Saturday, July 28, 2018

MIRLN --- 8-28 July 2018 (v21.10)

MIRLN --- 8-28 July 2018 (v21.10) --- by Vince Polley and KnowConnect PLLC



ANNOUNCEMENTS

ABA attendees at the Chicago annual meeting next week may want to attend a showcase program (August 4, 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others: "Cybersecurity Wake-up Call: The Business You Save May Be Your Own." Info here. See you there!

NEWS

In world first, Danish court rules stream-ripping site illegal (Torrent Freak, 10 July 2018) - While millions of users still obtain pirate music from peer-to-peer platforms such as BitTorrent, in recent years a new challenge has appeared on the horizon. Sites like YouTube, which offer millions of copies of almost every song imaginable, are now an unwitting player in the piracy ecosystem. Every day, countless people use special tools to extract music from video tracks before storing them on their local machines. This so-called 'stream-ripping' phenomenon is now cited as being one of the greatest piracy threats to the record labels but thus far, no single action has been able to stem the tide. Over in Denmark, however, there has been a breakthrough of sorts following action by local anti-piracy outfit RightsAlliance taken on behalf of IFPI, collecting society KODA, the Danish Artist Union, and the Danish Musicians Association. The action targeted Convert2MP3, a site that allows users to download audio and video from platforms including YouTube. The recording industry groups wanted the stream-ripping platform blocked by Internet service providers in Denmark but first, they needed it to be declared illegal in the country. That decision came last week from a court in Frederiksberg. * * *

US government drops prohibition on files for 3D printed arms (Volokh Conspiracy, 10 July 2018) - Last week the U.S. Department of Defense and U.S. Department of State settled a lawsuit and agreed to end their prior restraint of distribution of computer files for the production of 3D printed firearms. The "International Traffic in Arms Regulations (ITAR)" are a collection of regulations covering the export of military weapons from the United States. The regulations are based on the 1976 Arms Export Control Act. The ITAR export controls apply to all arms on the U.S. Munitions List ["USML"], which is created by the State Department. An ITAR export permit costs at least $2,250 annually. Starting in 2012, the Department of Defense issued regulations asserting that many U.S. gunsmiths are required to obtain ITAR export permits even if they never export anything. Details are available on the website of Prince Law Offices, P.C., which specializes in firearms commerce regulation. Under the Obama administration, the U.S. Munitions List grew to include many ordinary firearms, as well as the computer files for 3D printing of ordinary firearms. In 2015, a lawsuit against the ban on distributing 3D printing files within the U.S. was brought by the Second Amendment Foundation (a civil rights litigation organization) and by Defense Distributed (a producer of 3D printing files). Plaintiffs' attorneys included Alan Gura (winner of the Heller and McDonald cases) and Josh Blackman (law professor at South Texas College of Law). There were many arguments in the case, but the principal one was that the ban constituted a prior restraint of speech, contrary to the First Amendment. The plaintiffs sought a preliminary injunction against the restraint on speech. The U.S. government prevailed in the District Court, and before a Fifth Circuit panel. A petition for rehearing en banc was rejected by a 9-5 vote. 
Fifth Circuit Judges voting to grant the petition were Jones, Smith, Clement, Owen, and Elrod. Voting against the petition were Stewart, Jolly, Dennis, Prado, Southwick, Haynes, Graves, Higginson, and Costa. In January 2018, the U.S. Supreme Court denied the petition for certiorari. The preliminary injunction having been utterly defeated, the next stage for the case was factual development in district court. In the view of attorney Alan Gura, the main reason for the loss on the preliminary injunction was reluctance to upset the status quo, rather than an expectation that the government could prevail on the merits of the First Amendment issue. Documents in the case are available here. In May 2018, the Trump administration proposed revising the ITAR regulations. The move for regulatory reform actually began under the Obama administration, but the proposed reforms were never published. Now they have been. Export controls for many ordinary firearms and accessories will be removed from the ITAR list. Exports of such items will instead be controlled by the Department of Commerce. Among the items remaining under the ITAR system are automatic firearms, firearms of greater than .50 caliber, magazines with more than 50 rounds, and sound moderators (a/k/a "silencers"). Non-automatic firearms of .50 caliber or less will no longer be covered under ITAR; among the firearms no longer under ITAR is the semiautomatic AR-15 rifle, the most common rifle in American history. Its typical calibers are .223 and .308--well under the new .50+ caliber rule. Accordingly, the government defendants revisited the Defense Distributed case. If a particular arm (e.g., the AR-15) is no longer part of ITAR, then it would be illogical for ITAR to be applied to instructions for making the arm. Under today's settlement agreement, plaintiffs and others may freely publish 3D printing instructions for firearms that are not covered under ITAR. 
Restrictions on distribution of 3D printing information for items that are still under ITAR, such as machine guns or rifles over .50 caliber, remain in place. [Polley: I.e., this is NOT a 1st Amendment case.]

SEC probes why Facebook didn't warn sooner on privacy lapse (WSJ, 12 July 2018) - Securities regulators are investigating whether Facebook Inc. adequately warned investors that developers and other third parties may have obtained users' data without their permission or in violation of Facebook policies, people familiar with the matter said. The Securities and Exchange Commission's probe of the social-media company, first reported in early July, follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump's 2016 campaign, got access to information on millions of Facebook users. The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica's use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added. The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook.

Top voting machine vendor admits it installed remote-access software on systems sold to states (Motherboard, 17 July 2018) - The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them. The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said. ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company's machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. It's not clear why ES&S would have only installed the software on the systems of "a small number of customers" and not all customers, unless other customers objected or had state laws preventing this.

Businesses cannot contractually ban "abusive" consumer reviews (Eric Goldman, 17 July 2018) - An article recently posted to SSRN argues that the Consumer Review Fairness Act (CRFA) purportedly lets businesses contractually ban "abusive" reviews. If this is correct, it could affect millions of businesses and hundreds of millions of consumers. However, the article's argument is clearly wrong, and this error exposes millions of businesses to potentially severe liability. This post explains why and how. Note: unavoidably, this blog post counterproductively draws greater attention to a bad argument. Because of the stakes, I concluded a public correction was, on balance, necessary. However, to reinforce my view that the article doesn't merit your independent review, I've deliberately not identified the article's author or title or linked to it (is there a blogging equivalent of subtweeting?). I recommend reading the article as "enthusiastically" as I "recommend" watching The Emoji Movie.

Ponemon Institute: Average cost of a data breach exceeds $3.8 million (Ride the Lightning, 19 July 2018) - The 2018 Cost of a Data Breach Study is available for download from IBM here. The study was done by the Ponemon Institute and IBM. This year's study reports that the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% over the previous year to $148. IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation. As reported by VentureBeat, the study found that hidden costs in data breaches - such as lost business, negative impact on reputation and employee time spent on recovery - are difficult and expensive to manage. For example, the study found that a third of the cost of "mega breaches" (over 1 million lost records) was derived from lost business. And that is of course why the C-Suite has nightmares about data breaches. The reputational damages can be extraordinary. In the past five years, the number of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small number of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records. The vast majority of the mega-breaches (10 out of 11) were caused by malicious attacks rather than technical failures or human error. The average time to detect and contain a mega breach was 365 days - almost 100 days longer than a smaller scale breach (266 days).

Cyber security advice issued to law firms in first legal threat report (GCHQ, 19 July 2018) - The NCSC's first legal threat report has been issued to law firms. Law firms have been urged to follow expert cyber security guidance after a report published today (19 July) showed the scale of the threat they face. The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals in 2016-17. In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months. The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain.

US energy regulator wants more disclosure of cyber attacks (Reuters, 19 July 2018) - The Federal Energy Regulatory Commission (FERC), an energy industry regulator, called for the power industry's regulating body, the North American Electric Reliability Corp, to expand rules that require reporting of cyber security incidents to include attempts that might facilitate future efforts to disrupt the grid. FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure. Current NERC rules only mandate reporting of cyber attacks if they compromise or disrupt a "core activity" toward maintaining the reliability of the electric grid, according to a 67-page report issued by FERC. That threshold "may understate the true scope of cyber-related threats" facing the industry, the report said.

Some colleges cautiously embrace Wikipedia (Chronicle of Higher Ed, 19 July 2018) - Anna Davis remembers when people didn't want to talk to her at academic conferences: "I had this woman one time who held her folder up over her head and was like, 'Don't let my department chair see me talking to you guys, but I'm so glad you're here.'" Davis works for Wikipedia, the online encyclopedia that was once considered anathema to the academic mission. She's director of programs for its higher-education-focused nonprofit arm, Wiki Education. Academics have traditionally distrusted Wikipedia, citing the inaccuracies that arise from its communally edited design and lamenting students' tendency to sometimes plagiarize assignments from it. Now, Davis said, higher education and Wikipedia don't seem like such strange bedfellows. At conferences these days, "everyone's like, 'Oh, Wikipedia, of course you guys are here.'" One initiative Davis oversees at Wiki Education aims to forge stronger bonds between Wikipedia and higher education. The Scholars program, which began in 2015, pairs academics at colleges with experienced Wikipedia editors. Institutions provide the editors with access to academic journals, research databases, and digital collections, which the editors use to write and expand Wikipedia articles on topics of mutual interest. A dozen institutions, including Rutgers University, Brown University, and the University of Pittsburgh, are participating. * * * Scholars' skepticism about Wikipedia also stems from its community-authorship model, said Amanda Rust, a digital-humanities librarian at Northeastern University. Not all academics felt that way about Wikipedia in its fledgling days, but a critical mass perceived the online encyclopedia as a threat, Rust said. As Wikipedia has matured, however, that consensus began to shift. And students' widespread use of Wikipedia has forced some cynics to acknowledge its role in higher education. 
"Whether or not you think a crowdsourced encyclopedia can work, that ship has sailed, and students are using it all the time," Rust said.

- and -

Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon (Mashable, 23 July 2018) - There are bad takes, and then there's the take by Forbes contributor Panos Mourdoukoutas (who also serves as Chair of the Department of Economics at Long Island University) that local libraries should be replaced by Amazon book stores. Among the reasons Mourdoukoutas offers are: libraries don't have as many public events as they used to because of school auditoriums; people go to places like Starbucks to hang out and work and read now instead of their library; and because technology makes physical books obsolete. * * * [Polley: wild idea, wild story, great Tweets/comments (some NSFW).]

- and -

Growing role of Amazon in library acquisitions (InsideHigherEd, 23 July 2018) - Research on where academic libraries buy their books has revealed the increasingly important role of nontraditional vendors such as Amazon. A preliminary study, published last week by Ithaka S+R, found that Amazon was the second most popular venue through which academic libraries purchased books in 2017. GOBI Library Solutions, a popular acquisition-management platform, took the No. 1 spot. It controls nearly half of the market share. The research included data from 54 libraries at a range of institutions -- from small private liberal arts colleges to public research universities. During 2017, these 54 libraries purchased 178,120 academic books. The clear majority of these were in print format (96 percent) rather than ebooks (4 percent). Ebooks were found to be significantly more expensive than print titles. In a blog post, Katherine Daniel, an analyst at Ithaka S+R, explained that the study was prompted by questions of whether libraries are really buying fewer books, or simply purchasing them in ways that are not currently captured in acquisition analyses. Further research will include data from large research institutions and will be published in a final report this fall.

Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws (ABA Journal, 19 July 2018) - A federal appeals court on Tuesday told a federal judge to reconsider whether the fair use doctrine allows a nonprofit to post technical standards created by private industry groups that are later referenced in government regulations. The U.S. Court of Appeals for the D.C. Circuit vacated injunctions that had prevented Public.Resource.org, known as PRO, from publishing copyrighted best-practice standards developed by six organizations. PRO had purchased copies of the technical standards that had been incorporated into laws, scanned them into digital files, and posted them online. Its founder, public domain advocate Carl Malamud, tweeted this about the appellate decision: "I bought the law, and the law won." The appeals court ruled in a combined appeal of two lawsuits. A federal judge had ruled the standards organizations held valid and enforceable copyrights, and PRO failed to create a triable issue of fact on whether its publication of the materials constituted fair use. On appeal, PRO argued incorporation of the standards by reference makes the works a part of the law, and the law can never be copyrighted. PRO asserted that allowing private ownership of the law is inconsistent with the First Amendment principle that citizens should be able to freely discuss the law and a due process notion that citizens must have free access to the law. PRO also argued that, even if the standards remain copyrighted, its copying qualifies as a fair use because it facilitates public discussion about the law. The appeals court said PRO "raises a serious constitutional concern," but it is better to first address the fair use issue. The district court had concluded PRO distributed the standards to undermine the organizations' ability to raise revenue. According to the appeals court, the record does not support that blanket conclusion. 
"Rather, by all accounts, PRO distributed these standards for the purpose of educating the public about the specifics of governing law," the court said in an opinion by Judge David Tatel. In addition, Tatel said, the district court failed to account for the variation among the standards at issue and consider the legal status of each incorporated work. In a concurrence, Judge Gregory Katsas strongly supported PRO. "As a matter of common-sense, this cannot be right: access to the law cannot be conditioned on the consent of a private party, just as it cannot be conditioned on the ability to read fine print posted on high walls," he wrote, referencing a book about the Roman emperor Caligula. PRO was represented by the Electronic Frontier Foundation, the law firm of Fenwick & West, and attorney David Halperin. An EFF press release is here. [Polley: congrats, Carl.]

The blockchain begins finding its way in the enterprise (TechCrunch, 23 July 2018) - The blockchain is in the middle of a major hype cycle at the moment, and that makes it hard for many people to take it seriously, but if you look at the core digital ledger technology, there is tremendous potential to change the way we think about trust in business. Yet these are still extremely early days and there are a number of missing pieces that need to be in place for the blockchain to really take off in the enterprise. Suffice it to say that it has caught the fancy of major enterprise vendors with the likes of SAP, IBM, Oracle, Microsoft and Amazon all looking at providing some level of Blockchain as a service for customers. While the level of interest in blockchain remains fluid, a July 2017 survey of 400 large companies by UK firm Juniper Research found 6 in 10 respondents were "either actively considering, or are in the process of, deploying blockchain technology." In spite of the growing interest we have seen over the last 12-18 months, blockchain lacks some basic underlying system plumbing, the kind any platform needs to thrive in an enterprise setting. Granted, some companies and the open source community are recognizing this as an opportunity and trying to build it, but many challenges remain. * * * [Polley: see "Resources" below.]

1Password's travel mode (Bruce Schneier, 23 July 2018) - The 1Password password manager has just introduced "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: Your vaults aren't just hidden; they're completely removed from your devices as long as Travel Mode is on. That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you're asked to unlock 1Password by someone at the border, there's no way for them to tell that Travel Mode is even enabled. In 1Password Teams, Travel Mode is even cooler. If you're a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times. The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find. The only flaw -- and this is minor -- is that the system requires you to lie. When the scary border police ask you "do you have any other passwords?" or "have you enabled travel mode," you can't tell them the truth. In the US, lying to a federal officer is a felony. I previously described a system that doesn't require you to lie. It's more complicated to implement, though. This is a great feature, and I'm happy to see it implemented.

Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties (TechDirt, 23 July 2018) - A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant's computer. This info was handed over to the police who obtained a "general warrant" to image the hard drive to scour it for incriminating evidence. Yes, "general warrants" are still a thing in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with All Writs orders than the general warrants of the pre-Revolution days, but there's still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) "General warrants" are something the government uses when the law doesn't specifically grant permission for what it would like to do. * * * The appellant's challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. As the court notes, handing a computer over to a technician doesn't deprive the device's owner of an expectation of privacy. * * * So, while this didn't end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government's concession that this privacy expectation exists. Hopefully, this will help deter violations -- erroneous or not -- in the future.

How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections (ABA Journal, 25 July 2018) - In a profession defined by zealous representation of clients, it's no surprise that clients are starting to push their outside counsels to beef up cybersecurity. "The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers," says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. "Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large." These aren't just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity. * * * The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the ABA TechReport 2017, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. * * *

Carpenter and the end of bulk surveillance of Americans (Sharon Bradford Franklin on Lawfare, 25 July 2018) - Writing for the majority in Carpenter v. United States, Chief Justice John Roberts called the court's momentous Fourth Amendment decision "a narrow one." The specific holding -- that a warrant is required for law enforcement to access historical cell site location information (CSLI) -- may indeed be narrow, and the decision rightfully cautions that "the Court must tread carefully" when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old "third-party doctrine," under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose. As others have already argued, the Carpenter decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the "seismic shifts in digital technology" and the power of modern surveillance tools. In particular, the Carpenter decision should foreclose, once and for all, any claim that bulk surveillance of Americans -- or bulk collection of their digital records -- would be constitutional. Through the USA Freedom Act of 2015, Congress ended the government's bulk telephone records program, known as the Section 215 program, and provided new authority for collection of call detail records using a "specific selection term." 
With reauthorization of this act to be considered next year, Carpenter's analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law. From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. The PCLOB's January 2014 report on the Section 215 program found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program. Still, the report stopped short of finding that the program was unconstitutional. The board noted that "[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records." Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in ACLU v. Clapper in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions. * * *

NOTED PODCASTS/MOOCS

Reclaim Your Data (NPR podcast, 23 July 2018; 47 minutes) - Michael Chertoff, former Homeland Security Secretary and co-author of the Patriot Act, says data collection has gotten out of control. [Polley: Spotted by MIRLN reader Corinne Cooper - @ucc2]

RESOURCES

Blockchain for law students (website by Walter Effross at American U) - Offers: (1) a list of recommended resources (for self-directed study and research, as well as for constructing or supplementing syllabi); (2) summaries of and/or excerpts from the emerging body of caselaw concerning blockchain and cryptocurrency; (3) a collection of legal issues and responsive law review articles (and other sources), ordered by field of law; (4) a categorization of major types of participants in the blockchain economy; (5) suggestions on selecting law school courses relevant to blockchain practice; and (6) various questions, opinions, and observations about blockchain-related legal issues. If any reader would like to contribute a guest post on how law students (or practitioners new to this area) can best prepare (e.g., recommended reading, potential paper topics, organizations to become active in, suggestions for programming courses or tutorials), please e-mail effross@wcl.american.edu.

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Larger prey are targets of phishing (New York Times, 16 April 2008) - An e-mail scam aimed squarely at the nation's top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised. "I think that it was well done in terms of something people would feel compelled to respond to," said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif. Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. "It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate," Mr. Kirsch said. "Even the U.R.L. to find out more looked legitimate at first glance." The software used in the latest attack tries to communicate with a computer in Singapore. That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it.

Avatars, virtual reality technology, and the US military: Emerging policy issues (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.]

Saturday, July 07, 2018

MIRLN --- 17 June - 7 July 2018 (v21.09)

MIRLN --- 17 June - 7 July 2018 (v21.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)


ANNOUNCEMENTS

Register now for the next cybersecurity ABA CLE webinar "Bumps in the Night: Cybersecurity Legal Requirements, Government Enforcement, and Litigation". This second episode in a 5-part series airs July 18, followed by other episodes in August, September, and October. Each 90-minute episode parses related parts of the best-selling (and winner of the 2018 ACLEA "Best Publication" award) "ABA Cybersecurity Legal Handbook". For more information, visit ambar.org/cyberwakeup to register. Get 20% off if you subscribe to the full series (recordings of earlier ones are available), along with a free e-copy of the handbook.

ABA attendees at the Chicago annual meeting will also want to attend our showcase program (August 4 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. Info here.

NEWS

Why destruction of information is so difficult and so essential: The case for defensible disposal (ABA's Business Law Today, 15 June 2018) - IN BRIEF: (1) Information is growing unfettered for most businesses and impacting their ability to function; (2) Lawyers must find a way to get rid of information without creating greater business and legal issues for their clients; (3) Defensible disposition rids businesses of information that no longer has business or legal value without employees having to involve themselves in classification. * * *

A student, a worried girlfriend, a shared password and an admissions lawsuit (InsideHigherEd, 18 June 2018) - Most admissions lawsuits are about applicants who are rejected. But Eric Abramovitz won 375,000 Canadian dollars (about $284,000) last week over an admissions offer he turned down. Actually, his then-girlfriend turned it down, pretending to be Abramovitz. That set up the unusual court ruling. As outlined in the ruling issued by a Canadian judge last week, Abramovitz and Jennifer Lee met in 2013 and became a couple while both were studying music at McGill University. While they were involved, Abramovitz shared his laptop -- and his passwords -- with Lee. Abramovitz was a star student of clarinet, winning numerous prizes. He aspired to finish his bachelor's degree at Colburn Conservatory of Music, in Los Angeles, where he hoped to study with Yehuda Gilad, who only accepts two students a year. In December 2013, Abramovitz applied and went to Los Angeles when he was invited to audition. On March 27, 2014, he was admitted -- and his admission brought with it a full scholarship. On that fateful day, Lee checked Abramovitz's email before he did. Using his email account, she turned down the offer and created a fake email account in Gilad's name. Then she sent an email, pretending to be Gilad, rejecting Abramovitz. Lee could not be reached for comment. She did not contest Abramovitz's suit. The court ruling says that she was apparently afraid he would move to Los Angeles, leaving her behind at McGill, in Montreal. Eventually, Abramovitz did leave for Los Angeles and enrolled in a certificate program at the University of Southern California in which Gilad also taught. That program charged about $25,000, which Abramovitz paid. (He couldn't afford USC's master's degree program, which would have cost him about twice as much in tuition.) Abramovitz was "completely taken in," the court decision says, and only went to USC after staying in Montreal -- with Lee -- to finish his bachelor's degree. The scheme unraveled when Abramovitz met Gilad, who is not used to being turned down. As Abramovitz told National Post, when he auditioned for Gilad to enter the USC program, Gilad asked him, "Why did you reject me?" When Gilad showed him the email Lee had sent, Abramovitz was stunned. But he also had Lee's passwords, and he found the fake emails. He also found she had done the same thing when he won admission to the Juilliard School -- another institution that few admitted applicants turn down. The Canadian court judged that Lee was responsible for the tuition paid by Abramovitz to USC, the lost opportunities of the scholarship to the conservatory and for delaying the start of his career. The court ruling found that Lee's conduct was "morally reprehensible."

Why your FOIA request might not get text messages (Ride the Lightning, 19 June 2018) - Hat tip to my friend Doug Austin at CloudNine for a marvelous post on his EDiscovery Daily Blog. As Doug asks, what percentage of Freedom of Information Act (FOIA) requests actually result in receiving all of the information requested? According to the 2018 Public Sector Text & Mobile Communications Survey from Smarsh, 70 percent of federal, state, county and city government organizations surveyed report allowing SMS/text for official business communication. But, almost half of those (46 percent) are not formally capturing and retaining these messages. There were 236 total respondents in the survey. The information below is directly from Doug's post. And I fully agree with his conclusion at the end! "The vast majority of agencies allow organizational e-mail (97 percent) on mobile devices, but right behind it is SMS/text messaging, with 70 percent allowing it for official government business. Social channels Facebook and Twitter are the next most frequently cited, with 58 percent and 44 percent, respectively. Two-thirds of surveyed organizations allow employees to use their own BYOD devices for official business; for those devices, only 35 percent of respondents are retaining SMS/text messages (as opposed to 62 percent for Corporate Owned Personally Enabled (COPE) devices). The top four reasons SMS/Text records are NOT captured are: 1) Don't currently have budget this year, 2) SMS/text isn't required to be retained by law, 3) Waiting for Capstone/FOIA guidance, 4) Existing capture technologies are too complicated. The majority of respondents, 62 percent or nearly 2/3, lacked confidence that they could provide specifically requested mobile text messages promptly if responding to a public records or litigation request. Agencies with no retention solution in place have very little confidence in their ability to fulfill requests. 23 percent reported that if requested, it was unlikely they could produce SMS/text messages from their organizational leader at all. When you hear these stats, you might be surprised the numbers aren't higher. Last year, Federal Freedom of Information Act (FOIA) litigation jumped 26 percent over the previous year. In 2018, that number is on track to increase again. While an average of 2.08 lawsuits were filed each day in 2017, 2018 has seen the average increase to 2.72 lawsuits per day. Last year, there were 823,222 Federal FOIA requests - 78 percent of those requests yielded censored files or no records at all. In other words, only 22 percent of FOIA requestors got everything they asked for. 22 percent! And, the Federal government spent $40.6 million in legal fees defending its withholding of files in 2017. Freedom of information isn't free, apparently."

Verizon will stop selling real-time location data to third-party brokers (The Verge, 19 June 2018) - Verizon has pledged to stop selling data that can pinpoint the location of its mobile users to third-party intermediaries, according to The Associated Press. Verizon is the first carrier to end the controversial practice after Sen. Ron Wyden (D-OR) revealed that one of the companies that purchased the real-time location-tracking data from carriers wasn't verifying if its users had legal permission to track cellphone users through its service. In a letter to carriers and the FCC, Sen. Wyden said that Securus Technologies - a company that mainly monitors phone calls to inmates in jails and prisons across the country and also sells real-time location data to law enforcement agencies who must upload legal documents such as a warrant stating they have the right to access the data - wasn't actually verifying if those documents were legitimate. Securus did not "conduct any review of surveillance requests," Wyden wrote in his letter to the FCC. A sheriff in Missouri was charged with illegally tracking people 11 times without court orders using Securus, according to The New York Times. While all four major carriers have now cut off access to Securus, only Verizon has said it will stop selling data to geolocation aggregators who can then turn around and sell that data to someone else. Verizon said 75 companies obtained data from the two companies it sells location data directly to: LocationSmart and Zumigo. Last month, KrebsOnSecurity reported that LocationSmart - which supplies Securus with the location-tracking data - was leaking the real-time location data of customers on every major US carrier through a free demo tool on its website, which was subsequently taken down. "Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said in a statement to the AP. [see also AT&T and Sprint to follow Verizon in ending its sale of user location data to third-party brokers (The Verge, 19 June 2018)]

Are free societies at a disadvantage in national cybersecurity (Bruce Schneier, 19 June 2018) - Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post: It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective. I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.) I do worry that these disadvantages will someday become intolerable. Dan Geer often said that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know. EDITED TO ADD (6/21): Jack Goldsmith also wrote this.

GDPR and browser fingerprinting: How it changes the game for the sneakiest web trackers (EFF, 19 June 2018) - Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like Panopticlick. Compared to more well-known tracking "cookies," browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it's very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques. But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you've ever seen a message asking you to approve a site's cookie use, that's likely based on this earlier Europe-wide law. This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies? The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute "personal data processing" and will be covered by the GDPR.

Should media publish government's child-detention photos? (WaPo, 19 June 2018) - Based on the photographic evidence, living conditions inside government-run detention centers for immigrant children separated from their parents in south Texas look reasonably orderly and clean. But there's a major catch: All of the photographs depicting life inside the facilities have been supplied by the government itself. There's been no independent documentation; federal officials, citing the children's privacy, have barred journalists from taking photographs or video when they've been permitted inside. This has left news organizations with a quandary: Do they publish the handouts supplied by U.S. Customs and Border Protection (CBP) - which has an incentive to make its facilities look as humane and comfortable as possible - or do they reject the photos as essentially propaganda? The New York Times, for one, has taken the latter course. On Monday, it said it would not publish CBP-supplied photos. "We thought it was a bad precedent to accept government handout photos when [photojournalists aren't] allowed in," Dean Baquet, the paper's editor, said in an interview. "It would hurt any future case for access. And given the sensitivity of this story, I don't think we can assure readers that we are seeing a full picture when the government makes the choice of what we see and show. Readers want to know what these places look like, from the view of journalists who are witnesses." One of the government-supplied photos - a shot of children sprawled on thin mattresses under mylar blankets - was featured prominently by many news organizations on Tuesday.

Bad news cut from Michigan State alumni magazine (InsideHigherEd, 21 June 2018) - After a review by Michigan State University interim president John Engler, an upcoming edition of the university's alumni magazine will not include planned long-form essays exploring how the Larry Nassar sexual abuse case has tainted the university, multiple anonymous administration sources told the Detroit Free Press. It will also apparently not include a striking black-and-white cover image of a woman wearing teal lipstick -- teal is the color that Nassar survivors and supporters wear to show solidarity. Sources told the Free Press that Engler saw the planned image, among others, and said, "Get that teal shit out of here." While the magazine issue will address the crisis, sources said, it will showcase positive moves Engler has made since taking over, such as adding more counselors. Several people close to Engler who were not authorized to speak to the media said the effort is part of his push to "pivot toward positive news" in the wake of the scandal.

SEC provides further guidance on when digital assets may be deemed securities (Nixon Peabody, 21 June 2018) - On June 14, 2018, William Hinman, Director of the Securities and Exchange Commission's (SEC's) Division of Corporation Finance, provided important but nonbinding guidance on when a digital asset may be deemed a security in his remarks at the Yahoo Finance All Markets Summit in San Francisco, California. Slowly, the SEC has continued to reveal its views on the approaches taken by some crypto and digital asset industry participants―such as the pioneers of the Simple Agreement for Future Tokens (or SAFT), who have attempted to structure digital asset sales in such a way that the digital asset is not a security. As noted by Director Hinman in his remarks, these are still the "early days" of crypto, but with this latest guidance, the SEC has provided more clarity around securities law-compliant digital asset sales. The following is a summary of certain key takeaways from Director Hinman's remarks and related analysis. * * *

MIT to conduct an environmental scan of open source publishing (MIT, 22 June 2018) - The MIT Press has announced the award of a grant from The Andrew W. Mellon Foundation to conduct a landscape analysis and code audit of all known open source (OS) authoring and publishing platforms. By conducting this environmental scan, the MIT Press will be providing a comprehensive and critical analysis of OS book production and hosting systems to the scholarly publishing community. As noted by Amy Brand, director of the MIT Press, "Open source book production and publishing platforms are a key strategic issue for not-for-profit scholarly publishers, and the widespread utilization of these systems would foster greater institutional and organizational self-determination. The MIT Press has long been a leader in digital publishing. We are very grateful for the generous support from The Mellon Foundation for this project." The grant affords the MIT Press the unique opportunity to provide the university press community and other not-for-profit scholarly publishers with a comprehensive overview of the numerous OS publishing platforms that are currently in use or under development. These systems, which produce and host platforms for scholarly books and journals, have proliferated in the last decade. The forthcoming analysis will highlight the availability, affordances, and current limitations of these systems, and thereby encourage the adoption and continued development of OS publishing technologies. Open infrastructure could prove to be a durable alternative to complex and costly proprietary services. The results of the environmental scan and the accompanying code audit, expected later this year, will be made openly accessible. The final report will inform the MIT Press's roadmap for the publishing platform PubPub currently being codeveloped with the MIT Media Lab.

FirstNet launches, giving police and firefighters a dedicated wireless network and infinite possibilities (WaPo, 25 June 2018) - Though it's not a renowned high-tech hub, Brazos County, Tex., has become the showroom for what technology can do for police officers, paramedics and firefighters nationwide, through the newly created FirstNet wireless network. When Brazos sheriff's deputies entered a standoff with an armed man inside his home, they positioned four cars around the building and streamed live video through FirstNet back to their command center from their phones. When firefighters launched a swiftwater rescue recently, they were able to show it in real time through FirstNet to their supervisors. When a man tried to fraudulently register a stolen car, a patrol lieutenant was able to patch into the government center cameras through FirstNet and watch the crime in progress. "It's given us some incredible communication," said Brazos Sheriff Chris Kirk, "that we've been able to put to good use. It makes us much more efficient." The idea for FirstNet was long in gestation, beginning with the terrorist attacks of Sept. 11, 2001, but has rapidly come to fruition in the year since AT&T won a contract to build it for the federal government. The idea was a dedicated wireless network exclusively for first responders, enabling them to communicate in emergencies on a secure system built to handle massive amounts of data. Former Boston police commissioner Ed Davis witnessed two major problems of emergency communication firsthand. On 9/11, police helicopters flying over the World Trade Center could see the danger of building collapse but could not reach firefighters inside the towers, who were using a different radio system. And after the Boston Marathon bombing, cellular networks were overwhelmed with traffic, and police could not communicate with each other, Davis said. FirstNet addresses both problems. The government agency was created after 9/11 to devise the interoperability of first responders, and then to enable video, data and text capabilities in addition to voice. In March 2017, FirstNet accepted AT&T's $40 billion bid to build out the network. The governments of all 50 states and the District of Columbia opted in, and in March of this year, the core network went live. More than 1,000 agencies in 52 states and U.S. territories have signed up, including Boston police and fire and the Texas Department of Public Safety.

Potential clients are confident in law firms' cybersecurity. Should they be? (Legal Tech News, 25 June 2018) - Despite an increasingly malicious cyberthreat environment, most potential law firm clients are confident in the legal industry's ability to protect client data, according to a survey of more than 1,000 small business owners and the U.S. general public conducted by data disposal company Shred-it and market research company Ipsos Public Affairs. Almost half of the respondents, 47 percent, said data protection considerations were "very important" when deciding which law firm to hire, while 36 percent said such considerations were at least "somewhat important." But a majority, 61 percent, expressed little or no concern about providing sensitive information to lawyers, underscoring the widespread trust potential clients have in law firms' ability to protect their data. * * * What's more, overconfidence may already be harming law firms' security preparations, according to ALM Intelligence's "Challenges at the Intersection of Cybersecurity and Legal Services," a survey of 194 law firms and legal departments. While the survey found that most law firms were confident they had adequate cybersecurity protections in place, their cybersecurity programs failed to meet client expectations.

- and -

Legal Tracker LDO Index (ThomsonReuters, July 2018) - The volume of work for legal departments continues to grow, yet the overall legal department budget is not increasing at the same rate. Legal departments are dealing with how to do more with less. To address this challenge, departments are focusing on legal operations. With an operational focus, legal departments are looking at process improvements and technology to deliver on key department initiatives like controlling outside counsel costs and simplifying workflow and manual processes. Sixty-eight percent of organizations say the volume of legal work - defined by the number of legal matters - is increasing. Fifty-four percent of survey respondents report the percentage of work handled in-house is increasing, while 48% of survey respondents report increasing outside counsel spending. Seventy-one percent of organizations report that outside counsel hourly rates are increasing, while only 8% of organizations report decreases. With the increases in volume of work, 35% of legal departments report increasing the total legal department budget in the last 12 months, 25% report a budget decrease, and 40% report flat legal department budgets. When it comes to the budget for technology, 34% report increasing the budget, 52% are flat, and 13% report decreasing the technology budget. We asked legal departments to rank a variety of initiatives from no priority to high priority. The top five priorities among legal departments surveyed are: * * * [Polley: Lots of interesting data here; spotted by MIRLN reader Gordon Housworth]

AT&T collaborates on NSA spying through a web of secretive buildings in the US (TechCrunch, 25 June 2018) - A new report from The Intercept sheds light on the NSA's close relationship with communications provider AT&T. The Intercept identified eight facilities across the U.S. that function as hubs for efforts to collaborate with the intelligence agency. The site first identified one potential hub of this kind in 2017 in lower Manhattan. The report reveals that eight AT&T data facilities in the U.S. are regarded as high-value sites to the NSA for giving the agency direct "backbone" access to raw data that passes through, including emails, web browsing, social media and any other form of unencrypted online activity. The NSA uses the web of eight AT&T hubs for a surveillance operation code-named FAIRVIEW, a program previously reported by The New York Times. The program, first established in 1985, "involves tapping into international telecommunications cables, routers, and switches" and only coordinates directly with AT&T and not the other major U.S. mobile carriers.

How social networks set the limits of what we can say online (Wired, 26 June 2018) - Content moderation is hard. This should be obvious, but it's easily forgotten. It is resource intensive and relentless; it requires making difficult and often untenable distinctions; it is wholly unclear what the standards should be, especially on a global scale; and one failure can incur enough public outrage to overshadow a million quiet successes. We as a society are partly to blame for having put platforms in this situation. We sometimes decry the intrusions of moderators, and sometimes decry their absence. Even so, we have handed to private companies the power to set and enforce the boundaries of appropriate public speech. That is an enormous cultural power to be held by so few, and it is largely wielded behind closed doors, making it difficult for outsiders to inspect or challenge. Platforms frequently, and conspicuously, fail to live up to our expectations. In fact, given the enormity of the undertaking, most platforms' own definition of success includes failing users on a regular basis. The social media companies that have profited most have done so by selling back to us the promises of the web and participatory culture. But those promises have begun to sour. While we cannot hold platforms responsible for the fact that some people want to post pornography, or mislead, or be hateful to others, we are now painfully aware of the ways in which platforms invite, facilitate, amplify, and exacerbate those tendencies. For more than a decade, social media platforms have portrayed themselves as mere conduits, obscuring and disavowing their active role in content moderation. But the platforms are now in a new position of responsibility - not only to individual users, but to the public more broadly. As their impact on public life has become more obvious and more complicated, these companies are grappling with how best to be stewards of public culture, a responsibility that was not evident to them - or us - at the start. For all of these reasons, we need to rethink how content moderation is done and what we expect of it. And this begins by reforming Section 230 of the Communications Decency Act - a law that gave Silicon Valley an enormous gift, but asked for nothing in return. * * *

Instagram now lets you 4-way group video chat as you browse (TechCrunch, 26 June 2018) - Instagram's latest assault on Snapchat, FaceTime and Houseparty launches today. TechCrunch scooped back in March that Instagram would launch video calling, and the feature was officially announced at F8 in May. Now it's actually rolling out to everyone on iOS and Android, allowing up to four friends to group video call together through Instagram Direct. With the feed, Stories, messaging, Live, IGTV and now video calling, Instagram is hoping to become a one-stop-shop for its 1 billion users' social needs. This massive expansion in functionality over the past two years is paying off, SimilarWeb told TechCrunch in an email, which estimates that the average U.S. user has gone from spending 29 minutes per day on the app in September 2017 to 55 minutes today. More time spent means more potential ad views and revenue for the Facebook subsidiary that a Bloomberg analyst just valued at $100 billion after it was bought for less than $1 billion in 2012.

8 states impose new rules on Equifax after data breach (NYT, 27 June 2018) - Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that allowed hackers to steal sensitive personal information on more than 147 million people. The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months. If Equifax falls short on any of its new promises, regulators in the states - Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas - will be able to take punitive action. Equifax said that "a good number" of the measures it agreed to in the order had already been completed. Equifax has spent nearly $243 million so far on the fallout from the data breach, including its spending on legal costs, new security tools and credit monitoring services it offered for free after the break-in was revealed in September. The company's chief executive and several other top officials were forced out in the aftermath. Government regulators and law enforcement officials are still looking into Equifax's data safeguards. The company remains under investigation by the Federal Trade Commission, the Consumer Financial Protection Bureau and the Securities and Exchange Commission, among others.

Homeland Security subpoenas Twitter for data breach finder's account (ZDnet, 2 July 2018) - Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn't known but goes by the handle Flash Gordon, revealed the subpoena in a tweet last month. The pseudonymous data breach finder regularly tweets about leaked data found on exposed and unprotected servers. Last year, he found a trove of almost a million patients' data leaking from a medical telemarketing firm. A recent find included an exposed cache of law enforcement data by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations. Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account. Twitter informed him of the subpoena, per its policy on disclosing legal processes to its users. A legal effort to challenge the subpoena by a June 20 deadline was unsuccessful. Attorneys from the Electronic Frontier Foundation provided Flash Gordon legal assistance. ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account. The subpoena did not demand the account's private messages or any other content, which typically requires a court order or a search warrant. It's not known why the subpoena was issued. Twitter spokesperson Emily Horne said the company does not comment on individual accounts for privacy and security reasons.

Carpenter v. United States: Big data is different (GW Law Review, 2 July 2018) - A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in Carpenter v. United States, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts's opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law. In short, the Court in Carpenter has declared that Big Data is different. Just how different remains to be seen. The question addressed in Carpenter - whether obtaining historic location information from cellular phone service providers constitutes a search under the Fourth Amendment - arose at the confluence of two lines of cases. One addresses location tracking in public spaces, and the other addresses records that have been shared with third parties. Until recently, neither doctrinal thicket looked particularly good for Timothy Carpenter, or for privacy. But the Carpenter decision does not come out of thin air. Starting with the Court's recent GPS-tracking decision in United States v. Jones - and what has been referred to as the Jones "shadow majority" - the Supreme Court has recently appeared to take a different approach to Big Data. Carpenter cements this change. * * * [ see also Gorsuch's dissent in 'Carpenter' case has implications for the future of privacy (The Hill, 26 June 2018), and When does a Carpenter search start - and when does it stop? (Orin Kerr on Lawfare, 6 July 2018)] top

It's time for a chemistry lesson. Put on your virtual reality goggles. (NYT, 3 July 2018) - There was a time when biochemists had a lot in common with sculptors. Scientists who had devoted their lives to studying a molecule would build a model, using metal and a forest of rods to hold up the structure of thousands of atoms. "Slow work, but at the end you really know the molecule," said Michael Levitt, who shared the Nobel Prize in Chemistry in 2013. These days simulations on screens have replaced such models, sacrificing some of their tactile value while gaining the ability to show movement. But what if you could enter a virtual reality environment where the molecules lie before you, obeying all the laws of molecular physics as calculated by supercomputers, and move them around in three dimensions? In a new paper in the journal Science Advances, researchers report that they have constructed just such an environment, and that users who manipulate the proteins in VR can perform simple tasks nearly ten times faster in virtual reality than on a screen. The researchers asked users to perform three separate manipulations of molecules and timed how long each took. They had to thread a molecule of methane through a simulated carbon nanotube; unwind a helical molecule and wind it up in the opposite direction; and tie a knot in a simulated protein. They also did the same tasks on computers using a touchscreen or a mouse. Each task resembles research that is current in biology and chemistry. In tallying the time each task took, the researchers found that in VR, threading the nanotube and tying the knot went much quicker. The knot task, in particular, was completed nearly ten times as rapidly. By using 2D screen-based simulations of molecules, said Dr. Glowacki, "we might actually be doing things a lot slower than we could be." Scientists who use VR to get familiar with molecules may be able to gain intuition about their movements more quickly. [ Polley : pretty interesting animation videos on the website version of the story.]

RESOURCES

Tech Competence (Robert Ambrogi) - In 2012, something happened that I called a sea change in the legal profession: The American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. * * * On this page, I track the states that have formally adopted the revised comment to Rule 1.1. The total so far is 31. [ Polley : nice interactive map of the states.] top

Grimmelmann on Whether Robot Transmissions Are Speech For First Amendment Purposes (MLPB, 20 June 2018) - James Grimmelmann, Cornell Law School, is publishing Speech in, Speech Out in Robotica: Speech Rights and Artificial Intelligence (Ronald K. L. Collins and David M. Skover, eds., Cambridge University Press 2018). Here is the abstract: This invited short response was published as part of Ronald K.L. Collins and David M. Skover's book Robotica: Speech Rights and Artificial Intelligence (Cambridge University Press 2018). Collins and Skover make a two-step argument about "whether and why First Amendment coverage given to traditional forms of speech should be extended to the data processed and transmitted by robots." First, they assert (based on reader-response literary criticism) that free speech theory can be "intentionless": what matters is a listener's experience of meaning rather than a speaker's intentions. Second, they conclude that therefore utility will become the new First Amendment norm. The premise is right, but the conclusion does not follow. Sometimes robotic transmissions are speech and sometimes they aren't, so the proper question is not "whether and why?" but "when?" Collins and Skover are right that listeners' experiences can substitute for speakers' intentions, and in a technological age this will often be a more principled basis for grounding speech claims. But robotic "speech" can be useful for reasons that are not closely linked to listeners' experiences, and in these cases their proposed "norm of utility" is not really a free speech norm. top

Lola v. Skadden and the Automation of the Legal Profession (Yale Journal of Law & Technology) - Technological innovation has accelerated at an exponential pace in the last few decades, ushering in an era of unprecedented advancements in algorithms and artificial intelligence technologies. Traditionally, the legal field has protected itself from technological disruptions by maintaining a professional monopoly over legal work and limiting the "practice of law" to only those who are licensed. This article analyzes the long-term impact of the Second Circuit's opinion in Lola v. Skadden, Arps, Slate, Meagher & Flom LLP, 620 F. App'x 37 (2d Cir. 2015), on the legal field's existing monopoly over the "practice of law." In Lola, the Second Circuit underscored that "tasks that could otherwise be performed entirely by a machine" could not be said to fall under the "practice of law." By distinguishing between mechanistic tasks and legal tasks, the Second Circuit repudiated the legal field's oft-cited appeals to tradition insisting that tasks fall under the "practice of law" because they have always fallen under the practice of law. The broader implications of this decision are threefold: (1) as machines evolve, they will encroach on and limit the tasks considered to be the "practice of law"; (2) mechanistic tasks removed from the "practice of law" may no longer be regulated by professional rules governing the legal field; and (3) to survive the rise of technology in the legal field, lawyers will need to adapt to a new "practice of law" in which they will act as innovators, purveyors of judgment and wisdom, and guardians of fairness, impartiality, and accountability within the law. The article proceeds by first discussing the procedural history and decision in Lola v. Skadden. It then explains the technological advances that will impact the legal field and the tools used by the legal field to perpetuate its self-regulating monopoly. The article then turns to the socioeconomic implications of technological disruption within the legal field and concludes with a discussion on how lawyers may prepare themselves for, and thrive within, an inevitably automated future. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Patent Office agrees to review infamous JPEG patent (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examined before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it's a long and rather involved process that won't come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and which raises substantial questions about the patentability of the remaining claim in the patent. This is rather good news. top

Administration shutting down economic indicators site (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, EconomicIndicators.gov had even won awards from Forbes as a great resource. top