MIRLN --- 7-27 Oct 2018 (v21.14)
NEWS | RESOURCES | LOOKING BACK | NOTES
NEWS
- California bill bans bots during elections
- California bans default passwords on any internet-connected device
- Microsoft to host the government's classified data early next year
- Can lawyers ethically accept cryptocurrency?
- New bots from DoNotPay includes one that lets you sue in any small claims court at the press of a button
- Microsoft makes its 60,000 patents open source to help Linux
- Amicus brief on burdens of proof for compelled decryption
- Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets
- SEC launches new strategic hub for innovation and financial technology
- Cybersecurity: Fortune 100 disclosure practices
- Federal court ruling in Georgia shows judges have a role to play in election security
- Real estate lawyers have become big "phish" for cyberfraudsters
- 3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns
- Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and free to share
- ABA ethics opinion offers guidance on data breaches
- New copyright exemptions let you legally repair your phone or jailbreak voice assistants
California bill bans bots during elections (SC Magazine, 3 Oct 2018) - A California bill that will ban the use of undeclared bots during elections is set to take effect on July 1, 2019, after Gov. Jerry Brown signed it into law Friday. "This bill would, with certain exceptions, make it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivise a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election," according to the Senate Bill No. 1001 . top
- and -
California bans default passwords on any internet-connected device (Engadget, 5 Oct 2018) - In less than two years, anything that can connect to the internet will come with a unique password - that is, if it's produced or sold in California. The " Information Privacy: Connected Devices " bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. It only took the authorities about two weeks to approve the proposal made by the state senate. The new regulation mandates device manufacturers to either create a unique password for each device at the time of production or require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." top
Microsoft to host the government's classified data early next year (NextGov, 9 Oct 2018) - Microsoft is making moves to target a growing multibillion market: hosting, storing and running the U.S. government's most sensitive classified secrets and data. On Tuesday, the software giant announced it will join rival Amazon as the only commercial cloud providers with the security capabilities to host secret classified data by the end of the first quarter of 2019. Microsoft's announcement comes days before the Pentagon will accept bids on its $10 billion Joint Enterprise Defense Infrastructure contract, which it will award to a single cloud service provider. The announcement doubles as a public declaration of Microsoft's intent to bid on the contract one day after Google pulled out of the competition in part because it can't meet the Pentagon's security requirements stipulated for JEDI quickly enough. Most experts consider Amazon Web Services the favorite to win the contract, in part because it operates the CIA's C2S Cloud, but Microsoft isn't pulling any punches. The company also announced its intent to meet additional security controls to host the government's data classified as top secret, which include the military and Defense Department's most sensitive information. The ability to host both secret and top secret data is a prerequisite to compete for JEDI. top
Can lawyers ethically accept cryptocurrency? (Attorney at Work, 10 Oct 2018) - Several years back we added credit card billing to our options for client bill payment, including through an online secured platform. Our bill collection rates dramatically increased along with how fast a bill was paid with emailed invoices. It was great! We recently saw some companies accepting bitcoin and other cryptocurrencies as payment for goods and services. While we don't expect a high volume of clients to pay with this new "currency," we are thinking about offering it as an option. If nothing else, it shows we are keeping ahead of the curve on modern trends. Should we be pumping the brakes, or do we have the green light to accept cryptocurrency as payment? At first glance, it may seem like you would be in the clear to accept alternative payments for the legal services rendered. Why not, since you can accept nonmonetary items such as a goat for preparing a family's estate planning documents, so long as the goat was reasonable compensation for the legal services provided. Yes, I'm sure someone at some time bartered hooved animals for the services of an attorney and counselor at law. No? What ethics rules might be considered in how you are paid for your work? What makes cryptocurrency different from currency (or bovine for that matter)? At least one state bar has issued an advisory opinion on the topic of cryptocurrency as payment for legal services or otherwise being held for clients by a law firm. In Nebraska Ethics Advisory Opinion for Lawyers No. 17-03, the ethics committee concluded that attorneys "may receive and accept digital currencies such as bitcoin as payment for legal services" with some caveats. The leading concern with the often volatile cryptocurrency values comes in ensuring the fees being paid by a client are reasonable, as required by ABA Model Rule 1.5 . Bitcoin is one of the less volatile of these currencies, and still it has been known to have swings of 10 percent or greater occurring every few hours. As the opinion gives the example, "An arrangement for payment in bitcoin for attorney services could mean that the client pays $200 an hour in one month and $500 an hour the next month, which the client could very easily allege as unconscionable." The opinion suggests the following actions to mitigate the risk of volatility and possible unethical overpayment for services: * * * top
New bots from DoNotPay includes one that lets you sue in any small claims court at the press of a button (Robert Ambrogi, 10 Oct 2018) - DoNotPay , the company that created a chat bot to automatically appeal parking tickets, is today launching a series of legal and consumer-protection bots, in the form of an iOS app, that includes one that will enable individuals to file an action in any small claims court in the United States. In addition, DoNotPay is announcing that it has acquired Visabot , a service launched shortly after the election of Donald Trump to help individuals obtain visas and green cards. DoNotPay is relaunching Visabot and eliminating all fees for the service, which previously ranged from $110 to $150. The new small claims bot covers small claims courts in all 3,000 counties in all 50 states. There is no charge to use the product, so users keep 100 percent of anything they recover. Joshua Browder, the self-taught coder who founded DoNotPay as a 17-year-old in 2015, said the initial idea for this product came from an app he created in the wake of the Equifax breach to help people file small claims lawsuits against the credit rating company. top
Microsoft makes its 60,000 patents open source to help Linux (The Verge, 10 Oct 2018) - Microsoft announced today that it's joining the Open Invention Network (OIN), an open-source patent group designed to help protect Linux from patent lawsuits. In essence, this makes the company's library over 60,000 patents open source and available to OIN members, via ZDNet . OIN provides a license platform for Linux for around 2,400 companies - from individual developers to huge companies like Google and IBM - and all members get access to both OIN-owned patents and cross-licenses between other OIN licensees, royalty-free. Microsoft joining is a big step forward for both sides: OIN gets thousands of new patents from Microsoft, and Microsoft is really helping the open-source community that it has shunned in the past. As Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, commented in an interview to ZDNet , "We want to protect open-source projects from IP lawsuits, so we're opening our patent portfolio to the OIN." There are exceptions to what Microsoft is making available - specifically, Windows desktop and desktop application code, which makes sense for many reasons - but otherwise, Microsoft is going open source. And ultimately, that's a good thing for the whole developer community. top
Amicus brief on burdens of proof for compelled decryption (Orin Kerr on Volokh Conspiracy, 11 Oct 2018) - I recently posted a draft article on the Fifth Amendment and compelled entering of passwords: Compelled Decryption and the Privilege Against Self-Incrimination . My article flagged but did not answer a closely-related question: What is the burden of proof to show a foregone conclusion when the government compels entering a password? Coincidentally, the Massachusetts Supreme Judicial Court happened to invite amicus briefs on this issue in a pending case shortly after I posted my draft. It's a question of first impression among state supreme courts and federal circuit courts, and it relates closely to the underlying Fifth Amendment standard. In for a penny, in for a pound, I say. So today I submitted an amicus brief on the proper burden of proof in compelled decryption cases. You can read my brief here: Amicus Brief of Professor Orin Kerr on Standards for Compelled Decryption Under the Fifth Amendment . It argues that the government's burden should be to prove by clear and convincing evidence, based on a totality of the circumstances, that the subject of the order knows the password. top
Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets (ABA's BLT, 12 Oct 2018) - On June 14, 2018, Director William Hinman of the SEC's Division of Corporation Finance delivered a speech at the Yahoo! Finance All Markets Summit in San Francisco, during which he shared his view that current offer and sale of bitcoin and ether, the two most valuable and prominent digital assets today, does not constitute a securities transaction. Reiterating the facts-and-circumstances approach the SEC takes in applying securities laws to digital assets, Hinman admitted that the evolvement and the decentralized nature of digital assets could at some point render the application of securities laws requirements insensible and unnecessary. Hinman's speech is the first public statement from SEC leadership that offers clear assurance that certain types of digital assets are not within the purview of SEC regulations. The SEC has been following and monitoring the development of ICOs and digital assets closely. This article traces the series of SEC actions leading up to Hinman's speech and analyzes how the SEC's jurisprudence in this field has developed overtime. * * * top
- and -
SEC launches new strategic hub for innovation and financial technology (SEC, 18 Oct 2018) - The U.S. Securities and Exchange Commission today announced the launch of the agency's Strategic Hub for Innovation and Financial Technology ( FinHub ). The FinHub will serve as a resource for public engagement on the SEC's FinTech-related issues and initiatives, such as distributed ledger technology (including digital assets), automated investment advice, digital marketplace financing, and artificial intelligence/machine learning. The FinHub also replaces and builds on the work of several internal working groups at the SEC that have focused on similar issues. * * * top
- and -
Cybersecurity: Fortune 100 disclosure practices (TheCorporateCounsel.net, 23 Oct 2018) - The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued disclosure guidance earlier this year & recently turned its attention to internal control implications of cybersecurity lapses. But are companies getting the message? This recent EY report provides some clues on the disclosure front. It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some key findings: * * * top
Federal court ruling in Georgia shows judges have a role to play in election security (Lawfare, 12 Oct 2018) - In the wake of Russia's interference in U.S. elections, questions persist as to whether Russia changed vote totals and changed the outcome of the election. Former Homeland Security Secretary Jeh Johnson and the Senate intelligence committee each say there is no evidence that the Russians did so. But as technologist Matt Blaze told the New York Times , that's "less comforting than it might sound at first glance, because we haven't looked very hard." And experts agree that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade. Last month, the U.S. District Court for the Northern District of Georgia recognized that the risk of election hacking is of constitutional significance-and that courts can do something about it. In Curling v. Kemp , two groups of Georgia voters contend that Georgia's old paperless voting machines are so unreliable that they compromise the plaintiffs' constitutional right to vote. In ruling on the voters' motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits-in other words, Georgia's insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system. top
Real estate lawyers have become big "phish" for cyberfraudsters (Attorney at Work, 12 Oct 2018) - Cyberfraud is a major issue in any industry, but especially in real estate where property transactions can net a hacker hundreds of thousands of dollars in a single wire diversion. Attorneys who practice real estate law and their clients have become prime targets for hackers. According to published FBI data , $969 million was diverted or attempted to be diverted to "criminally controlled" accounts in real estate transactions in fiscal year 2017. Compare that with 2016, when comparable real estate wire transfer frauds amounted to just $19 million. * * * It's extremely difficult to recover funds that have been wired to a fraudulent account, though not impossible. Those who realize the mistake immediately have a better chance. As is the case with many things in life, prevention is the best tactic. Here are ways to lower the risk of real estate cyberfraud. * * * top
3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns (Science Daily, 18 Oct 2018) - Like fingerprints, no 3D printer is exactly the same. That's the takeaway from a new study that describes what's believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods. top
Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and free to share (TechDirt, 19 Oct 2018) - The 11th Circuit appeals court has just overturned a lower court ruling and said that Georgia's laws, including annotations, are not covered by copyright, and it is not infringing to post them online. This is big, and a huge win for online information activist Carl Malamud whose Public.Resource.org was the unfortunate defendant in a fight to make sure people actually understood the laws that ruled them. The details here matter, so let's dig in: * * * [ Polley : This is an important victory, and Carl deserves our thanks. Hats off to Alston & Bird, David Halperin (Public Resource), and the ACLU. See also 11th Circuit: Georgia can't copyright annotated legal code (Law.com, 22 Oct 2018), and Court tells Georgia it can't charge people to read the law (ACLU, 22 Oct 2018)] top
ABA ethics opinion offers guidance on data breaches (ABA Journal, 17 Oct 2018) - Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty. In Formal Opinion 483 , issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation. "Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences," says Barbara S. Gillers, chair of the standing committee. "Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers' approaches to these risks in order to comply with the duty to protect client information." This opinion builds on the standing committee's Formal Opinion 477R released in May 2017, which set forth a lawyer's ethical obligation to secure protected client information when communicating digitally . "When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach," Formal Opinion 483 says. To that end, this week's new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm. "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach," states the opinion. "The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach." The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make "reasonable efforts" to prevent disclosure and access to client information, they may still experience a data breach. "When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation,'" the opinion closes. [ Polley : The Opinion also contains language suggesting that lawyers must "monitor" internet activity-e.g., using IDS tools.] top
New copyright exemptions let you legally repair your phone or jailbreak voice assistants (The Verge, 25 Oct 2018) - In a big victory for hacker, tinkerers, and the right to repair movement, the US Copyright Office has ruled some major changes to the legal exemption to the DMCA, making it far easier for owners to build software tools to hack, modify, and repair their own devices, as explained by iFixit founder Kyle Wiens . Under section 1201 of the Digital Millennium Copyright Act (DMCA), it is "unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works." Because software has become so integral to all the devices we use - everything from phones to speakers to even trackers - device manufacturers have long used section 1201 to prevent owners from taking apart or repairing their own devices, arguing that breaking the software locks as part of replacing parts or modifying your gadgets is a violation of that statute. But as part of that law, citizens are allowed to petition for exemptions to section 1201 every three years, when the Copyright Office rules what kind of repairs and software tools are and aren't allowed by the law. The final ruling for this cycle was just released (it goes into effect as law on October 28th), and it enacts broad new protections for repairing devices. Wiens' post breaks down the biggest changes, which include: * * * top
RESOURCES
Clarke and Piper on A Legal Framework to Govern Online Political Expression by Public Servants @Carleton_U (MLPB, 23 Oct 2018) - Amanda Clarke, Carleton University School of Public Policy and Administration, and Benjamin Pipe, National Judicial Institute, have published A Legal Framework to Govern Online Political Expression by Public Servants at 21 Canadian Labour and Employment Law Journal 1 (2018). Here is the abstract: This paper considers the extent to which public servants should be allowed to engage in political activities in online fora such as Facebook, Twitter, and YouTube. The question of the appropriate balance between the principle of political neutrality binding public servants and their Charter-protected right to political expression has been extensively addressed in the case law. However, the framework set out in the existing jurisprudence was developed in the context of more traditional forms of political engagement, and fails to provide clear guidance in an age when the political activities of public servants, like those of Canadians as a whole, have to a large degree migrated to social media and other platforms on the web. In an effort to remedy this deficiency, the authors lay the foundation for a revised framework for assessing the permissibility of online political activity by public servants, consisting of four analytical factors: the level and nature of a public servant's position; the visibility of the online activity; the substance of the online activity; and the identifiability of the online actor as a public servant. Adopting this test, the authors contend, would enable adjudicators to strike a reasonable balance between freedom of expression and the principle of political neutrality, by recognizing that in today's world both politics and life as a public servant play out online. top
LOOKING BACK - MIRLN TEN YEARS AGO
(note: link-rot has affected about 50% of these original URLs)
Smartphones, seat belts, searches, and the Fourth Amendment (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a "revolutionary" device, he probably wasn't thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple's übergadget will permit police to routinely gather massive amounts of citizens' sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to "unreasonable searches and seizures." Normally, this means police must show a judge that there is "probable cause" to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for "search incident to arrest." This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can't destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you're in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened "just for fun." Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a "bright line" rule permitting an arresting officer to search any object in a suspect's possession, such as a cigarette pack, even if it unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life. top
Google makes health service publicly available (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies. Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor in 2008 : Now, I want Google to offer search for health-care providers, by cost and reputation; then, they'll offer health care insurance coverage.] top