said they were confident in the security of their data being managed by third parties, like law firms. Fifty-seven percent of respondents said they were periodically involved in litigation or investigations. And the level of concern regarding sharing data with these companies "depends on the case and litigation, as well as what disclosure of information is required," said an unnamed technology CISO in the report. Looking at cloud storage, the report found that 87 percent of respondents were using third-party cloud providers to "host non-critical information" to save money and streamline business processes. Nearly one-fifth said that moving to the cloud was spurred by using Microsoft Office 365. The 30-person survey, conducted last August by Ari Kaplan Advisors and Ankura, a consultancy, included chief information security officers, chief technology officers and director-level positions related to information security, primarily from the U.S. Sixty-seven percent of respondents were from highly regulated financial- and healthcare-related industries, which skewed results towards stronger levels of awareness of these issues, according to the report.

- and -

Memo to law firms: Raise cybersecurity bar or risk client losses (Bloomberg, 23 Feb 2018) - Law firms may not be the safe repository of client confidences - such as trade secrets and merger plans - that they once were, as hackers recognize firms as prized vaults of proprietary corporate data. "Law firms are ideal targets for hackers because of the sensitive nature and variety of information they collect and store," Dore said. Clients, for their part, view law firm data breaches or lax security as serious business considerations, Lucian T. Pera, legal ethics partner at Adams and Reese LLP in Memphis, Tenn. and former treasurer of the American Bar Association, told Bloomberg Law. "Cybersecurity protections are becoming a serious factor in client decision-making," at law firms, and large firms stand to lose business if they don't take care of cybersecurity, he said. [Polley: Again, see ABA Cybersecurity Handbook (which Lucian Pera helped write). More than a thousand copies have sold in its 3 months. See also the ABA Journal's ongoing 2018 "Digital Dangers" series/resources.]

Tech's ethical 'dark side': Harvard, Stanford and others want to address it (NYT, 12 Feb 2018) - The medical profession has an ethic: First, do no harm. Silicon Valley has an ethos: Build it first and ask for forgiveness later. Now, in the wake of fake news and other troubles at tech companies, universities that helped produce some of Silicon Valley's top technologists are hustling to bring a more medicine-like morality to computer science. This semester, Harvard University and the Massachusetts Institute of Technology are jointly offering a new course on the ethics and regulation of artificial intelligence. The University of Texas at Austin just introduced a course titled "Ethical Foundations of Computer Science" - with the idea of eventually requiring it for all computer science majors. And at Stanford University, the academic heart of the industry, three professors and a research fellow are developing a computer science ethics course for next year. They hope several hundred students will enroll. The idea is to train the next generation of technologists and policymakers to consider the ramifications of innovations - like autonomous weapons or self-driving cars - before those products go on sale. "It's about finding or identifying issues that we know in the next two, three, five, 10 years, the students who graduate from here are going to have to grapple with," said Mehran Sahami, a popular computer science professor at Stanford who is helping to develop the course. He is renowned on campus for bringing Mark Zuckerberg to class. "Technology is not neutral," said Professor Sahami, who formerly worked at Google as a senior research scientist. "The choices that get made in building technology then have social ramifications."

Porsche is 3D printing hard-to-find parts for the 959 and other classics (Jalopnik.com, 13 Feb 2018) - Porsche Classic, Porsche's classic cars division, has turned to 3D printing obscure parts that people might need on occasion. They already have about 52,000 parts available, but for the truly arcane ones, it's cheaper to 3D print them than make the specialized tools to create them over again.

We don't need new laws for faked videos, we already have them (EFF, 13 Feb 2018) - Video editing technology hit a milestone this month. The new tech is being used to make porn. With easy-to-use software, pretty much anyone can seamlessly take the face of one real person (like a celebrity) and splice it onto the body of another (like a porn star), creating videos that lack the consent of multiple parties. People have already picked up the technology, creating and uploading dozens of videos on the Internet that purport to involve famous Hollywood actresses in pornography films that they had no part in whatsoever. While many specific uses of the technology (like specific uses of any technology) may be illegal or create liability, there is nothing inherently illegal about the technology itself. And existing legal restrictions should be enough to set right any injuries caused by malicious uses. * * * [Polley: Useful article, as usual.]

- and -

Deep Fakes: A looming crisis for national security, democracy and privacy? (Bobby Chesney on Lawfare, 21 Feb 2018) - "We are truly fucked." That was Motherboard's spot-on reaction to deep fake sex videos (realistic-looking videos that swap a person's face into sex scenes actually involving other people). And that sleazy application is just the tip of the iceberg. As Julian Sanchez tweeted, "The prospect of any Internet rando being able to swap anyone's face into porn is incredibly creepy. But my first thought is that we have not even scratched the surface of how bad 'fake news' is going to get." Indeed. Recent events amply demonstrate that false claims - even preposterous ones - can be peddled with unprecedented success today thanks to a combination of social media ubiquity and virality, cognitive biases, filter bubbles, and group polarization. The resulting harms are significant for individuals, businesses, and democracy. Belated recognition of the problem has spurred a variety of efforts to address this most recent illustration of truth decay, and at first blush there seems to be reason for optimism. Alas, the problem may soon take a significant turn for the worse thanks to deep fakes. Get used to hearing that phrase. It refers to digital manipulation of sound, images, or video to impersonate someone or make it appear that a person did something - and to do so in a manner that is increasingly realistic, to the point that the unaided observer cannot detect the fake. Think of it as a destructive variation of the Turing test: imitation designed to mislead and deceive rather than to emulate and iterate. * * * [see also The danger of deep fakes: responding to Bobby Chesney and Danielle Citron (Stanford's Herb Lin on Lawfare, 27 Feb 2013)]

Iterating on Code.mil (Defense Digital Service, 13 Feb 2018) - In February 2017, the Defense Digital Service (DDS) decided it was time to take a more involved approach within the Department of Defense in the government-wide movement to open source code. This was spurred by the release of the new Federal Source Code Policy by the Office of Management and Budget in August 2016 and Code.gov in November 2016. We spent a lot of time talking with people in the DoD, across the federal government, and leaders in the Free / Open Source Software (F/OSS) community. Thus we formed a new project called Code.mil and created a repository providing guidance on how to open source code at the DoD. It's been a long time coming, but that guidance - and its organization and presentation - has received a well-needed refresh with today's (re)launch of Code.mil, an experiment in open source at the Department of Defense. Our guidance has been reorganized into an easy to digest website and we're investing in further improvements. The DoD faces many challenges in open sourcing code. Unlike most software projects, code written by U.S. Federal government employees typically does not have copyright protections under U.S. and some international laws. Oftentimes this makes people think that our code can't use an OSS license, but this is far from true! It does, however, require a little more effort to define our intent. The complexity of national security policy adds another point of difficulty when individual program offices look to open source their work. Even with approval to release code publicly, government employees can be hindered by lack of access to modern source control and developer operations processes. Those barriers are precisely what DDS is good at tackling. The guidance we're providing at Code.mil will help many projects across the Department by giving developers and product owners a template to start from and the necessary background information to share with people in their organization who may not be familiar with open source software. The site also highlights the policy and laws that affect custom-developed code written by U.S. government employees - or contractors working with us - so that people are informed about the requirements placed on them. * * *

Project revives old software, preserves 'born-digital' data (Yale News, 13 Feb 2018) - Digital preservationists at Yale University Library are building a shareable "emulation as a service" infrastructure to resurrect thousands of obsolete software programs and ensure that the information produced on them will be kept intact and made easily available for future access, study, and use. Funded through a pair of $1 million grants from The Andrew W. Mellon Foundation and the Alfred P. Sloan Foundation, the project will enable access to at least 3,000 applications, including operating systems, scientific software, office and email applications, design and engineering software, and software for creative pursuits like video editing or music composition. "Material across subjects and fields increasingly is created only in digital form, making it vital for research libraries to develop ways to preserve digital information and make it readily accessible to the public," said Susan Gibbons, university librarian and deputy provost for collections and scholarly communication. "Thanks to the generous support and foresight of the Sloan and Mellon Foundations, Yale University Library is helping both to establish best practices in this emerging and critically important field and to ensure that future generations of students and scholars can examine a word-processing file or electronic spreadsheet as easily as they study a book or manuscript." The project will establish a shareable infrastructure that provides on-demand access to old software, recreating the original software environment on a current-day device, said Euan Cochrane, the library's digital preservation manager and the project's principal investigator.

CDT launching effort to improve trust in VPNs (CDT, 14 Feb 2018) - As more internet users strive to take more control of their online privacy, Virtual Private Networks or VPNs have surged in popularity. VPNs work by creating an encrypted tunnel between a browser or device and the VPN provider's network, protecting traffic as it passes through potentially hostile local networks. They assist in obscuring oneself from ISPs and shielding personal information flowing through non-secure public WiFi found in airports, coffee shops, conferences, and hotels. Advocates, including CDT, and regulators routinely advise individuals to consider using a VPN if they are particularly concerned about protecting their online privacy. But the basic security, privacy, and usability of VPNs vary widely, and it can be extremely difficult for users to assess the reliability of any given VPN provider's privacy and security practices, as evidenced by CDT's complaint last summer against AnchorFree's Hotspot Shield VPN. While there have been several well-meaning efforts to develop best practices for VPNs, it remains difficult for privacy advocates and technical experts to recommend a specific commercial VPN service. It is also hard for responsible VPN providers to differentiate themselves on their privacy and security bona fides in the marketplace. To address these challenges, CDT will bring together VPN providers, privacy and consumer advocates, technical experts, and other stakeholders focused on internet infrastructure to create best practices and an enforceable code of conduct for protecting user data with VPNs. CDT believes any successful guidance on privacy and security in VPNs will address the following five issues: * * * [Polley: This is great; all VPNs are not created equal; CDT is a credible entity to shine some light on this. See also In the market for a VPN app? (FTC, 22 Feb 2018)]

Salon to use readers' computers to mine cryptocurrency (The Hill, 13 Feb 2018) - Media company Salon.com is asking readers to allow them to use their computers to mine cryptocurrencies as a new source of revenue. The left-leaning company launched the test program on Monday and is targeting readers who use ad blockers, which it blames for declining revenues, the Financial Times reports. Readers who suppress ads with a blocker now see a pop-up that asks them if they will give Salon access to their computers' unused processing power to mine digital currencies. The pop-up is powered by Coinhive, which allows companies to run a program on users' web browsers to mine the cryptocurrency Monero, known for its privacy features and popularity on the black market. [Polley: I use ad-blockers for security purposes, and there's no chance that I'd let somebody borrow computer cycles from me either. Forbes and Salon have thus lost me as a reader; Talking Points Memo left enough outside the paywall to keep me engaged, and I've just signed up for their "prime" service ($50/year).]

How Russian bots spread fear at university in the US (InsideHigherEd, 15 Feb 2018) - Numerous reports in the last year have documented how Russian bots manipulated social media during the 2016 presidential campaign. A new journal article in Strategic Studies Quarterly reveals that the Russian bots had another target in the fall of 2015: students at the University of Missouri at Columbia. The bots created false impressions about some threats against black students and faculty members at the university, which resulted in some campus leaders calling for people to stay home and many students to say that they were terrified. The false reports also contributed to a negative image of the university -- particularly with regard to its support for minority students -- that the university continues to fight. Complicating the situation is that racial tensions were quite real at Mizzou that fall, and real threats did exist. But the article documents how the false reports contributed to considerable fear on campus. In fact, the Russian bots avoided detection in part because the hashtag #PrayforMizzou was used by real people who were at the university or were concerned about it, as well as by those forwarding the bot-created tweets. * * * The author of the journal article is Lieutenant Colonel Jarred Prier of the United States Air Force. Prier writes that there was plenty of evidence -- for those looking -- that the tweets that spread were false. He cites the tweeting and retweeting patterns, consistent with other Russian bot efforts. "The plot was smoothly executed and evaded the algorithms Twitter designed to catch bot tweeting, mainly because the Mizzou hashtag was being used outside of that attack," he writes. "The narrative was set as the trend was hijacked, and the hoax was underway."

New York's cybersecurity requirements for financial services companies: Certification of compliance due (Ride The Lightning, 21 Feb 2018) - Lexology reported last week that the first certification of compliance was due under a new law in New York. The New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation was due February 15, 2018. The regulation requires "covered entities" - meaning any person or non-governmental entity operating under or required to operate under authorization under the Banking Law, Insurance Law, or Financial Services Law - to maintain a strong cybersecurity program that includes monitoring, testing, and training, as well as written cybersecurity policies that include periodic risk assessments. The regulation also requires covered entities to designate a qualified "Chief Information Security Officer" and requires that the entity establish a written incident response plan to promptly respond to and recover from a cybersecurity incident. The regulation requires a covered entity to provide notice of a breach or cybersecurity event to the superintendent within 72 hours of determination that a cyber event has occurred and empowers the superintendent to enforce the provisions of the regulation. [see also New York cybersecurity deadline highlights importance of a comprehensive insurance coverage for cyber risks (Hunton, 15 Feb 2018)]

Facebook inks music licensing deal with ICE covering 160 territories, 290K rightsholders on FB, Insta, Oculus and Messenger (TechCrunch, 21 Feb 2018) - Facebook today took its latest step towards making good on paying out royalties to music rightsholders around tracks that are used across its multiple platforms and networks. The company has signed a deal with ICE Services - a licensing group and copyright database of some 31 million works that represents PRS in the UK, STIM in Sweden and GEMA in Germany - to provide music licensing and royalty collection for works and artists represented by the group, when their music is used on Facebook, Instagram, Oculus and Messenger. WhatsApp is not included because "We understand that WhatsApp is currently used as a pure communication tool akin to private email / messaging," a spokesperson for ICE told TechCrunch. "This will be kept under review." The deal is significant because, as ICE describes it, it's the first multi-territorial license Facebook has signed with an online licensing hub: it will cover 160 territories and 290,000 rightsholders. So what will this be used for? Facebook has moved into a lot of different services over the years, but a streaming music operation to compete with the likes of (soon-to-be public) Spotify, Pandora and Apple Music has not been one of them. However, in recent times it has been laying the groundwork to do more in music. And specifically, it has been signing deals with record labels and others to make sure that the music that is used in videos and other items posted to its sites is legit and paid for to avoid lawsuits, takedown requests, and - yes - potentially the creation of new music-based services down the road, as it starts to tap into the opportunities that music affords it.

Tech-savvy attorneys in heavy demand amid emerging tech (Bloomberg, 22 Feb 2018) - Memo to lawyers: free your inner computer nerd if you want to represent today's clients. Take Patrick Berarducci, a lawyer whose resume also includes a background in computer science and software engineering. He was quickly snatched up by the blockchain company ConsenSys to make sure the developing technology complies with existing laws and regulations. "There's a real shortage" of lawyers like him, John Wolpert, ConsenSys' product executive, told Bloomberg Law. "We need a lot more code-y lawyers, as I say." Emerging and fast-evolving technologies, such as blockchain, artificial intelligence and cybersecurity, have law firms scrambling for legal talent that understands technology. Law firms are scouring for attorneys with expertise in computer science or cryptography to advise corporate and government clients implementing technology and navigate nascent case law in these areas, executives and attorneys told Bloomberg Law. Law firms trailing in tech know-how risk losing business from all sectors of the economy, attorneys told Bloomberg Law. More states, in their attorney competence standards, are telling firms to boost their lawyers' tech expertise, or run the risk of possible sanctions or penalties. * * * [Polley: look for fluent lawyers - conversant in the technology, international issues, business, and the law. As a Venn-diagram, you want to engage with those in the center.]

Court destroys future public art installations by holding building owner liable for destroying this one (TechDirt, 22 Feb 2018) - Last week was a big week for dramatically bad copyright rulings from the New York federal courts: the one finding people liable for infringement if they embed others' content in their own webpages, and this one about 5Pointz, where a court has found a building owner liable for substantial monetary damages for having painted his own building. While many have hailed this decision, including those who have mistakenly viewed it as a win for artists, this post explains why it is actually bad for everyone. The facts in this case are basically this: the owner of a run-down, formerly industrial building in a run-down neighborhood aspired to do something to redevelop his property, but it would be a few years before the time would be right. So in the meantime he let some graffiti artists use the building for their aerosol paintings. The building became known as 5Pointz, and the artwork on it soon began to attract attention. The neighborhood also began to change, and with the improvement the prospects for redeveloping the property into residences became more promising. From the outset everyone knew that redevelopment would happen eventually, and that it would put an end to the arrangement since the redevelopment would likely necessitate tearing down the building, and with it the art on the walls. As the date of demolition grew closer, the artists considered buying the building from the owner in order to prevent it from being torn down and thus preserve the art. However the owner had received a variance that suddenly made the value of the property skyrocket from $40 million to $200 million, which made the buyout impossible. So the artists instead sued to halt the destruction of their art and asked for a preliminary injunction, which would ensure that nothing happened to the art while the case was litigated. But in late 2013 the court denied the preliminary injunction, and so a few days later the building owner went ahead and painted over the walls. The painting-over didn't end the litigation, which then became focused on whether this painting-over broke the law. In 2017 the court issued a ruling allowing the case to proceed to trial on this question. Then last week came the results of that trial, with the court finding this painting-over a "willfully" "infringing" act and assessing a $6.7 million damages award against the owner for it. It may be tempting to cheer the news that an apparently wealthy man has been ordered to pay $6.7 million to poorer artists for damaging their art. True -- the building owner, with his valuable property, seems to be someone who potentially could afford to share some of that wealth with artists who are presumably of lesser means. But we can't assume that a defendant building owner, who wants to be able to do with his property what he is normally legally allowed to do, will always be the one with all the money, and the plaintiff artist will always be the one without those resources. The law applies to all cases, no matter which party is richer, and the judicial reasoning at play in this case could just as easily apply if Banksy happened to paint the side of your house and you no longer wanted what he had painted to remain there. Per this decision, removing it could turn into an expensive proposition. The decision presents several interrelated reasons for concern. * * *

SEC expands guidance on cybersecurity disclosure obligations (Wiley Rein, 22 Feb 2018) - On February 21, 2018, the Securities and Exchange Commission (SEC) announced much-anticipated guidance which updates previous guidance on disclosing cybersecurity risk. The Commission stated it was "reinforcing and expanding upon the staff's 2011 guidance," while continuing to consider other means of promoting appropriate disclosure of cyber incidents. One takeaway from this guidance is that some uncertainty will remain as to what is material. That said, the SEC is sending clear signals. Companies must pay more attention to the quality and nature of their disclosures and Board management is top of mind at the Commission. Companies should double down on efforts to ensure they have solid policies and procedures, and consider SEC risk when handling a cyber incident. This update comes against the backdrop of other executive branch activity on market transparency and disclosure in response to President Trump's 2017 Executive Order, as well as statements by senior government officials signaling increasing expectations about private sector efforts on cybersecurity. The government is also looking at measurement and metrics for cyber risk management, in other venues.

A new, democratic tool for mapping city streets (The Atlantic, 23 Feb 2018) - Let's say you're throwing a block party. You and your neighbor both draw your own maps of where the street will be closed, and how to get there. How would you do it? Just label some points on a line, or draw all the intersections? Do you indicate nearby parking spots? Does your map look exactly like your neighbor's? Would partygoers looking at both get confused? Now take that concept to the city level, where mismatched maps can have truly high stakes. Using giant GIS databases, cities from Boston to San Diego maintain master street maps to guide their transportation and safety decisions. But there's no standard format for that data. Where are the intersections? How long are the curbs? Where's the median? It varies from city to city, and map to map. That's a problem as more private transportation services flood the roads. If a city needs to communicate street closures or parking regulations to Uber drivers, or Google Maps users, or new dockless bike-sharing services - which all use proprietary digital maps of their own - any confusion could mean the difference between smooth traffic and carpocalypse. And, perhaps more importantly, it goes the other way too: Cities struggle to obtain and translate the trip data they get from private companies (if they can get their hands on it, which isn't always the case) when their map formats don't match up. A team of street-design and transportation-data experts believes it has a solution. On Thursday, the National Association of City Transportation Officials and the nonprofit Open Transport Partnership launched a new open data standard and digital platform for mapping and sharing city streets. It might sound wonky, but the implications are big: SharedStreets brings public agencies, private companies, and civic hackers onto the same page, with the collective goal of creating safer, more efficient, and democratic transportation networks.

How a fight over Star Wars download codes could reshape copyright law (ArsTechnica, 23 Feb 2018) - A federal judge in California has rejected Disney's effort to stop Redbox from reselling download codes of popular Disney titles like Frozen, Beauty and the Beast, and the latest Star Wars movies. Judge Dean Pregerson's Tuesday ruling invoked the little-used doctrine of copyright misuse, which holds that a copyright holder loses the right to enforce a copyright if the copyright is being abused. Pregerson faulted Disney for tying digital download codes to physical ownership of discs, a practice that he argued ran afoul of copyright's first sale doctrine, which guarantees customers the right to resell used DVDs. If the ruling were upheld on appeal, it would have sweeping implications. It could potentially force Hollywood studios to stop bundling digital download codes with physical DVDs and force video game companies to rethink their own practices. But James Grimmelmann, a copyright scholar at Cornell Law School, is skeptical that the ruling will survive an inevitable appeal from Disney. When you buy a Disney DVD or Blu-ray disc, it will often come bundled with a special code that can be used at one of two Disney-sponsored websites, RedeemDigitalMovies and Disney Movies Anywhere (recently superseded by the multi-studio Movies Anywhere), to obtain a digital copy that can be viewed on PCs and mobile devices. Disney didn't view the DVD and the download code as two separate products. Instead, Disney views them as a customer convenience - a way to allow a single customer to watch the one movie they've purchased on a wide range of devices. But Redbox had a different interpretation. Redbox is in the business of buying DVDs and renting them out to customers. And it saw an opportunity to make some extra money from Disney's download codes. The company started buying DVD-plus-download-code bundles at ordinary retail locations and breaking the bundles apart. Redbox rented out the DVDs and Blu-Ray discs as it always has. But it also began selling the download codes to customers, allowing them to gain a digital copy of a movie for a fraction of the cost of purchasing a digital download directly from Disney. Disney sued, arguing that Redbox was violating the licensing terms that came with the bundle. The Disney DVDs came bundled with a notice that says "codes are not for sale or transfer." Disney argued that Redbox had to accept this condition in order to open the package and gain access to the download code. [Polley: I've got a lot of respect for Grimmelmann, and this is a weird case.]

2nd Circuit contributes to fair use week with an odd and problematic ruling on TVEyes (TechDirt, 2 March 2018) - For years, we've quoted a copyright lawyer/law professor who once noted that the standards for fair use are an almost total crapshoot: nearly any case can have almost any result, depending on the judge (and sometimes jury) in the case. Even though there are "four factors" that must be evaluated, judges will often bend over backwards to twist those four factors to get to their desired result. Some might argue that this is a good thing in giving judges discretion in coming up with the "right" solution. But, it also means that there's little real "guidance" on fair use for people who wish to make use of it. And that's a huge problem, as it discourages and suppresses many innovations that might otherwise be quite useful. Case in point: earlier this week the 2nd Circuit rejected a lower court decision in the Fox News v. TVEyes case. If you don't recall, TVEyes provides a useful media monitoring service that records basically all TV and radio, and makes the collections searchable and accessible. It's a useful tool for other media companies (which want to use clips), for large PR firms tracking mentions, and for a variety of other uses as well. The initial ruling was a big win for fair use (even when done for profit) and against Fox News' assertion of the obsolete doctrine of "Hot News" misappropriation. That was good. However, that initial ruling only covered some aspects of TVEyes' operations -- mainly the searching and indexing. A second ruling was more of a mixed bag, saying that archiving the content was fair use, but allowing downloading the content and "date and time search" (as opposed to content search) was not fair use. Some of this was appealed up to the 2nd Circuit -- specifically that second ruling saying parts of the service were not fair use. Thankfully, Fox didn't even bother appealing the "hot news" ruling or the "fair use on index search" ruling. As you'd expect, the court runs through a four factors test, and as noted above, the analysis is... weird. Once again, it seems clear that the court decided Fox should win and then bent its four factors analysis to make that happen. The court separates out TVEyes operations into two things: "Search" and "Watch." Whereas the lower court separated out "Watch" into various components, here the court decides that the entire "Watch" part is not fair use, and thus there's no need to examine the components (the "Search" part remains covered by fair use -- which, again, Fox did not challenge). * * *

RESOURCES

Self-Destruct Apps: Spoliation by Design? (Agnieszka McPeak, U Toledo, 19 Feb 2018) - Abstract: The Federal Rules of Civil Procedure are at risk of being out of sync with current technology trends. Privacy policy in the US and Europe encourages "privacy by design," the idea that privacy-enhancing features should be built into the very design of new technology. Self-destruct apps, like Snapchat, Confide, and Vaporstream, embody privacy by design by offering ephemeral communication tools that mimic live conversation and avoid permanent records. At the same time, the Federal Rules of Civil Procedure contemplate broad access to relevant information, including electronically stored information, and impose potentially serious consequences in litigation when relevant information is not preserved. This essay analyzes the impact self-destruct apps, like Snapchat, will have on civil discovery and explores the tension between privacy policy and preservation duties. It cautions against characterizing self-destruct apps as spoliation by design: onerous or overly expansive preservation duties for self-destructing content are not warranted or desirable. In some contexts, ephemeral messaging may be more akin to live conversation than email, and the Federal Rules need not assume spoliation by their mere use by individuals and businesses.

A Call To Cyberarms: The International Arbitrator's Duty To Avoid Digital Intrusion (Fordham Int'l Law Journal, 2017) - International commercial arbitration rests on certain fundamental attributes that cut across the different rule sets and cultural and legal systems in which it operates. There is common ground that any international commercial arbitration regime must encompass integrity and fairness, uphold the legitimate expectations of commercial parties, and respect essential elements of due process such as equal treatment of the parties, a fair opportunity for each party to present its case and neutral adjudicatory proceedings, untainted by illegal conduct. The system and its integrity depend substantially on the role of the arbitrator. As Professor Rogers has stated: [T]he authoritative nature of adjudicatory outcomes, as well as their existence within a larger system, imposes on adjudicators an obligation to preserve the integrity and legitimacy of the adjudicatory system in which they operate. Cyberbreaches of the arbitral process, including intrusion into arbitration-related data and transmissions, pose a direct and serious threat to the integrity and legitimacy of the process. This article posits that the arbitrator, as the presiding actor, has an important, front-line duty to avoid intrusion into the process. The focus here on cyberintrusion into the arbitral process does not imply that international arbitration is uniquely vulnerable to data breaches, but only that international arbitration proceedings are not immune to increasingly pervasive cyberattacks against corporations, law firms, government agencies and officials and other custodians of large electronic data sets of sensitive information. Similarly, our focus on the role and responsibilities of the arbitrator should not obscure that cybersecurity is a shared responsibility and that other actors have independent obligations. Arbitrators are not uniquely vulnerable to data breaches and are not guarantors of cybersecurity. In the highly interdependent landscape of international commercial arbitration, data associated with any arbitration matter will only be as secure as the weakest link. Since data security ultimately depends on the responsible conduct and vigilance of individuals, any individual actor can be that weak link, whatever their practice setting, whatever the infrastructure they rely upon, and whatever role they play in an arbitration. * * * [Polley: Spotted by MIRLN reader Phil Ray @philray66.]

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Egypt 'to copyright antiquities' (BBC, 25 Dec 2007) - Egypt's MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt's Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. "Commercial use" of ancient monuments like the pyramids or the sphinx would also be controlled, he said. "Even if it is for private use, they must have permission from the Egyptian government," he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas.

Laura Berg's letter (New York Times Editorial, 27 April 2008) - The PEN American Center, the literary organization committed to free expression, is honoring an American most people in this country have never read or even heard of: Laura Berg. She is a psychiatric nurse at a Veterans Affairs hospital who was threatened with a sedition investigation after she wrote a letter to the editor denouncing the Bush administration's bungling of Hurricane Katrina and the Iraq war. That's right, sedition: inciting rebellion against the government. We suppose nothing should surprise us in these days of government zealotry. But the horror and the shame of that witch hunt should shock everyone. Ms. Berg identified herself as a V.A. nurse when, soon after Katrina's horrors, she sent her impassioned letter to The Alibi, a paper in Albuquerque. "I am furious with the tragically misplaced priorities and criminal negligence of this government," she wrote. "We need to wake up and get real here, and act forcefully to remove a government administration playing games of smoke and mirrors and vicious deceit." Her superiors at the hospital soon alerted the Federal Bureau of Investigation and impounded her office computer, where she keeps the case files of war-scarred veterans she treats. Then she received an official warning in which a Veterans Affairs investigator intoned that her letter "potentially represents sedition." It took civil rights litigators and Senator Jeff Bingaman of New Mexico to "act forcefully" in reminding the government of the Constitution and her right to free speech. The Department of Veterans Affairs retreated then finally apologized to the shaken Ms. Berg. Even then, she noted, one superior told her it was preferred that she not identify herself as a V.A. nurse in any future letter writing. "And so I am saying I am a V.A. nurse," Ms. Berg soon boomed out in a radio broadcast. "And some of my fire in writing this about Katrina and Iraq is from my experience as a V.A. nurse." Thus declared Ms. Berg, well chosen to receive the new PEN/Katherine Anne Porter First Amendment Award.