<p> MIRLN stands for Miscellaneous IT Related Legal News, since 1997 a free monthly e-newsletter edited by Vince Polley (www.knowconnect.com). Earlier editions, and email delivery subscription information, are at http://www.knowconnect.com/mirln/ </p> <p> Posted by <a href="http://www.blogger.com/profile/11939466711834283196">Vince Polley</a>, 22 Dec 2018 </p> <p> <a name="TOP"> </a> MIRLN --- 28 Nov - 22 Dec 2018 (v21.16) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_28_nov_22_dec_2018_v2116/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <ul> <li> <a href=""> Facebook's New 'Supreme Court' Could Revolutionize Online Speech </a> </li> <li> <a href=""> Today in brighter crypto news: SEC says tokens are securities </a> </li> <li> <a href=""> Ohio becomes the first state to accept bitcoin for tax payments </a> </li> <li> <a href="">Jury dismissed after Crown looks up jurors on LinkedIn </a> </li> <li> <a href=""> French tax officials to start digging through social media posts for expensive cars it thinks you can't afford </a> </li> <li> <a href="">Online dispute resolution bolstering access to justice </a> </li> <li> <a href=""> Pennsylvania Supreme Court recognizes Common Law duty to safeguard employees' personal data </a> </li> <li> <a href="">When the Internet Archive forgets </a> </li> <li> <a href=""> GCHQ: We don't tell tech companies about every software flaw </a> </li> <li> <a href="">Principles for a more informed exceptional access debate </a> </li> <li> <a href=""> Making a ransomware payment?
It may now violate US sanctions </a> </li> <li> <a href=""> Secret Service announces test of face recognition system around White House </a> </li> <li> <a href="">The sneaky fight to give cable lines free speech rights </a> </li> <li> <a href="">Cybersecurity: Who's fessed up to a "Material Weakness?" </a> </li> <li> <a href=""> Four tips for law firms in responding to overreaching client audits </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="FacebooksNew"> </a> <strong> <a href="https://www.lawfareblog.com/facebooks-new-supreme-court-could-revolutionize-online-speech" > Facebook's New 'Supreme Court' Could Revolutionize Online Speech </a> </strong> (Lawfare, 19 Nov 2018) - The Supreme Court of Facebook is about to become a reality. When Facebook CEO Mark Zuckerberg first mentioned the idea of an independent oversight body to determine the boundaries of acceptable speech on the platform-"almost like a Supreme Court," he said-in <a href="https://www.vox.com/2018/4/2/17185052/mark-zuckerberg-facebook-interview-fake-news-bots-cambridge" > an April 2018 interview with Vox </a> , it sounded like an offhand musing. But on Nov. 15, responding to a <a href="https://www.nytimes.com/2018/11/14/technology/facebook-data-russia-election-racism.html?action=click&module=Top%20Stories&pgtype=Homepage" > New York Times article </a> documenting how Facebook's executives have dealt with the company's scandal-ridden last few years, Zuckerberg published a <a href="https://www.facebook.com/notes/mark-zuckerberg/a-blueprint-for-content-governance-and-enforcement/10156443129621634/" > blog post </a> announcing that Facebook will "create a new way for people to appeal content decisions to an independent body, whose decisions would be transparent and binding." Supreme Court of Facebook-like bodies will be piloted early next year in regions around the world, and the "court" proper is to be established by the end of 2019, he wrote. 
It is difficult to overstate the potential this has to transform understandings of online speech governance, international communication and even the very definition of "free speech." Zuckerberg's blog post literally asks more questions about the anticipated tribunal than it answers. (He writes, "Starting today, we're beginning a consultation period to address the hardest questions, such as: how are members of the body selected? How do we ensure their independence from Facebook, but also their commitment to the principles they must uphold? How do people petition this body? How does the body pick which cases to hear from potentially millions of requests?") But it's worth unpacking the underlying ideas behind the proposal and the most difficult challenges that will need to be resolved in how it's set up. <a href="">top </a> </p> <p><a name="TodayIn"> </a> <strong> <a href="https://techcrunch.com/2018/11/19/today-in-brighter-crypto-news-sec-says-tokens-are-securities/" > Today in brighter crypto news: SEC says tokens are securities </a> </strong> (TechCrunch, 21 Nov 2018) - Crypto news got a little boost last week after a dark month of <a href="https://techcrunch.com/2018/11/15/bitcoin-be-careful-what-you-wish-for/" > crashes </a> , <a href="https://techcrunch.com/2018/10/25/as-tether-flails-cryptocurrency-exchanges-launch-rival-stablecoins/" > stablecoins </a> and <a href="https://techcrunch.com/gallery/happy-10th-birthday-bitcoin/"> birthdays </a> . The SEC ruled that two ICO issuers, CarrierEQ Inc. and Paragon Coin Inc., were in fact selling securities instead of so-called utility tokens. "Both companies have agreed to return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties," wrote Pamela Sawhney of the SEC. "These are the Commission's first cases imposing civil penalties solely for ICO securities offering registration violations." 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="OhioBecomes"> </a> <strong> <a href="https://techcrunch.com/2018/11/25/ohio-becomes-the-first-state-to-accept-bitcoin-for-tax-payments/" > Ohio becomes the first state to accept bitcoin for tax payments </a> </strong> (TechCrunch, 28 Nov 2018) - Starting Monday, businesses in Ohio will be able to pay their taxes in bitcoin - making the state that's high in the middle and round on both ends the first in the nation to accept cryptocurrency officially. Companies that want to take part in the program simply need to go to <a href="https://ohiocrypto.com/">OhioCrypto.com </a> and register to pay in crypto whatever taxes their corporate hearts desire. It could be anything from cigarette sales taxes to employee withholding taxes, <a href="https://www.wsj.com/articles/pay-taxes-with-bitcoin-ohio-says-sure-1543161720?mod=searchresults&page=1&pos=1" > according to a report in The Wall Street Journal </a> , which first noted the initiative. The brainchild of current Ohio state treasurer Josh Mandel, the bitcoin program is intended to be a signal of the state's broader ambitions to remake itself in a more tech-friendly image. Already, Ohio has something of a technology hub forming in Columbus, home to one of the largest venture capital funds in the Midwest, <a href="https://crunchbase.com/organization/drive-capital" target="_blank"> Drive Capital </a> . And Cleveland (the city once called "the mistake on the lake") is trying to remake itself in cryptocurrency's image <a href="https://www.npr.org/2018/11/23/664364583/from-believeland-to-blockland-cleveland-aims-to-be-a-tech-hub" > with a new drive to rebrand the city as "Blockland." 
</a> <a href="">top </a> </p> <p> <a name="JuryDismissed"> </a> <strong> <a href="https://www.theglobeandmail.com/canada/article-jury-dismissed-after-crown-looks-up-jurors-on-linkedin/" > Jury dismissed after Crown looks up jurors on LinkedIn </a> </strong> (The Globe & Mail, 22 Nov 2018) - A prosecutor's use of LinkedIn to conduct background checks on jurors is raising new questions about improper vetting after a second jury in a week was dismissed in Atlantic Canada over the issue. Both cases - a murder trial, and one of criminal negligence causing death - are now being tried by judge alone after the prosecution was obliged to drop its earlier objection to defence requests for such a trial. The newest instance came on Thursday in an important case in Nova Scotia - the first in that province under a federal Criminal Code provision drafted after the 1992 Westray methane explosion that killed 26 miners in Plymouth, N.S. Elie Hoyeck, the owner of an auto-repair shop, is charged with criminal negligence causing the death of an employee, Peter Kempton, in a 2013 vehicle fire. The 2004 "Westray law" says that anyone who directs another person in a task must take reasonable steps to ensure the person's safety. The earlier instance was revealed in a ruling on Monday in a high-profile case in New Brunswick - the retrial of Dennis Oland, charged with second-degree murder of his wealthy father, Richard. He had been found guilty in 2015, but an appeal court set aside the conviction and ordered a new trial in 2016. A police officer conducted checks in a local police database with information on all police contacts (as a witness, complainant, or suspect), and did not share the information with Mr. Oland's defence team. A judge dismissed the jury and declared a mistrial; a new trial started Tuesday. Vancouver lawyer Eric Gottardi, the past chair of the Canadian Bar Association's criminal-justice section, said that even one or two such cases are concerning. 
"You have to think it's like the tip of an iceberg just because of how unlikely it is that these practices would come to light," he said in an interview. It is not a new area of law, and the message is clear to police and prosecutors about what they may and may not do. In 2012, the Supreme Court of Canada ruled that prosecutors and police must share with defence lawyers anything they find inadvertently when checking whether potential jurors have criminal records. It made a similar ruling in 1997. The idea is that the prosecution should not have an advantage over the defence, or interfere with jurors' privacy. <a href="">top </a> </p> <p> <a name="FrenchTax"> </a> <strong> <a href="https://www.techdirt.com/articles/20181119/21244441075/french-tax-officials-to-start-digging-through-social-media-posts-expensive-cars-it-thinks-you-cant-afford.shtml" > French tax officials to start digging through social media posts for expensive cars it thinks you can't afford </a> </strong> (TechDirt, 26 Nov 2018) - In a weird announcement threatening the commencement of pointless government monitoring, a French official <a href="https://www.reuters.com/article/us-france-taxes-socialmedia/france-to-hunt-for-tax-cheats-on-social-media-idUSKCN1NF0JH" target="_blank" > says tax cheats will now be outed by their own selfies </a> . (via <a href="https://reason.com/blog/2018/11/16/brickbat-tmi" target="_blank"> Reason </a> ): <em> France's tax administrators will start searching through social media accounts in early 2019, a pilot project in the fight against tax avoidance, Budget Minister Gerald Darmanin told weekly business TV show Capital. </em> <em>[...] </em> <em> "(The fiscal administration) will be able to see that if you have numerous pictures of yourself with a luxury car while you don't have the means to own one, then maybe your cousin or your girlfriend has lent it to you... or maybe not," Darmanin said. 
</em> I guess French tax collectors will be scrolling through social media profiles with lists of tax dodgers and a keen appraiser's eye. There may be several reasons people have expensive items showcased on social media, and not all of them will have anything to do with ill-gotten net gains. A very common internet pastime is presenting your life as more exciting, dynamic, and filled with material goods than it actually is. <a href="https://www.hotcars.com/20-people-who-tried-photoshopping-themselves-onto-cars-and-it-didnt-go-so-well/" target="_blank" > Photoshop may be involved </a> . Some of what tax officials come across will be evidence of nothing more than self-esteem issues. <a href="">top </a> </p> <p> <a name="OnlineDispute"> </a> <strong> <a href="https://www.lawyersweekly.com.au/wig-chamber/24535-online-dispute-resolution-bolstering-access-to-justice" > Online dispute resolution bolstering access to justice </a> </strong> (Lawyers Weekly/Australia, 27 Nov 2018) - Despite the reluctance many jurisdictions have about utilising tech in dispute resolution matters, the chair of Canada's Civil Resolution Tribunal has shared how doing so has aided in the country's access to justice crisis. Speaking to Lawyers Weekly ahead of her appearance at last week's ODR: The State of the Art International Symposium, the tribunal's chair Shannon Salter spoke about what has been described as the access to justice crisis and the need for the development of creative solutions to combat the problem. Ms Salter said this is what led Canada's British Columbia to develop The Civil Resolution Tribunal (CRT) - Canada's first online tribunal. 
* * * <a href="">top </a> </p> <p> <a name="Pennsylvania"> </a> <strong> <a href="https://www.natlawreview.com/article/pennsylvania-supreme-court-recognizes-common-law-duty-to-safeguard-employees" > Pennsylvania Supreme Court recognizes Common Law duty to safeguard employees' personal data </a> </strong> (Nat'l Law Review, 27 Nov 2018) - The Pennsylvania Supreme Court has drastically changed the data breach litigation landscape by <a href="https://response.ballardspahr.com/email_handler.aspx?sid=4a74b4f1-323c-450c-9e9b-e2775ff30cb4&redirect=http%3a%2f%2fwww.pacourts.us%2fassets%2fopinions%2fSupreme%2fout%2fMajority+Opinion++VacatedRemanded++10378165044604409.pdf%3fcb%3d1" > holding </a> that an employer has a common law duty to use reasonable care to safeguard its employees' personal information stored on an internet-accessible computer. The court further held that Pennsylvania's economic loss doctrine permits recovery for "purely pecuniary damages" on a negligence claim premised on a breach of such a duty. This decision is likely to have a very significant impact on cybersecurity-related litigation in and beyond Pennsylvania, as negligence is now a viable cause of action for inadequate data security under Pennsylvania law. The court rejected the notion that it was creating a "new affirmative duty" under common law, and instead held that it was applying the "existing duty to a novel factual scenario." The plaintiffs alleged that-as a condition of employment at UPMC-they were required to provide certain financial and personal information. They further alleged that UPMC collected and stored that information on its internet-accessible computer system without the use of adequate security measures, including proper encryption, adequate firewalls, or adequate authentication protocols. 
The court held that where an employer's affirmative collection of employee personal information creates a foreseeable risk of a data breach (even by cybercriminals), the employer has a duty of reasonable care to secure its employees' personal information "against an unreasonable risk of harm arising out of [the employer's data collection practices]." UPMC should have realized, the court concluded, that "a cybercriminal might take advantage of the vulnerabilities in UPMC's computer system and steal [its employees'] information; thus, the data breach was 'within the scope of the risk created by' UPMC." As to the 'duty' element of the negligence claim, "the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect [its employees'] personal and financial information from that breach." <a href="">top </a> </p> <p> <a name="WhenTheInterner"> </a> <strong> <a href="https://gizmodo.com/when-the-internet-archive-forgets-1830462131" > When the Internet Archive forgets </a> </strong> (Gizmodo, 28 Nov 2018) - On the internet, there are certain institutions we have come to rely on daily to keep truth from becoming nebulous or elastic. Not necessarily in the way that something stupid like <a href="https://gizmodo.com/tag/verrit">Verrit </a> aspired to, but at least in confirming that you aren't losing your mind, that an old post or article you remember reading did, in fact, actually exist. It can be as fleeting as using Google Cache to grab a quickly deleted tweet, but it can also be as involved as doing a deep dive of a now-dead site's archive via the Wayback Machine. But what happens when an archive becomes less reliable, and arguably has legitimate reasons to bow to pressure and remove controversial archived material? 
A few weeks ago, while recording my podcast, the topic turned to the old blog written by The Ultimate Warrior, the late bodybuilder turned chiropractic student turned pro wrestler turned ranting conservative political speaker under his legal name of, yes, "Warrior." As <a href="https://deadspin.com/the-ultimate-warrior-was-an-insane-dick-1561275496#_ga=2.164286911.1891823263.1543243795-4193545961.1521480663" target="_blank" > described by Deadspin's Barry Petchesky </a> in the aftermath of Warrior's 2014 passing, he was "an insane dick," spouting off in blogs and campus speeches about people with disabilities, gay people, New Orleans residents, and many others. But when I went looking for a specific blog post, I saw that the blogs were not just removed, the site itself was <a href="http://web.archive.org/web/*/www.ultimatewarrior.com" target="_blank" > no longer </a> in the Internet Archive, replaced by the error message: "This URL has been excluded from the Wayback Machine." <a href="https://twitter.com/mongo_ebooks/status/1029937437928312832" target="_blank" > Apparently </a> , Warrior's site had been de-archived for months, not long after <a href="https://sports.vice.com/en_us/article/59y3nb/wwe-is-whitewashing-the-ultimate-warriors-bigoted-past" target="_blank" > Rob Rousseau pored over it for a Vice Sports article </a> on the hypocrisy of WWE using Warrior's image for their Breast Cancer Awareness Month campaign. 
The campaign was all about getting women to "Unleash Your Warrior," <a href="https://www.businesswire.com/news/home/20171003005874/en/WWE%C2%AE-Susan-G.-Komen%C2%AE-Encourage-%E2%80%9CUnleash-Warrior%E2%80%9D" target="_blank" > complete </a> <a href="http://archive.is/5rauL" target="_blank">with </a> <a href="https://www.youtube.com/watch?v=uDS55nEsWaY" target="_blank"> an </a> <a href="http://archive.is/ktDws" target="_blank">Ultimate </a> <a href="https://www.youtube.com/watch?v=aqHT-ZLvApE" target="_blank"> Warrior </a> <a href="https://www.youtube.com/watch?v=gvk4tvborw0" target="_blank"> motif </a> , but since Warrior's blogs included wishing death on a cancer-survivor, this wasn't a good look. Rousseau was struck by how the archive was removed "almost immediately after my piece went up, like within that week," he told Gizmodo. * * * <a href="">top </a> </p> <p> <a name="GCHQ"> </a> <strong> <a href="https://www.zdnet.com/article/gchq-we-dont-tell-tech-companies-about-every-software-flaw/" > GCHQ: We don't tell tech companies about every software flaw </a> </strong> (ZDnet, 29 Nov 2018) - The UK intelligence service has revealed how it chooses which security vulnerabilities to reveal to technology vendors -- and which aren't disclosed because the UK's national interest is better served by what GCHQ describes as 'retaining' the knowledge. For the first time ever, GCHQ and its cyber arm the National Cyber Security Centre (NCSC) have revealed the process that is used to determine if a vulnerability is disclosed or not disclosed when discovered. It ultimately means that sometimes GCHQ won't tell a company if their software is vulnerable to cyber attacks and hacking if it's deemed to be the better option for national security. When a previously unknown vulnerability is discovered, the default position is to disclose it -- but if it serves the national interest, knowledge of the vulnerability may not be disclosed.
GCHQ states that the decision to withhold vulnerabilities is not taken lightly and always involves 'rigorous assessment' by a panel of experts from GCHQ, the NCSC and the Ministry of Defence. <a href="">top </a> </p> <p> - and - </p> <p> <a name="PrinciplesFor"> </a> <strong> <a href="https://www.lawfareblog.com/principles-more-informed-exceptional-access-debate" > Principles for a more informed exceptional access debate </a> </strong> (Lawfare, 29 Nov 2018) - <em> This is part of a <a href="https://www.lawfareblog.com/node/16227/">series of essays </a> from the Crypto 2018 Workshop on Encryption and Surveillance. </em> In any discussion of cyber security, details matter. Unfortunately, it's the details that are missing from the discussion around lawful access to commodity end-to-end encrypted services and devices (often called the "going dark" problem). Without details, the problem is debated as a purely academic abstraction concerning security, liberty, and the role of government. There is a better way that doesn't involve, on one side, various governments, and on the other side lawyers, philosophers, and vendors' PR departments continuing to shout at each other. If we can get all parties to look at some actual detail, some practices and proposals-without asking anyone to compromise on things they fundamentally believe in-we might get somewhere. As commodity technology starts to really drive the evolution of our daily lives and more of our personal data, our industry and our economy are on the internet, we will repeatedly run into challenges of how to explain complex and subtle technical concepts to non-experts. That's likely to cover everything from how the internet economy could affect personal privacy through how the mass of data our smart stuff will be generating affects national security to how agencies charged with public protection can do their job in a way that meets the public's expectation.
To do that, we need to have open and honest conversations between experts that can inform the public debate about what's right and we'll need a framework in which to do that. We hope the U.K.'s principles for access to encrypted services may help start that off. These are not intended as general principles for government access to data covering every case; and they do not address the 'discovery' problem around how governments establish which services and identities are being used by criminals and other valid targets. They're specifically for mass-scale, commodity, end-to-end encrypted services, which today pose one of the toughest challenges for targeted lawful access to data and an apparent dichotomy around security. * * * <a href="">top </a> </p> <p> <a name="MakingAransomeware"> </a> <strong> <a href="https://www.bleepingcomputer.com/news/security/making-a-ransomware-payment-it-may-now-violate-us-sanctions/#.XAUmiyVQifo.twitter" > Making a ransomware payment? It may now violate US sanctions </a> </strong> (Bleeping Computer, 30 Nov 2018) - Thinking about making a ransomware payment? If so, you may want to think twice before doing so as it could land you in trouble for violating U.S. government sanctions. This week the Department of Justice unsealed a grand jury indictment against hackers allegedly responsible for the <a href="https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/" target="_blank" > SamSam Ransomware </a> . As part of this indictment, for the first time the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) also publicly attributed cryptocurrency addresses to individuals who were involved in converting ransomware cryptocurrency payments to fiat currency.
"While OFAC routinely provides identifiers for designated persons, today's action marks the first time OFAC is publicly attributing digital currency addresses to designated individuals" stated the Department of Treasury's <a href="https://home.treasury.gov/news/press-releases/sm556" target="_blank" > announcement </a> . In this particular case, the cryptocurrency addresses are being attributed to Iran-based individuals named <a href="https://sanctionssearch.ofac.treas.gov/Details.aspx?id=7343" target="_blank" > Ali Khorashadizadeh </a> and <a href="https://sanctionssearch.ofac.treas.gov/Details.aspx?id=7344" target="_blank" > Mohammad Ghorbaniyan </a> who the U.S. government states have facilitated the exchange of ransomware payments into Iranian Rial. The addresses attributed to these individuals are <a href="https://www.blockchain.com/btc/address/1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V" target="_blank" > 1AjZPMsnmpdK2Rv9KQNfMurTXinscVro9V </a> and <a href="https://www.blockchain.com/btc/address/149w62rY42aZBox8fGcmqNsXUzSStKeq8C" target="_blank" > 149w62rY42aZBox8fGcmqNsXUzSStKeq8C </a> and contain a combined total of 5,901 bitcoins. At the current prices of bitcoins this is equivalent to over $23 million USD. <a href="">top </a> </p> <p> <a name="SecretService"> </a> <strong> <a href="https://www.aclu.org/blog/privacy-technology/surveillance-technologies/secret-service-announces-test-face-recognition" > Secret Service announces test of face recognition system around White House </a> </strong> (ACLU, 4 Dec 2018) - In yet another step toward the normalization of facial recognition as a blanket security measure, last week the Department of Homeland Security published details of a U.S. Secret Service plan to test the use of facial recognition in and around the White House. 
According to the <a href="https://www.dhs.gov/publication/dhsussspia-024-facial-recognition-pilot" > document </a> , the Secret Service will test whether its system can identify certain volunteer staff members by scanning video feeds from existing cameras "from two separate locations on the White House Complex, and will include images of individuals passing by on public streets and parks adjacent to the White House Complex." The ultimate goal seems to be to give the Secret Service the ability to track "subjects of interest" in public spaces. <a href="">top </a> </p> <p> <a name="TheSneakyFight"> </a> <strong> <a href="https://www.wired.com/story/spectrum-comcast-telecom-fight-win-free-speech/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > The sneaky fight to give cable lines free speech rights </a> </strong> (Susan Crawford, Wired, 4 Dec 2018) - It seems counterintuitive that a phone line could be a "speaker." But the cable industry very much wants to ensure that the act of transmitting speech from Point A to Point B is protected by the First Amendment, so that making a cable connection carry any speech it isn't interested in amounts to unconstitutional "forced speech." The addition of Justice Brett Kavanaugh to the Supreme Court roster gives the industry a significant boost. In a 2017 DC Circuit <a href="https://www.cadc.uscourts.gov/internet/opinions.nsf/06F8BFD079A89E13852581130053C3F8/$file/15-1063-1673357.pdf" target="_blank" > dissenting opinion </a> , Justice Kavanaugh made it clear that he supports giving internet access providers "speaker" privileges, saying that "the First Amendment bars the Government from restricting the editorial discretion of Internet service providers." <a href="">top </a> </p> <p> <a name="CybersecurityWhos"> </a> <strong> <a href="https://www.thecorporatecounsel.net/blog/2018/12/cybersecurity-whos-fessed-up-to-a-material-weakness.html" > Cybersecurity: Who's fessed up to a "Material Weakness?" 
</a> </strong> (The CorporateCounsel.net, 6 Dec 2018) - The SEC's recent <a href="https://www.thecorporatecounsel.net/blog/2018/10/sec-issues-section-21a-report-on-ceo-impersonator-emails.html" > Cyber 21(a) Report </a> highlighted cybersecurity internal control shortcomings at 9 different companies. This <a href="https://www.auditanalytics.com/blog/sec-registrants-with-poor-cyber-controls/" > Audit Analytics blog </a> looks at which companies have disclosed a "material weakness" following a data breach. This excerpt says that not many have: <em> The investigative report stopped short of recommending any enforcement action and did not name the companies that were investigated. Moreover, the report does not provide sufficient details to determine the identity of the companies. Although we are unable to identify the companies, we were curious whether we can find similar cases. Using Audit Analytics' cyber breaches dataset, we looked at recent examples & disclosures of companies that fell victim to the attacks described in the report. In total, we looked at nine companies that disclosed incidents of similar breaches. Six of these companies disclosed the breaches in filings furnished with the SEC, though only one made the disclosure in a current report (8-K). Of the six companies that disclosed their cyber breaches in SEC filings, just three disclosed that the breach rose to the level of a material weakness in the companies' internal controls. </em> The blog also reviews the disclosures made by companies that determined a material weakness existed following a data breach.
<a href="">top </a> </p> <p> <a name="FourTips"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/12/07/four-tips-for-law-firms-in-responding-to-overreaching-client-audits/?kw=Four%20Tips%20for%20Law%20Firms%20in%20Responding%20to%20Overreaching%20Client%20Audits&et=editorial&bu=ALMcyberSecure&cn=20181214&src=EMC-Email&pt=cyberSecureNews" > Four tips for law firms in responding to overreaching client audits </a> </strong> (Law.com, 7 Dec 2018) - As you know, there can be a lot of effort on the law firm's end in responding to these security inquiries. How do legal IT professionals identify scenarios where clients are overreaching reasonable bounds of information or action? In cases of overreaching, how should a firm respond to the client? These are all areas where law firms may struggle, as reputation among other clients, professional responsibility concerns, or even bar admittance could be on the line if managed poorly. Here are four tips to better enable your firm to handle these inquiries. * * * <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://www.lawfareblog.com/teaching-cybersecurity-law-and-policy-my-revised-62-page-syllabusprimer" > Teaching Cybersecurity Law and Policy: My Revised 62-Page Syllabus/Primer </a> </strong> (UT's Bobby Chesney, 4 Dec 2018) - Cybersecurity law and policy is a fun subject to teach. There is vast room for creativity in selecting topics, readings and learning objectives. But that same quality makes it difficult to decide what to cover, what learning objectives to set, and which reading assignments to use. With support from the Hewlett Foundation, I've spent a lot of time in recent years wrestling with this challenge, and last spring I posted the initial fruits of that effort in the form of a massive "syllabus" document. Now, I'm back with version 2.0. . 
At 62 pages (including a great deal of original substantive content, links to readings, and endless discussion prompts), it is probably most accurate to describe it as a hybrid between a syllabus and a textbook. Though definitely intended in the first instance to benefit colleagues who teach in this area or might want to do so, I think it also will be handy as a primer for anyone-practitioner, lawyer, engineer, student, etc.-who wants to think deeply about the various substrands of this emergent field and how they relate to one another. <a href="">top </a> </p> <p> - and - </p> <p> <strong> <a href="http://peterswire.net/wp-content/uploads/Pedagogic-cybersecurity-framework.pdf" > Privacy and Security: A Pedagogic Cybersecurity Framework </a> </strong> (Peter Swire, Oct 2018) - This column proposes a Pedagogic Cybersecurity Framework (PCF) for categorizing and teaching the jumble of non-code yet vital cybersecurity topics. From my experience teaching cybersecurity to computer science and other majors at Georgia Tech, the PCF clarifies how the varied pieces in a multidisciplinary cybersecurity course fit together. The framework organizes the subjects that have not been included in traditional cybersecurity courses, but instead address cybersecurity management, policy, law, and international affairs. <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.fiercewireless.com/europe/nbc-offers-wide-online-access-for-beijing-olympics" > NBC offers wide online access for Beijing Olympics </a> </strong> (Washington Post, 28 June 2008) - NBC is making more than 2,200 hours of live competition from Beijing available online, giving Olympic junkies more action than they could ever devour in a day. 
After barely tipping its toe in the digital world during past Olympics, the network will dive into the deep end: live blogging, 3,000 hours of highlights on demand, daily recaps and analysis and even fantasy league gaming. That's in addition to the 1,400 hours of coverage planned on six television networks, more than the combined total of every previous Summer Olympics. NBC's digital plans, however, have angered media outlets that worry the company is being heavy-handed in enforcing its rights to exclusive Olympic access. There's been some brewing tension about the rights of other media organizations to cover the event; NBC paid $3.5 billion to the International Olympics Committee to televise the five Olympics through Beijing. Other TV networks have a limited window in which to show Olympics highlights, but no video of Olympic events is permitted to be shown on any Web site besides NBCOlympics.com. NBC has allowed video of Olympic trials events to be shown on other Web sites, but each site is required to link to NBCOlympics.com. All of that video must come down Aug. 7, the day before the Beijing Games start. That's going to limit the ability of Swimming World magazine, which has a heavy online component, to offer material to its users, said Brent Rutemiller, the magazine's publisher. He's also upset that limits have been placed on where other organizations can interview athletes, and that they were extended to coaches and officials. <a href="">top </a> </p> <p> <strong> <a href="http://www.abajournal.com/news/article/biglaw_firm_recruits_on_facebook" > Biglaw firm recruits on Facebook </a> </strong> (ABA Journal, 26 August 2008) - Screen shot of firm's Facebook page. Looking for a way to better promote itself to the next generation of lawyers, Curtis, Mallet-Prevost, Colt & Mosle has launched a Facebook page as part of its broader law school recruiting efforts. 
"We are pleased to be capitalizing on the popularity of the most widely used social networking site," Nancy Delaney, a Curtis partner who is a member of the firm's personnel committee, says in a release (PDF) about the page. "As a Firm, we recognized the power of this format of communication and the wide use being made of it by future lawyers." As of this posting, the page had 32 fans. The page promotes the 178-year-old firm with historical information and the benefits of starting a career in New York. It also includes links to news, awards, policies and questions and answers about other office locations and on-campus schedules. On his LawSites blog, Robert Ambrogi posits that Curtis may be the first Am Law 200 firm to feature Facebook as a central recruiting tool. <a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-64073645695632096122018-11-17T07:16:00.000-05:002018-11-17T07:16:03.148-05:00MIRLN --- 28 Oct - 17 Nov 2018 (v21.15)<p> <a name="TOP"> </a> MIRLN --- 28 Oct - 17 Nov 2018 (v21.15) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_28_oct_17_nov_2018_v2115/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENT"> </a> <h3> ANNOUNCEMENT </h3> </p> <p> MIRLN began in 1997 and I've have published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN's last. (With curated Twitter/RSS feeds you may not miss it at all.) It's been fun; thanks for reading! 
<a href="">top </a> </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> Ohio's new cybersecurity law: creating a data breach safe harbor </a> </li> <li> <a href="">FTC offers small businesses free cybersecurity resources </a> </li> <li> <a href=""> Law firm cybersecurity: Are your vendors posing the threat of a data breach? </a> </li> <li> <a href=""> Solo, small firms are concerned about the cloud's confidentiality and security </a> </li> <li> <a href=""> The Vote With Me app looks up your contacts' voting records </a> </li> <li> <a href=""> Project provides access to all US case law, covering 360 years </a> </li> <li> <a href=""> SEC Section 21(a) report focuses on cyber threats and internal accounting controls - measures to consider taking to mitigate risk </a> </li> <li> <a href=""> US-CERT issues guide on how to properly dispose of your electronic devices </a> </li> <li> <a href=""> Copyright Office extends anti-circumvention DMCA exemptions to all filmmakers, not just documentarians </a> </li> <li> <a href="">'Modern-day neighborhood watch' </a> </li> <li> <a href=""> The DEA and ICE are hiding surveillance cameras in streetlights </a> </li> <li> <a href=""> West Virginians abroad in 29 countries have voted by mobile device, in the biggest blockchain-based voting test ever </a> </li> <li> <a href="">Flickr says it won't delete Creative Commons photos </a> </li> <li> <a href=""> As state actors continue to wage cyberwar on the United States, they have a powerful ally-gaps and ambiguities in the law </a> </li> <li> <a href=""> Pentagon draws back the veil on APT malware with sudden embrace of VirusTotal </a> </li> <li> <a href=""> The New York Times turns to Google Cloud to digitize its photo archive </a> </li> <li> <a href=""> Judges need not recuse themselves just because they are Facebook "friends" with a lawyer </a> </li> </ul> <p> <a name="Ohio"> </a> <strong> <a 
href="https://www.mayerbrown.com/ohios-new-cybersecurity-law-creating-a-data-breach-safe-harbor-10-23-2018/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original" > Ohio's new cybersecurity law: creating a data breach safe harbor </a> </strong> (Mayer Brown, 23 Oct 2018) - Policymakers long have wrestled with how to enhance private-sector cybersecurity without imposing prescriptive one-size-fits-all requirements that undermine effective cyber risk management. With the passage of its Cybersecurity Safe Harbor Act (the "Act") on August 3, 2018, Ohio has enacted legislation-the first of its kind-that is intended to use the promise of relief from legal liability to incentivize companies to adopt appropriate cyber protections. Specifically, the Act gives companies that take certain steps to create, maintain and comply with a written cyber program an affirmative defense to data breach claims sounding in tort (such as negligence) brought under the laws or in the courts of Ohio. It remains to be seen whether the Act will have a practical impact on companies' approaches to cyber risk management or their liability exposure after a data breach. The Act nonetheless is important because it suggests a new approach to the regulation of cybersecurity practices and liability after a data breach. * * * <a href="">top </a> </p> <p> <a name="FTCoffers"> </a> <strong> <a href="https://www.darkreading.com/vulnerabilities---threats/ftc-offers-small-businesses-free-cybersecurity-resources/d/d-id/1333134" > FTC offers small businesses free cybersecurity resources </a> </strong> (DarkReading, 26 Oct 2018) - The Federal Trade Commission's (FTC) newly launched national initiative to educate small business owners about cybersecurity threats and defenses began with a "listening tour" last year. 
What it learned became the foundation for the agency's new Cybersecurity for Small Business website and related resources, which draw from a dozen different security topics FTC officials gathered from its discussions with small and midsize business (SMB) owners nationwide, said Jon Miller Steiger, director of the FTC's East Central Region, who spoke at the <a href="https://www.centralvirginia.org/events/2018-cybersecurity-conference/" target="_blank" > 2018 Cyber Security Conference </a> for small businesses in Charlottesville, Va., earlier this week. Among their hot-button concerns, Steiger said, are their ability to train employees properly for security awareness, cyberthreats, and human error leading to a cyberattack. "They want to get one unified message from the federal government" on cybersecurity as well, he said. The <a href="https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity" target="_blank" > new website </a> , created in cooperation with the US Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), was officially launched on Oct. 18. It includes cybersecurity basics and best practices including the <a href="https://www.darkreading.com/application-security/half-of-small-businesses-believe-theyre-not-cybercrime-targets/d/d-id/1332656" target="_blank" > NIST cybersecurity framework for SMBs </a> , and covers security threats, such as phishing, ransomware, email spoofing, and tech support scams. The FTC site also includes free resources, such as quizzes and educational videos. <a href="">top </a> </p> <p> - and - </p> <p> <a name="LawFirmCybersecurity"> </a> <strong> <a href="https://www.natlawreview.com/article/law-firm-cybersecurity-are-your-vendors-posing-threat-data-breach" > Law firm cybersecurity: Are your vendors posing the threat of a data breach? 
</a> </strong> (Nat'l Law Review, 30 Oct 2018) - If you've been paying attention, chances are your law firm security is up-to-date and fairly strong. While that takes care of the firm itself, <a href="https://www.natlawreview.com/article/law-firms-guide-to-selecting-cloud-based-vendor" target="_blank" > these days it is just as important that your cybersecurity policy takes into account the cybersecurity of your vendors. </a> "A responsible firm must also reduce the risk of a data breach at their third-party vendors," according to <a href="https://www.law.com/2018/05/17/vendor-risk-management-for-law-firms-7-steps-to-success/?slreturn=20180923202318" > Ishan Girdhar, CEO and founder of Privva </a> , a cloud-based platform that streamlines the data security assessment process throughout the value chain. * * * Girdhar's article " <a href="https://www.law.com/2018/05/17/vendor-risk-management-for-law-firms-7-steps-to-success/" target="_blank" > Vendor Risk Management for Law Firms: 7 Steps to Success </a> ," lists the following steps needed to be included in cybersecurity policy for law firms: * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="SoloSmall"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/11/13/solo-small-firms-are-concerned-about-the-clouds-confidentiality-and-security/?printer-friendly/" > Solo, small firms are concerned about the cloud's confidentiality and security </a> </strong> (Law.com, 13 Nov 2018) - In the lead-up to its scheduled January release of its annual Legal Technology Survey Report, the American Bar Association recently released a <a href="https://www.lawtechnologytoday.org/2018/11/techreport-2018-solo-and-small-firm/" > report </a> examining the tech usage of solo lawyers and small firms with two to nine lawyers. In the report, 63 percent of all lawyer-respondents who use cloud technology said they are concerned about cloud-based services' confidentiality and security. 
Among those not using cloud-based services, confidentiality and security (56 percent) and lack of control over the data (40 percent) were cited as key barriers preventing them from using the technology. To be sure, cloud technology has been adopted by many solo lawyers and lawyers in small firms alike. The ABA reported 59 percent of solo practitioners and 58 percent of lawyers in small firms use cloud-based computing for their work. On the cybersecurity front, the report found that 14 percent of solos and 24 percent of small law firms said they experienced a breach. Of those, 66 percent of solos and 65 percent of small firms said no significant business disruption or loss occurred due to the breach. About half, 51 percent of lawyers in small law firms, said they had data retention policies, while only 33 percent of solo practitioners reported the same. The ABA also found that most, 70 percent, of solo practitioners and 63 percent of small firms don't use password management tools. But most firms surveyed said they were required under <a href="https://www.law.com/legaltechnews/2018/10/25/states-require-lawyers-to-have-tech-competency-but-observers-see-some-struggling/" > ethical competency rules </a> to stay abreast of the benefits and risks of technology, which may fuel faster technology retention by lawyers. <a href="">top </a> </p> <p> <a name="TheVoteWithMe"> </a> <strong> <a href="https://www.buzzfeednews.com/article/katienotopoulos/vote-with-me-app-friends-registered-vote-privacy" > The Vote With Me app looks up your contacts' voting records </a> </strong> (BuzzFeed, 29 Oct 2018) - The app <a href="https://votewithme.us/about.html" target="_blank">Vote With Me </a> connects to your phone's contact list and matches names and phone numbers with state voter rolls - telling you which party your friends are registered to and which of the last elections they actually voted in.
The idea is that you can use this information to encourage friends to go vote, and will prewrite a text message to them through the app. Great, right? Except that upon deeper reflection, I found this creepy and believe it's a strange invasion of my and my friends' privacy. Just because the voter records of our friends (or really, anyone on our phones, which is a lot of random people!) are a matter of public record doesn't mean they expect other people to look for them. Even weirder is getting a text from someone telling you that they saw you didn't vote in the last election! Mikey Dickerson, executive director of The New Data Project, the non-profit group that made Vote With Me, says that he knows his app might seem a little, well, creepy to some people, but he's ok with that. "Establishing the social norm of voting is important enough that a little bit of discomfort is warranted," he told BuzzFeed News. "It feels new because it hasn't been easy to have [voter records] publicly viewed before, but we think that's for the public good." Voter rolls are technically a matter of public record, but it's not easy to look up your friends' information. There simply isn't a single free website where you can enter a name and get a voter record. There's <a href="https://voterrecords.com/" target="_blank">voterrecords.com </a>, but it only covers 14 states plus D.C. On certain official state websites, you can look up registrations, but only if you know extra information like a person's actual full name and, say, their zip code or birth date. And all of these just say if you're registered or not, not which years you voted. (Who you voted for is, of course, always secret and not part of any of this information.) Vote With Me gets its info by paying for a licensed set of records from a commercial entity that provides this as a service to campaigns or other groups. 
In a <a href="https://medium.com/ndp-annotations/introducing-votewithme-1db7bb8f22" target="_blank" > Medium post </a> , the group that made Vote With Me called the Project describeshow they obtained the voter data: "Campaigns have used these records for decades, and sometimes have taken steps to prevent you from realizing it. We feel that as long as this data exists, regular people not on a political payroll should be able to see and use it, too." <a href="">top </a> </p> <p> <a name="ProjectProvides"> </a> <strong> <a href="https://www.lawsitesblog.com/2018/10/project-provides-access-u-s-case-law-covering-360-years.html" > Project provides access to all US case law, covering 360 years </a> </strong> (Robert Ambrogi, 29 Oct 2018) - Launching today is the capstone to a massive project executed over the last three years to digitize all U.S. case law, some 6.4 million cases dating all the way back to 1658, a span of 360 years. The <a href="https://case.law/">Caselaw Access Project </a> site launching today makes all published U.S. court decisions freely available to the public in a consistent digitized format. The site is the product of a partnership <a href="https://www.lawsitesblog.com/2015/10/huge-news-harvard-law-and-ravel-law-team-up-to-digitize-all-u-s-case-law.html" > started in 2015 </a> between Harvard Law School's <a href="https://lil.law.harvard.edu/">Library Innovation Lab </a> and legal research service <a href="https://home.ravellaw.com/">Ravel Law </a> to digitize Harvard's entire collection of U.S. case law, which Harvard says it the most comprehensive and authoritative database of American law and cases available anywhere outside the Library of Congress. The collection includes all federal and state courts, and all territorial courts for American Samoa, Dakota Territory, Guam, Native American Courts, Navajo Nation, and the Northern Mariana Islands. For now, the collection is text only, although Harvard plans to add images at a later time. 
<a href="">top </a> </p> <p> <a name="SECsection21"> </a> <strong> <a href="https://www.jdsupra.com/legalnews/sec-section-21-a-report-focuses-on-43918/?utm_source=eloqua&utm_medium=email_58731&utm_campaign=27393" > SEC Section 21(a) report focuses on cyber threats and internal accounting controls - measures to consider taking to mitigate risk </a> </strong> (MoFo, 30 Oct 2018) - The Securities and Exchange Commission's October 16, 2018 Section 21(a) report focusing on public companies victimized by cyber-related attacks underscores the importance of devising and implementing proper internal accounting controls with an eye on addressing such cyber threats. The report, after detailing the SEC Enforcement Division's investigations of nine public companies that had lost millions of dollars as victims of cyber fraud, did not announce any action against the victims of the cyberattacks, but makes clear the Enforcement Division will continue to scrutinize how public companies create and implement internal controls relating to cybersecurity. <a name="_ftnref1"> </a> <a href="https://www.mofo.com/resources/publications/181026-sec-section-21a.html#_ftn1" > [1] </a> Indeed, the SEC's press release announcing the report specifically cautioned public companies that they "should consider cyber threats when implementing internal accounting controls." <a name="_ftnref2"> </a> <a href="https://www.mofo.com/resources/publications/181026-sec-section-21a.html#_ftn2" > [2] </a> Section 21(a) reports are not enforcement actions, but the SEC often utilizes such reports to signal an area of emphasis in its enforcement program, with enforcement actions relating to the same subject matter likely to follow. 
For example, the SEC's July 25, 2017 Section 21(a) report known as the "DAO Report," which reminded readers of the federal securities laws' registration requirements and their application to sales of certain "tokens," heralded the SEC's recent spate of enforcement actions relating to crypto-currency transactions. Companies would be wise, therefore, to read the SEC's latest Section 21(a) report as a reminder to revisit their internal accounting controls to ensure compliance with the federal securities laws. The SEC has previously provided guidance on cybersecurity disclosures, cybersecurity risk management, and the insider-trading implications of cybersecurity incidents, <a name="_ftnref3"> </a> <a href="https://www.mofo.com/resources/publications/181026-sec-section-21a.html#_ftn3" > [3] </a> and it has pursued enforcement actions against regulated firms for failure to safeguard customer information in the wake of cybersecurity incidents and companies for alleged delays in the disclosure of a material data breach. The Section 21(a) report focuses on a different dimension of cybersecurity, specifically, cyber fraud schemes targeting public company personnel, and provides a window into how the SEC Enforcement Division would look at whether a company's vulnerabilities to cyber fraud could signal an underlying failure in its internal accounting controls. 
<a href="">top </a> </p> <p> <a name="UScert"> </a> <strong> <a href="https://www.zdnet.com/article/us-cert-issues-guide-on-how-to-properly-dispose-of-your-electronic-devices/" > US-CERT issues guide on how to properly dispose of your electronic devices </a> </strong> (ZDnet, 31 Oct 2018) - This week, the United States Computer Emergency Readiness Team (US-CERT), a division part of the Department of Homeland Security (DHS), has published an <a href="https://www.us-cert.gov/ncas/tips/ST18-005" target="_blank"> official advisory </a> with instructions and recommendations for properly deleting data from electronic devices that a user wishes to dispose of in one form or another. These instructions are universal and can be applied to computers, smartphones, tablets, cameras, media players, external storage devices, and even gaming consoles. Many of these recommendations are also common knowledge for IT industry veterans, but the guide was also written with non-technical users in mind. So let's take a deep dive into the proper device sanitization procedures. * * * <a href="">top </a> </p> <p> <a name="CopyrightOffice"> </a> <strong> <a href="https://www.techdirt.com/articles/20181101/10104240962/copyright-office-extends-anti-circumvention-dmca-exemptions-to-all-filmmakers-not-just-documentarians.shtml" > Copyright Office extends anti-circumvention DMCA exemptions to all filmmakers, not just documentarians </a> </strong> (TechDirt, 2 Nov 2018) - Earlier this year, we wrote a bunch of posts on the Copyright Office's request for comment on changes needed to the DMCA's anti-circumvention exemption list. 
There were lots of interesting submissions, but one that caught my attention was a whole bunch of film association groups, most of them for documentarians, <a href="https://www.techdirt.com/articles/20180228/09561839330/mpaa-opposes-several-filmmaker-associations-request-expanded-circumvention-exemptions.shtml" > advocating </a> that the anti-circumvention exemption they enjoyed to be able to use clips from other films and content be expanded to include filmmakers generally. This would address the copyright industries' cynical attempt to route around Fair Use usage by filmmakers by simply locking up their content behind all kinds of DRM that, unless you're a documentarian, you can't circumvent. The MPAA, as you would expect, said that allowing for this would kick off "widespread hacking" of all the DVDs on the planet, while all it was really concerned about was the licensing agreements it was able to secure by filmmakers who didn't want to violate the DMCA to get the Fair Use clips they wanted. Well, the Copyright Office made its decision and the <a href="https://www.law.com/therecorder/2018/10/31/copyright-office-broadens-dmca-exemption-for-filmmakers/" > exemption will now be offered to filmmakers en masse </a> . <a href="">top </a> </p> <p> <a name="ModernDay"> </a> <strong> <a href="https://www.candgnews.com/news/modernday-neighborhood-watch-110616" > 'Modern-day neighborhood watch' </a> </strong> (C&G Newspapers, 5 Nov 2018) - Each year, criminals get a little smarter and more advanced in their scheming. You know it's true - you've got a chip in your credit card, a mind-numbingly complex login password, and a missed call log full of spoofed "local" numbers from overseas scam callers to prove it. The only way to fight unlawful technology is with gadgets for good. Police departments across the country are taking advantage of the growing availability of surveillance systems to keep a closer eye on neighborhoods.
Several weeks ago, Bloomfield Township police launched a registry list for homeowners and businesses with outdoor surveillance systems called Extra Eyes. Residents and business owners simply add their address and phone number to the list, and if police investigate a crime in their neighborhood, they could be called to see if their camera system recorded anything suspicious. * * * Aside from a lack of awareness, Pizzuti said he's had an issue with explaining the program to residents, who mistakenly think that by signing up they are granting the department access to their camera systems. "That's not true at all. We couldn't have access to your cameras, nor would we want it," he explained. "This is just a faster way for us to see who in the area has cameras, instead of us canvassing neighborhoods one home at a time looking for (witnesses)." How Extra Eyes works is this: When a crime is committed and police begin to investigate, officers would normally go door to door looking for clues, asking neighbors if they'd seen anything that could be helpful to the case. With the registry, officers can see who in the area might have surveillance cameras and they can contact the owners for help. "It can work one of two ways: They can view the camera themselves and tell us if they saw anything suspicious. Maybe we can say, 'Did you see this vehicle go by at this time?' Or they can offer for us to come over and take a look at the footage with them. We never have direct access. It's more of a modern-day neighborhood watch program." 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="TheDEAandICE"> </a> <strong> <a href="https://qz.com/1458475/the-dea-and-ice-are-hiding-surveillance-cameras-in-streetlights/?utm_source=reddit.com" > The DEA and ICE are hiding surveillance cameras in streetlights </a> </strong> (Quartz, 9 Nov 2018) - The US Drug Enforcement Administration (DEA) and Immigration and Customs Enforcement (ICE) have hidden an undisclosed number of covert surveillance cameras inside streetlights around the country, federal contracting documents reveal. According to <a href="https://www.fpds.gov/ezsearch/fpdsportal?s=FPDSNG.COM&templateName=1.4.4&indexName=awardfull&q=VENDOR_DUNS_NUMBER%3A%22085189089%22" > government procurement data </a> , the DEA has paid a Houston, Texas company called Cowboy Streetlight Concealments LLC roughly $22,000 since June 2018 for "video recording and reproducing equipment." ICE paid out about $28,000 to Cowboy Streetlight Concealments over the same period of time. It's unclear where the DEA and ICE streetlight cameras have been installed, or where the next deployments will take place. ICE offices in Dallas, Houston, and San Antonio have provided funding for recent acquisitions from Cowboy Streetlight Concealments; the DEA's most recent purchases were funded by the agency's Office of Investigative Technology, which is located in Lorton, Virginia. * * * Earlier this week, the DEA <a href="https://www.fbo.gov/index.php?s=opportunity&mode=form&id=cbd0c228d1865f87bc88a949a39f4c63&tab=core&tabmode=list&=" > issued a solicitation for </a> "concealments made to house network PTZ [Pan-Tilt-Zoom] camera, cellular modem, cellular compression device," noting that the government intended to give the contract to Obsidian Integration LLC, an Oregon company with a sizable number of federal law enforcement customers. 
On November 7, the Jersey City Police Department <a href="https://www.cityofjerseycity.com/UserFiles/Servers/Server_6189660/File/2018%20Resolutions/RES%202018%2011%2007.pdf" > awarded a contract to Obsidian Integration </a> for "the purchase and delivery of a covert pole camera." The filing did not provide further design details. * * * In addition to streetlights, the DEA has also placed covert <a href="https://www.fbo.gov/index?s=opportunity&mode=form&id=a0459e93674685daf7c08cfa3db0ed2e&tab=core&tabmode=list&=" > surveillance cameras inside traffic barrels </a> , a purpose-built product <a href="http://www.boundlesssecurity.com/documents/BoundlessSecurity_Rapid_Deployment_Battery-Powered_Covert_Traffic_Barrel_Cellular_Wireless_Digital_Video_Surveillance_System_with_Smartphone_WiFi_Monitoring_flyer.pdf" > offered by </a> a number of manufacturers. And as Quartz <a href="https://qz.com/1400791/that-road-sign-telling-you-how-fast-youre-driving-may-be-part-of-a-us-government-surveillance-network/" > reported last month </a> , the DEA operates a network of digital speed-display road signs that contain automated license plate reader technology within them. <a href="">top </a> </p> <p> <a name="WestVirginians"> </a> <strong> <a href="https://www.washingtonpost.com/technology/2018/11/06/west-virginians-countries-have-voted-by-mobile-device-biggest-blockchain-based-voting-test-ever/?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid&utm_term=.2ff65e2a76b5" > West Virginians abroad in 29 countries have voted by mobile device, in the biggest blockchain-based voting test ever </a> </strong> (WaPo, 6 Nov 2018) - Nearly 140 West Virginians living abroad in 29 countries have cast their election ballots in an unprecedented pilot project that involves voting remotely by mobile device, according to state officials. 
The statewide pilot, which covers 24 of West Virginia's 55 counties, uses a mixture of smartphones, facial recognition and the same technology that underpins bitcoin - the blockchain - in an effort to create a large-scale and secure way for service members, Peace Corps volunteers or other Americans living overseas to participate in the midterm elections. West Virginia is the first state to run a blockchain-based voting project at such a scale, state officials say. And if adopted more widely, the technology could make it easier to vote and potentially reduce long lines at the polls. But many security experts worry that the technology may not be ready for broader use - and could even contain vulnerabilities that risk the integrity of elections. As many as 300,000 U.S. voters located overseas requested ballots in the 2016 elections but failed to submit them. West Virginia sought to solve the problem by turning to Voatz, a company that in January received $2.2 million from Medici Ventures, a blockchain-focused investment firm owned by the online retailer Overstock.com. The Voatz app has been used on a limited basis in a number of other settings, such as student council races and West Virginia's May primary. <a href="">top </a> </p> <p> <a name="FlickrSays"> </a> <strong> <a href="https://techcrunch.com/2018/11/07/flickr-says-it-wont-delete-creative-commons-photos/" > Flickr says it won't delete Creative Commons photos </a> </strong> (TechCrunch, 7 Nov 2018) - Flickr will spare both the Flickr Commons and Creative Commons photos from deletion, the now <a href="https://techcrunch.com/2018/04/20/smugmug-acquires-flickr/"> SmugMug-owned </a> company announced today. However, its new storage limitations on free accounts may impact its use as a home for photos with a Creative Commons license in the future.
When the company <a href="https://techcrunch.com/2018/11/01/flickr-revamps-under-smugmug-with-new-limits-on-free-accounts-unlimited-storage-for-pros/" > unveiled </a> its big revamp last week, one of the immediate <a href="https://techcrunch.com/2018/11/02/flickrs-new-business-model-could-see-works-deleted-from-creative-commons/" > concerns </a> among users was what the changes meant for the Creative Commons photos hosted on Flickr. Under its new management, Flickr decided to stop offering free users a terabyte of storage, and instead will begin charging users who want to host more than 1,000 photos on its site. Users with more than 1,000 photos either had to choose to upgrade to a Pro account to retain those photos on the site or see them deleted. Ryan Merkley, CEO at Creative Commons, expressed some concern last week over what this meant for the millions of CC images hosted on Flickr. Would they be gone, too? Flickr today says the answer is "no." It <a href="https://blog.flickr.net/en/2018/11/07/the-commons-the-past-is-100-part-of-our-future/" > vows </a> not to delete either its own Flickr Commons archive or any photos uploaded with a Creative Commons license before November 1, 2018. The Flickr Commons is a resource consisting of photos from institutions that want to share their digital collections with the world, such as NASA, the National Parks Service, the UK National Archives and The British Library, for example. These organizations were either already Pro account holders or have now received a free Pro account from Flickr, the company says. 
<a href="">top </a> </p> <p> <a name="AsStateActors"> </a> <strong> <a href="http://www.abajournal.com/magazine/article/cyberwar_gaps_ambiguities_law" > As state actors continue to wage cyberwar on the United States, they have a powerful ally-gaps and ambiguities in the law </a> </strong> (Harvey Rishikof, et al., in the ABA Journal, Nov 2018) - A major hack on the firms Cravath, Swaine & Moore and Weil Gotshal & Manges a few years ago was linked to foreign nationals with ties to the Chinese government. Their target? Proprietary client information. In 2014, a group with links to the Russian state energy sector hacked into a website belonging to the British law firm 39 Essex Chambers looking for information. Last year, the Department of Justice opened an investigation into whether the Chinese government had attempted to hack Clark Hill, a law firm representing a Chinese dissident. And those are just the directed assaults. Law firms also are vulnerable to more broad-based attacks. DLA Piper was devastated in 2017 by a ransomware worm that placed nearly 3,600 of their lawyers on temporary lockdown. The worm later was found to be the work of hackers linked to North Korea. Cyber exploitations and attacks happen every day on a global scale. How do we characterize this new cyber reality? Are these network violations criminal activity or espionage? Or are they acts of war? Our existing international laws, domestic statutes and law of armed conflict frameworks, all conceived in the pre-internet age, are struggling to find principles to bring order to our digital era. The legal rules for cyber incidents below the threshold of an "armed attack" live in a gray zone as practitioners and scholars struggle to fill the legal doctrinal gaps on nonintervention under international law. The roles, responsibilities, authorities, accountability or standards for attribution are not universal, and there are no agreed-upon responses or norms for unlawful acts in cyberspace. As the U.S. 
attorney general's 2018 Cyber-Digital Task Force Report makes clear, although many government agencies are working on cybersecurity, and much has been accomplished, the DOJ is "keenly aware" that the current "tools and authorities are not sufficient by themselves" to keep America safe from cyberthreats. * * * <a href="">top </a> </p> <p> <a name="PentagonDraws"> </a> <strong> <a href="https://threatpost.com/pentagon-draws-back-the-veil-on-apt-malware-with-sudden-embrace-of-virustotal/138954/" > Pentagon draws back the veil on APT malware with sudden embrace of VirusTotal </a> </strong> (Threatpost, 8 Nov 2018) - The Pentagon has suddenly started uploading malware samples from APTs and other nation-state sources to the website VirusTotal, which is essentially a malware zoo that's used by security pros and antivirus/malware detection engines to gain a better understanding of the threat landscape. The Cyber National Mission Force (CNMF), which is under the auspices of the U.S. Cyber Command, posted its first malware samples to VirusTotal on Monday, after opening its account there. It also set up a "malware alert" <a href="https://twitter.com/CNMF_VirusAlert/status/1059513836506697728?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1059513836506697728&ref_url=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fus-cyber-command-starts-uploading-foreign-apt-malware-to-virustotal%2F" target="_blank" > Twitter feed </a> to go along with the new effort. No advance announcement of a new initiative accompanied the move, which is unusual for government entities. 
"Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity," CNMF said in a brief <a href="https://www.cybercom.mil/Media/News/News-Display/Article/1681533/new-cnmf-initiative-shares-malware-samples-with-cybersecurity-industry/" target="_blank" > statement </a> . The first <a href="https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/" target="_blank" > two samples </a> are files called rpcnetp.dll and rpcnetp.exe, which are both detected as dropper mechanisms for what was formerly known as the <a href="https://threatpost.com/millions-of-pcs-affected-by-mysterious-computrace-backdoor-2/107700/" target="_blank" > Computrace </a> backdoor trojan, often associated with the Russia-based <a href="https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/" target="_blank" > APT28/Fancy Bear </a> group. "The particular pair of samples, Computrace/LoJack/Lojax, is actually a trojanized version of the legitimate software 'LoJack,' from a company formerly called Computrace (now called Absolute). The trojanized version of the legitimate LoJack software is called LoJax or DoubleAgent," a spokesperson from Chronicle told Threatpost. Releasing such samples is a bold move for a Department of Defense that has long kept its cyber-activities and knowledge very close to the vest, according to Tom Kellermann, chief cybersecurity officer at Carbon Black. "This is a huge leap forward for the cybersecurity community," he told Threatpost. "For too long, the U.S. has over-classified cyber-threat intelligence. This empowers the cybersecurity community to mobilize on clandestine threats in real time, thus aiding the U.S government in protecting and securing American cyberspace." 
[ <strong>Polley </strong>: Bruce Schneier <a href="https://www.schneier.com/crypto-gram/archives/2018/1115.html#cg22"> writes </a> about this: <em> "This feels like an example of the US's new strategy of actively harassing foreign government actors. By making their malware public, the US is forcing them to continually find and use new vulnerabilities." </em> ] <a href="">top </a> </p> <p> <a name="TheNewYorkTimes"> </a> <strong> <a href="https://betanews.com/2018/11/09/new-york-times-google-cloud/"> The New York Times turns to Google Cloud to digitize its photo archive </a> </strong> (BetaNews, 9 Nov 2018) - The New York Times is to digitize more than a century's worth of photographs, and it is going to use Google Cloud to do so. The NYT has a massive collection of photos dating back decades, and the plan is to digitize millions of images -- some dating back to the late nineteenth century -- to ensure they can be accessed by generations to come. The digitization process will also prove useful for journalists who will be able to delve into the archives far more easily in future. <a href="">top </a> </p> <p> <a name="JudgesNeedNot"> </a> <strong> <a href="https://reason.com/volokh/2018/11/15/judges-need-not-recuse-themselves-just-b" > Judges need not recuse themselves just because they are Facebook "friends" with a lawyer </a> </strong> (Volokh Conspiracy, 15 Nov 2018) - "The establishment of a Facebook 'friendship' does not objectively signal the existence of the affection and esteem involved in a traditional 'friendship.'" Indeed, as the court points out in today's <em> <a href="http://www.floridasupremecourt.org/decisions/2018/sc17-1848.pdf" > Law Offices of Herssein & Herssein, P.A. v. United Servs. Auto. 
Ass'n </a> , </em> even traditional "friendship" doesn't always require recusal (though perhaps very close friendship might): Though the court doesn't give these as examples, state and federal Supreme Court Justices are often on close terms with their former clerks, who routinely practice in front of them, and in many small towns all the judges and lawyers may know each other well, especially since judges are usually former local lawyers. Note, though, that these rules vary from state to state; as the majority points out, its position is the dominant view among those states that have considered it, but other states do require recusal in such situations (as the 3-Justice dissent in the Florida Supreme Court would have). <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.ft.com/content/0c82561a-2697-11dd-9c95-000077b07658" > Moody's error gave top ratings to debt products </a> </strong> (Financial Times, 20 May 2008) - Moody's awarded incorrect triple-A ratings to billions of dollars worth of a type of complex debt product due to a bug in its computer models, a Financial Times investigation has discovered. Internal Moody's documents seen by the FT show that some senior staff within the credit agency knew early in 2007 that products rated the previous year had received top-notch triple A ratings and that, after a computer coding error was corrected, their ratings should have been up to four notches lower. 
<a href="">top </a> </p> <p> <strong> <a href="https://www.duanemorris.com/articles/article2863.html"> SEC to require electronic financial reporting in 2009 </a> </strong> (Duane Morris article, 24 June 2008) - Certain companies will soon be required to submit their financial results, including annual and quarterly required submissions, electronically using XBRL, a language for communication of financial data. On May 14, the Securities and Exchange Commission unanimously agreed to propose the mandatory use of this technology, which has been in development since 1998, to ensure that investors receive essential financial information in a more timely fashion, with increased levels of reliability and at a lower cost. This interactive reporting vehicle will not only provide information to investors more rapidly but will aid companies in preparing their financial reporting packages more accurately and efficiently. Interactive data will revolutionize how the SEC collects data and will change the backbone of the financial reporting system, improve analytic capabilities and put vital information at the fingertips of investors. <a href="">top </a> </p> <p> <strong> <a href="https://www.duanemorris.com/alerts/alert2948.html"> SEC provides guidance regarding use of company websites to disclose information for investors </a> </strong> (Duane Morris advisory, 15 August 2008) - The Securities and Exchange Commission (the "SEC") has published an interpretive release, Commission Guidance on the Use of Company Web Sites, Release No. 34-58288 (the "Release"), providing guidance to companies and issuers of securities on the use of company websites to disclose information to investors. 
The Release, which became effective August 7, 2008, is intended to encourage companies to develop their websites in compliance with the federal securities laws so that such websites can serve as effective analytical tools for investors by being a vital source of information about a company's business, financial condition and operations. The Release is intended to provide guidance to those companies that are utilizing websites to supplement their required SEC filings. Since the adoption of the Securities Act of 1933 and the Securities Exchange Act of 1934 (the "Exchange Act"), the foundation of securities regulation in the United States has rested upon timely disclosure of relevant information to investors and the securities markets. Historically, companies have disclosed information to investors and the markets by mailing reports to stockholders, filing periodic reports with the SEC and issuing press releases. As technology has advanced, the Internet, the SEC's Electronic Data Gathering, Analysis and Retrieval ("EDGAR") system, and electronic communications have modernized the disclosure system. More and more investors are turning to the Internet and company websites as their main source of information before making investment decisions. The Release provides guidance to companies posting information on their websites, including (1) when information posted on their website is considered "public" for purposes of the "fair disclosure" requirements of Regulation FD; (2) the application of the antifraud provisions of the federal securities laws to information posted on company websites; (3) the types of controls and procedures advisable with respect to posting information; and (4) the appropriate format of the information presented on the website. 
<a href="">top </a> </p> <p> Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 7-27 Oct 2018 (v21.14) </p> <p> (posted 27 Oct 2018) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_7_29_oct_2018_v2114/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href="">California bill bans bots during elections </a> </li> <li> <a href=""> California bans default passwords on any internet-connected device </a> </li> <li> <a href=""> Microsoft to host the government's classified data early next year </a> </li> <li> <a href="">Can lawyers ethically accept cryptocurrency? </a> </li> <li> <a href=""> New bots from DoNotPay includes one that lets you sue in any small claims court at the press of a button </a> </li> <li> <a href=""> Microsoft makes its 60,000 patents open source to help Linux </a> </li> <li> <a href=""> Amicus brief on burdens of proof for compelled decryption </a> </li> <li> <a href=""> Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets </a> </li> <li> <a href=""> SEC launches new strategic hub for innovation and financial technology </a> </li> <li> <a href="">Cybersecurity: Fortune 100 disclosure practices </a> </li> <li> <a href=""> Federal court ruling in Georgia shows judges have a role to play in election security </a> </li> <li> <a href=""> Real estate lawyers have become big "phish" for cyberfraudsters </a> </li> <li> <a href=""> 3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns </a> </li> <li> <a href=""> Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and 
free to share </a> </li> <li> <a href="">ABA ethics opinion offers guidance on data breaches </a> </li> <li> <a href=""> New copyright exemptions let you legally repair your phone or jailbreak voice assistants </a> </li> </ul> <p> <a name="CaliforniaBill"> </a> <strong> <a href="https://www.scmagazine.com/home/security-news/california-bill-bans-bots-during-elections/" > California bill bans bots during elections </a> </strong> (SC Magazine, 3 Oct 2018) - A California bill that will ban the use of undeclared bots during elections is set to take effect on July 1, 2019, after Gov. Jerry Brown signed it into law Friday. "This bill would, with certain exceptions, make it unlawful for any person to use a bot to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election," according to the <a href="https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB1001" > Senate Bill No. 1001 </a> . <a href="">top </a> </p> <p> - and - </p> <p> <a name="CaliforniaBans"> </a> <strong> <a href="https://www.engadget.com/2018/10/05/california-default-password-ban-information-privacy-connected-devices-bill/" > California bans default passwords on any internet-connected device </a> </strong> (Engadget, 5 Oct 2018) - In less than two years, anything that can connect to the internet will come with a unique password - that is, if it's produced or sold in California. The " <a href="https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201720180SB327" > Information Privacy: Connected Devices </a> " bill that comes into effect on January 1, 2020, effectively bans pre-installed and hard-coded default passwords. 
It only took the authorities about two weeks to approve the <a href="https://www.engadget.com/2018/09/19/california-connected-devices-security-law-cybersecurity/" > proposal </a> made by the state senate. The new regulation requires device manufacturers either to create a unique password for each device at the time of production or to require the user to create one when they interact with the device for the first time. According to the bill, it applies to any connected device, which is defined as a "physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address." <a href="">top </a> </p> <p> <a name="MicrosoftToHost"> </a> <strong> <a href="https://www.nextgov.com/it-modernization/2018/10/microsoft-host-governments-classified-data-early-next-year/151861/" > Microsoft to host the government's classified data early next year </a> </strong> (NextGov, 9 Oct 2018) - Microsoft is making moves to target a growing multibillion market: hosting, storing and running the U.S. government's most sensitive classified secrets and data. On Tuesday, the software giant announced it will join rival Amazon as the only commercial cloud providers with the security capabilities to host secret classified data by the end of the first quarter of 2019. Microsoft's announcement comes days before the Pentagon will accept bids on its $10 billion <a href="https://www.nextgov.com/feature/jedi-contract/"> Joint Enterprise Defense Infrastructure </a> contract, which it will award to a single cloud service provider. The announcement doubles as a public declaration of Microsoft's intent to bid on the contract one day after Google <a href="https://www.bloomberg.com/news/articles/2018-10-08/google-drops-out-of-pentagon-s-10-billion-cloud-competition" target="_blank" > pulled out </a> of the competition in part because it can't meet the Pentagon's security requirements stipulated for JEDI quickly enough. 
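The connected-devices bill above allows manufacturers two designs (a per-unit unique password set at production, or no access at all until the user sets a credential on first use), and both are easy to undercut in firmware, most often by leaving the first-use setup reachable after a credential already exists. What follows is an added example, not code from the article, the bill or any manufacturer: a small Python model of both permitted paths beside a fleet audit that flags the forbidden shape, a shared or well-known factory default. The serial numbers, the list of weak defaults and the minimum password length are constructed for illustration and are not figures from the bill.

```python
"""Model of the two permitted credential designs for a connected device, plus a fleet audit.

Added example, not from the article, SB 327 or any vendor's firmware.
Path (a): a per-unit password generated at production with a CSPRNG.
Path (b): no credential provisioned; every authentication fails until the user sets one.
audit_fleet() flags the forbidden design: a known default or one password shared across units.
"""
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed list of well-known factory defaults; a real audit would use a much larger one.
KNOWN_WEAK_DEFAULTS = {"admin", "password", "1234", "12345", "default"}
MIN_PASSWORD_LEN = 8  # illustrative policy, not a number from the bill


def unique_preprogrammed_password(length: int = 16) -> str:
    """Path (a): a per-unit password drawn from a CSPRNG at production time."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Device:
    serial: str
    # None means nothing provisioned: path (b), the user must set a credential before any access.
    password: Optional[str] = None

    def needs_first_use_setup(self) -> bool:
        return self.password is None

    def authenticate(self, candidate: str) -> bool:
        """Grant access only against a provisioned credential, compared in constant time."""
        if self.password is None:
            return False  # path (b): nothing to authenticate against until setup completes
        return hmac.compare_digest(self.password.encode(), candidate.encode())

    def set_initial_credential(self, new_password: str) -> None:
        """First-use setup, reachable only while no credential exists.

        Refusing once any password is set is the important check: a path (a) unit
        must not expose an unauthenticated reset, or its unique password buys nothing.
        """
        if self.password is not None:
            raise PermissionError("credential already set; use the authenticated change flow")
        if len(new_password) < MIN_PASSWORD_LEN or new_password.lower() in KNOWN_WEAK_DEFAULTS:
            raise ValueError("new credential is too short or is a known default")
        self.password = new_password


def audit_fleet(devices: List[Device]) -> Dict[str, List[str]]:
    """Flag the forbidden configuration: a known default, or one password shared across units."""
    findings: Dict[str, List[str]] = {"known_default": [], "shared_password": []}
    by_password: Dict[str, List[str]] = {}
    for d in devices:
        if d.password is None:
            continue  # path (b): nothing provisioned, so nothing can be shared
        if d.password.lower() in KNOWN_WEAK_DEFAULTS:
            findings["known_default"].append(d.serial)
        by_password.setdefault(d.password, []).append(d.serial)
    for serials in by_password.values():
        if len(serials) > 1:
            findings["shared_password"].extend(serials)
    return findings


if __name__ == "__main__":
    # Constructed fleet manifest: two units on a shared default, one per path (a), one per path (b).
    fleet = [
        Device("SN-0001", "admin"),
        Device("SN-0002", "admin"),
        Device("SN-0003", unique_preprogrammed_password()),
        Device("SN-0004"),
    ]
    print(audit_fleet(fleet))
    unit = fleet[3]
    assert not unit.authenticate("admin")          # path (b): locked until setup
    unit.set_initial_credential("correct-horse-battery")
    assert unit.authenticate("correct-horse-battery")
```

Two points carry over to real firmware: the first-use setup must become unreachable the moment any credential exists, including a factory-unique one, and a shared default is just as much a finding when it is "unique to the model" rather than unique to the unit, which is why the audit groups by password value rather than by whether a password is present.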
Most experts consider Amazon Web Services the favorite to win the contract, in part because it operates the CIA's C2S Cloud, but Microsoft isn't pulling any punches. The company also announced its intent to meet additional security controls to host the government's data classified as top secret, which include the military and Defense Department's most sensitive information. The ability to host both secret and top secret data is a prerequisite to compete for JEDI. <a href="">top </a> </p> <p> <a name="CanLawyers"> </a> <strong> <a href="https://www.attorneyatwork.com/can-lawyers-ethically-accept-cryptocurrency/" > Can lawyers ethically accept cryptocurrency? </a> </strong> (Attorney at Work, 10 Oct 2018) - Several years back we added credit card billing to our options for client bill payment, including through an online secured platform. Our bill collection rates dramatically increased along with how fast a bill was paid with emailed invoices. It was great! We recently saw some companies accepting bitcoin and other cryptocurrencies as payment for goods and services. While we don't expect a high volume of clients to pay with this new "currency," we are thinking about offering it as an option. If nothing else, it shows we are keeping ahead of the curve on modern trends. Should we be pumping the brakes, or do we have the green light to accept cryptocurrency as payment? At first glance, it may seem like you would be in the clear to accept alternative payments for the legal services rendered. Why not, since you can accept nonmonetary items such as a goat for preparing a family's estate planning documents, so long as the goat was reasonable compensation for the legal services provided. Yes, I'm sure someone at some time bartered hooved animals for the services of an attorney and counselor at law. No? What ethics rules might be considered in how you are paid for your work? What makes cryptocurrency different from currency (or bovine for that matter)? 
At least one state bar has issued an advisory opinion on the topic of cryptocurrency as payment for legal services or otherwise being held for clients by a law firm. In Nebraska Ethics Advisory Opinion for Lawyers No. 17-03, the ethics committee concluded that attorneys "may receive and accept digital currencies such as bitcoin as payment for legal services" with some caveats. The leading concern with the often volatile cryptocurrency values comes in ensuring the fees being paid by a client are reasonable, as required by <a href="https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_5_fees.html" > ABA Model Rule 1.5 </a> . Bitcoin is one of the less volatile of these currencies, and still it has been known to have swings of 10 percent or greater occurring every few hours. As the opinion gives the example, "An arrangement for payment in bitcoin for attorney services could mean that the client pays $200 an hour in one month and $500 an hour the next month, which the client could very easily allege as unconscionable." The opinion suggests the following actions to mitigate the risk of volatility and possible unethical overpayment for services: * * * <a href="">top </a> </p> <p> <a name="NewBots"> </a> <strong> <a href="https://www.lawsitesblog.com/2018/10/new-bots-donotpay-includes-one-lets-sue-small-claims-court-press-button.html" > New bots from DoNotPay includes one that lets you sue in any small claims court at the press of a button </a> </strong> (Robert Ambrogi, 10 Oct 2018) - <a href="https://www.donotpay.com/">DoNotPay </a>, the company that created a chat bot to automatically appeal parking tickets, is today launching a series of legal and consumer-protection bots, in the form of an iOS app, that includes one that will enable individuals to file an action in any small claims court in the United States. 
In addition, DoNotPay is announcing that it has acquired <a href="https://visabot.co/">Visabot </a>, a service launched shortly after the election of Donald Trump to help individuals obtain visas and green cards. DoNotPay is relaunching Visabot and eliminating all fees for the service, which previously ranged from $110 to $150. The new small claims bot covers small claims courts in all 3,000 counties in all 50 states. There is no charge to use the product, so users keep 100 percent of anything they recover. Joshua Browder, the self-taught coder who founded DoNotPay as a 17-year-old in 2015, said the initial idea for this product came from an app he created in the wake of the Equifax breach to help people file small claims lawsuits against the credit rating company. <a href="">top </a> </p> <p> <a name="MicrosoftMakes"> </a> <strong> <a href="https://www.theverge.com/2018/10/10/17959978/microsoft-makes-its-60000-patents-open-source-to-help-linux" > Microsoft makes its 60,000 patents open source to help Linux </a> </strong> (The Verge, 10 Oct 2018) - <a href="https://click.linksynergy.com/deeplink?id=nOD%2FrLJHOac&mid=24542&u1=verge&murl=https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fmicrosoft-joins-open-invention-network-to-help-protect-linux-and-open-source%2F" target="_blank" > Microsoft announced today </a> that it's joining the Open Invention Network (OIN), an open-source patent group designed to help protect Linux from patent lawsuits. In essence, this makes the company's library of over 60,000 patents open source and available to OIN members, <a href="https://www.zdnet.com/article/microsoft-open-sources-its-entire-patent-portfolio/" > via <em>ZDNet </em> </a> . OIN provides a license platform for Linux for around 2,400 companies - from individual developers to huge companies like Google and IBM - and all members get access to both OIN-owned patents and cross-licenses between other OIN licensees, royalty-free. 
Microsoft joining is a big step forward for both sides: OIN gets thousands of new patents from Microsoft, and Microsoft is really helping the open-source community that it has shunned in the past. As Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, commented in an interview to <em>ZDNet </em>, "We want to protect open-source projects from IP lawsuits, so we're opening our patent portfolio to the OIN." There are exceptions to what Microsoft is making available - specifically, Windows desktop and desktop application code, which makes sense for many reasons - but otherwise, Microsoft is going open source. And ultimately, that's a good thing for the whole developer community. <a href="">top </a> </p> <p> <a name="AmicusBrief"> </a> <strong> <a href="https://reason.com/volokh/2018/10/11/amicus-brief-on-burdens-of-proof-for-com" > Amicus brief on burdens of proof for compelled decryption </a> </strong> (Orin Kerr on Volokh Conspiracy, 11 Oct 2018) - I recently posted a draft article on the Fifth Amendment and compelled entering of passwords: <em> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248286"> Compelled Decryption and the Privilege Against Self-Incrimination </a> </em> . My article flagged but did not answer a closely-related question: What is the burden of proof to show a foregone conclusion when the government compels entering a password? Coincidentally, the Massachusetts Supreme Judicial Court happened to <a href="https://www.mass.gov/info-details/amicus-announcements-from-september-2018-to-august-2019" > invite amicus briefs </a> on this issue in a pending case shortly after I posted my draft. It's a question of first impression among state supreme courts and federal circuit courts, and it relates closely to the underlying Fifth Amendment standard. In for a penny, in for a pound, I say. So today I submitted an amicus brief on the proper burden of proof in compelled decryption cases. 
You can read my brief here: <em> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3264866"> Amicus Brief of Professor Orin Kerr on Standards for Compelled Decryption Under the Fifth Amendment </a> </em> . It argues that the government's burden should be to prove by clear and convincing evidence, based on a totality of the circumstances, that the subject of the order knows the password. <a href="">top </a> </p> <p> <a name="SeventyYears"> </a> <strong> <a href="https://businesslawtoday.org/2018/10/seventy-years-howey-overview-secs-developing-jurisdiction-digital-assets/?utm_source=newsletter&utm_medium=email&utm_campaign=october18_articles" > Seventy years after Howey: An overview of the SEC's developing jurisdiction over digital assets </a> </strong> (ABA's BLT, 12 Oct 2018) - On June 14, 2018, Director William Hinman of the SEC's Division of Corporation Finance delivered a speech at the Yahoo! Finance All Markets Summit in San Francisco, during which he shared his view that the current offer and sale of bitcoin and ether, the two most valuable and prominent digital assets today, does not constitute a securities transaction. Reiterating the facts-and-circumstances approach the SEC takes in applying securities laws to digital assets, Hinman admitted that the evolution and the decentralized nature of digital assets could at some point render the application of securities laws requirements insensible and unnecessary. Hinman's speech is the first public statement from SEC leadership that offers clear assurance that certain types of digital assets are not within the purview of SEC regulations. The SEC has been following and monitoring the development of ICOs and digital assets closely. This article traces the series of SEC actions leading up to Hinman's speech and analyzes how the SEC's jurisprudence in this field has developed over time. 
* * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="SEClaunches"> </a> <strong> <a href="https://www.sec.gov/news/press-release/2018-240"> SEC launches new strategic hub for innovation and financial technology </a> </strong> (SEC, 18 Oct 2018) - The U.S. Securities and Exchange Commission today announced the launch of the agency's Strategic Hub for Innovation and Financial Technology ( <a href="https://www.sec.gov/finhub">FinHub </a>). The FinHub will serve as a resource for public engagement on the SEC's FinTech-related issues and initiatives, such as distributed ledger technology (including digital assets), automated investment advice, digital marketplace financing, and artificial intelligence/machine learning. The FinHub also replaces and builds on the work of several internal working groups at the SEC that have focused on similar issues. * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="CybersecurityFortune"> </a> <strong> <a href="https://www.thecorporatecounsel.net/blog/2018/10/cybersecurity-fortune-100-disclosure-practices.html" title="Permalink to Cybersecurity: Fortune 100 Disclosure Practices" > Cybersecurity: Fortune 100 disclosure practices </a> </strong> (TheCorporateCounsel.net, 23 Oct 2018) - The SEC continues to ratchet up its scrutiny of cybersecurity issues. It issued <a href="https://www.thecorporatecounsel.net/blog/2018/02/sec-approves-cybersecurity-guidance-our-big-webcast-coming-soon.html" > disclosure guidance </a> earlier this year & recently turned its attention to <a href="https://www.thecorporatecounsel.net/blog/2018/10/sec-issues-section-21a-report-on-ceo-impersonator-emails.html" > internal control implications </a> of cybersecurity lapses. But are companies getting the message? This <a href="https://www.thecorporatecounsel.net/member/Memos/EY/10_18_cyber.pdf" > recent EY report </a> provides some clues on the disclosure front. 
It analyzes cybersecurity-related disclosures of Fortune 100 companies in proxy statements and Form 10-K filings. Not surprisingly, disclosure practices vary widely. Here are some key findings: * * * <a href="">top </a> </p> <p> <a name="FederalCourt"> </a> <strong> <a href="https://www.lawfareblog.com/federal-court-ruling-georgia-shows-judges-have-role-play-election-security" > Federal court ruling in Georgia shows judges have a role to play in election security </a> </strong> (Lawfare, 12 Oct 2018) - In the wake of Russia's interference in U.S. elections, <a href="https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html" > questions persist </a> as to whether Russia changed vote totals and changed the outcome of the election. Former <a href="https://www.pbs.org/newshour/politics/jeh-johnson-says-hacking-didnt-alter-ballot-counts" > Homeland Security Secretary Jeh Johnson </a> and the <a href="https://www.usatoday.com/story/news/politics/2018/05/08/senate-report-no-evidence-russians-changed-vote-tallies-2016/592978002/" > Senate intelligence committee </a> each say there is no evidence that the Russians did so. But as technologist Matt Blaze <a href="https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html" > told </a> the New York Times <em>, </em> that's "less comforting than it might sound at first glance, because we haven't looked very hard." And <a href="https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html" > experts agree </a> that our outdated voting technology certainly exposes voters to the risk of interference, as election security experts and election administrators have known for more than a decade. Last month, the U.S. 
District Court for the Northern District of Georgia <a href="http://gaverifiedvoting.org/pdf-litigation/20180917-309_0-Order-Denying-Curling-Motion-PI.pdf" > recognized </a> that the risk of election hacking is of constitutional significance-and that courts can do something about it. In <em>Curling v. Kemp </em>, two groups of Georgia voters contend that Georgia's old paperless voting machines are so unreliable that they compromise the plaintiffs' constitutional right to vote. In ruling on the voters' motion for preliminary injunction, Judge Amy Totenberg held that the plaintiffs had demonstrated a likelihood of success on the merits-in other words, Georgia's insecure voting system likely violated their constitutional rights. While the court declined to order relief in time for the 2018 elections, the ruling suggests that Georgia may eventually be ordered to move to a more secure voting system. <a href="">top </a> </p> <p> <a name="RealEstate"> </a> <strong> <a href="https://www.attorneyatwork.com/real-estate-lawyers-become-big-phish-for-cyberfraud/" > Real estate lawyers have become big "phish" for cyberfraudsters </a> </strong> (Attorney at Work, 12 Oct 2018) - Cyberfraud is a major issue in any industry, but especially in real estate where property transactions can net a hacker hundreds of thousands of dollars in a single wire diversion. Attorneys who practice real estate law and their clients have become prime targets for hackers. According to published <a href="https://www.miamiherald.com/news/business/real-estate-news/article181726486.html" > FBI data </a> , $969 million was diverted or attempted to be diverted to "criminally controlled" accounts in real estate transactions in fiscal year 2017. Compare that with 2016, when comparable real estate wire transfer frauds amounted to just $19 million. * * * It's extremely difficult to recover funds that have been wired to a fraudulent account, though not impossible. 
Those who realize the mistake immediately have a better chance. As is the case with many things in life, prevention is the best tactic. Here are ways to lower the risk of real estate cyberfraud. * * * <a href="">top </a> </p> <p> <a name="ThreeDprinters"> </a> <strong> <a href="https://www.sciencedaily.com/releases/2018/10/181018151044.htm" > 3D printers have 'fingerprints,' a discovery that could help trace 3D-printed guns </a> </strong> (Science Daily, 18 Oct 2018) - Like fingerprints, no 3D printer is exactly the same. That's the takeaway from a new study that describes what's believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and other goods. <a href="">top </a> </p> <p> <a name="AppealsCourtSays"> </a> <strong> <a href="https://www.techdirt.com/articles/20181019/12232640876/appeals-court-says-course-georgias-laws-including-annotations-are-not-protected-copyright-free-to-share.shtml" > Appeals court says of course Georgia's laws (including annotations) are not protected by copyright and free to share </a> </strong> <strong> </strong> (TechDirt, 19 Oct 2018) - The 11th Circuit appeals court has just <strong> <a href="https://assets.documentcloud.org/documents/5010673/Georgia-v-Malamud-6th-Circ.pdf" target="_blanK" > overturned a lower court ruling </a> </strong> and said that Georgia's laws, including annotations, are not covered by copyright, and it is not infringing to post them online. This is big, and a huge win for online information activist Carl Malamud whose Public.Resource.org was the unfortunate defendant in a fight to make sure people actually understood the laws that ruled them. The details here matter, so let's dig in: * * * [ <strong>Polley </strong>: This is an important victory, and Carl deserves our thanks. 
Hats off to Alston & Bird, David Halperin (Public Resource), and the ACLU. <em>See also </em> <strong> <a href="https://www.law.com/dailyreportonline/2018/10/22/11th-circuit-georgia-cant-copyright-annotated-legal-code/" > 11th Circuit: Georgia can't copyright annotated legal code </a> </strong> (Law.com, 22 Oct 2018), <em>and </em> <strong> <a href="https://www.aclu.org/blog/free-speech/court-tells-georgia-it-cant-charge-people-read-law" > Court tells Georgia it can't charge people to read the law </a> </strong> (ACLU, 22 Oct 2018)] <a href="">top </a> </p> <p> <a name="ABAethicsOpinion"> </a> <strong> <a href="http://www.abajournal.com/news/article/aba_ethics_opinion_offers_guidance_on_data_breaches/?utm_source=maestro&utm_medium=email&utm_campaign=weekly_email" > ABA ethics opinion offers guidance on data breaches </a> </strong> (ABA Journal, 17 Oct 2018) - Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty. In <a href="https://www.americanbar.org/content/dam/aba/images/news/formal_op_483.pdf" > Formal Opinion 483 </a> , issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation. "Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences," says Barbara S. Gillers, chair of the standing committee. "Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers' approaches to these risks in order to comply with the duty to protect client information." 
This opinion builds on the standing committee's <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf" > Formal Opinion 477R </a> released in May 2017, which set forth a lawyer's ethical obligation <a href="http://www.abajournal.com/magazine/article/lawyers_ethical_safeguard_confidential_information_cloud" > to secure protected client information when communicating digitally </a> . "When a breach of protected client information is either suspected or detected, <a href="https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/" > Rule 1.1 </a> requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach," Formal Opinion 483 says. To that end, this week's new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm. "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach," states the opinion. "The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach." The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make "reasonable efforts" to prevent disclosure and access to client information, they may still experience a data breach. "When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation,'" the opinion closes. 
[ <strong>Polley </strong>: The Opinion also contains language suggesting that lawyers must "monitor" internet activity-e.g., using IDS tools.] <a href="">top </a> </p> <p> <a name="NewCopyright"> </a> <strong> <a href="https://www.theverge.com/circuitbreaker/2018/10/25/18024332/us-copyright-office-right-to-repair-dcma-exemptions" > New copyright exemptions let you legally repair your phone or jailbreak voice assistants </a> </strong> (The Verge, 25 Oct 2018) - In a big victory for hackers, tinkerers, and the right to repair movement, <a href="https://www.copyright.gov/1201/2018/">the US Copyright Office </a> has ruled in favor of some major changes to the legal exemptions to the DMCA, making it far easier for owners to build software tools to hack, modify, and repair their own devices, as <a href="https://ifixit.org/blog/11951/1201-copyright-final-rule/"> explained by <em>iFixit </em> founder Kyle Wiens </a> . Under section 1201 of the Digital Millennium Copyright Act (DMCA), it is "unlawful to circumvent technological measures used to prevent unauthorized access to copyrighted works." Because software has become so integral to all the devices we use - everything from phones to speakers to even trackers - device manufacturers have long used section 1201 to prevent owners from taking apart or repairing their own devices, arguing that breaking the software locks as part of replacing parts or modifying your gadgets is a violation of that statute. But as part of that law, citizens are allowed to petition for exemptions to section 1201 every three years, when the Copyright Office rules what kind of repairs and software tools are and aren't allowed by the law. The final ruling for this cycle was just released (it goes into effect as law on October 28th), and it enacts broad new protections for repairing devices.
<a href="https://ifixit.org/blog/11951/1201-copyright-final-rule/"> Wiens' post breaks </a> down the biggest changes, which include: * * * <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://lawprofessors.typepad.com/media_law_prof_blog/2018/10/clarke-and-pipe-on-a-legal-framework-to-govern-online-political-expression-by-public-servants-carlet.html" > Clarke and Pipe on A Legal Framework to Govern Online Political Expression by Public Servants @Carleton_U </a> </strong> (MLPB, 23 Oct 2018) - Amanda Clarke, Carleton University School of Public Policy and Administration, and Benjamin Pipe, National Judicial Institute, have published <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3251375"> A Legal Framework to Govern Online Political Expression by Public Servants </a> at 21 Canadian Labour and Employment Law Journal 1 (2018). Here is the abstract: <em> This paper considers the extent to which public servants should be allowed to engage in political activities in online fora such as Facebook, Twitter, and YouTube. The question of the appropriate balance between the principle of political neutrality binding public servants and their Charter-protected right to political expression has been extensively addressed in the case law. However, the framework set out in the existing jurisprudence was developed in the context of more traditional forms of political engagement, and fails to provide clear guidance in an age when the political activities of public servants, like those of Canadians as a whole, have to a large degree migrated to social media and other platforms on the web.
In an effort to remedy this deficiency, the authors lay the foundation for a revised framework for assessing the permissibility of online political activity by public servants, consisting of four analytical factors: the level and nature of a public servant's position; the visibility of the online activity; the substance of the online activity; and the identifiability of the online actor as a public servant. Adopting this test, the authors contend, would enable adjudicators to strike a reasonable balance between freedom of expression and the principle of political neutrality, by recognizing that in today's world both politics and life as a public servant play out online. </em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://arstechnica.com/tech-policy/2008/01/smartphones-seat-belts-searches-and-the-fourth-amendment/" > Smartphones, seat belts, searches, and the Fourth Amendment </a> </strong> (ArsTechnica, 24 Jan 2008) - When Steve Jobs introduced the iPhone as a "revolutionary" device, he probably wasn't thinking of its effect on the Fourth Amendment. But a new paper by Adam Gershowitz, a professor at the South Texas College of Law, argues that unless courts or legislators make significant changes to the rules governing law enforcement searches, the increasing ubiquity of devices like Apple's übergadget will permit police to routinely gather massive amounts of citizens' sensitive personal data without a warrant. The Fourth Amendment guarantees that Americans will not be subject to "unreasonable searches and seizures." Normally, this means police must show a judge that there is "probable cause" to believe a search will uncover evidence of a crime before tapping our phones or digging through our papers. 
But the courts have always recognized a variety of special circumstances under which a search may be reasonable even without a court warrant. One important such exception is for "search incident to arrest." This allows police to search the person and immediate vicinity of anyone being placed under arrest, to ensure that the arrestee can't destroy evidence or pull a concealed weapon. The problem with this, argues Gershowitz, is that with the proliferation of iPhone-like devices, the officer digging through your coat pocket suddenly has access to gigabytes worth of potentially sensitive e-mail, videos, photographs, browsing histories, and other documents. If you're in the habit of keeping your passwords saved, they may even be able to reach bank statements, file servers, and that Nerve Personals account you opened "just for fun." Though the underlying rationale for searches incident to arrest is officer safety, courts have adopted a "bright line" rule permitting an arresting officer to search any object in a suspect's possession, such as a cigarette pack, even if it is unlikely to conceal a miniature Glock. And since the Supreme Court has ruled that police have broad authority to arrest people for even trivial infractions, such as failure to wear a seat belt, the current rule gives law enforcement officers broad discretion to transform a routine traffic stop into a highly intrusive excavation of your digital life. <a href="">top </a> </p> <p> <strong> <a href="https://www.mercurynews.com/2008/05/19/google-makes-health-service-publicly-available/" > Google makes health service publicly available </a> </strong> (SiliconValley.com, 19 May 2008) - Google is now offering the general public electronic access to their medical records and other health-related information. The Mountain View-based Web search leader announced the public launch of Google Health during a Webcast today. It lets users import records from a variety of care providers and pharmacies.
Google tested the service by storing medical records for a few thousand patient volunteers at the not-for-profit Cleveland Clinic. [Editor <strong>in 2008 </strong>: Now, I want Google to offer search for health-care providers, by cost and reputation; then, they'll offer health care insurance coverage.] <a href="">top </a> </p> Vince Polley, 6 Oct 2018: MIRLN --- 16 Sept - 6 Oct 2018 (v21.13)<p> <a name="TOP"> </a> MIRLN --- 16 Sept - 6 Oct 2018 (v21.13) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_16_sept_6_oct_2018_v2113/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENT"> </a> <h3> ANNOUNCEMENT </h3> </p> <p> MIRLN began in 1997 and I have published around 250 times, using an evolving, idiosyncratic approach to stories (not too new, not too obvious, etc.), with an idiosyncratic cross-section of readers (steady at about 3000: techies, lawyers, judges, international types, people in the IC, two former US AGs, etc.). This year probably will be MIRLN's last. (With curated Twitter/RSS feeds you may not miss it at all.) It's been fun; thanks for reading! </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> 2018 corporate counsel breach statistics - prepare to groan </a> </li> <li> <a href=""> Roca Labs' anti-review clause violates FTC Act-FTC v. Roca Labs </a> </li> <li> <a href=""> When art created by artificial intelligence sells, who gets paid?
</a> </li> <li> <a href=""> Congressional Research Service reports now officially publicly available </a> </li> <li> <a href="">Philippa Ryan: Developing trust through blockchain </a> </li> <li> <a href=""> Walmart is betting on the blockchain to improve food safety </a> </li> <li> <a href="">Blockchains for Business Process Management </a> </li> <li> <a href=""> Law firms can learn from other industries' missteps on cybersecurity awareness and prevention </a> </li> <li> <a href=""> Cybersecurity: Your ethical obligations outlined by legal tech experts </a> </li> <li> <a href="">Teaming up on cybersecurity </a> </li> <li> <a href="">Interplanetary spacecraft </a> </li> <li> <a href=""> Do laws requiring people to report crimes violate the First Amendment? </a> </li> <li> <a href="">SEC charges firm with deficient cybersecurity procedures </a> </li> <li> <a href=""> Judging judges - how Gavelytics' judicial analytics are reshaping litigation </a> </li> <li> <a href=""> New Zealand travellers refusing digital search now face $5000 Customs fine </a> </li> <li> <a href=""> More on the Five Eyes statement on encryption and backdoors </a> </li> </ul> <p> <a name="TwentyEighteen"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/09/2018-corporate-counsel-breach-statistics-prepare-to-groan.html" > 2018 corporate counsel breach statistics - prepare to groan </a> </strong> (RideTheLightning, 17 Sept 2018) - Here's the news in a nutshell: Data breaches of in-house legal departments have doubled in the last year. Assuming that elicited a groan, the source is the <a href="https://www.acc.com/aboutacc/newsroom/pressreleases/2018cybersecurityreport.cfm" target="_blank" > 2018 survey by the Association for Corporate Counsel </a> , which reported one-third of in-house counsel offices experienced a data breach in 2017, up from 15 percent in 2016. 
A related recent <a href="http://www.abajournal.com/magazine/article/clients_outside_counsels_cybersecurity" target="_blank" > ABA Journal article </a> quoted Sterling Miller, general counsel of Marketo Inc., an online marketing technology company: "The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers. Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large." It doesn't really matter whether you are in-house or outside counsel - the odds are that you need to up your security game. That ABA article analyzed the ABA TechReport 2017 and found that "only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans." </p> <p> <a name="RocaLabs"> </a> <strong> <a href="https://blog.ericgoldman.org/archives/2018/09/roca-labs-anti-review-clause-violates-ftc-act-ftc-v-roca-labs.htm" > Roca Labs' anti-review clause violates FTC Act-FTC v. Roca Labs </a> </strong> (Eric Goldman, 17 Sept 2018) - Good news: a court ruled that Roca Labs' anti-review clause violates the law. It's shocking that Roca Labs chose to defend this practice in court, so it's not surprising that the judge didn't endorse it. Bad news: the court relied on the "unfairness" prong of the FTC Act, and the FTC's unfairness authority can be the basis of FTC overreaching. Good news: the Consumer Review Fairness Act will apply to future cases (this case was initiated before the CRFA's effectiveness), so this topic won't require the FTC to stretch its unfairness authority in the future.
Thus, this case reinforces the prevailing wisdom: anti-review clauses are legally toxic; they don't belong in any business' toolkit; and if your contract still contains them, shame on you. * * * </p> <p> <a name="WhenArt"> </a> <strong> <a href="https://www.artsy.net/gene/old-masters"> When art created by artificial intelligence sells, who gets paid? </a> </strong> (Artsy.net, 17 Sept 2018) - Christie's will auction off an artificial intelligence (AI) artwork for the first time this October, hard on the heels of a pioneering all-AI art exhibition held at New Delhi gallery <a href="https://www.artsy.net/nature-morte">Nature Morte </a>. While the market is eager to move the work, the field raises questions about ownership, obsolescence, and the art world jobs that algorithms can't do. Many makers of AI art use generative adversarial networks (GANs), technology that allows a computer to study a library of images or sounds, make its own content according to what it has learned, test its own success against the original media, and then try again, improving incrementally through trial and error. The artworks resulting from this back-and-forth between two artificial neural networks-which include prints on paper, videos, and multimedia installations-are often disquietingly lifelike, the flora and fauna of the uncanny valley. Munich-based Mario Klingemann, for instance, trained an algorithm on portraits of <a href="https://www.artsy.net/gene/old-masters" target="_blank"> Old Masters </a> paintings before exposing it to webcam footage of himself. The process results in a video of melting, many-eyed grotesques that are often compared to the works of <a href="https://www.artsy.net/artist/francis-bacon" target="_blank"> Francis Bacon </a> . * * * In press materials for "Gradient Descent," Nature Morte stated that the works are created "entirely by AI in collaboration with artists." 
Obvious even signed their work with the mathematical equation for the algorithm they used, rather than the collective's name. As much as artists and gallerists may enjoy attributing authorship to AI, and emphasize that they cannot anticipate just what an AI algorithm will produce, legally, there is no doubt as to whether it's the human artist or the AI who owns the finished work. AI is simply a tool artists use, the way a photographer uses a camera or Adobe Photoshop in the creation of their images, says Jessica Fjeld, assistant director of the Cyberlaw Clinic at Harvard Law School. "Humans are deeply involved with every aspect of the creation and training of today's AI technologies, and this will continue to be true tomorrow and for the foreseeable future," Fjeld says. "For me, the far more interesting question is who among these people acquire rights in the outputs, not whether the software itself could have any claim of ownership," she adds. </p> <p> <a name="CRS"> </a> <strong> <a href="https://www.techdirt.com/articles/20180918/13025240667/congressional-research-service-reports-now-officially-publicly-available.shtml" > Congressional Research Service reports now officially publicly available </a> </strong> (TechDirt, 18 Sept 2018) - For many, many years we've been writing about the ridiculousness of the Congressional Research Service's reports <a href="https://www.techdirt.com/blog/?tag=congressional+research+service"> being kept secret </a> . If you don't know, CRS is a sort of in-house think tank for Congress that does careful, thoughtful, non-partisan research on a variety of topics (sometimes tasked by members of Congress, sometimes of its own volition). The reports are usually quite thorough and free of political nonsense.
Since the reports are created by the federal government, they are technically in the public domain, but many in Congress (including many who work at CRS itself) have long <a href="https://www.techdirt.com/articles/20110226/18203513291/ask-congress-to-make-public-domain-congressional-research-services-reports-public.shtml" > resisted </a> requests to make those works public. Instead, we were left with relying on members of Congress themselves to occasionally (and selectively) share reports with the public, rather than giving everyone access to the reports. Every year or so, there were efforts made to make all of that research available to the public, and it kept getting <a href="https://www.techdirt.com/articles/20150515/17414631023/congress-continues-to-withhold-congressional-research-service-documents-public.shtml" > rejected </a> . Two years ago, two members of Congress agreed to share all of the reports they had access to with a private site put together by some activists and think tanks, creating <a href="https://www.everycrsreport.com/" target="_blank"> EveryCRSReport.com </a> , which was a <a href="https://www.techdirt.com/articles/20161019/23533935842/this-is-huge-new-project-releases-all-current-non-confidential-congressional-research-service-reports.shtml" > useful step forward </a> . At the very least, we've now had two years to show that, when these reports are made public, the world does not collapse (many people within CRS feared that making the reports public would lead to more political pressure). Earlier this year, in the <a href="https://www.congress.gov/bill/115th-congress/house-bill/1625" target="_blanK" > Consolidated Appropriations Act of 2018 </a> , there was a nice little line item <a href="https://www.washingtonpost.com/blogs/post-partisan/wp/2018/03/27/that-big-spending-bill-contained-a-buried-gem/?noredirect=on&utm_term=.0f4067967660" target="_blank" > to officially make CRS reports publicly available </a> . 
And, this week, it has come to pass. As <a href="https://blogs.loc.gov/loc/2018/09/trending-congressional-research-service-reports-now-available-online/" target="_blank" > announced by Librarian of Congress Carla Hayden </a> , there is now an official site to find CRS reports at <a href="https://crsreports.congress.gov/" target="_blank"> crsreports.congress.gov </a> . It appears that the available catalog is still limited, but they're hoping to expand backwards to add older reports to the system (a few quick test searches only show fairly recent reports). But all new reports will be added to the database. </p> <p> <a name="PhilippaRyan"> </a> <strong> <a href="http://www.abajournal.com/legalrebels/article/philippa_ryan_developing_trust_blockchain/?utm_source=maestro&utm_medium=email&utm_campaign=weekly_email" > Philippa Ryan: Developing trust through blockchain </a> </strong> (ABA Journal, 19 Sept 2018) - Philippa Ryan thinks a lot about trust. A barrister in Australia, she lectures on the subject, and her PhD thesis focused on the breach of trust and the liability of third parties. So when Ryan heard about trustless relationships enabled by blockchain technology, her interest was piqued. However, when she typed "trustless relationships" into her search engine, she says, "the only thing that came up was an ad for Ashley Madison," the notorious dating website for married people looking to keep infidelity discreet. She deleted her search history. Today, Ryan, a lecturer at the University of Technology Sydney, can find more suitable material online. In fact, she's helping fill the gap by writing and speaking around the world on the subject. With knowledge in law and blockchain, she is a leading member of the International Organization for Standardization technical committee on blockchain and distributed ledger technologies.
Being a part of <a href="https://www.standards.org.au/">Standards Australia </a> and the committee's secretariat, she says the work intends to produce high-level guidelines for governments and technologists to use when legislating or developing the technology around the globe. "What we will be hoping to support is interoperability" between technical and legal systems, says Ryan, 52, who also leads the smart contracts working group at the ISO alongside a German delegation. </p> <p> - and - </p> <p> <a name="Walmart"> </a> <strong> <a href="https://techcrunch.com/2018/09/24/walmart-is-betting-on-the-blockchain-to-improve-food-safety/" > Walmart is betting on the blockchain to improve food safety </a> </strong> (TechCrunch, 24 Sept 2018) - <a href="http://walmart.com/">Walmart </a> has been working with <a href="http://ibm.com/">IBM </a> on a food safety blockchain solution and today it announced it's requiring that all suppliers of leafy green vegetables for Sam's and Walmart upload their data to the blockchain by September 2019. Most supply chains are bogged down in manual processes. This makes it difficult and time consuming to track down an issue should one like the <a href="https://www.npr.org/sections/thesalt/2018/08/29/642646707/investigators-track-contaminated-lettuce-outbreak-to-a-cattle-feedlot" > E. coli romaine lettuce </a> problem from last spring rear its head. By placing a supply chain on the blockchain, it makes the process more traceable, transparent and fully digital. Each node on the blockchain could represent an entity that has handled the food on the way to the store, making it much easier and faster to see if one of the affected farms sold infected supply to a particular location with much greater precision.
* * * </p> <p> - and - </p> <p> <a name="BlockchainsFor"> </a> <strong> <a href="http://campaign.r20.constantcontact.com/render?m=1102594616158&ca=cd265623-6eff-446b-85e8-630b57e8dce0#LETTER.BLOCK157" > Blockchains for Business Process Management </a> </strong> (Cebe's KIT, 1 Oct 2018) - This title is probably a good way to describe most non-cryptocurrency applications of distributed ledgers, and deserves to be adopted. It is the title of a paper (the full title is " <a href="https://dl.acm.org/citation.cfm?id=3183367" target="_blank"> Blockchains for Business Process Management -- Challenges and Opportunities </a> "), co-authored by a record 32 researchers and published in the February 2018 issue of ACM Transactions on Management Information Systems (TMIS). The authors summarize their conclusions as follows: <em> "The BPM and Information Systems communities have a unique opportunity to help shape this fundamental shift toward a distributed, trustworthy infrastructure to promote interorganizational processes." </em> </p> <p> <a name="LawFirmsCanLearn"> </a> <strong> <a href="http://www.abajournal.com/magazine/article/law_firms_cybersecurity_awareness_prevention" > Law firms can learn from other industries' missteps on cybersecurity awareness and prevention </a> </strong> (ABA Journal, 19 Sept 2018; part of the <em> <a href="http://www.abajournal.com/magazine/cyber/">Digital Dangers </a> </em> series) - Equifax. Yahoo. Anthem. Sony. In the past few years, these companies experienced some of the most significant data breaches to date. And all of these companies found themselves subject to intense worldwide media coverage over their failure to secure their information. The industries affected-from health care to entertainment-know all too well that the struggle to secure data in the digital age never ends. While individual businesses within these industries will continue to find themselves vulnerable to breaches, they have an advantage over law firms.
They have been fighting this battle for a long time. The legal industry is lagging well behind when it comes to data security, says Rich Santalesa, a member of the boutique cybersecurity firm SmartEdgeLaw Group and of counsel to the New York City-based Bortstein Legal Group. "Law firms as a whole can learn a lot about cybersecurity by looking at other industries," says Santalesa. "Unfortunately, other industries have had to learn their lessons the hard way-by having breaches that have received media attention." Santalesa says data security involves three different, simultaneous focuses: "the technology, the people you have, and needs of the industry in which you work." In addition, data security can't be a one-size-fits-all situation. The cybersecurity needs of a small law firm will be different than the needs of an international firm, just like the needs of Target are different from the needs of a small retail website. However, all law firms, just like all businesses, must pay close attention to the applicable privacy laws, Santalesa says. </p> <p> - and - </p> <p> <a name="CybersecurityYour"> </a> <strong> <a href="https://beta.americanbar.org/news/abanews/publications/youraba/2018/october-2018/learn-the-ethical-obligations-inherent-in-protecting-your-firms-/" > Cybersecurity: Your ethical obligations outlined by legal tech experts </a> </strong> (ABA Journal, 25 Sept 2018) - Data breaches are an everyday event, and legal professionals have a specific obligation to protect themselves and their clients from exposure to these threats. The webinar "Darkest Hour? Shining a Light on Cyber Ethical Obligations," is one in a five-part series sponsored by the ABA Cybersecurity Task Force and supported by "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition." The first thing lawyers must know is that it's not usually obvious when a firm has been hacked. 
"The vast majority of the time, (hackers) are using your stolen credentials, as opposed to breaking through technical walls," said panelist Arlan McMillan, chief security officer at Kirkland & Ellis in Chicago. "Then they act like you in the firm's network, accessing all the files you have access to." Another common threat comes through malware in an email, also known as a phishing attack, where an individual is asked to click on a link or open an attachment that has been weaponized in such a way that the attacker gains access to your computer. Nation-state attackers target private businesses in 21 percent of breaches to steal data to advance their espionage activities or interests. And firm employees often don't realize they've been hacked for weeks or months, and they usually find out after being contacted by the FBI. "This is not an IT issue," McMillan said. "This is a risk management issue about how you protect your data." He recommends five steps to improve a firm's security posture: * * * </p> <p> - and - </p> <p> <a name="Teaming"> </a> <strong> <a href="https://www.attorneyatwork.com/teaming-up-on-cybersecurity/"> Teaming up on cybersecurity </a> </strong> (AttorneyAtWork, 26 Sept 2018) - Cybersecurity, the new "IT" word (see what we did there?) has everyone's attention, from small firm lawyers to the BigLaw front office. It's also the focus of the 2018 College of Law Practice Management (COLPM) Futures Conference, <a href="https://www.collegeoflpm.org/futures-conference-schedule" target="_blank" > "Cybersecurity: This Way There Be Dragons." </a> The Futures Conference, presented with Suffolk University School of Law, will take place Oct. 25-26 in Boston. While the two-day event is chock-full of useful information, one session in particular caught my attention: "Security as a Team Sport: Collaboration - An Essential Tool and a Security Hole." 
It raises an interesting question: Can all the departments that make up a law firm advance its cybersecurity efforts? Not just IT, but management, finance, human resources, marketing, PR? </p> <p> <a name="Interplanetary"> </a> <strong> <a href="https://patentlyo.com/patent/2018/09/interplanetary-spacecraft.html" > Interplanetary spacecraft </a> </strong> (Patently-O, 23 Sept 2018) - Patent application publication US 2017/0259946 A1 * * * I'm looking forward to reading the first office action in this case - pretty cool approach for thinking through how to use a hollowed-out asteroid for a manned interplanetary spaceship. In his IDS, inventor Wayne White includes a set of interesting references - including a citation to Greg Bear's 1985 SciFi novel EON that included an alien hollowed-out asteroid. </p> <p> <a name="DoLaws"> </a> <strong> <a href="https://reason.com/volokh/2018/09/26/do-laws-requiring-people-to-report-crime" > Do laws requiring people to report crimes violate the First Amendment? </a> </strong> (Eugene Volokh, 26 Sept 2018) - Generally speaking, Americans don't have a legal duty to report crimes they witness or learn about. We must generally testify when subpoenaed, but we need not ourselves alert the authorities. But some states have enacted <a href="http://www.law.ucla.edu/volokh/rescue.pdf"> statutes requiring such reporting </a> (at least as to certain serious crimes); still more require certain job categories (such as teachers, whether in public or private schools) to report certain crimes. Do these laws violate the First Amendment protection against compelled speech? The Supreme Court has generally said that requiring people to say certain things is presumptively unconstitutional; and it has also <a href="https://scholar.google.com/scholar_case?case=9948071992011994778"> held </a> , in some contexts, that "compelled statements of 'fact'" are generally treated the same as "compelled statements of opinion." 
But requirements to convey facts <em>to the government -- </em> in tax returns, census questionnaires, draft registrations, and a vast range of other contexts, federal and state -- are so commonplace that it's not clear that the Supreme Court means to cast them all in doubt. (Recall that if something is treated as a presumptively unconstitutional speech compulsion, the government may rebut that presumption only by showing that the compulsion is the <em>least burdensome means </em> of serving a <em>compelling government interest </em>; even if there is a compelling interest in collecting federal and state taxes, conducting the census, and so on, courts have never required a showing that the laws are the least burdensome means.) And indeed, when mandatory crime reporting laws have been challenged, state courts have upheld them, generally concluding that compelled reporting of facts to the government doesn't really trigger the compelled speech doctrine. See <em>State v. Grover </em> (Minn. 1989) ("The statute [which requires reporting of suspected child abuse] does not compel the dissemination of an 'ideological point of view,' but only mandates the reporting of information-a requirement not altogether dissimilar from that imposed by the Internal Revenue Code."); <em>White v. State </em> (Tex. Ct. App. 2001) (taking the same view). But in May of this year, the Second Circuit handed down a decision, <em> <a href="https://scholar.google.com/scholar_case?case=2045838972266139366" > Burns v. Martuscello </a> </em> , that suggests the laws are unconstitutional after all. In <em>Burns </em>, prison guards placed Burns in involuntary protective custody because he refused to agree to report on future misbehavior by other prisoners. 
And this penalty, the court held, violated the First Amendment right not to be compelled to speak, even taking into account prisoners' sharply reduced First Amendment rights: </p> <p> <a name="SECcharges"> </a> <strong> <a href="https://www.sec.gov/news/press-release/2018-213?utm_source=eloqua&utm_medium=email_57744&utm_campaign=26663" > SEC charges firm with deficient cybersecurity procedures </a> </strong> (SEC, 26 Sept 2018) - The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers. The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. According to the SEC's order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA's support line and requesting that the contractors' passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers. The SEC's order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA's failure to terminate the intruders' access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity. According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA's workforce. 
"This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models," said Robert A. Cohen, Chief of the SEC Enforcement Division's Cyber Unit. "They also must review and update the procedures regularly to respond to changes in the risks they face." </p> <p> <a name="JudgingJudges"> </a> <strong> <a href="https://www.lawsitesblog.com/2018/10/lawnext-episode-12-judging-judges-gavelytics-judicial-analytics-reshaping-litigation.html" > Judging judges - how Gavelytics' judicial analytics are reshaping litigation </a> </strong> (Robert Ambrogi, 28 Sept 2018) - What if a lawyer could know how a judge is likely to rule in a case or how heavy is a judge's workload? <a href="https://www.linkedin.com/in/rick-merrill-a2727a13/"> Rick Merrill </a> was a litigator at a large law firm who became frustrated over his inability to get meaningful information about the judges before whom he appeared. So last year, he launched <a href="https://www.gavelytics.com/">Gavelytics </a>, a California company that uses analytics and artificial intelligence to analyze docket data and provide lawyers with a range of insights about judges' propensities, workloads and leanings. In this episode of LawNext, I visited Gavelytics' office in Santa Monica, where I sat down with Merrill, now the company's CEO, and <a href="https://www.linkedin.com/in/justinbrownstone/"> Justin Brownstone </a> , VP of sales and litigation counsel, to talk about the product one year after its launch, how lawyers use analytics for strategic and competitive purposes, and how analytics and AI are being used more broadly in law. 
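The Voya order describes a textbook help-desk failure: repeated phone requests to reset contractor passwords, granted without an out-of-band identity check, and not noticed across a six-day window. The following is an added example, not code from the SEC order or from Voya, showing the kind of detection logic a defender can run over help-desk reset records. The record layout, field names (`ts`, `account`, `channel`, `verified`) and sample entries are constructed for illustration; the thresholds (`window`, `threshold`) are assumptions to be tuned to the firm's own reset volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of help-desk password-reset records (not real VFA data).
# Each record: when the reset was granted, which account, how the request came
# in, and whether the requester passed an out-of-band identity check.
SAMPLE_RESETS = [
    {"ts": "2016-04-01T09:12", "account": "contractor.a", "channel": "phone", "verified": False},
    {"ts": "2016-04-01T14:40", "account": "contractor.b", "channel": "phone", "verified": False},
    {"ts": "2016-04-02T10:05", "account": "contractor.a", "channel": "phone", "verified": False},
    {"ts": "2016-04-03T11:30", "account": "contractor.c", "channel": "phone", "verified": False},
    {"ts": "2016-04-04T16:20", "account": "contractor.a", "channel": "phone", "verified": False},
    {"ts": "2016-04-06T08:55", "account": "contractor.d", "channel": "phone", "verified": True},
    {"ts": "2016-04-20T09:00", "account": "employee.x", "channel": "portal", "verified": True},
]


def parse(records):
    """Return copies of the records with `ts` parsed into datetime objects."""
    return [dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records]


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any sliding window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def repeat_resets(records, window=timedelta(days=6), threshold=2):
    """Accounts reset more than `threshold` times within any sliding `window`.

    Returns {account: peak count}. One legitimate forgotten password is normal;
    the same account being reset again and again in a few days is not.
    """
    by_account = defaultdict(list)
    for r in parse(records):
        by_account[r["account"]].append(r["ts"])
    hits = {}
    for acct, times in by_account.items():
        peak = _max_in_window(times, window)
        if peak > threshold:
            hits[acct] = peak
    return hits


def unverified_phone_resets(records):
    """Accounts whose reset was granted over the phone with no identity check.

    This is the procedural weakness in the order: a voice on the support line
    was enough. Each such event should be reviewed, whatever the count.
    """
    return [r["account"] for r in parse(records)
            if r["channel"] == "phone" and not r["verified"]]


def phone_reset_burst(records, window=timedelta(days=6), threshold=3):
    """Peak number of phone-channel resets across ALL accounts in any window.

    Catches a campaign that rotates through many contractor accounts so that
    no single account trips the per-account check. Returns 0 below threshold.
    """
    times = [r["ts"] for r in parse(records) if r["channel"] == "phone"]
    peak = _max_in_window(times, window)
    return peak if peak >= threshold else 0


if __name__ == "__main__":
    print("repeated resets:", repeat_resets(SAMPLE_RESETS))
    print("unverified phone resets:", unverified_phone_resets(SAMPLE_RESETS))
    print("phone reset burst:", phone_reset_burst(SAMPLE_RESETS))
```

The per-account and cross-account checks are deliberately separate: the order notes the intruders worked through several contractors' credentials, so a rule keyed only on one account would have missed the overall pattern. The `verified` flag is the preventive control; the two counting rules are the detective controls that should fire when it is bypassed.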
* * * </p> <p> <a name="NewZealand"> </a> <strong> <a href="https://www.msn.com/en-nz/news/national/travellers-refusing-digital-search-now-face-dollar5000-customs-fine/ar-BBNLCFW" > New Zealand travellers refusing digital search now face $5000 Customs fine </a> </strong> (RNZ, 1 Oct 2018) - Travellers who refuse to hand over their phone or laptop passwords to Customs officials can now be slapped with a $5000 fine. The Customs and Excise Act 2018 - which comes into effect today - sets guidelines around how Customs can carry out "digital strip-searches". Previously, Customs could stop anyone at the border and demand to see their electronic devices. However, the law did not specify that people had to also provide a password. The updated law makes clear that travellers must provide access - whether that be a password, pin-code or fingerprint - but officials would need to have a reasonable suspicion of wrongdoing. "It is a file-by-file [search] on your phone. We're not going into 'the cloud'. We'll examine your phone while it's on flight mode," Customs spokesperson Terry Brown said. If people refused to comply, they could be fined up to $5000 and their device would be seized and forensically searched. </p> <p> - and - </p> <p> <a name="MoreOnThe"> </a> <strong> <a href="https://www.schneier.com/blog/archives/2018/10/more_on_the_fiv.html" > More on the Five Eyes statement on encryption and backdoors </a> </strong> (Bruce Schneier, 1 Oct 2018) - Earlier this month, I <a href="https://www.schneier.com/blog/archives/2018/09/five-eyes_intel.html" > wrote about </a> a statement by the Five Eyes countries about encryption and back doors. (Short summary: they like them.) One of the weird things about the statement is that it was clearly written from a law-enforcement perspective, though we normally think of the Five Eyes as a consortium of intelligence agencies. 
Susan Landau <a href="https://www.lawfareblog.com/five-eyes-statement-encryption-things-are-seldom-what-they-seem" > examines </a> the details of the statement, explains what's going on, and why the statement is a lot less than what it might seem. </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> ICYMI: <strong> <a href="https://www.ncsc.gov.uk/content/files/protected_files/article_files/the_cyber_threat_to_uk_legal_sector_NCSC_2.pdf" > The Cyber Threat to UK Legal Sector </a> </strong> (Nat'l Cyber Security Centre, 19 July 2018) - In common with many other industries, the cyber threat to the UK legal sector is significant and the number of reported incidents has grown substantially over the last few years. According to the 2017 PricewaterhouseCoopers Law Firm survey, 60% of law firms reported an information security incident in the last year, up from 42% in 2014. The financial and reputational impact of cyber attacks on law firms is also significant. The costs arise from the attack itself, the remediation and repairing reputational damage by regaining public trust. The SRA reports that over £11 million of client money was stolen due to cyber crime in 2016-17. There are several factors that make law firms an attractive target for cyber attack - they hold sensitive client information, handle significant funds and are a key enabler in commercial and business transactions. The risk may be greater for law firms that advise particularly sensitive clients or work in locations that are hostile to the UK. For example, firms acting for organisations that engage in work of a controversial nature such as Life Sciences or the energy sector may also be targeted by groups with a political or ideological agenda. The move to offer legal services digitally will not only provide new opportunities but also further avenues for malicious cyber exploitation. The primary threat to the UK legal sector stems from cyber criminals with a financial motive. 
However, nation states are likely to play an increasingly significant role in cyber attacks at a global level, to gain strategic and economic advantage. There has also been some growth in the hacktivist community targeting law firms to achieve political, economic or ideological ends. The most significant cyber threats that law firms should be aware of are: * * * </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://arstechnica.com/tech-policy/2008/04/oregon-publishing-our-laws-online-is-a-copyright-violation/" > Oregon: Publishing our laws online is a copyright violation </a> </strong> (Ars Technica, 16 April 2008) - The State of Oregon takes exception to Web sites that republish the state's Revised Statutes in full, claiming that the statutes contain copyrighted information and that the republication causes the state to lose money it needs to continue putting out the official version of the statutes. Oregon's Legislative Counsel, Dexter Johnson, has therefore requested that legal information site Justia remove the information or (preferably) take out a paid license from the state. All citizens are legally presumed to know the law, so claiming copyright over it might seem like an odd position for a state to take; wouldn't massive copying be a goal rather than a problem? But in his letter to Justia, Johnson makes a more nuanced case. While the text of the law is not copyrighted, the "arrangement and subject-matter compilation of Oregon statutory law, the prefatory and explanatory notes, the leadlines and numbering for each statutory section, the tables, index and annotations and other such incidents" are under copyright. A quick visit to the Legislative Counsel's web site shows that Johnson is serious about two things: order forms and copyright. 
The only items in red on the entire page are a copyright notice that includes "Oregon Laws, the Oregon Revised Statutes, and all specialty publications" and a set of links to order forms for such scintillating works as Landlord and Tenant Laws of Oregon 2008. The state also makes the complete text of its laws available online, and it welcomes sites like Justia to link these up. Republishing them, though, is strongly frowned upon, and Johnson indicates his hope that "it will not be necessary to litigate this matter" (translation: "we are willing to litigate this matter"). </p> <p> <strong> <a href="http://www.steptoe.com/publications-5275.html"> French court eviscerates website immunity for user-generated content </a> </strong> (Steptoe & Johnson's E-Commerce Law Week, 24 April 2008) - In France, as in the United States, Internet companies are supposed to enjoy legal protection from suits over content provided by third parties. But, if recent U.S. decisions have chipped away at the immunity available to websites under section 230(c)(1) of the Communications Decency Act, a recent French decision has blown a gaping hole in the defenses available under French law. Article 6-I-2 of the French Law for Confidence in the Digital Economy (LCEN) (which mirrors Article 14 of the EU E-Commerce Directive) states that public providers of "communications services" cannot be held liable for "information stored at the request of a recipient of those services" if the provider "did not have actual knowledge of [the] illegal nature" of the information, or if the provider "acted expeditiously to remove the data or make access impossible" after learning of its illegality. But the Paris Court of First Instance held last month that Bloobox.net was not immune for hosting a user-submitted link on its Fuzz.fr service, and was liable as an editor for its putative involvement in the "organization and presentation" of the link and associated headline. 
This decision extends a trend in which European courts have increasingly been willing to find Internet companies liable for user-generated content. If this trend continues, websites and Internet providers will be looking at major legal problems in Europe. </p> <p> Vince Polley (http://www.blogger.com/profile/11939466711834283196), posted 2018-09-15T07:58:00-04:00 </p> <p> <a name="TOP"> </a> MIRLN --- 26 Aug - 15 Sept 2018 (v21.12) --- by Vince Polley and KnowConnect PLLC </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_26_aug_15_sept_2018_v2112/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <ul> <li> <a href=""> Intel rips up microcode security fix license that banned benchmarking </a> </li> <li> <a href="">Patent office shows new respect for software </a> </li> <li> <a href=""> Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers </a> </li> <li> <a href=""> Open internet saves accused copyright infringer from liability </a> </li> <li> <a href="">Bitcoin and other cryptocurrencies are useless </a> </li> <li> <a href=""> Marshall Islands warned against adopting digital currency </a> </li> <li> <a href="">FINRA takes down an unregistered cryptocurrency security </a> </li> <li> <a href=""> FBI fights viral influence campaigns with informational videos </a> </li> <li> <a href=""> Court shuts down feds' attempt to expand the 'border search' exception to cover inland GPS monitoring </a> </li> <li> <a href=""> Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones </a> </li> <li> <a href=""> Vizio, sued for making creepy smart TVs, will notify customers via the TVs </a> </li> <li> <a href="">In a few days, credit freezes will be fee-free </a> </li> 
<li> <a href=""> UK's mass surveillance regime violated human rights law, finds ECHR </a> </li> <li> <a href="">Security risks of government hacking </a> </li> <li> <a href="">How the Times verifies eyewitness videos </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="IntelRips"> </a> <strong> <a href="https://www.theregister.co.uk/2018/08/23/intel_microcode_license/" > Intel rips up microcode security fix license that banned benchmarking </a> </strong> (The Register, 23 Aug 2018) - Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors - after the previous wording outlawed public benchmarking of the chips. The software, <a href="https://downloadcenter.intel.com/download/28039/Linux-Processor-Microcode-Data-File?v=t" target="_blank" > released this month </a> , counters the <a href="https://www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/" target="_blank" > Foreshadow aka L1TF </a> Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic. Following <em>The Register </em>'s <a href="https://www.theregister.co.uk/2018/08/21/intel_cpu_patch_licence/" target="_blank" > report on Tuesday </a> that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens called out Intel for trying to gag netizens. Intel's gagging order came in the form of this license clause: "You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results." That made it impossible for free-software bastion Debian to push Intel's microcode to its users as a security update. The reason for Intel's insistence on a vow of silence is that - even with the new microcode in place - turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow - and that move comes with a potential performance hit. 
Red Hat, which evidently didn't get the memo to shut up about benchmarks, earlier this month <a href="https://access.redhat.com/security/vulnerabilities/L1TF-perf" target="_blank" > noted </a> : "The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range." Predictably, Intel's contractual omertà had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," <a href="https://twitter.com/laffer1/status/1032429542214971399" target="_blank" > said </a> Lucas Holt, MidnightBSD project lead, via Twitter. <a href="">top </a> </p> <p> <a name="PatentOffice"> </a> <strong> <a href="https://patentlyo.com/patent/2018/08/patent-respect-software.html" > Patent office shows new respect for software </a> </strong> (Patently-O, 27 Aug 2018) - Software patents and applications are making a quiet comeback under Director Andrei Iancu's leadership of the U.S. Patent and Trademark Office. This is a welcome shift, since thousands of applications have been held captive in the Office in the wake of Supreme Court decisions culminating in <em>Alice v. CLS Bank </em>, 134 S.Ct. 2347 (2014). In the hands of reductionists, the <em>Alice </em> formula for rejection/invalidation was easy to apply. Every invention can be reduced to an abstract idea. Whatever is left can be explained away as "routine" or "conventional." In the last four years, many software patent applications suffered repeated rejection and the ignoble death of abandonment for lack of will or lack of funds. Even when granted, many software patents were mowed down in <em>inter partes </em> review (IPR) in the Patent Trial and Appeal Board (PTAB). 
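The practical point buried in the licensing story is that the microcode alone does not close Foreshadow for virtualisation hosts: the kernel's own L1TF report says whether hyper-threading is still on, and the operator has to decide whether to take the performance hit Red Hat measured. The following is an added example, not code from The Register, Intel or Red Hat, that reads the Linux sysfs status files and states plainly whether guests are isolated. The two sysfs paths are the kernel's real reporting interface; the sample status strings are constructed to resemble the kernel's output and are used only so the logic runs on a machine without those files.

```python
import os

# Linux sysfs files that report the kernel's view of L1TF and of SMT (hyper-threading).
L1TF_PATH = "/sys/devices/system/cpu/vulnerabilities/l1tf"
SMT_PATH = "/sys/devices/system/cpu/smt/control"

# Constructed sample strings shaped like the kernel's report (not captured from a host).
SAMPLE_L1TF_SMT_ON = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
SAMPLE_L1TF_SMT_OFF = "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled"
SAMPLE_L1TF_NOT_AFFECTED = "Not affected"
SAMPLE_L1TF_UNPATCHED = "Vulnerable"

# Values the kernel exposes in smt/control that mean no sibling thread can share the L1D.
SMT_OFF_STATES = ("off", "forceoff", "notsupported")


def assess_l1tf(l1tf_text, smt_control):
    """Classify a host from its l1tf report and smt/control value.

    host_mitigated: the kernel applies PTE inversion, so ordinary processes on the
                    host cannot use L1TF against each other.
    vm_isolated:    true only when SMT is off as well; with a sibling thread active,
                    a guest can still read the host's or another guest's L1D lines,
                    which is why the microcode update alone is not enough for VM hosts.
    """
    text = l1tf_text.strip()
    smt = smt_control.strip()
    if text == "Not affected":
        return {"affected": False, "host_mitigated": True, "vm_isolated": True, "smt": smt}
    host_mitigated = text.startswith("Mitigation:")
    smt_off = "SMT disabled" in text or smt in SMT_OFF_STATES
    return {
        "affected": True,
        "host_mitigated": host_mitigated,
        "vm_isolated": host_mitigated and smt_off,
        "smt": smt,
    }


def read_sysfs(path, default="unavailable"):
    """Read one sysfs file, returning `default` on non-Linux hosts or old kernels."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return default


def describe(result):
    """One-line operator summary of an assess_l1tf() result."""
    if not result["affected"]:
        return "L1TF: not affected"
    if result["vm_isolated"]:
        return "L1TF: host and guests protected (SMT off)"
    if result["host_mitigated"]:
        return "L1TF: host protected, guests NOT isolated while SMT is %s" % result["smt"]
    return "L1TF: VULNERABLE, kernel reports no mitigation"


if __name__ == "__main__":
    if os.path.exists(L1TF_PATH):
        live = assess_l1tf(read_sysfs(L1TF_PATH), read_sysfs(SMT_PATH))
        print(describe(live))
    else:
        # Demonstrate on the constructed samples when the sysfs files are absent.
        for sample, smt in ((SAMPLE_L1TF_SMT_ON, "on"), (SAMPLE_L1TF_SMT_OFF, "off")):
            print(describe(assess_l1tf(sample, smt)))
```

The split between `host_mitigated` and `vm_isolated` is the whole reason benchmarks mattered here: a patched host can honestly report "Mitigation" while its guests remain exposed, and closing that gap is the SMT-off setting whose cost Red Hat quantified.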
The Federal Circuit's February 2018 decision in <em>Berkheimer </em>, 881 F.3d 1360 (citing <em>Alice </em> and other authority), paved the way for recent progress, holding that when there are genuine issues of material fact concerning alleged routineness or conventionality, <em>evidence </em> of the same must be presented before patent claims properly can be invalidated on such grounds. * * * <a href="">top </a> </p> <p> <a name="MicrosoftWill"> </a> <strong> <a href="https://techcrunch.com/2018/08/28/microsoft-will-soon-automatically-transcribe-video-files-in-onedrive-for-office-365-subscribers/" > Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers </a> </strong> (TechCrunch, 28 Aug 2018) - Microsoft today <a href="https://www.microsoft.com/en-us/microsoft-365/blog/2018/08/28/microsoft-365-is-the-smartest-place-to-store-your-content/?utm_campaign=ai-news-brief" > announced </a> a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company's machine learning smarts to its file storage services. The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it's virtually impossible to find any information in these files without spending a lot of time. And once you've found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you're watching the video. The service can handle over 320 file types, so chances are it'll work with your files, too. <a href="">top </a> </p> <p> <a name="OpenInternet"> </a> <strong> <a href="https://patentlyo.com/patent/2018/08/copyright-infringer-liability.html" > Open internet saves accused copyright infringer from liability </a> </strong> (Patently-O, 29 Aug 2018) - <em>Cobbler Nevada, LLC v. 
Gonzales </em> ( <a href="https://www.bloomberglaw.com/public/desktop/document/Cobbler_Nev_LLC_v_Gonzales_No_1735041_2018_BL_307235_9th_Cir_Aug_?1535487542" > 9th Cir. 2018 </a> ) This copyright lawsuit involves the cute Adam Sandler movie titled The Cobbler. In the movie, Sandler's character free-rides off of the experiences of others by using a magical shoe-cobbling machine. The movie copyright holders did not reciprocate that freedom when American pirates began downloading and distributing the movie through BitTorrent. Cobbler-Nevada was able to trace the Internet Protocol (IP) address associated with the infringing activity and then filed suit in a John Doe lawsuit. Comcast responded to a subpoena in the case with information that the IP address was assigned to its customer Thomas Gonzales. The Copyright holder then amended its complaint to name Gonzales - accusing him of copyright infringement as well as contributory copyright infringement (for failing to secure his internet connection). Note here that Gonzales operates an adult care home and that the internet service was open to residents and visitors. The appeal here focuses on the pleadings and whether the complaint states a claim. In <em>Iqbal </em>, the Supreme Court explained that a complaint must be plausible - allegation of plausible facts that create a plausible "entitlement to relief." Reviewing the allegations here, the 9th Circuit found that the facts alleged against Gonzales here are "not enough to raise a right to relief above a speculative level." (quoting <em>Twombly </em>): * * * <a href="">top </a> </p> <p> <a name="BitcoinAnd"> </a> <strong> <a href="https://www.economist.com/leaders/2018/08/30/bitcoin-and-other-cryptocurrencies-are-useless" > Bitcoin and other cryptocurrencies are useless </a> </strong> (The Economist, 30 Aug 2018) - An old saying holds that markets are ruled by either greed or fear. Greed once governed cryptocurrencies. 
The price of Bitcoin, the best-known, rose from about $900 in December 2016 to $19,000 a year later. Recently, fear has been in charge. Bitcoin's price has fallen back to around $7,000; the prices of other cryptocurrencies, which followed it on the way up, have collapsed, too. No one knows where prices will go from here. Calling the bottom in a speculative mania is as foolish as calling the top. It is particularly hard with cryptocurrencies because, as our <a href="https://www.economist.com/technology-quarterly/2018/08/30/what-to-make-of-cryptocurrencies-and-blockchains" > Technology Quarterly </a> this week points out, there is no sensible way to reach any particular valuation. It was not supposed to be this way. Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks. A decade on, it is barely used for its intended purpose. Users must wrestle with complicated software and give up all the consumer protections they are used to. Few vendors accept it. Security is poor. Other cryptocurrencies are used even less. With few uses to anchor their value, and little in the way of regulation, cryptocurrencies have instead become a focus for speculation. Some people have made fortunes as cryptocurrency prices have zoomed and dived; many early punters have cashed out. Others have lost money. It seems unlikely that this latest boom-bust cycle will be the last. Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). 
But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino. <a href="">top </a> </p> <p> - and - </p> <p> <a name="MarshallIslands"> </a> <strong> <a href="https://www.bbc.com/news/technology-45485685"> Marshall Islands warned against adopting digital currency </a> </strong> (BBC, 11 Sept 2018) - The Republic of the Marshall Islands has been warned against adopting a digital currency as a second form of legal tender. The International Monetary Fund (IMF) said the country, which consists of hundreds of islands in the Pacific Ocean, should "seriously reconsider". Currently, only the US dollar counts as legal tender in the islands. A law to adopt a <a href="https://www.sov.global/">digital currency named "Sovereign" </a> alongside the dollar was passed in February. The first virtual coins are due to be issued to members of the public via an initial coin offering (ICO) later this year. However, <a href="https://www.imf.org/en/Publications/CR/Issues/2018/09/10/Republic-of-the-Marshall-Islands-2018-Article-IV-Consultation-Press-Release-Staff-Report-and-46216" > IMF directors said </a> the potential benefits of the move were much smaller than the potential costs of "economic, reputational and governance risks". <em> "[Marshall Island] authorities should seriously reconsider the issuance of the digital currency as legal tender," wrote the directors in their report, which was first spotted by <a href="https://www.coindesk.com/imf-advises-against-crypto-as-legal-tender-in-marshall-islands-report/" > cryptocurrency news site Coindesk </a> . </em> There is just one domestic commercial bank in the country and it is at risk of losing its only correspondent banking relationship with another bank in the US. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="FINRA"> </a> <strong> <a href="https://techcrunch.com/2018/09/12/finra-takes-down-an-unregistered-cryptocurrency-security/" > FINRA takes down an unregistered cryptocurrency security </a> </strong> (TechCrunch, 12 Sept 2018) - FINRA, the non-profit organization that tasks itself with policing the securities industry, is charging Timothy Tilton Ayre of Agawam, Mass. with fraud and unlawful distribution of unregistered cryptocurrency securities. Ayre claimed that users could buy equity in his company, Rocky Mountain Ayre, Inc., by purchasing HempCoin, a cryptocurrency. From the <a href="https://www.finra.org/newsroom/2018/finra-charges-broker-fraud-and-unlawful-distribution-unregistered-cryptocurrency" > release </a> : <em> In the complaint, FINRA alleges that, from January 2013 through October 2016, Ayre attempted to lure public investment in his worthless public company, Rocky Mountain Ayre, Inc. (RMTN) by issuing and selling HempCoin - which he publicized as "the first minable coin backed by marketable securities" - and by making fraudulent, positive statements about RMTN's business and finances. RMTN was quoted on the Pink Market of OTC Markets Group and traded over the counter. According to the complaint, FINRA also alleges that in June 2015, Ayre bought the rights to HempCoin and repackaged it as a security backed by RMTN common stock. Ayre marketed HempCoin as "the world's first currency to represent equity ownership" in a publicly traded company and promised investors that each coin was equivalent to 0.10 shares of RMTN common stock. Investors mined more than 81 million HempCoin securities through late 2017 and bought and sold the security on two cryptocurrency exchanges. FINRA charges Ayre with the unlawful distribution of an unregistered security because he never registered HempCoin and no exemption to registration applied. 
</em> Because FINRA is not a government body its charges are rarely very onerous but, in the case of brokerage fraud, Ayre could face further scrutiny if he tries to sell securities in the future. The company, Rocky Mountain Ayre, seems to be associated with a restaurant and medical marijuana sales operation, although it is unclear what the company actually does. <a href="">top </a> </p> <p> <a name="FBIfights"> </a> <strong> <a href="https://www.nextgov.com/cybersecurity/2018/08/fbi-fights-viral-influence-campaigns-informational-videos/150960/" > FBI fights viral influence campaigns with informational videos </a> </strong> (Nextgov, 31 Aug 2018) - With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers. The <a href="https://www.fbi.gov/investigate/counterintelligence/foreign-influence/protected-voices" target="_blank" > Protected Voices </a> initiative covers a wide range of cybersecurity topics-including software patching, secure communications, password protection and browser safety-that can help campaigns fend off the most common attacks. "Foreign influence operations … are not a new problem," officials said on the site, "but the interconnectedness of the modern world, combined with the anonymity of the Internet, have changed the nature of the threat and how the FBI and its partners must address it." In the videos, FBI personnel explain how foreign actors use phishing emails, public Wi-Fi and insecure routers to infiltrate and disrupt campaigns, and how virtual private networks, cloud services and cyber hygiene principles could mitigate those threats. They stress that anyone who goes online regularly could benefit from such cyber best practices, not just political campaigns. [ <strong>Polley </strong>: these 5-minute videos are very good, and usable by everybody, not just election campaigns.] 
<a href="">top </a> </p> <p> <strong> </strong> </p> <p> <a name="CourtShuts"> </a> <strong> <a href="https://www.techdirt.com/articles/20180902/16180240569/court-shuts-down-feds-attempt-to-expand-border-search-exception-to-cover-inland-gps-monitoring.shtml" > Court shuts down feds' attempt to expand the 'border search' exception to cover inland GPS monitoring </a> </strong> (TechDirt, 6 Sept 2018) - Cyrus Farivar of Ars Technica <a href="https://arstechnica.com/tech-policy/2018/09/judge-to-feds-no-you-cant-warrantlessly-put-a-gps-device-on-truck-entering-us/?amp=1" target="_blank" > has put together a hell of a read from a suppression order obtained by defendants in a drug case </a> . It involves a truckload of cheese danishes, cocaine trafficking, and the US government's attempt to apply the "border exception" everywhere in the United States. At the heart of it is a GPS tracking device. The government installed it on a truck driven by suspected drug smugglers when it crossed the Canadian border into the US. It then used that device to track the truck as it traveled down to California. The resulting bust only uncovered some bags of sugar, but a previous stop of the same truck had turned up 194 kilos of cocaine. The defendants in the case have had the evidence suppressed. The <a href="https://assets.documentcloud.org/documents/4815006/Tracking-Warrant.pdf" target="_blank" > ruling </a> [PDF] was handed down late last month. It points to the Supreme Court's <a href="https://www.techdirt.com/articles/20120123/11261317515/fourth-amendment-lives-supreme-court-says-gps-monitoring-is-search-that-may-require-warrant-updated.shtml" > 2012 <em>Jones </em> decision </a> , which held that placing GPS devices on vehicles was a search under the Fourth Amendment. Warrants are needed to place the devices. Long-term tracking is also out of the question if warrants aren't obtained. 
The government argued it didn't need a warrant because it placed the device on the truck at the Canadian border. This would be the " <a href="https://www.techdirt.com/articles/20160419/10290134211/court-border-search-warrant-exception-beats-riley-constitution-free-zone.shtml" > border exception </a> " to the Fourth Amendment -- one carved out by the courts which allows all kinds of warrantless searches to be performed in the name of border security. But the judge doesn't buy this attempt to salvage ill-gotten evidence. The government cites a number of cases involving searches of vehicles performed <em>at </em> the border -- some more invasive than others -- where warrants weren't needed. The court finds these citations unavailing because they don't actually address what happened here: the placement of a GPS device <em>at </em> the border which was subsequently used to track a vehicle as it traveled far <em>beyond </em> the Canadian border. <a href="">top </a> </p> <p> <a name="ProsecutorsCharge"> </a> <strong> <a href="https://techcrunch.com/2018/09/10/prosecutors-charge-russian-accused-of-hacking-jp-morgan-dow-jones/" > Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones </a> </strong> (TechCrunch, 10 Sept 2018) - New York prosecutors have extradited a Russian hacker accused of breaking into one of the world's largest banking institutions. Moscow resident Andrei Tiurin, 35, was <a href="https://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-extradition-alleged-russian-hacker-responsible-massive" > charged Friday </a> after he was extradited from neighboring Georgia, with the theft of over 80 million records from the bank in 2014. 
The alleged hacker is said to have been under the direction of Gery Shalon, who was <a href="https://techcrunch.com/2015/11/10/three-men-indicted-in-u-s-over-last-years-massive-j-p-morgan-hack/" > separately indicted a year later </a> following the breach. Tiurin was also charged with wire and securities fraud, and aggravated identity theft, racking up the maximum possible prison time to over 80 years. Although <a href="https://www.documentcloud.org/documents/4852366-Andrei-Tyurin-Indictment.html" > the indictment </a> did not name the New York-based financial news agency, The Wall Street Journal previously reported the victim as <a href="http://www.wsj.com/articles/prosecutors-announce-charges-in-connection-with-j-p-morgan-hack-1447169646" > its parent company Dow Jones </a> , following the first round of charges in 2015. Tiurin was also accused of trying to artificially inflate the "price of certain stocks publicly traded in the United States," and obtained "hundreds of millions of dollars in illicit proceeds" from various hacking campaigns. <a href="">top </a> </p> <p> <a name="VizioSued"> </a> <strong> <a href="https://arstechnica.com/tech-policy/2018/09/vizio-smart-tv-owners-to-learn-of-snooping-settlement-via-their-snoopy-tvs/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Vizio, sued for making creepy smart TVs, will notify customers via the TVs </a> </strong> (ArsTechnica, 10 Sept 2018) - In what is likely a first in the industry, Vizio is on the verge of agreeing to display a class-action lawsuit message through its previously sold "Smart TV" televisions as part of a legal settlement. This message is meant to alert customers who bought the TV that they will be party to the forthcoming settlement and likely will get a small amount of money. 
As Ars has <a href="https://arstechnica.com/tech-policy/2017/02/vizio-smart-tvs-tracked-viewers-around-the-clock-without-consent/" > reported </a> previously, the manufacturer has been under scrutiny since a revelation that it was snooping on its customers. The tracking started in February 2014 on both new TVs and previously sold devices that didn't originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information-including age, sex, income, marital status, household size, education level, home ownership, and home values-to be associated. In a court filing <a href="https://www.documentcloud.org/documents/4852526-bf2b965b-8599-4051-aee4-75fdfc12cc8e.html#document/p2/a452592" > submitted </a> last Wednesday, lawyers for both sides asked the judge to push back approval of the preliminary settlement to October 3. "The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended," they wrote. "The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards." <a href="">top </a> </p> <p> <a name="InAfewDays"> </a> <strong> <a href="https://krebsonsecurity.com/2018/09/in-a-few-days-credit-freezes-will-be-fee-free/" > In a few days, credit freezes will be fee-free </a> </strong> (Krebs on Security, 11 Sept 2018) - Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you've been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it's just not worth the hassle. 
If that accurately describes your views on the matter, this post may well change your mind. * * * <a href="">top </a> </p> <p> <a name="UKsMass"> </a> <strong> <a href="https://techcrunch.com/2018/09/13/uks-mass-surveillance-regime-violated-human-rights-law-finds-echr/" > UK's mass surveillance regime violated human rights law, finds ECHR </a> </strong> (TechCrunch, 13 Sept 2018) - In another blow to the UK government's record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies' bulk collection and data sharing practices were heard by the court in <a href="https://techcrunch.com/2017/11/07/uk-bulk-spying-challenge-in-european-court-of-human-rights/" > November last year </a> . In today's ruling the ECHR has ruled that only some aspects of the UK's surveillance regime violate human rights law. So it's not all bad news for the government - which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by an NSA whistleblower back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it - reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka 'mass surveillance'); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers. 
* * * <a href="">top </a> </p> <p> <strong> </strong> </p> <p> <a name="SecurityRisks"> </a> <strong> <a href="https://www.schneier.com/blog/archives/2018/09/security_risks_14.html" > Security risks of government hacking </a> </strong> (Bruce Schneier, 13 Sept 2018) - Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at <a href="https://cyberlaw.stanford.edu/files/publication/files/2018.09.04_Security_Risks_of_Government_Hacking_Whitepaper.pdf" > the security risks </a> of allowing government hacking. They include: Disincentive for vulnerability disclosure; Cultivation of a market for surveillance tools; Attackers co-opt hacking tools over which governments have lost control; Attackers learn of vulnerabilities through government use of malware; Government incentives to push for less-secure software and standards; and Government malware affects innocent users. These risks are real, but I think they're much less than mandating backdoors for everyone. From the report's conclusion: <em> Government hacking is often lauded as a solution to the "going dark" problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched. </em> The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that's a big ask, but the alternatives are worse. 
<a href="https://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1209&context=njtip" > This </a> is the canonical lawful hacking paper [from 2014]. <a href="">top </a> </p> <p> <a name="NowTheTimes"> </a> <strong> <a href="https://www.nytimes.com/2018/09/04/reader-center/social-media-video-how-to-verify.html" > How the Times verifies eyewitness videos </a> </strong> (Sept 14, 2018) - Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting <a href="https://www.nytimes.com/video/investigations"> visual investigations </a> based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the <a href="https://www.nytimes.com/video/world/middleeast/100000005840873/syria-chlorine-bomb-assad.html" > chemical attack in Douma, Syria </a> . The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools. 
* * * <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://reason.com/volokh/2018/09/12/new-draft-article-compelled-decryption-a" > New draft article: "Compelled Decryption and the Privilege Against Self-Incrimination" </a> </strong> (Volokh Conspiracy, Orin Kerr, 12 Sept 2018) - I recently posted to SSRN a new draft article, " <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3248286"> Compelled Decryption and the Privilege Against Self-Incrimination </a> ," forthcoming in the <em>Texas Law Review </em>. Here's the abstract: <em> This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock. </em> As regular readers may note, I've blogged about these issues before. The new draft builds on the themes of my blog posts, elaborating on the argument and offering my responses to several counteraguments. Comments are very welcome, especially critical ones (and especially from techies). 
<a href="">top </a> </p> <p> <strong> <a href="https://scholarship.law.tamu.edu/cgi/viewcontent.cgi?article=1080&context=journal-of-property-law" > Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents </a> </strong> (David Hricik in TAMU's Journal of Property Law, 2018) - Skynet is not and may never be self-aware, but machines are already doing legal research, drafting legal documents, negotiating disputes such as traffic tickets and divorce schedules, and even drafting patent applications. Machines learn from us, and each other, to augment the ability of lawyers to represent clients - and even to replace lawyers completely. While it also threatens lawyers' jobs, the exponential increase in the capacity of machines to transmit, store, and process data presents the opportunity for lawyers to use these services to provide better, cheaper, or faster legal representation to clients. By way of familiar example, instead of determining whether a precedential opinion remains "good law" by manually going through multiple books - "Shepardizing a case" as an older lawyer would put it - lawyers can use on-line legal services to instantly learn, not just whether an earlier decision has been limited or overruled, but the depth of analysis given to the issue by a later court opinion. Because technology may be able to do some tasks better, or at a lower cost, or both, lawyers should use technology when it will, considering the risks, benefit clients. That obligation requires lawyers to stay "keep abreast of changes in. . . practice, including the benefits and risk associated with relevant technology. . . ." Assessing the benefits and risks of a particular technology obviously requires due diligence into the practical and legal risks of the technology, and comparing that to the benefits it brings to a representation. That assessment requires applying existing ethical rules in a process that can best be analyzed as comprising two stages. 
The first step requires determining whether the technology does what it is supposed to do in a reasonably competent manner. For example, just as a lawyer could not use a paralegal to use a form to create the first draft of a contract for a client if the paralegal's work was known to be unreliable or unreasonably expensive, a lawyer cannot use an automated contract drafting service with the same shortcomings. The first step, in other words, requires reasonable efforts by the lawyer to determine the competency of the service. If the service does not provide competent assistance, the lawyer obviously cannot use it. The second step requires determining whether a competent service can be used while complying with the ethical obligations of the lawyer, beyond competency. Just as a lawyer must ensure that non-lawyer employees and agents maintain the confidentiality of client information consistent with the lawyer's ethical obligations, he must do so with all services provided by third parties, including automated services. Likewise, lawyers must ensure non-lawyer assistants - even those who are independent contractors hired for a particular matter, and not firm employees - do not have conflicts of interest or violations of other ethical rules. This article focuses on the second step in the due diligence process. <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.wired.com/2008/01/securitymatters-0110/"> Steal this Wi-Fi </a> </strong> (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet. 
To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous. <a href="">top </a> </p> <p> <strong> <a href="https://www.steptoe.com/publications-5331.html"> FTC adopts final Can-Spam rules </a> </strong> (Steptoe & Johnson's E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of "sender" to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the "from" line of the commercial email, then this person will generally be considered the "sole sender" of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008. 
<a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-70698197545406144502018-08-25T07:49:00.000-04:002018-08-25T07:49:02.830-04:00MIRLN --- 29 July - 25 August 2018 (v21.11)<p> <a name="TOP"> </a> MIRLN --- 29 July - 25 August 2018 (v21.11) --- by Vince Polley and KnowConnect PLLC </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_29_july_25_august_2018_v2111/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="NEWS"> </a> </p> <ul> <li> <a href=""> South Carolina requires insurers to have plans safeguarding customer data </a> </li> <li> <a href=""> Cyber experts: Attacks inevitable, preparation for law firms essential </a> </li> <li> <a href=""> Ohio enacts law giving affirmative defense to businesses which beef up cybersecurity </a> </li> <li> <a href="">NIST Small Business Cybersecurity Act becomes law </a> </li> <li> <a href=""> 5 lessons learned on data breach management after 2 months of GDPR: Friday is calling </a> </li> <li> <a href="">Welcome to the Quiet Skies </a> </li> <li> <a href="">Fending off cyberattacks in international arbitration </a> </li> <li> <a href="">Videorecording public servants in public </a> </li> <li> <a href="">Legal protection for ethical hackers </a> </li> <li> <a href=""> The Defense Department has produced the first tools for catching deepfakes </a> </li> <li> <a href="">SpiderOak's Warrant Canary died </a> </li> <li> <a href=""> Security flaws on Comcast's login page exposed customers' personal information </a> </li> <li> <a href=""> The "Arrest and Alleged Charges No Longer Exist -- as If It Never Happened" </a> </li> <li> <a href=""> GCs are flirting with the big four - but they remain wary </a> </li> <li> <a href=""> Hack causes pacemakers to deliver life-threatening shocks </a> </li> 
<li> <a href=""> West Virginia to offer mobile blockchain voting app for overseas voters in November election </a> </li> <li> <a href="">The World Bank is getting in on blockchain </a> </li> <li> <a href=""> Fax machines may be vulnerable to hackers, new report finds </a> </li> <li> <a href="">US court authorizes service by Twitter on WikiLeaks </a> </li> <li> <a href=""> Hundreds of researchers from Harvard, Yale and Stanford were published in fake academic journals </a> </li> <li> <a href=""> Public utility's recording of home energy consumption every 15 minutes is a "search," Seventh Circuit rules </a> </li> </ul> <p> <a name="SouthCarolina"> </a> <strong> <a href="http://www.abajournal.com/news/article/south_carolina_requires_insurers_to_have_cybersecurity_plan/?icn=sidebar&ici=text" > South Carolina requires insurers to have plans safeguarding customer data </a> </strong> (ABA Journal, 6 July 2018) - Less than a year from now, insurers doing business in South Carolina will be required to have a "comprehensive information security program" that protects consumer data. As of Jan. 1, 2019, insurers licensed in the state will be required to create and maintain data security standards based on an ongoing risk assessment, oversee third-party service providers, investigate breaches and notify regulators within 72 hours of a cyber event that affects more than 250 state residents. "It provides some consumer protection to further help safeguard that extremely important and private information," said South Carolina Department of Insurance director Ray Farmer after the passage of the <a href="https://www.scstatehouse.gov/sess122_2017-2018/bills/4655.htm"> Insurance Data Security Act </a> in May, according to the <a href="https://www.southcarolinaradionetwork.com/2018/05/15/sc-first-in-nation-to-pass-cybersecurity-law-for-insurance-companies/" > South Carolina Radio Network </a> . "It requires insurance companies to beef up their data security." 
* * * The law was based on <a href="https://www.naic.org/Releases/2017_docs/naic_passes_data_security_model_law.htm" > model legislation </a> created by the National Association of Insurance Commissioners, a standards setting body. The committee that drafted the legislation was chaired by Farmer. Maria Sasinoski, an associate at the Pittsburgh office of McGuireWoods LLP, told <a href="https://www.bna.com/south-carolina-insurance-n73014477055/"> Bloomberg BNA </a> that insurers like the NAIC model because it will "ward off" a patchwork of different state-level laws. She said that Rhode Island is also considering a <a href="http://webserver.rilin.state.ri.us/BillText18/HouseText18/H7789.pdf" > version </a> of the legislation. In South Carolina, the law, including its notification requirement, goes into effect Jan. 1, 2019, and insurers will be required to provide written security plans to state regulators starting July 1, 2019. <a href="">top </a> </p> <p> - and - </p> <p> <a name="CyberExperts"> </a> <strong> <a href="https://www.americanbar.org/news/abanews/aba-news-archives/2018/08/cyber_experts_attac.html" > Cyber experts: Attacks inevitable, preparation for law firms essential </a> </strong> (ABA Journal, 4 Aug 2018) - After the 9/11 attack on the United States, a national commission that analyzed the tragedy found that the country's national security apparatus failed in two major regards: it showed a lack of imagination for the unthinkable and no unity in communication and cooperation to face the developing terrorist threat. Fast forward 17 years. A panel at the American Bar Association Annual Meeting in Chicago raised concerns Saturday that U.S. businesses -- and law firms particularly -- might be going down a similar pre-9/11 path by failing to comprehend the full threat, vulnerabilities and consequences of cyberattacks from around the globe. 
The program, <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/Cyber_wake_up.pdf" > Cybersecurity Wake Up Call: The Business You Save May Be Your Own </a> , included two key players in the cybersecurity space during the Obama administration - Rajesh De, former general counsel of the National Security Agency, and Suzanne Spaulding, former undersecretary for National Protection and Programs Directorate in the Department of Homeland Security. Also participating were lawyers Thomas Smedinghoff and moderator Ruth Hill Bro, both members of the <a href="https://www.americanbar.org/content/aba/groups/cybersecurity.html"> ABA Cybersecurity Legal Task Force </a> , which sponsored the 90-minute program. The consensus of the panel was that cyberattacks are inevitable, and that preparation for law firms was necessary not only to avoid the hardware issues but also post-attack consequences. A post-attack communications plan was essential, the panelists said. So is thorough due diligence and planning with vendors and others in the supply chain to avoid legal consequences after a breach. The panelists also explored legal issues related to payments and other issues dealing with "ransomware," the concept of criminals shaking down businesses and others for money and bitcoins through cyber breaches. De noted this is a corporate governance issue, and that there should be a plan when an incident occurs on notifying authorities, deciding whether a payment should be made and how to communicate the situation to stakeholders, including governing boards. "It is always the disclosure issues that tend to trip people up," said De, a partner at Mayer Brown in Washington, D.C. 
Bro, who co-chairs the task force which recently published a book, " <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=309654847&term=cybersecurity+handbook" > The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals </a> ," reminded the audience that cybersecurity "is a process not a product" requiring persistent vigilance and constant review. She touted the motto of the Boy Scouts: "Be prepared." <a href="">top </a> </p> <p> - and - </p> <p> <a name="OhioEnacts"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/08/ohio-enacts-law-giving-affirmative-defense-to-businesses-which-beef-up-cybersecurity.html" > Ohio enacts law giving affirmative defense to businesses which beef up cybersecurity </a> </strong> (Ride The Lightning, 8 Aug 2018) - Columbus Business First <a href="https://www.bizjournals.com/columbus/news/2018/08/03/kasich-signs-bill-protecting-businesses-that.html" target="_blank" > reported </a> on August 3 <sup>rd </sup> that Ohio Governor John Kasich had signed into law a bill that aims to prod businesses to beef up security by giving companies something of a "safe harbor" if they voluntarily invest in better cybersecurity to protect customer information. The Ohio Data Protection Act provides an affirmative legal defense for companies that suffer a data breach who are then sued for not implementing reasonable security protocols. Eligible organizations may rely on conformity to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. 
To qualify for this new defense, the organization must implement a written cybersecurity program designed to (1) protect the security and confidentiality of personal information, (2) protect against anticipated threats or hazards to the security or integrity of personal information, and (3) protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security and the resources available to the organization. This is a good recognition that one size does not fit all, but makes conforming to the safe harbor more difficult to establish. * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="NISTsmall"> </a> <strong> <a href="https://www.securityweek.com/nist-small-business-cybersecurity-act-becomes-law?" > NIST Small Business Cybersecurity Act becomes law </a> </strong> (Security Week, 16 Aug 2018) - Donald Trump signed the NIST Small Business Cybersecurity Act, S. 770 (formerly known as the <a href="https://www.securityweek.com/senate-passes-main-street-cybersecurity-act-small-business" > MAIN STREET Cybersecurity Act </a> ) into law on Tuesday (August 14, 2018). It requires NIST to "disseminate clear and concise resources to help small business concerns identify, assess, manage, and reduce their cybersecurity risks." The resources to be provided are informational. They must be generally applicable to a wide range of small businesses; vary with the nature and size of small businesses; promote cybersecurity awareness and workplace cybersecurity culture; and include practical application strategies. 
The resources must further be technology-neutral and compatible with COTS solutions; and as far as possible consistent with international standards and the Stevenson-Wydler Technology Innovation Act of 1980. Use of these resources by small businesses is voluntary. * * * Small businesses, and many large organizations, struggle to comply with the existing NIST Security Framework. "This change sets the stage for greater compliance and readiness from smaller organizations who previously thought that NIST compliance was too costly or complex to obtain," adds Dr. Bret Fund, founder and CEO at SecureSet. The basic problem is small organizations cannot afford extensive cybersecurity resources in-house, while many still believe they will not be a target for cyber attackers. * * * Counterintuitively, small businesses suffer more from a successful attack than do the larger companies. "In fact," suggests Anupam Sahai, Vice President of Product Management at Cavirin, "recent reports show that smaller businesses lose proportionately more to cyberattacks since they are targeted just as often, and are less able to recover due to less resilient infrastructures." <a href="">top </a> </p> <p> <a name="FiveLessons"> </a> <strong> <a href="https://www.mayerbrown.com/5-lessons-learned-on-data-breach-management-after-2-months-of-gdpr-friday-is-calling-07-25-2018/?utm_source=eloqua&utm_medium=email_56234&utm_campaign=25790&elqTrackId=078A4A8DB7CE2CEAC26CA087ABCA4737&elq=a93282500e7b4d9abb49e1ab4e85cf6b&elqaid=56234&elqat=1&elqCampaignId=25790" > 5 lessons learned on data breach management after 2 months of GDPR: Friday is calling </a> </strong> (Mayer Brown, 25 July 2018) - The GDPR mandates controllers and processors to have technical and organizational measures in place to ensure an appropriate level of security for personal data. They should have the ability to detect, address and report data breaches in a timely manner. 
Many internal procedures were drafted in anticipation of the entry into force of the GDPR. Now, two months after GDPR Day, here are five lessons learned from data breach management, as, yes, numerous personal data breaches have occurred since then, of which authorities were notified, in pretty significant numbers and in a variety of sectors. * * * [ <strong>Polley </strong>: Interesting; also notable for quickly conveying some useful lessons. More to come, I'm sure.] <a href="">top </a> </p> <p> <a name="WelcomeTo"> </a> <strong> <a href="http://apps.bostonglobe.com/news/nation/graphics/2018/07/tsa-quiet-skies/?p1=HP_SpecialTSA" > Welcome to the Quiet Skies </a> </strong> <strong> </strong> (Boston Globe, 28 July 2018) - Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency. The previously undisclosed program, called "Quiet Skies," specifically targets travelers who "are not under investigation by any agency and are not in the Terrorist Screening Data Base," according to a Transportation Security Administration bulletin in March. But some air marshals, in interviews and internal communications shared with the Globe, say the program has them tasked with shadowing travelers who appear to pose no real threat - a businesswoman who happened to have traveled through a Mideast hot spot, in one case; a Southwest Airlines flight attendant, in another; a fellow federal law enforcement officer, in a third. It is a time-consuming and costly assignment, they say, which saps their ability to do more vital law enforcement work. Already under Quiet Skies, thousands of unsuspecting Americans have been subjected to targeted airport and inflight surveillance, carried out by small teams of armed, undercover air marshals, government documents show. 
The teams document whether passengers fidget, use a computer, have a "jump" in their Adam's apple or a "cold penetrating stare," among other behaviors, according to the records. Air marshals note these observations - minute-by-minute - in two separate reports and send this information back to the TSA. All US citizens who enter the country are automatically screened for inclusion in Quiet Skies - their travel patterns and affiliations are checked and their names run against a terrorist watch list and other databases, according to agency documents. <a href="">top </a> </p> <p> <a name="FendingOff"> </a> <strong> <a href="https://www.law.com/newyorklawjournal/2018/08/03/protocol-to-fend-off-cyberattacks-in-international-arbitration/?kw=Fending%20Off%20Cyberattacks%20in%20International%20Arbitration&et=editorial&bu=ALMcyberSecure&cn=20180810&src=EMC-Email&pt=cyberSecureNews" > Fending off cyberattacks in international arbitration </a> </strong> (NY Law Journal, 3 Aug 2018) - In the context of ever-escalating data breaches, international arbitration is not immune to cyberattacks. One widely reported cyberattack targeted the Permanent Court of Arbitration in The Hague (PCA) in July 2015, while the court was administering a hearing between the Philippines and China over disputed territorial waters in the South China Sea. During that arbitration, a malicious software originating in China targeted the PCA's website, the Philippines Department of Justice, the law firm representing the Philippines in the arbitration, and anyone visiting a specific page of the PCA devoted to the dispute, allowing the hackers to access classified information. A similar cyberintrusion occurred in 2008 in the case of <em>Libananco Holdings Co. v. Rep. 
of Turkey (ICSID Case No ARB/06/9) </em>, where, in the course of a separate court-ordered money laundering investigation, the Turkish government intercepted privileged communications and materials that had been exchanged between Libananco and its counsel in connection with the arbitration. It is therefore no surprise that international arbitration may become a prime target for cybercriminals. This is for various reasons. <em>First </em>, as a neutral forum for the resolution of complex international disputes, international arbitration often involves parties that are themselves prominent targets of cyberattacks such as multinational corporations, governments, state entities, and public figures. <em>Second </em>, in these types of disputes, digital discovery is the norm and inevitably involves the exchange of highly sensitive information such as trade secrets, business plans, and case strategy, which have the potential of influencing politics and moving financial markets. <em>Third </em>, the risk of exposure to cyberattacks is relatively high because of the way international arbitration is conducted. The information collected is typically organized in easily searchable data sets, such as pleadings, witness statements, expert reports, transcripts of hearings, and arbitral deliberation materials, including draft and final awards. Each fixed or portable device (computers, laptops, smartphones, tablets), cloud-based storage (file-sharing platforms, virtual data rooms), and courtroom technology (real-time translations, live e-transcripts, telepresence technologies) is a digital portal allowing for unauthorized access to arbitration-related materials.
The fact that the information is hosted and exchanged by a variety of digitally interdependent players such as in-house and outside counsel, government officers and agencies, arbitral institutions and tribunals, experts and witnesses, and other custodians of large electronic information repositories only increases the likelihood that a data breach of one participant will impact all participants. The data custodians involved in the process also tend to sit in different jurisdictions and communicate through various means, including unencrypted email. Therefore, large amounts of information travel around the world in an unsecured way. Even larger amounts of information may be compromised if U.S.-style discovery takes place. <a href="">top </a> </p> <p> <a name="Videorecording"> </a> <strong> <a href="https://reason.com/volokh/2018/08/04/videorecording-public-servants-in-public" > Videorecording public servants in public </a> </strong> (Volokh Conspiracy, 4 Aug 2018) - I think the <a href="https://scholar.google.com/scholar_case?case=9753439108429422949#r%5B27%5D" > federal circuit court decisions </a> recognizing a right to videorecord in public places -- decisions that have so far dealt with recording police officers -- are correct: A right to speak must include some right to gather the information needed to speak (what is often labeled the "right to gather news"), and recording what government officials do in public places is important to be able to speak credibly about it. * * * But courts haven't figured out how far this extends, especially when we get beyond recording the police. Here is an interesting 2017 opinion ( <em> <a href="https://scholar.google.com/scholar_case?case=12253193552882349367" > People v. 
Rivas </a> </em> ) from the New York intermediate appellate court; Rivas was convicted of fourth-degree stalking, which punishes anyone who "intentionally, and for no legitimate purpose, engages in a course of conduct directed at a specific person, and knows or reasonably should know that such conduct ... is likely to cause reasonable fear of material harm to the physical health, safety or property of such person," and of first-degree harassment, which punishes anyone who "intentionally and repeatedly harasses another person by following such person in or about a public place or places or by engaging in a course of conduct or by repeatedly committing acts which places such person in reasonable fear of physical injury." * * * <a href="">top </a> </p> <p> <a name="LegalProtection"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/08/legal-protection-for-ethical-hackers.html" > Legal protection for ethical hackers </a> </strong> (Ride The Lightning, 6 Aug 2018) - <em>The Washington Post </em> (sub. req.) <a href="https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/08/03/the-cybersecurity-202-the-law-doesn-t-protect-ethical-hackers-this-new-project-could-help-close-that-gap/5b6330421b326b0207955ecb/" target="_blank" > reported </a> on August 3 <sup>rd </sup> about a new project called <a href="https://disclose.io/" target="_blank">Disclose.io </a> which is dedicated to providing legal protection to ethical hackers. The site itself says disclose.io is a collaborative and vendor-agnostic project to standardize best practices around safe harbor for good-faith security research. The project originated with the cybersecurity firm Bugcrowd and a University of California researcher. It aims to protect well-intentioned hackers from legal action when they reveal security vulnerabilities in an organization's networks or software. 
The project offers companies, academic institutions or even government agencies a standard legal agreement they can post that fundamentally says that it's okay to hack us if you do it in good faith. It tells ethical hackers that they won't get sued or face criminal charges if they find a flaw on an organization's systems and report it responsibly. Laws such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act don't contain protections for researchers who disclose bugs, creating a legal gray area discouraging ethical hacking. In recent years, companies have sued or threatened legal action against researchers who have uncovered serious vulnerabilities - sometimes to prevent an embarrassing flaw from being disclosed publicly. In one example last year, the FBI investigated security researchers in Georgia who discovered that millions of voter registration records were publicly accessible on the state's election website. And boy oh boy, was that something that needed to be disclosed! Understandably, researchers are sometimes reluctant to report potentially serious security flaws because they fear the repercussions. Disclose.io offers a template with boilerplate language that spells out in plain terms what security researchers can and can't do if they decide to probe for bugs, and offers them legal safe harbor if they play by the rules. The template is open sourced - anyone is free to use it or modify it. <a href="">top </a> </p> <p> <a name="TheDefense"> </a> <strong> <a href="https://www.technologyreview.com/s/611726/the-defense-department-has-produced-the-first-tools-for-catching-deepfakes/" > The Defense Department has produced the first tools for catching deepfakes </a> </strong> <strong> </strong> (Technology Review, 7 Aug 2018) - The first forensics tools for catching revenge porn and fake news created with AI have been developed through a program run by the US Defense Department. 
Forensics experts have rushed to find ways of detecting videos synthesized and manipulated using machine learning because the technology makes it far easier to create convincing fake videos that could be used to sow disinformation or harass people. Video trickery involves using a machine-learning technique known as generative modeling, which lets a computer learn from real data before producing fake examples that are statistically similar. A recent twist on this involves having two neural networks, known as generative adversarial networks, work together to produce ever more convincing fakes. The tools for catching deepfakes were developed through a program - run by the US Defense Advanced Research Projects Agency (DARPA) - called <a href="https://www.darpa.mil/program/media-forensics" target="_blank"> Media Forensics </a> . The program was created to automate existing forensics tools, but has recently turned its attention to AI-made forgery. "We've discovered subtle cues in current GAN-manipulated images and videos that allow us to detect the presence of alterations," says Matthew Turek, who runs the Media Forensics program. <a href="">top </a> </p> <p> <a name="SpiderOak"> </a> <strong> <a href="https://www.schneier.com/blog/archives/2018/08/spideroaks_warr.html" > SpiderOak's Warrant Canary died </a> </strong> (Bruce Schneier, 8 Aug 2018) - " <em> I have never quite trusted the idea of a warrant canary. But here it seems to have worked. (Presumably, if SpiderOak wanted to replace the warrant canary with a transparency report, they would have written something explaining their decision.
To have it simply disappear is what we would expect if SpiderOak were being forced to comply with a US government request for personal data.)" </em> </p> <p> <strong>* * * which leads to the underlying Boing Boing story: </strong> </p> <p> <strong> <a href="https://boingboing.net/2018/08/06/spideroak-warrant-canary-to-be.html" > SpiderOak warrant canary to be replaced by 'transparency report' </a> </strong> (Boing Boing, 6 August 2018) - SpiderOak is a cloud backup service with a <a href="https://en.wikipedia.org/wiki/Warrant_canary">warrant canary </a>: a formal statement that <a href="https://spideroak.com/canary"> assured users that the company and its operators had never been made to secretly cooperate with the government </a> , law enforcement or other surveilling authority. <a href="https://www.reddit.com/r/privacy/comments/94nspi/spideroak_cans_its_warrant_canary_suffers/" > The canary reportedly disappeared this weekend </a> , then reappeared, along <a href="https://twitter.com/SpiderOak/status/1025488889564327936"> with a statement saying it was being replaced by a " </a> <a href="https://spideroak.com/transparency/">transparency report </a> ." </p> <p> <strong>* * * which leads to: </strong> </p> <p> a 3 August tweet from @SpiderOak, that itself says " <em> the final version of the canary is available at <a href="https://spideroak.com/canary">spideroak.com/canary </a> </em> ." In turn, the slightly-convoluted canary includes this language: <em> "On top of this, the canary's effectiveness as a tool has been questioned, the usage of it at other companies is not consistent, and verifying it and keeping track of it is complicated for users." </em> [ <strong>Polley </strong>: First, I'm struck by Schneier's comment: suggests that canaries <u>can </u>work, if done carefully. Digging into the actual postings by SpiderOak on their Twitter feed suggests a fascinating back-story. Would have been fun being on that legal team. 
(Sorry for the recursive structure.)] <a href="">top </a> </p> <p> <a name="SecurityFlaws"> </a> <strong> <a href="https://www.buzzfeednews.com/article/nicolenguyen/a-comcast-security-flaw-exposed-millions-of-customers" > Security flaws on Comcast's login page exposed customers' personal information </a> </strong> (BuzzFeed, 8 Aug 2018) - Comcast Xfinity inadvertently exposed the partial home addresses and Social Security numbers of <a href="https://www.cmcsa.com/news-releases/news-release-details/comcast-reports-2nd-quarter-2018-results" target="_blank" > more than 26.5 million </a> customers, according to security researcher <a href="https://twitter.com/Phobia" target="_blank">Ryan Stevenson, </a> who discovered the security flaws. Two previously unreported vulnerabilities in the high-speed internet service provider's online customer portal made it easy for even an unsophisticated hacker to access this sensitive information. After BuzzFeed News reported the findings to Comcast, the company patched the flaws. Spokesperson David McGuire told BuzzFeed News, "We quickly investigated these issues and within hours we blocked both vulnerabilities, eliminating the ability to conduct the actions described by these researchers. We take our customers' security very seriously, and we have no reason to believe these vulnerabilities were ever used against Comcast customers outside of the research described in this report." While Comcast has not found any foul play yet, its review is ongoing.
<a href="">top </a> </p> <p> <a name="TheArrest"> </a> <strong> <a href="http://reason.com/volokh/2018/08/08/the-arrest-and-alleged-charges-no-longer" > The "Arrest and Alleged Charges No Longer Exist -- as If It Never Happened" </a> </strong> (Volokh Conspiracy, 8 Aug 2018) - Expungement laws let people who have been arrested-and often even ones who have been convicted-get their records removed from government databases, or sometimes sealed so that some government agencies can access them but the public can't. There's an interesting and important policy debate about whether this should happen, and when it should happen. But the expungement laws do <em>not </em> require private organizations, such as newspapers, to delete information about the arrest or conviction from their archives. (In a few places, they cover private databases of information, sometimes just ones that charge money to remove material from those database; that itself poses First Amendment problems, but those laws are sharply limited and don't purport to cover newspapers.) Nor does an expungement make the original report of the arrest or conviction libelous; it may change what facts the government keeps in its files, or what facts the criminal justice system can later use about the arrest, but it doesn't change reality of the original arrest, and it doesn't bar people from keeping up articles about the arrest. Yet some lawyers' demand letters, unsurprisingly, argue the contrary; here, for instance, is a <a href="https://www.lumendatabase.org/file_uploads/files/4356090/004/356/090/original/s25_Redacted.pdf?1533653088" > letter </a> sent in November by New York lawyer Gregg M. Sidoti to the Stillwater (Okla.) News Press about an expungement of a 19-year-old's arrest for public intoxication. 
* * * <a href="">top </a> </p> <p> <a name="GCsAreFlirting"> </a> <strong> <a href="https://www.law.com/corpcounsel/2018/08/09/gcs-are-flirting-with-the-big-four-but-they-remain-wary/" > GCs are flirting with the big four - but they remain wary </a> </strong> (Corporate Counsel, 9 Aug 2018) - Within the past couple of months, <a href="https://www.law.com/corpcounsel/2018/08/07/summer-internships-in-silicon-valley-offer-new-route-in-house-for-law-students/" > Adobe Systems Inc </a> . has taken a less traditional path in handling some of its corporate legal work overseas. The company has shifted some matters away from traditional international and regional law firms and hired one of the Big Four accounting firms to take on this work instead. What prompted the switch? According to Lisa Konie, senior director of legal operations for Adobe, it was primarily a predictable <a href="https://www.law.com/corpcounsel/2018/08/07/the-american-arbitration-association-announces-alternative-fee-options/" > alternative fee arrangement </a> . The San Jose, California-based software company pays the firm, which Konie declined to name, an annual fixed fee that depends on the country where the work is being done and the services being provided. "What I don't think a lot of law firms appreciate is that we are held accountable to our CFO," Konie said. "When I come in and tell my CFO that we have 75 percent accountability with billing I come off looking like a rock star." While some companies, like Adobe, are on board with the Big Four, others are hanging back, despite the apparent advantages that these accounting behemoths have over traditional law firms, including more predictable and flexible pricing and Scrooge McDuck-sized bank vaults. Those who remain hesitant say they're still waiting for the Big Four to prove that they offer a better alternative to the traditional firm model. 
<a href="">top </a> </p> <p> <a name="HackCauses"> </a> <strong> <a href="https://arstechnica.com/information-technology/2018/08/lack-of-encryption-makes-hacks-on-life-saving-pacemakers-shockingly-easy/" > Hack causes pacemakers to deliver life-threatening shocks </a> </strong> (ArsTechnica, 9 Aug 2018) - Life-saving pacemakers manufactured by Medtronic don't rely on encryption to safeguard firmware updates, a failing that makes it possible for hackers to remotely install malicious wares that threaten patients' lives, security researchers said Thursday. At the Black Hat security conference in Las Vegas, researchers Billy Rios and Jonathan Butts said they first alerted medical device maker Medtronic to the hacking vulnerabilities in January 2017. So far, they said, the proof-of-concept attacks they developed still work. The duo on Thursday demonstrated one hack that compromised a <a href="http://www.medtronic.com/ca-en/healthcare-professionals/products/cardiac-rhythm/patient-management-carelink/medtronic-carelink-programmer.html" > CareLink 2090 programmer </a> , a device doctors use to control pacemakers after they're implanted in patients. Because updates for the programmer aren't delivered over an encrypted HTTPS connection and firmware isn't digitally signed, the researchers were able to force it to run malicious firmware that would be hard for most doctors to detect. From there, the researchers said, the compromised machine could cause implanted pacemakers to make life-threatening changes in therapies, such as increasing the number of shocks delivered to patients. 
<a href="">top </a> </p> <p> <a name="WestVirginia"> </a> <strong> <a href="https://www.washingtonpost.com/technology/2018/08/10/west-virginia-pilots-mobile-blockchain-voting-app-overseas-voters-november-election/?utm_term=.4740a9982267" > West Virginia to offer mobile blockchain voting app for overseas voters in November election </a> </strong> (WaPo, 10 Aug 2018) - West Virginia will provide a mobile blockchain voting option, in addition to absentee ballots, for overseas military service members in elections this November, after receiving audit results this week from a pilot program. It will be the first state to offer this technology to improve voting accessibility for deployed members of the military and their families, according to West Virginia's secretary of state. Eligible voters will be able to cast their ballots through a mobile application that uses <a href="https://www.washingtonpost.com/news/the-switch/wp/2018/01/10/how-the-technology-behind-bitcoin-could-change-your-life-even-if-you-never-buy-a-single-coin/?utm_term=.74200502ddac" > blockchain technology </a> , which stores data on a decentralized database, meaning there's no owner, allowing for more transparent transactions. Information is stored publicly, but to ensure privacy, West Virginia voters' personal information will remain anonymous. * * * West Virginia is offering blockchain ballots only to overseas military members, and state officials remain wary of advocating the technology for in-state voters or other state elections. "This is a solution to West Virginia's problems [with overseas voters] specifically. We didn't have the money to build a new system or buy a new one that's already created," Kersey said. "I don't know if blockchain is the answer. It was just the answer we found here." 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="TheWorldBank"> </a> <strong> <a href="https://money.cnn.com/2018/08/10/technology/world-bank-blockchain-bond/index.html" > The World Bank is getting in on blockchain </a> </strong> (CNN, 10 Aug 2018) - The international lender is planning to issue what it says is the world's first global blockchain bond, a notable mainstream endorsement of the emerging technology. Blockchain is best known as the technology underpinning bitcoin and other cryptocurrencies. It serves as a digital record of financial transactions. The World Bank has hired Commonwealth Bank of Australia ( <a href="https://money.cnn.com/quote/quote.html?symb=CBAUF&source=story_quote_link" > CBAUF </a> ) to manage <a href="http://www.worldbank.org/en/news/press-release/2018/08/09/world-bank-mandates-commonwealth-bank-of-australia-for-worlds-first-blockchain-bond" target="_blank" > the bond </a> , which is expected to raise as much as 100 million Australian dollars ($73 million). They have named it the "Blockchain Offered New Debt Instrument," or "bond-i," a nod to Sydney's famous Bondi Beach. The World Bank follows German automaker Daimler, which <a href="https://www.daimler.com/investors/refinancing/blockchain.html" target="_blank" > used blockchain </a> technology to issue a type of German bond in a pilot project last year. Blockchain could hugely streamline the process of issuing bonds, which has been heavily reliant on physical paperwork for the past 200 years, according to James Wall, a senior institutional banking executive at Commonwealth Bank. Moving the process to the blockchain could cut costs and speed up trading for both bond issuers and investors. 
<a href="">top </a> </p> <p> <a name="FaxMachines"> </a> <strong> <a href="https://www.washingtonpost.com/technology/2018/08/13/fax-machines-may-be-vulnerable-hackers-new-report-finds/?utm_term=.97bebbb42491" > Fax machines may be vulnerable to hackers, new report finds </a> </strong> (WaPo, 13 Aug 2018) - The fax ma­chine is wide­ly con­sid­ered to be a di­no­saur of in­ter­of­fice com­mu­ni­ca­tions, but it may also pres­ent a vul­nera­ble point where hack­ers can in­fil­trate an or­gan­i­za­tion's net­work, <a href="https://blog.checkpoint.com/2018/08/12/faxploit-hp-printer-fax-exploit/" target="_blank" > ac­cord­ing to a new re­port </a> from Israel-based soft­ware com­pany Check Point. The com­pany said that the vul­ner­a­bil­i­ty was iden­ti­fied as a re­sult of re­search in­tend­ed to dis­cover po­ten­tial se­curi­ty risks, and not as the re­sult of any attack. Hack­ers can gain ac­cess to a net­work <strong>using the phone line </strong>con­nected to a fax ma­chine, which is of­ten con­nected to the rest of an or­gan­i­za­tion's net­work. By send­ing an image file that con­tains ma­li­cious soft­ware over the phone line, hack­ers can take con­trol of the de­vice and ac­cess the rest of the net­work. The re­search­ers were able to do this using only a fax num­ber, which is of­ten wide­ly dis­tri­but­ed by or­gan­i­za­tions on busi­ness cards and websites. 
<a href="">top </a> </p> <p> <a name="UScourtAuthorizes"> </a> <strong> <a href="https://reason.com/volokh/2018/08/13/us-court-authorizes-service-by-twitter-o" > US court authorizes service by Twitter on WikiLeaks </a> </strong> (Volokh Conspiracy, 13 Aug 2018) - Folkman is a leading expert on (among other things) international service of process, a technical but tremendously important field of civil procedure; read <a href="https://lettersblogatory.com/2018/08/13/us-court-authorizes-service-by-twitter-on-wikileaks/" > his post </a> for more details on this issue, but here's the introduction: <em> The Democratic National Committee has obtained leave of court to serve process on Wikileaks via Twitter in its lawsuit against Russia, Wikileaks, Julian Assange and others. I have written previously about the <a href="https://lettersblogatory.com/2018/04/20/quick-thoughts-on-the-dncs-lawsuit-against-trump-russia-and-wikileaks/" > FSIA [Foreign Sovereign Immunities Act] issue </a> in the case and the <a href="https://lettersblogatory.com/2018/04/23/more-on-the-dnc-lawsuit-serving-assange/" > issues about serving process on Mr. Assange </a> in the Ecuadoran embassy in London. But serving process on Wikileaks poses difficulties, too. The DNC's <a href="https://static.lettersblogatory.com/wp-content/uploads/2018/08/S.D.N.Y.-18-cv-03501-dckt-000149_000-filed-2018-07-20.pdf" > motion </a> gives several reasons for seeking leave to serve process by Twitter rather than by a more traditional means. Wikileaks, it says, is an "organization of unknown structure" that has "more of a virtual than a physical presence." It has post office boxes in California and in Australia, but it is unclear to the DNC whether Wikileaks uses them for business. Lawyers who have represented Wikileaks in prior US litigation have said they no longer represent the organization or are not authorized to accept service. 
And Wikileaks, or someone purporting to act on its behalf, does have an active Twitter presence.... </em> [ <strong>Polley </strong>: <em>see also </em> <strong> <a href="https://www.cbsnews.com/news/dnc-serves-wikileaks-with-lawsuit-via-twitter/" > DNC serves WikiLeaks with lawsuit via Twitter </a> </strong> (CBS, 10 Aug 2018)] <a href="">top </a> </p> <p> <a name="HundredsOf"> </a> <strong> <a href="https://motherboard.vice.com/en_us/article/3ky45y/hundreds-of-researchers-from-harvard-yale-and-stanford-were-published-in-fake-academic-journals" > Hundreds of researchers from Harvard, Yale and Stanford were published in fake academic journals </a> </strong> (Motherboard, 14 Aug 2018) - In the so-called " <a href="https://mitpress.mit.edu/books/post-truth" target="_blank"> post-truth era </a> ," science seems like one of the last bastions of objective knowledge, but what if science itself were to succumb to fake news? Over the past year, German journalist <a href="https://motherboard.vice.com/en_us/article/gygx7y/your-anonymous-browsing-data-isnt-actually-anonymous" target="_blank" > Svea Eckert </a> and a small team of journalists went undercover to investigate a massive underground network of fake science journals and conferences. In the course of the investigation, which was chronicled in the documentary " <a href="http://www.daserste.de/information/reportage-dokumentation/dokus/videos/exclusiv-im-ersten-fake-science-die-luegenmacher-englische-version-video-100.html" target="_blank" > Inside the Fake Science Factory </a> ," the team analyzed over 175,000 articles published in predatory journals and found hundreds of papers from academics at leading institutions, as well as substantial amounts of research pushed by pharmaceutical corporations, tobacco companies, and others. Last year, one fake science institution run by a Turkish family was estimated to have earned over $4 million in revenue through conferences and journals. 
* * * <a href="">top </a> </p> <p> <a name="PublicUtilitys"> </a> <strong> <a href="https://reason.com/volokh/2018/08/17/public-utilitys-recording-of-home-energy" > Public utility's recording of home energy consumption every 15 minutes is a "search," Seventh Circuit rules </a> </strong> (Orin Kerr on Volokh Conspiracy, 17 Aug 2018) - In a fascinating new decision, <em> <a href="http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2018/D08-16/C:16-3766:J:Kanne:aut:T:fnOp:N:2203659:S:0" > Naperville Smart Meter Awareness v. City of Naperville, </a> </em> the Seventh Circuit has held that a public utility commits a "search" of a home when it records every 15 minutes how much electricity the utility is providing the home, at least until the smart readers that enable this data collection come into general public use. At the same time, the court says, the utility's search of the home is reasonable and therefore permitted without any cause or suspicion. The Seventh Circuit's analysis relies on <em> <a href="https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf"> Carpenter v. United States </a> </em> for a significant step in its reasoning. Given that, the new decision is an interesting measure of where Fourth Amendment law may be going in the post- <em>Carpenter </em> era. * * * [ <strong>Polley </strong>: There's much more here, and Prof. Kerr's take on it is interesting, as always.] <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2018/08/adler-on-why-art-does-not-need-copyright-nyulaw.html" > Adler on Why Art Does Not Need Copyright </a> </strong> <strong>- </strong> (MLPB, 1 Aug 2018) - Amy Adler, New York University School of Law, is publishing <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3206830"> Why Art Does Not Need Copyright </a> in volume 86 of the George Washington Law Review (2018). 
Here is the abstract: <em> This Article explores the escalating battles between visual art and copyright law in order to upend the most basic assumptions on which copyright protection for visual art is grounded. It is a foundational premise of intellectual property law that copyright is necessary for the "progress" of the arts. This Article demonstrates that this premise is flatly wrong when it comes to visual art. United States courts and scholars have come to understand copyright law almost universally in utilitarian terms; by this account, the reason we grant copyright to authors is to give them economic incentives to create culturally valuable works. But legal scholars have failed to recognize that their paradigm makes no sense when applied to visual art, one of the highest profile and most hotly contested fields in intellectual property law. This is because scholars have failed to take into account the single most important value for participants in the art market: the norm of authenticity, which renders copyright law superfluous. The fundamental assumption of copyright law - that the copy poses a threat to creativity - is simply not true for visual art. By juxtaposing copyright theory with the reality of the art market, this Article shows why copyright law does not - and cannot - incentivize the creation of visual art. In fact, copyright law, rather than being necessary for art's flourishing, actually impedes it. </em> <a href="">top </a> </p> <p> <strong> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3221625"> Twenty years of web scraping and the Computer Fraud and Abuse Act </a> </strong> (BU Journal of Science and Technology Law, 14 Aug 2018) - Abstract: <em> "Web scraping" is a ubiquitous technique for extracting data from the World Wide Web, done through a computer script that will send tailored queries to websites to retrieve specific pieces of content. 
The technique has proliferated under the ever-expanding shadow of the Computer Fraud and Abuse Act (CFAA), which, among other things, prohibits obtaining information from a computer by accessing the computer without authorization or exceeding one's authorized access. Unsurprisingly, many litigants have now turned to the CFAA in an attempt to police against unwanted web scraping. Yet despite the rise in both web scraping and lawsuits about web scraping, practical advice about the legality of web scraping is hard to come by, and rarely extends beyond a rough combination of "try not to get caught" and "talk to a lawyer." Most often the legal status of scraping is characterized as something just shy of unknowable, or a matter entirely left to the whims of courts, plaintiffs, or prosecutors. Uncertainty does indeed exist in the caselaw, and may stem in part from how courts approach the act of web scraping on a technical level. In the way that courts describe the act of web scraping, they misstate some of the qualities of scraping to suggest that the technique is inherently more invasive or burdensome. The first goal of this piece is to clarify how web scrapers operate, and explain why one should not think of web scraping as being inherently more burdensome or invasive than humans browsing the web. The second goal of this piece is to more fully articulate how courts approach the all-important question of whether a web scraper accesses a website without authorization under the CFAA. I aim to suggest here that there is a fair amount of madness in the caselaw, but not without some method. Specifically, this piece breaks down the twenty years of web scraping litigation (and the sixty-one opinions that this litigation has generated) into four rough phases of thinking around the critical access question. 
The first runs through the first decade of scraping litigation, and is marked with cases that adopt an expansive interpretation of the CFAA, with the potential to extend to all scrapers so long as a website can point to some mechanism that signaled access was unauthorized. The second, starting in the late 2000s, was marked by a narrowing of the CFAA and a focus more on the code-based controls of scraping, a move that tended to benefit scrapers. In the third phase courts have receded back to a broad view of the CFAA, brought about by the development of a "revocation" theory of unauthorized access. And most recently, spurred in part by the same policy concerns that led courts to initially constrain the CFAA in the first place, courts have begun to rethink this result. The conclusion of this piece identifies the broader questions about the CFAA and web scraping that courts must contend with in order to bring more harmony and comprehension to this area of law. They include how to deal with conflicting instructions on authorization coming from different channels on the same website, how the analysis should interact with existing technical protocols that regulate web scraping, including the Robots Exclusion Standard, and what other factors beyond the wishes of the website host should govern application of the CFAA to unwanted web scraping. </em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="http://www.theregister.co.uk/2008/11/25/havenco/"> Offshore hosting firm Havenco lost at sea </a> </strong> (The Register, 25 Nov 2008) - Controversial hosting provider HavenCo - which operated from the 'nation' of Sealand, an old naval fort off the coast of Suffolk which was declared a 'sovereign principality' by its quirky owner Roy Bates - has finally gone offline. 
As of last week, the HavenCo website is gone and the domain is now hosted outside the Sealand subnet. Founded in 2000 by Bates' son Michael with $1m in seed money, the company initially offered an everything-goes policy along with an offshore fat-pipe data haven. Child pornography, spamming and malicious hacking were strictly prohibited, but with no restrictions on copyright or intellectual property for data hosted on its servers, file-sharing certainly looked like a possibility. Many existing customers had left by 2003. With no investment backing, bandwidth never materialised, and the location was vulnerable to DoS attacks. However, what probably scared most potential customers was the fact that all internet connectivity went through the UK and that the UK claimed the platform was within its territorial waters. HavenCo was one of many failed business ventures in an attempt to profit from the world's smallest country. A scheme to build a hotel and gambling complex never materialised. Since last year, the principality has been put up for sale. Last year, Swedish bittorrent search site The Pirate Bay said it was in negotiations with Prince Michael of Sealand about purchasing the principality to use it as a base for its own operations, but Bates declared he would never sell the micronation - currently priced at €750m - to a BitTorrent tracker. <a href="">top </a> </p> <p> <strong> <a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112041&source=rss_topic17" > Ohio official sues e-voting vendor for lost votes </a> </strong> (Computerworld, 8 August 2008) - Ohio Secretary of State Jennifer Brunner has filed a lawsuit against an electronic-voting machine vendor, saying the vendor should pay damages for dropped votes in the state's March primary election. 
E-voting machines from Premier Election Solutions, formerly known as Diebold Election Systems, dropped hundreds of votes in 11 Ohio counties during the primary election, as the machines' memory cards were uploaded to vote-counting servers, Brunner's office said. Officials in Brunner's office later discovered the dropped votes in other counties after voting officials in Butler County discovered about 150 dropped votes, said Jeff Ortega, Brunner's assistant director of communications. Brunner's lawsuit, filed in Franklin County Common Pleas Court in Ohio on Wednesday, is a counterclaim to an earlier lawsuit filed by Premier. In May, Premier filed a lawsuit against Brunner's office and Cuyahoga County, Ohio, seeking a judgment that Premier did not violate any contracts or warranties. Brunner's lawsuit accuses Premier of not fulfilling its contracts with election officials. The lawsuit also alleges breach of warranty and fraud. Premier e-voting machines are used in half of Ohio's 88 counties. Butler County officials discovered the dropped votes in post-election checks. That set off a statewide investigation, which found dropped votes in 11 other counties, according to information from Brunner's office. Butler County officials sent letters to Premier on April 4 and 9, seeking an explanation for the dropped votes, and on May 16, Premier issued a report suggesting human error or conflicts with antivirus software were to blame. Brunner and Butler County officials have suggested that the May report and a follow-up issued by Premier lacked evidence that antivirus software caused the problems. A Premier report on May 29 suggested counties disable antivirus software on vote-tabulation servers, but the servers had been certified in Ohio with the antivirus software installed, Brunner said. In December, Brunner's office issued a report questioning the security of touch-screen e-voting machines like those sold by Premier. 
Machines from Premier and two other vendors had "critical security failures," the report said. <a href="">top </a> </p> <p> <a name="TOP"> </a> MIRLN --- 8-28 July 2018 (v21.10) --- by Vince Polley and KnowConnect PLLC (posted 28 July 2018) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_8_28_july_2018_v2110/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">PODCASTS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> </p> <p> ABA attendees at the Chicago annual meeting next week may want to attend a showcase program (August 4 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. " <em> Cybersecurity Wake-up Call: The Business You Save May Be Your Own." </em> Info <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/Cyber_wake_up.authcheckdam.pdf" > here </a> . See you there! 
</p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> In world first, Danish court rules stream-ripping site illegal </a> </li> <li> <a href=""> US government drops prohibition on files for 3D printed arms </a> </li> <li> <a href=""> SEC probes why Facebook didn't warn sooner on privacy lapse </a> </li> <li> <a href=""> Top voting machine vendor admits it installed remote-access software on systems sold to states </a> </li> <li> <a href=""> Businesses cannot contractually ban "abusive" consumer reviews </a> </li> <li> <a href=""> Ponemon Institute: Average cost of a data breach exceeds $3.8 million </a> </li> <li> <a href=""> Cyber security advice issued to law firms in first legal threat report </a> </li> <li> <a href=""> US energy regulator wants more disclosure of cyber attacks </a> </li> <li> <a href="">Some colleges cautiously embrace Wikipedia </a> </li> <li> <a href=""> Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon </a> </li> <li> <a href="">Growing role of Amazon in library acquisitions </a> </li> <li> <a href=""> Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws </a> </li> <li> <a href="">The blockchain begins finding its way in the enterprise </a> </li> <li> <a href="">1Password's travel mode </a> </li> <li> <a href=""> Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties </a> </li> <li> <a href=""> How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections </a> </li> <li> <a href="">Carpenter and the end of bulk surveillance of Americans </a> </li> </ul> <p> <a name="InWorld"> </a> <strong> <a href="https://torrentfreak.com/in-world-first-danish-court-rules-stream-ripping-site-illegal-180710/" > In world first, Danish court rules stream-ripping site illegal </a> </strong> (Torrent Freak, 10 July 2018) - While millions of users still obtain 
pirate music from peer-to-peer platforms such as BitTorrent, in recent years a new challenge has appeared on the horizon. Sites like YouTube, which offer millions of copies of almost every song imaginable, are now an unwitting player in the piracy ecosystem. Every day, countless people use special tools to extract music from video tracks before storing them on their local machines. This so-called 'stream-ripping' phenomenon is now cited as being one of the greatest piracy threats to the record labels but thus far, no single action has been able to stem the tide. Over in Denmark, however, there has been a breakthrough of sorts following action by local anti-piracy outfit RightsAlliance taken on behalf of IFPI, collecting society <a href="https://www.koda.dk/eng">KODA </a>, the <a href="https://www.artisten.dk/">Danish Artist Union </a>, and the <a href="https://www.dmf.dk/om/english/">Danish Musicians Association </a>. The action targeted <a href="http://convert2mp3.net/">Convert2MP3 </a>, a site that allows users to download audio and video from platforms including YouTube. The recording industry groups wanted the stream-ripping platform blocked by Internet service providers in Denmark but first, they needed it to be declared illegal in the country. That decision came last week from a court in Frederiksberg. * * * <a href="">top </a> </p> <p> <a name="USgovernment"> </a> <strong> <a href="https://reason.com/volokh/2018/07/10/us-government-drops-prohibition-on-files" > US government drops prohibition on files for 3D printed arms </a> </strong> (Volokh Conspiracy, 10 July 2018) - Last week the U.S. Department of Defense and U.S. Department of State settled a lawsuit and agreed to end their prior restraint of distribution of computer files for the production of 3D printed firearms. The "International Traffic in Arms Regulations (ITAR)" are a collection of regulations covering the export of military weapons from the United States. 
The regulations are based on the 1976 Arms Export Control Act. The ITAR export controls apply to all arms on the U.S. Munitions List ["USML"], which is created by the State Department. An ITAR export permit costs at least $2,250 annually. Starting in 2012, the Department of Defense issued regulations asserting that many U.S. gunsmiths are required to obtain ITAR export permits <em>even if they never export anything. </em> <a href="https://blog.princelaw.com/2018/05/15/trump-to-alleviate-itar-obligations-for-firearm-and-ammunition-manufactures-and-gunsmiths/" target="_blank" > Details are available </a> on the website of Prince Law Offices, P.C., which specializes in firearms commerce regulation. Under the Obama administration, the U.S. Munitions List grew to include many ordinary firearms, as well as the computer files for 3D printing of ordinary firearms. In 2015, a lawsuit against the ban on distributing 3D printing files within the U.S. was brought by the Second Amendment Foundation (a civil rights litigation organization) and by Defense Distributed (a producer of 3D printing files). Plaintiffs' attorneys included Alan Gura (winner of the Heller and McDonald cases) and Josh Blackman (law professor at South Texas College of Law). There were many arguments in the case, but the principal one was that the ban constituted a prior restraint of speech, contrary to the First Amendment. The plaintiffs sought a preliminary injunction against the restraint on speech. The U.S. government prevailed in the District Court, and before a Fifth Circuit panel. A petition for rehearing en banc was rejected by a 9-5 vote. Fifth Circuit Judges voting to grant the petition were Jones, Smith, Clement, Owen, and Elrod. Voting against the petition were Stewart, Jolly, Dennis, Prado, Southwick, Haynes, Graves, Higginson, and Costa. In January 2018, the U.S. Supreme Court denied the petition for certiorari. 
The preliminary injunction having been utterly defeated, the next stage for the case was factual development in district court. In the view of attorney Alan Gura, the main reason for the loss on the preliminary injunction was reluctance to upset the status quo, rather than an expectation that the government could prevail on the merits of the First Amendment issue. <a href="http://joshblackman.com/blog/about-josh/defense-distributed-v-u-s-department-of-state/" target="_blank" > Documents in the case are available here </a> . In May 2018, the Trump administration proposed revising the ITAR regulations. The move for regulatory reform actually began under the Obama administration, but the proposed reforms were never published. Now they have been. Export controls for many ordinary firearms and accessories will be removed from the ITAR list. Exports of such items will instead be controlled by the Department of Commerce. Among the items remaining under the ITAR system are automatic firearms, firearms of greater than .50 caliber, magazines with more than 50 rounds, and sound moderators (a/k/a "silencers"). Non-automatic firearms of .50 caliber or less will no longer be covered under ITAR; among the firearms no longer under ITAR is the semiautomatic AR-15 rifle, the most common rifle in American history. Its typical calibers are .223 and .308--well under the new .50+ caliber rule. Accordingly, the government defendants revisited the <em>Defense Distributed </em>case. If a particular arm (e.g., the AR-15) is no longer part of ITAR, then it would be illogical for ITAR to be applied to instructions for making the arm. Under today's settlement agreement, plaintiffs and others may freely publish 3D printing instructions for firearms that are not covered under ITAR. Restrictions on distribution of 3D printing information for items that are still under ITAR, such as machine guns or rifles over .50 caliber, remain in place. 
[ <strong>Polley </strong>: I.e., this is NOT a 1st Amendment case.] <a href="">top </a> </p> <p> <a name="SECprobes"> </a> <strong> <a href="https://www.wsj.com/articles/sec-probes-why-facebook-didnt-warn-sooner-on-privacy-lapse-1531422043?mod=e2fb" > SEC probes why Facebook didn't warn sooner on privacy lapse </a> </strong> (WSJ, 12 July 2018) - Securities regulators are investigating whether <a href="http://quotes.wsj.com/FB">Facebook </a>Inc. adequately warned investors that developers and other third parties may have obtained users' data without their permission or in violation of Facebook policies, people familiar with the matter said. The Securities and Exchange Commission's probe of the social-media company, <a href="https://www.wsj.com/articles/sec-fbi-question-facebook-over-user-data-1530575905?mod=searchresults&page=1&pos=1&mod=article_inline" > first reported in early July </a> , follows revelations that Cambridge Analytica, a data-analytics firm that had ties to President Donald Trump's 2016 campaign, got access to information on millions of Facebook users. The SEC has requested information from Facebook as it seeks to understand how much the company knew about Cambridge Analytica's use of the data, these people said. The agency also wants to know how Facebook analyzed the risk it faced if developers were to share data with others in violation of its policies, they added. The SEC, one of several government agencies investigating Facebook and its handling of user data, enforces securities laws governing what must be disclosed to shareholders so they can make informed investment decisions. It could close its investigation, which is in its early stages, without taking enforcement action against Facebook. 
<a href="">top </a> </p> <p> <a name="TopVoting"> </a> <strong> <a href="https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states" > Top voting machine vendor admits it installed remote-access software on systems sold to states </a> </strong> (Motherboard, 17 July 2018) - The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them. In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had "provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006," which was installed on the election-management system ES&S sold them. The statement contradicts what the company <a href="https://www.nytimes.com/2018/02/21/magazine/the-myth-of-the-hacker-proof-voting-machine.html" target="_blank" > told me and fact checkers for a story I wrote for the <em>New York Times </em> </a> in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. "None of the employees, … including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software," the spokesperson said. ES&S is the top voting machine maker in the country, a position it held in the years 2000-2006 when it was installing pcAnywhere on its systems. The company's machines were used statewide in a number of states, and at least 60 percent of ballots cast in the US in 2006 were tabulated on ES&S election-management systems. 
It's not clear why ES&S would have only installed the software on the systems of "a small number of customers" and not all customers, unless other customers objected or had state laws preventing this. <a href="">top </a> </p> <p> <a name="BusinessesCannot"> </a> <strong> <a href="https://blog.ericgoldman.org/archives/2018/07/businesses-cannot-contractually-ban-abusive-consumer-reviews.htm" > Businesses cannot contractually ban "abusive" consumer reviews </a> </strong> (Eric Goldman, 17 July 2018) - An article recently posted to SSRN argues that the Consumer Review Fairness Act (CRFA) purportedly lets businesses contractually ban "abusive" reviews. If this is correct, it could affect millions of businesses and hundreds of millions of consumers. However, the article's argument is clearly wrong, and this error exposes millions of businesses to potentially severe liability. This post explains why and how. Note: unavoidably, this blog post counterproductively draws greater attention to a bad argument. Because of the stakes, I concluded a public correction was, on balance, necessary. However, to reinforce my view that the article doesn't merit your independent review, I've deliberately not identified the article's author or title or linked to it (is there a blogging equivalent of subtweeting?). I recommend reading the article as "enthusiastically" as I "recommend" watching <a href="https://www.rottentomatoes.com/m/the_emoji_movie/"> The Emoji Movie </a> . TL;DR <a href="">top </a> </p> <p> <a name="Ponemon"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/07/ponemon-institute-average-cost-of-a-data-breach-exceeds-38-million.html" > Ponemon Institute: Average cost of a data breach exceeds $3.8 million </a> </strong> (Ride the Lightning, 19 July 2018) - The <em>2018 Cost of a Data Breach Study </em>is available for download from IBM <a href="https://www.ibm.com/security/data-breach" target="_blank">here </a> . 
The study was done by the Ponemon Institute and IBM. This year's study reports that the global average cost of a data breach is up 6.4% over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8% over the previous year to $148. IBM Security and Ponemon conducted interviews with nearly 500 companies that experienced data breaches, and they collected information on hundreds of cost factors surrounding a breach, including technical investigations and recovery, notifications, legal and regulatory requirements, cost of lost business, and loss of reputation. As <a href="https://venturebeat.com/2018/07/10/ibm-security-study-mega-data-breaches-cost-40-million-to-350-million/" target="_blank" > reported </a> by VentureBeat, the study found that hidden costs in data breaches - such as lost business, negative impact on reputation and employee time spent on recovery - are difficult and expensive to manage. For example, the study found that a third of the cost of "mega breaches" (over 1 million lost records) was derived from lost business. And that is of course why the C-Suite has nightmares about data breaches. The reputational damages can be extraordinary. In the past five years, the number of mega breaches (breaches of more than 1 million records) has increased from nine mega breaches in 2013 to 16 mega breaches in 2017. Due to the small number of mega breaches in the past, the Cost of a Data Breach study historically analyzed data breaches of around 2,500 to 100,000 lost records. The vast majority of the mega-breaches (10 out of 11) were caused by malicious attacks rather than technical failures or human error. The average time to detect and contain a mega breach was 365 days - almost 100 days longer than a smaller scale breach (266 days). 
<a href="">top </a> </p> <p> <a name="CyberSecurityAdvice"> </a> <strong> <a href="https://www.ncsc.gov.uk/news/cyber-security-advice-issued-law-firms-first-legal-threat-report" > Cyber security advice issued to law firms in first legal threat report </a> </strong> (GCHQ, 19 July 2018) - The NCSC's first legal threat report has been issued to law firms. Law firms have been urged to follow expert cyber security guidance after a <a href="https://www.ncsc.gov.uk/legalthreat">report published today </a>(19 July) showed the scale of the threat they face. The National Cyber Security Centre (NCSC) has published its first report into the cyber threat to the UK legal sector, which reveals that more than £11 million of client money was stolen by cyber criminals between 2016-17. In the last year, 60% of law firms reported an information security incident - an increase of almost 20% from the previous 12 months. The report outlines clear and actionable guidance that firms can follow, such as how to defend your practice against phishing, reduce the risk of malware infection and take effective control of your supply chain. <a href="">top </a> </p> <p> <a name="USenergy"> </a> <strong> <a href="https://www.reuters.com/article/us-cyber-energy-regulator/u-s-energy-regulator-wants-more-disclosure-of-cyber-attacks-idUSKBN1K92OB" > US energy regulator wants more disclosure of cyber attacks </a> </strong> (Reuters, 19 July 2018) - The Federal Energy Regulatory Commission (FERC), an energy industry regulator, called for the power industry's regulating body, the North American Electric Reliability Corp, to expand rules that require reporting of cyber security incidents to include attempts that might facilitate future efforts to disrupt the grid. FERC requested the increased disclosure after the administration of President Donald Trump blamed the Russian government in March for a campaign of cyber attacks stretching back at least two years that targeted the U.S. power grid. 
That marked the first time the United States had publicly accused Moscow of hacking into American energy infrastructure. Current NERC rules only mandate reporting of cyber attacks if they compromise or disrupt a "core activity" toward maintaining the reliability of the electric grid, according to a 67-page report issued by FERC. That threshold "may understate the true scope of cyber-related threats" facing the industry, the report said. <a href="">top </a> </p> <p> <a name="SomeColleges"> </a> <strong> <a href="https://www.chronicle.com/article/Some-Colleges-Cautiously/243968" > Some colleges cautiously embrace Wikipedia </a> </strong> (Chronicle of Higher Ed, 19 July 2018) - Anna Davis remembers when people didn't want to talk to her at academic conferences: <em> "I had this woman one time who held her folder up over her head and was like, 'Don't let my department chair see me talking to you guys, but I'm so glad you're here.'" </em> Davis works for Wikipedia, the online encyclopedia that was once considered anathema to the academic mission. She's director of programs for its higher-education-focused nonprofit arm, Wiki Education. Academics have traditionally distrusted Wikipedia, citing the inaccuracies that arise from its communally edited design and lamenting students' tendency to sometimes plagiarize assignments from it. Now, Davis said, higher education and Wikipedia don't seem like such strange bedfellows. At conferences these days, "everyone's like, 'Oh, Wikipedia, of course you guys are here.'" One initiative Davis oversees at Wiki Education aims to forge stronger bonds between Wikipedia and higher education. The Scholars program, which began in 2015, pairs academics at colleges with experienced Wikipedia editors. Institutions provide the editors with access to academic journals, research databases, and digital collections, which the editors use to write and expand Wikipedia articles on topics of mutual interest. 
A dozen institutions, including Rutgers University, Brown University, and the University of Pittsburgh, are participating. * * * Scholars' skepticism about Wikipedia also stems from its community-authorship model, said Amanda Rust, a digital-humanities librarian at Northeastern University. Not all academics felt that way about Wikipedia in its fledgling days, but a critical mass perceived the online encyclopedia as a threat, Rust said. As Wikipedia has matured, however, that consensus began to shift. And students' widespread use of Wikipedia has forced some cynics to acknowledge its role in higher education. "Whether or not you think a crowdsourced encyclopedia can work, that ship has sailed, and students are using it all the time," Rust said. <a href="">top </a> </p> <p> - and - </p> <p> <a name="Flabbergasted"> </a> <strong> <a href="https://mashable.com/2018/07/22/forbes-library-amazon/?utm_campaign=Mash-Prod-RSS-Feedburner-All-Partial&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_source=feedly&utm_medium=webfeeds#_XL4ttGQaqqp" > Flabbergasted Twitter trashes Forbes story that suggests replacing libraries with Amazon </a> </strong> (Mashable, 23 July 2018) - There are bad takes, and then there's the take by Forbes contributor Panos Mourdoukoutas (who also serves as Chair of the Department of Economics at Long Island University) that local libraries <a href="https://www.forbes.com/sites/panosmourdoukoutas/2018/07/21/amazon-should-replace-local-libraries-to-save-taxpayers-money/#2f244e6460a8" target="_blank" > should be replaced by Amazon book stores </a> . Among the reasons Mourdoukoutas offers are: libraries don't have as many public events as they used to because of school auditoriums; people go to places like Starbucks to hang out and work and read now instead of their library; and because technology makes physical books obsolete. * * * [ <strong>Polley </strong>: wild idea, wild story, great Tweets/comments (some NSFW).] 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="GrowingRole"> </a> <strong> <a href="https://www.insidehighered.com/quicktakes/2018/07/23/growing-role-amazon-library-acquisitions?utm_source=Inside+Higher+Ed&utm_campaign=16fd5b76fd-DNU_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-16fd5b76fd-197618481&mc_cid=16fd5b76fd&mc_eid=012fe6c04c" > Growing role of Amazon in library acquisitions </a> </strong> (InsideHigherEd, 23 July 2018) - Research on where academic libraries buy their books has revealed the increasingly important role of nontraditional vendors such as Amazon. A <a href="http://www.sr.ithaka.org/publications/library-acquisition-patterns-preliminary-findings/" target="_blank" > preliminary study </a> , published last week by Ithaka S+R, found that Amazon was the second most popular venue through which academic libraries purchased books in 2017. GOBI Library Solutions, a popular acquisition-management platform, took the No. 1 spot. It controls nearly half of the market share. The research included data from 54 libraries at a range of institutions -- from small private liberal arts colleges to public research universities. During 2017, these 54 libraries purchased 178,120 academic books. The clear majority of these were in print format (96 percent) rather than ebooks (4 percent). Ebooks were found to be significantly more expensive than print titles. In a <a href="http://www.sr.ithaka.org/blog/library-acquisition-patterns/" target="_blank" > blog post </a> , Katherine Daniel, an analyst at Ithaka S+R, explained that the study was prompted by questions of whether libraries are really buying fewer books, or simply purchasing them in ways that are not currently captured in acquisition analyses. Further research will include data from large research institutions and will be published in a final report this fall. 
<a href="">top </a> </p> <p> <a name="PublicDomain"> </a> <strong> <a href="http://www.abajournal.com/news/article/public_domain_advocate_gets_appeals_win_in_quest_to_publish_copyrighted_sta" > Public domain advocate gets appellate win in bid to publish copyrighted standards referenced in laws </a> </strong> (ABA Journal, 19 July 2018) - A federal appeals court on Tuesday told a federal judge to reconsider whether the fair use doctrine allows a nonprofit to post technical standards created by private industry groups that are later referenced in government regulations. The U.S. Court of Appeals for the D.C. Circuit vacated injunctions that had prevented Public.Resource.org, known as PRO, from publishing copyrighted best-practice standards developed by six organizations. PRO had purchased copies of the technical standards that had been incorporated into laws, scanned them into digital files, and posted them online. Its founder, public domain advocate Carl Malamud, tweeted this about the appellate decision: "I bought the law, and the law won." The <a href="https://www.cadc.uscourts.gov/internet/opinions.nsf/533D47AF883C8194852582CD0052B8D4/$file/17-7035.pdf" > appeals court ruled </a> in a combined appeal of two lawsuits. A federal judge had ruled the standards organizations held valid and enforceable copyrights, and PRO failed to create a triable issue of fact on whether its publication of the materials constituted fair use. On appeal, PRO argued incorporation of the standards by reference makes the works a part of the law, and the law can never be copyrighted. PRO asserted that allowing private ownership of the law is inconsistent with the First Amendment principle that citizens should be able to freely discuss the law and a due process notion that citizens must have free access to the law. PRO also argued that, even if the standards remain copyrighted, its copying qualifies as a fair use because it facilitates public discussion about the law. 
The appeals court said PRO "raises a serious constitutional concern," but it is better to first address the fair use issue. The district court had concluded PRO distributed the standards to undermine the organizations' ability to raise revenue. According to the appeals court, the record does not support that blanket conclusion. "Rather, by all accounts, PRO distributed these standards for the purpose of educating the public about the specifics of governing law," the court said in an opinion by Judge David Tatel. In addition, Tatel said, the district court failed to account for the variation among the standards at issue and consider the legal status of each incorporated work. In a concurrence, <a href="http://www.abajournal.com/news/article/trump_nominates_white_house_lawyer_a_former_jones_day_partner_to_dc_circuit" > Judge Gregory Katsas </a> strongly supported PRO. "As a matter of common-sense, this cannot be right: access to the law cannot be conditioned on the consent of a private party, just as it cannot be conditioned on the ability to read fine print posted on high walls," he wrote, referencing a book about the Roman emperor Caligula. PRO was represented by the Electronic Frontier Foundation, the law firm of Fenwick & West, and attorney David Halperin. An EFF press release <a href="https://www.eff.org/press/releases/win-public-right-know-court-vacates-injunction-against-publishing-law" > is here </a> . [ <strong>Polley </strong>: congrats, Carl.] 
<a href="">top </a> </p> <p> <a name="TheBlockchain"> </a> <strong> <a href="https://techcrunch.com/2018/07/22/the-blockchain-begins-finding-its-way-in-the-enterprise/" > The blockchain begins finding its way in the enterprise </a> </strong> (TechCrunch, 23 July 2018) - the blockchain is in the middle of a major hype cycle at the moment, and that makes it hard for many people to take it seriously, but if you look at the core digital ledger technology, there is tremendous potential to change the way we think about trust in business. Yet these are still extremely early days and there are a number of missing pieces that need to be in place for the blockchain to really take off in the enterprise. Suffice it to say that it has caught the fancy of major enterprise vendors with the likes of SAP, IBM, Oracle, Microsoft and Amazon all looking at providing some level of Blockchain as a service for customers. While the level of interest in blockchain remains fluid, <a href="https://www.juniperresearch.com/press/press-releases/6-in-10-large-corporations-considering-blockhain" > a July 2017 survey </a> of 400 large companies by UK firm Juniper Research found 6 in 10 respondents were "either actively considering, or are in the process of, deploying blockchain technology." In spite of the growing interest we have seen over the last 12-18 months, blockchain lacks some basic underlying system plumbing, the kind any platform needs to thrive in an enterprise setting. Granted, some companies and the open source community are recognizing this as an opportunity and trying to build it, but many challenges remain. * * * [ <strong>Polley </strong>: <em>see </em>" <a href="">Resources </a>" below.] 
<a href="">top </a> </p> <p> <a name="OnePassword"> </a> <strong> <a href="https://www.schneier.com/blog/archives/2018/07/1passwords_trav.html" > 1Password's travel mode </a> </strong> (Bruce Schneier, 23 July 2018) - The 1Password password manager has just <a href="https://blog.agilebits.com/2017/05/18/introducing-travel-mode-protect-your-data-when-crossing-borders/" > introduced </a> "travel mode," which allows you to delete your stored passwords when you're in other countries or crossing borders: <em> Your vaults aren't just hidden; they're completely removed from your devices <a href="https://support.1password.com/travel-mode"> as long as Travel Mode is on </a> . That includes every item and all your encryption keys. There are no traces left for anyone to find. So even if you're asked to unlock 1Password by someone at the border, there's no way for them to tell that Travel Mode is even enabled. In 1Password Teams, Travel Mode is even cooler. If you're a team administrator, you have total control over which secrets your employees can travel with. You can turn Travel Mode on and off for your team members, so you can ensure that company information stays safe at all times. </em> The way this works is important. If the scary border police demand that you unlock your 1Password vault, those passwords/keys are not there for the border police to find. The only flaw -- and this is minor -- is that the system requires you to lie. When the scary border police ask you "do you have any other passwords?" or "have you enabled travel mode," you can't tell them the truth. In the US, lying to a federal officer is a felony. I <a href="https://www.schneier.com/blog/archives/2009/07/laptop_security.html" > previously described </a> a system that doesn't require you to lie. It's more complicated to implement, though. This is a great feature, and I'm happy to see it implemented. 
<a href="">top </a> </p> <p> <a name="CanadianCourt"> </a> <strong> <a href="https://www.techdirt.com/articles/20180708/14144940199/canadian-court-affirms-citizens-still-have-expectation-privacy-devices-being-repaired-third-parties.shtml" > Canadian court affirms citizens still have an expectation of privacy in devices being repaired by third parties </a> </strong> (TechDirt, 23 July 2018) - A Canadian appeals court has decided in favor of greater privacy protections for Canadians. The case involves the discovery of child porn by a computer technician who was repairing the appellant's computer. This info was handed over to the police who obtained a "general warrant" to image the hard drive to scour it for incriminating evidence. Yes, "general warrants" <a href="http://criminalnotebook.ca/index.php/General_Warrants" target="_blank" > are still a thing </a> in the Crown provinces. The same thing we fought against with the institution of the Fourth Amendment exists in Canada. These days, it has more in common with <a href="https://www.techdirt.com/articles/20141129/07385129274/doj-using-antiquated-1789-all-writs-act-to-try-to-force-phone-manufacturers-to-help-unlock-encrypted-phones.shtml" > All Writs orders </a> than the general warrants of the pre-Revolution days, but there's still a hint of tyrannical intent to them. (Again, much like our All Writs orders, which date back to 1789.) "General warrants" are something the government uses when the law doesn't specifically grant permission for what it would like to do. * * * The appellant's challenge of the general warrant (rather than a more particular search warrant) almost went nowhere, but this decision grants him (and others like him) the standing to challenge the warrant in the first place. 
<a href="https://www.canlii.org/en/ab/abca/doc/2018/2018abca220/2018abca220.html" target="_blank" > As the court notes </a> , handing a computer over to a technician doesn't deprive the device's owner of an expectation of privacy. * * * So, while this didn't end up giving the defendant the suppression he was seeking, it did at least affirm an expectation of privacy in devices being handled and repaired by third parties. Better, the opinion contains the government's concession that this privacy expectation exists. Hopefully, this will help deter violations -- erroneous or not -- in the future. <a href="">top </a> </p> <p> <a name="HowClients"> </a> <strong> <a href="http://www.abajournal.com/magazine/article/clients_outside_counsels_cybersecurity/?utm_source=maestro&utm_medium=email&utm_campaign=tech_monthly&ici=text" > How clients are pushing their outside counsels to adopt stricter cybersecurity standards and protections </a> </strong> (ABA Journal, 25 July 2018) - In a profession defined by zealous representation of clients, it's no surprise that clients are starting to push their outside counsels to beef up cybersecurity. "The possibility that your outside law firm could be breached and your sensitive data stolen is a huge nightmare for in-house lawyers," says Sterling Miller, general counsel of Marketo Inc., an online marketing technology company. "Outside counsel need to start taking this very seriously. If a breach happens, that law firm is probably no longer working for you and the malpractice claim could be very large." These aren't just idle words. In fact, they underline how serious clients have become when it comes to cybersecurity. * * * The legal industry is one of the most targeted sectors for a cyberattack because of the trove of information it possesses about clients and cases. In a profession based on precedent and history, the legal sector often has been slow to adapt to new risks and technological changes. 
One alarming statistic is that cybersecurity company Mandiant estimates at least 80 of the 100 largest firms in the country, by revenue, have been hacked since 2011. As law firms wade into cybersecurity best practices, the glaring reality is most law firms are not prepared to respond to a major breach. According to the <em>ABA TechReport 2017 </em>, only 26 percent of responding firms had an incident response plan in place to address a security breach, and only two-thirds with 500 lawyers or more had such a plan in place. These plans were not a priority with smaller firms, as 31 percent of firms with 10 to 49 lawyers, 14 percent of firms with two to nine lawyers, and 10 percent of solo practices had such plans. * * * <a href="">top </a> </p> <p> <a name="Carpenter"> </a> <strong> <a href="https://www.lawfareblog.com/carpenter-and-end-bulk-surveillance-americans" > Carpenter and the end of bulk surveillance of Americans </a> </strong> (Sharon Bradford Franklin on Lawfare, 25 July 2018) - Writing for the majority in <a href="https://www.supremecourt.gov/opinions/17pdf/16-402_h315.pdf"> <em>Carpenter v. United States </em> </a> <em>, </em> Chief Justice John Roberts called the court's momentous Fourth Amendment decision "a narrow one." The specific holding-that a warrant is required for law enforcement to access historical cell site location information (CSLI)-may indeed be narrow, and the decision rightfully cautions that "the Court must tread carefully" when considering new technologies. Yet, despite its limited scope, the opinion provides a framework for recognizing that the digital trails Americans create through their daily lives are protected by the Fourth Amendment. The decades-old "third-party doctrine," under which Fourth Amendment rights are extinguished whenever individuals share their information with third parties such as banks and telephone companies, has appropriately been confined to the pre-digital age scenarios in which it arose. 
As others have <a href="https://balkin.blogspot.com/2018/06/carpenter-s-curiosities-and-its.html" > already </a> <a href="https://www.lawfareblog.com/carpenter-v-united-states-and-law-chancellors-foot" > argued </a> , the <em>Carpenter </em>decision does not provide a clear legal standard for when the Fourth Amendment applies to data shared with a third party, and it raises many questions about the future of Fourth Amendment doctrine. But the decision does offer a resounding declaration that Fourth Amendment analysis must take account of the "seismic shifts in digital technology" and the power of modern surveillance tools. In particular, the <em>Carpenter </em>decision should foreclose, once and for all, any claim that bulk surveillance of Americans-or bulk collection of their digital records-would be constitutional. Through the <a href="https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf"> USA </a> <a href="https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf"> Freedom </a> <a href="https://www.congress.gov/114/plaws/publ23/PLAW-114publ23.pdf"> Act </a> of 2015, Congress ended <a href="https://www.congress.gov/109/plaws/publ177/PLAW-109publ177.pdf"> the government's bulk telephone records program, known as the Section 215 program, </a> and provided new authority for collection of call detail records using a "specific selection term." With reauthorization of this act to be considered next year, <em>Carpenter's </em>analysis should preclude any attempt to retreat from the narrowing of surveillance authorities achieved under the 2015 law. From the fall of 2013 through January 2017, I served as executive director of the Privacy and Civil Liberties Oversight Board (PCLOB). I was part of a skeletal staff of attorneys who supported the board in its examination of the Section 215 program. 
The PCLOB's January 2014 <a href="https://www.pclob.gov/library/215-Report_on_the_Telephone_Records_Program.pdf" > report on </a> <a href="https://www.pclob.gov/library/215-Report_on_the_Telephone_Records_Program.pdf" > the Section 215 program </a> found that the program was illegal; this report was highly influential in the debates in Congress that led to the ultimate demise of the program. Still, the report stopped short of finding that the program was unconstitutional. The board noted that "[t]o date ... the Supreme Court has not modified the third-party doctrine or overruled its conclusion that the Fourth Amendment does not protect telephone dialing records." Its recommendation for ending the Section 215 program was based on statutory and policy analyses. When the Second Circuit considered the Section 215 program in <a href="https://www.aclu.org/sites/default/files/field_document/clapper-ca2-opinion.pdf" > <em>ACLU v. Clapper </em> </a> in May 2015, it too found that the program was illegal under the terms of the statute and declined to reach the constitutional questions. * * * <a href="">top </a> </p> <p> <a name="PODCASTS"> </a> <h3> NOTED PODCASTS/MOOCS </h3> </p> <p> <strong> <a href="https://the1a.org/shows/2018-07-23/reclaim-your-data"> Reclaim Your Data </a> </strong> (NPR podcast, 23 July 2018; 47 minutes) - Michael Chertoff, former Homeland Security Secretary and co-author of the Patriot Act, says data collection has gotten out of control. 
[ <strong>Polley </strong>: Spotted by MIRLN reader <a href="http://professionalpresence.com/html/home/home.php"> Corinne Cooper </a> - @ucc2] <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="http://blockchainforlawstudents.com/"> Blockchain for law students </a> </strong> (website by Walter Effross at American U) - Offers: (1) a list of recommended resources (for self-directed study and research, as well as for constructing or supplementing syllabi); (2) summaries of and/or excerpts from the emerging body of caselaw concerning blockchain and cryptocurrency; (3) a collection of legal issues and responsive law review articles (and other sources), ordered by field of law; (4) a categorization of major types of participants in the blockchain economy; (5) suggestions on selecting law school courses relevant to blockchain practice; and (6) various questions, opinions, and observations about blockchain-related legal issues. If any reader would like to contribute a guest post on how law students (or practitioners new to this area) can best prepare (e.g., recommended reading, potential paper topics, organizations to become active in, suggestions for programming courses or tutorials), please e-mail <a href="mailto:effross@wcl.american.edu">effross@wcl.american.edu </a>. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=1&ref=business&oref=slogin" > Larger prey are targets of phishing </a> </strong> (New York Times, 16 April 2008) - An e-mail scam aimed squarely at the nation's top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. 
Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. Security researchers at several firms indicated they believed there had been at least several thousand victims of the attack whose computers had been compromised. "I think that it was well done in terms of something people would feel compelled to respond to," said Steve Kirsch, the chief executive of Abaca, an antispam company based in San Jose, Calif. Mr. Kirsch himself received a copy of the message and forwarded it to the company lawyer. "It had my name, phone number, company and correct e-mail address on it and looked pretty legitimate," Mr. Kirsch said. "Even the U.R.L. to find out more looked legitimate at first glance." The software used in the latest attack tries to communicate with a computer in Singapore. 
That system was still functioning on Tuesday evening, but security researchers said many Internet service providers had blocked access to it. <a href="">top </a> </p> <p> <strong> <a href="http://www.fas.org/sgp/crs/natsec/RS22857.pdf"> Avatars, virtual reality technology, and the US military: Emerging policy issues </a> </strong> (Congressional Research Service, 9 April 2008) - This report describes virtual reality technology, which uses three-dimensional user-generated content, and its use by the U.S. military and intelligence community for training and other purposes. Both the military and private sector use this new technology, but terrorist groups may also be using it to train more realistically for future attacks, while still avoiding detection on the Internet. The issues for Congress to consider may include the cost-benefit implications of this technology, whether sufficient resources are available for the communications infrastructure needed to support expanded use of virtual reality technology, and whether there might be national security considerations if the United States falls behind other nations in developing or adopting this new technology. This report will be updated as events warrant. [Editor: the USG is beginning a detailed analysis of legal, policy, and technical implications from VR applications.] 
<a href="">top </a> </p> <p> (Posted by Vince Polley, 7 July 2018) </p> <p> <a name="TOP"> </a> MIRLN --- 17 June - 7 July 2018 (v21.09) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_17_june_7_july_2018_v2109/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> </p> <p> Register now for the next cybersecurity ABA CLE webinar " <a href="https://shop.americanbar.org/eBus/Default.aspx?TabID=1538&productId=326198535" > Bumps in the Night: Cybersecurity Legal Requirements, Government Enforcement, and Litigation </a> ". This second in a 5-part series airs July 18, followed by other episodes in August, September, and October. Each 90-minute episode parses related parts of the best-selling (and winner of the 2018 ACLEA "Best Publication" award) " <a href="http://bit.ly/2x7HNbJ">ABA Cybersecurity Legal Handbook </a>". For more information, visit ambar.org/cyberwakeup to register. Get 20% off if you subscribe to the full series (recordings of earlier ones are available), along with a free e-copy of the handbook. </p> <p> ABA attendees at the Chicago annual meeting will also want to attend our showcase program (August 4 10:00-11:30 Central), featuring Raj De (former NSA GC), Suzanne Spaulding (former DHS Undersecretary), and others. 
Info <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/Cyber_wake_up.authcheckdam.pdf" > here </a> : <a href="">top </a> </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> Why destruction of information is so difficult and so essential: The case for defensible disposal </a> </li> <li> <a href=""> A student, a worried girlfriend, a shared password and an admissions lawsuit </a> </li> <li> <a href="">Why your FOIA request might not get text messages </a> </li> <li> <a href=""> Verizon will stop selling real-time location data to third-party brokers </a> </li> <li> <a href=""> Are free societies at a disadvantage in national cybersecurity </a> </li> <li> <a href=""> GDPR and browser fingerprinting: How it changes the game for the sneakiest web trackers </a> </li> <li> <a href=""> Should media publish government's child-detention photos? </a> </li> <li> <a href="">Bad news cut from Michigan State alumni magazine </a> </li> <li> <a href=""> SEC provides further guidance on when digital assets may be deemed securities </a> </li> <li> <a href=""> MIT to conduct an environmental scan of open source publishing </a> </li> <li> <a href=""> FirstNet launches, giving police and firefighters a dedicated wireless network and infinite possibilities </a> </li> <li> <a href=""> Potential clients are confident in law firms' cybersecurity. Should they be? </a> </li> <li> <a href="">Legal Tracker LDO Index </a> </li> <li> <a href=""> AT&T collaborates on NSA spying through a web of secretive buildings in the US </a> </li> <li> <a href=""> How social networks set the limits of what we can say online </a> </li> <li> <a href=""> Instagram now lets you 4-way group video chat as you browse </a> </li> <li> <a href="">8 states impose new rules on Equifax after data breach </a> </li> <li> <a href=""> Homeland Security subpoenas Twitter for data breach finder's account </a> </li> <li> <a href="">Carpenter v. 
United States: Big data is different </a> </li> <li> <a href=""> It's time for a chemistry lesson. Put on your virtual reality goggles. </a> </li> </ul> <p> <a name="WhyDestruction"> </a> <strong> <a href="https://businesslawtoday.org/2018/06/destruction-information-difficult-essential-case-defensible-disposal/" > Why destruction of information is so difficult and so essential: The case for defensible disposal </a> </strong> (ABA's Business Law Today, 15 June 2018) - IN BRIEF: (1) Information is growing unfettered for most businesses and impacting their ability to function; (2) Lawyers must find a way to get rid of information without creating greater business and legal issues for their clients; (3) Defensible disposition rids businesses of information that no longer has business or legal value without employees having to involve themselves in classification. * * * <a href="">top </a> </p> <p> <a name="Astudent"> </a> <strong> <a href="https://www.insidehighered.com/admissions/article/2018/06/18/shared-password-leads-unusual-lawsuit-about-admissions?utm_source=Inside+Higher+Ed&utm_campaign=49ba6d8014-DNU_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-49ba6d8014-197618481&mc_cid=49ba6d8014&mc_eid=012fe6c04c" > A student, a worried girlfriend, a shared password and an admissions lawsuit </a> </strong> (InsideHigherEd, 18 June 2018) - Most admissions lawsuits are about applicants who are rejected. But Eric Abramovitz won 375,000 Canadian dollars (about $284,000) last week over an admissions offer he turned down. Actually, his then girlfriend turned it down, pretending to be Abramovitz. That set up the unusual court ruling. As outlined in <a href="https://www.canlii.org/en/on/onsc/doc/2018/2018onsc3684/2018onsc3684.html" target="_blank" > the ruling </a> issued by a Canadian judge last week, Abramovitz and Jennifer Lee met in 2013 and became a couple while both were studying music at McGill University. 
While they were involved, Abramovitz shared his laptop -- and his passwords -- with Lee. Abramovitz was a star student of clarinet, winning numerous prizes. He aspired to finish his bachelor's degree at Colburn Conservatory of Music, in Los Angeles, where he hoped to study with Yehuda Gilad, who only accepts two students a year. In December 2013, Abramovitz applied and went to Los Angeles when he was invited to audition. On March 27, 2014, he was admitted -- and his admission brought with it a full scholarship. On that fateful day, Lee checked Abramovitz's email before he did. Using his email account, she turned down the offer and created a fake email account in Gilad's name. Then she sent an email, pretending to be Gilad, rejecting Abramovitz. Lee could not be reached for comment. She did not contest Abramovitz's suit. The court ruling says that she was apparently afraid he would move to Los Angeles, leaving her behind at McGill, in Montreal. Eventually, Abramovitz did leave for Los Angeles and enrolled in a certificate program at the University of Southern California in which Gilad also taught. That program charged about $25,000, which Abramovitz paid. (He couldn't afford USC's master's degree program, which would have cost him about twice as much in tuition.) Abramovitz was "completely taken in," the court decision says, and only went to USC after staying in Montreal -- with Lee -- to finish his bachelor's degree. The scheme unraveled when Abramovitz met Gilad, who is not used to being turned down. As Abramovitz told <em> <a href="http://nationalpost.com/news/canada/music-student-must-pay-for-sabotaging-boyfriends-clarinet-career" target="_blank" > National Post </a> </em> , when he auditioned for Gilad to enter the USC program, Gilad asked him, "Why did you reject me?" When Gilad showed him the email Lee had sent, Abramovitz was stunned. But he also had Lee's passwords, and he found the fake emails. 
He also found she had done the same thing when he won admission to the Juilliard School -- another institution that few admitted applicants turn down. The Canadian court judged that Lee was responsible for the tuition paid by Abramovitz to USC, the lost opportunities of the scholarship to the conservatory and for delaying the start of his career. The court ruling found that Lee's conduct was "morally reprehensible." <a href="">top </a> </p> <p> <a name="WhyYourFOIA"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/06/why-your-foia-request-might-not-get-text-messages.html" > Why your FOIA request might not get text messages </a> </strong> (Ride the Lightning, 19 June 2018) - Hat tip to my friend Doug Austin at CloudNine for a marvelous <a href="https://ediscovery.co/ediscoverydaily/electronic-discovery/freedom-of-information-not-necessarily-for-text-messages-ediscovery-trends/" target="_blank" > post </a> on his <em>EDiscovery Daily Blog </em>. As Doug asks, what percentage of Freedom of Information Act (FOIA) requests actually result in receiving all of the information requested? According to the <a href="https://www.smarsh.com/whitepapers/2018-Government-Survey?" target="_blank" > 2018 Public Sector Text & Mobile Communications Survey </a> from Smarsh, 70 percent of federal, state, county and city government organizations surveyed report allowing SMS/text for official business communication. But, almost half of those (46 percent) are not formally capturing and retaining these messages. There were 236 total respondents in the survey. The information below is directly from Doug's post. And I fully agree with his conclusion at the end! "The vast majority of agencies allow organizational e-mail (97 percent) on mobile devices, but right behind it is SMS/text messaging, with 70 percent allowing it for official government business. Social channels Facebook and Twitter are the next most frequently cited, with 58 percent and 44 percent, respectively. 
Two-thirds of surveyed organizations allow employees to use their own BYOD devices for official business; for those devices, only 35 percent of respondents are retaining SMS/text messages (as opposed to 62 percent for Corporate Owned Personally Enabled (COPE) devices). The top four reasons SMS/Text records are NOT captured are: 1) Don't currently have budget this year, 2) SMS/text isn't required to be retained by law, 3) Waiting for Capstone/FOIA guidance, 4) Existing capture technologies are too complicated. The majority of respondents, 62 percent or nearly 2/3, lacked confidence that they could provide specifically requested mobile text messages promptly if responding to a public records or litigation request. Agencies with no retention solution in place have very little confidence in their ability to fulfill requests. 23 percent reported that if requested, it was unlikely they could produce SMS/text messages from their organizational leader at all. When you hear these stats, you might be surprised the numbers aren't higher. Last year, Federal Freedom of Information Act (FOIA) litigation jumped 26 percent over the previous year. In 2018, that number is on track to increase again. While an average of 2.08 lawsuits were filed each day in 2017, 2018 has seen the average increase to 2.72 lawsuits per day. Last year, there were 823,222 Federal FOIA requests - 78 percent of those requests yielded censored files or no records at all. In other words, only 22 percent of FOIA requestors got everything they asked for. 22 percent! And, the Federal government spent $40.6 million in legal fees defending its withholding of files in 2017. Freedom of information isn't free, apparently." 
<a href="">top </a> </p> <p> <a name="VerizonWill"> </a> <strong> <a href="https://www.theverge.com/2018/6/19/17478934/verizon-selling-real-time-location-data-third-party-securus-wyden" > Verizon will stop selling real-time location data to third-party brokers </a> </strong> (The Verge, 19 June 2018) - Verizon has pledged to stop selling data that can pinpoint the location of its mobile users to third-party intermediaries, according to <em> <a href="https://apnews.com/8582857aff8146f8ac81d247533b2177"> The Associated Press </a> </em> . Verizon is the first carrier to end the controversial practice after Sen. Ron Wyden (D-OR) revealed that one of the companies that purchased the real-time location-tracking data from carriers wasn't verifying if its users had legal permission to track cellphone users through its service. <a href="https://www.documentcloud.org/documents/4457320-Wyden-Securus-Location-Tracking-Letter-to-FCC.html" > In a letter </a> to <a href="https://www.wyden.senate.gov/imo/media/doc/at&t%20letter%20to%20RW%206.15.pdf" > carriers </a> and the FCC, Sen. Wyden said that Securus Technologies - a company that mainly monitors phone calls to inmates in jails and prisons across the country and also sells real-time location data to law enforcement agencies who must upload legal documents such as a warrant stating they have the right to access the data - wasn't actually verifying if those documents were legitimate. Securus did not "conduct any review of surveillance requests," Wyden wrote in his letter to the FCC. A sheriff in Missouri was charged with illegally tracking people 11 times without court orders using Securus, according to The New York Times. While all four major carriers have now cut off access to Securus, only Verizon has said it will stop selling data to geolocation aggregators who can then turn around and sell that data to someone else. 
Verizon said 75 companies obtained data from the two companies it sells location data directly to: LocationSmart and Zumigo. Last month, KrebsOnSecurity reported that LocationSmart - which supplies Securus with the location-tracking data - was leaking the real-time location data of customers on every major US carrier through a free demo tool on its website, which was subsequently taken down. "Verizon did the responsible thing and promptly announced it was cutting these companies off," Wyden said in a statement to the AP. [ <em>see also </em>, <strong> <a href="https://www.theverge.com/2018/6/19/17479490/att-follows-verizon-user-location-data-sale-brokers?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > AT&T and Sprint to follow Verizon in ending its sale of user location data to third-party brokers </a> </strong> (The Verge, 19 June 2018)] <a href="">top </a> </p> <p> <a name="AreFree"> </a> <strong> <a href="https://www.schneier.com/blog/archives/2018/06/free_societies_.html" > Are free societies at a disadvantage in national cybersecurity </a> </strong> (Bruce Schneier, 19 June 2018) - Jack Goldsmith and Stuart Russell just published an interesting <a href="https://www.hoover.org/sites/default/files/research/docs/381100534-strengths-become-vulnerabilities.pdf" > paper </a> , making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a <a href="https://www.lawfareblog.com/strengths-become-vulnerabilities-how-digital-world-disadvantages-united-states-its-international-0" > blog post </a> : <em> It seeks to explain why the United States is struggling to deal with the "soft" cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. 
The main explanation is that constituent elements of U.S. society -- a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication -- create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective. </em> I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don't matter to a totalitarian country. That makes us more vulnerable. (I don't mean to imply -- and neither do Russell and Goldsmith -- that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.) I do worry that these disadvantages will someday become intolerable. Dan Geer often <a href="https://web.stanford.edu/class/msande91si/www-spr04/slides/geer.pdf" > said </a> that "the price of freedom is the probability of crime." We are willing to pay this price because it isn't that high. As technology makes individual and small-group actors <a href="https://www.wired.com/2013/03/security-when-the-bad-guys-have-technology-too-how-do-we-survive/" > more powerful </a> , this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don't know. EDITED TO ADD (6/21): Jack Goldsmith also wrote <a href="https://knightcolumbia.org/content/failure-internet-freedom"> this </a> . 
<a href="">top </a> </p> <p> <a name="GDPRand"> </a> <strong> <a href="https://www.eff.org/deeplinks/2018/06/gdpr-and-browser-fingerprinting-how-it-changes-game-sneakiest-web-trackers?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > GDPR and browser fingerprinting: How it changes the game for the sneakiest web trackers </a> </strong> (EFF, 19 June 2018) - Browser fingerprinting is on a collision course with privacy regulations. For almost a decade, EFF has been raising awareness about this tracking technique with projects like <a href="https://panopticlick.eff.org/">Panopticlick </a>. Compared to more well-known tracking "cookies," browser fingerprinting is trickier for users and browser extensions to combat: websites can do it without detection, and it's very difficult to modify browsers so that they are less vulnerable to it. As cookies have become more visible and easier to block, companies have been increasingly tempted to turn to sneakier fingerprinting techniques. But companies also have to obey the law. And for residents of the European Union, the General Data Protection Regulation (GDPR), which entered into force on May 25th, is intended to cover exactly this kind of covert data collection. The EU has also begun the process of updating its ePrivacy Directive, best known for its mandate that websites must warn you about any cookies they are using. If you've ever seen a message asking you to approve a site's cookie use, that's likely based on this earlier Europe-wide law. This leads to a key question: Will the GDPR require companies to make fingerprinting as visible to users as the original ePrivacy Directive required them to make cookies? The answer, in short, is yes. Where the purpose of fingerprinting is tracking people, it will constitute "personal data processing" and will be covered by the GDPR. 
<a href="">top </a> </p> <p> <a name="ShouldMedia"> </a> <strong> <a href="https://www.washingtonpost.com/lifestyle/style/propaganda-or-news-should-media-publish-governments-child-detention-photos/2018/06/19/a03acce8-73da-11e8-b4b7-308400242c2e_story.html?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid&utm_term=.2c4267cae182" > Should media publish government's child-detention photos? </a> </strong> (WaPo, 19 June 2018) - Based on the photographic evidence, living conditions inside <a href="https://www.washingtonpost.com/local/inside-casa-padre-the-converted-walmart-where-the-us-is-holding-nearly-1500-immigrant-children/2018/06/14/0cd65ce4-6eba-11e8-bd50-b80389a4e569_story.html?utm_term=.0e1e17caadc4" > government-run detention centers </a> for immigrant children separated from their parents in south Texas look reasonably orderly and clean. But there's a major catch: All of the photographs depicting life inside the facilities have been supplied by the government itself. There's been no independent documentation; federal officials, citing the children's privacy, have barred journalists from taking photographs or video when they've been permitted inside. This has left news organizations with a quandary: Do they publish the handouts supplied by <a href="https://www.cbp.gov/">U.S. Customs and Border Protection </a> (CBP) - which has an incentive to make its facilities look as humane and comfortable as possible - or do they reject the photos as essentially propaganda? The New York Times, for one, has taken the latter course. On Monday, it said it would not publish CBP-supplied photos. "We thought it was a bad precedent to accept government handout photos when [photojournalists aren't] allowed in," <a href="https://www.nytimes.com/by/dean-baquet">Dean Baquet </a>, the paper's editor, said in an interview. "It would hurt any future case for access. 
And given the sensitivity of this story, I don't think we can assure readers that we are seeing a full picture when the government makes the choice of what we see and show. Readers want to know what these places look like, from the view of journalists who are witnesses." One of the government-supplied photos - <a href="https://apnews.com/6e04c6ee01dd46669eddba9d3333f6d5"> a shot of children sprawled on thin mattresses under mylar blankets </a> - was featured prominently by many news organizations on Tuesday. <a href="">top </a> </p> <p> <a name="BadNews"> </a> <strong> <a href="https://www.insidehighered.com/quicktakes/2018/06/21/sources-bad-news-cut-michigan-state-alumni-magazine?utm_source=Inside+Higher+Ed&utm_campaign=6e78d7216b-DNU_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-6e78d7216b-197618481&mc_cid=6e78d7216b&mc_eid=012fe6c04c" > Bad news cut from Michigan State alumni magazine </a> </strong> (InsideHigherEd, 21 June 2018) - After a review by Michigan State University interim president John Engler, an upcoming edition of the university's alumni magazine will not include planned long-form essays exploring how the Larry Nassar sexual abuse case has tainted the university, multiple anonymous administration sources told the <em> <a href="https://www.freep.com/story/news/local/michigan/2018/06/20/engler-msu-magazine-nassar/714919002/" target="_blank" > Detroit Free Press </a> </em> . It will also apparently not include a striking black-and-white cover image of a woman wearing teal lipstick -- teal is the color that Nassar survivors and supporters wear to show solidarity. Sources told the <em>Free Press </em> that Engler saw the planned image, among others, and said, "Get that teal shit out of here." While the magazine issue will address the crisis, sources said, it will showcase positive moves Engler has made since taking over, such as adding more counselors. 
Several people close to Engler who were not authorized to speak to the media said the effort is part of his push to "pivot toward positive news" in the wake of the scandal. <a href="">top </a> </p> <p> <a name="SECprovides"> </a> <strong> <a href="https://www.nixonpeabody.com/en/ideas/articles/2018/06/21/sec-provides-further-cryptocurrency-guidance?_lrsc=adc449cc-d315-4c73-9d21-465e0538f9f7&utm_source=social&utm_medium=elevate&utm_campaign=twitter" > SEC provides further guidance on when digital assets may be deemed securities </a> </strong> (Nixon Peabody, 21 June 2018) - On June 14, 2018, William Hinman, Director of the Securities and Exchange Commission's (SEC's) Division of Corporation Finance, provided important but nonbinding guidance on when a digital asset may be deemed a security in his remarks at the Yahoo Finance All Markets Summit in San Francisco, California. Slowly, the SEC has continued to reveal its views on the approaches taken by some crypto and digital asset industry participants―such as the pioneers of the Simple Agreement for Future Tokens (or SAFT), who have attempted to structure digital asset sales in such a way that the digital asset is not a security. As noted by Director Hinman in his remarks, these are still the "early days" of crypto, but with this latest guidance, the SEC has provided more clarity around securities law-compliant digital asset sales. The following is a summary of certain key takeaways from Director Hinman's remarks and related analysis. * * * <a href="">top </a> </p> <p> <a name="MITtoConduct"> </a> <strong> <a href="http://news.mit.edu/2018/mit-receives-grant-to-analyze-audit-open-source-publishing-platforms-0622" > MIT to conduct an environmental scan of open source publishing </a> </strong> (MIT, 22 June 2018) - The MIT Press has announced the award of a grant from The Andrew W. Mellon Foundation to conduct a landscape analysis and code audit of all known open source (OS) authoring and publishing platforms. 
By conducting this environmental scan, the MIT Press will be providing a comprehensive and critical analysis of OS book production and hosting systems to the scholarly publishing community. As noted by Amy Brand, director of the MIT Press, "Open source book production and publishing platforms are a key strategic issue for not-for-profit scholarly publishers, and the widespread utilization of these systems would foster greater institutional and organizational self-determination. The MIT Press has long been a leader in digital publishing. We are very grateful for the generous support from The Mellon Foundation for this project." The grant affords the MIT Press the unique opportunity to provide the university press community and other not-for-profit scholarly publishers with a comprehensive overview of the numerous OS publishing platforms that are currently in use or under development. These systems, which produce and host platforms for scholarly books and journals, have proliferated in the last decade. The forthcoming analysis will highlight the availability, affordances, and current limitations of these systems, and thereby encourage the adoption and continued development of OS publishing technologies. Open infrastructure could prove to be a durable alternative to complex and costly proprietary services. The results of the environmental scan and the accompanying code audit, expected later this year, will be made openly accessible. The final report will inform the MIT Press's roadmap for the publishing platform <a href="https://www.pubpub.org/" target="_blank">PubPub </a> currently being codeveloped with the MIT Media Lab. 
<a href="">top </a> </p> <p> <a name="FirstNet"> </a> <strong> <a href="https://www.washingtonpost.com/news/true-crime/wp/2018/06/25/firstnet-launches-giving-police-and-firefighters-a-dedicated-wireless-network-and-infinite-possibilities/?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid&utm_term=.b5e126814e76" > FirstNet launches, giving police and firefighters a dedicated wireless network and infinite possibilities </a> </strong> (WaPo, 25 June 2018) - Though it's not a renowned high-tech hub, Brazos County, Tex., has become the showroom for what technology can do for police officers, paramedics and firefighters nationwide, through the newly created FirstNet wireless network. When Brazos sheriff's deputies entered a standoff with an armed man inside his home, they positioned four cars around the building and streamed live video through FirstNet back to their command center from their phones. When firefighters launched a swiftwater rescue recently, they were able to show it in real time through FirstNet to their supervisors. When a man tried to fraudulently register a stolen car, a patrol lieutenant was able to patch into the government center cameras through FirstNet and watch the crime in progress. "It's given us some incredible communication," said Brazos Sheriff Chris Kirk, "that we've been able to put to good use. It makes us much more efficient." The idea for FirstNet was long in gestation, beginning with the terrorist attacks of Sept. 11, 2001, but has rapidly come to fruition in the year since AT&T won a contract to build it for the federal government. The idea was a dedicated wireless network exclusively for first responders, enabling them to communicate in emergencies on a secure system built to handle massive amounts of data. Former Boston police commissioner Ed Davis witnessed two major problems of emergency communication firsthand. 
On 9/11, police helicopters flying over the World Trade Center could see the danger of building collapse but could not reach firefighters inside the towers, who were using a different radio system. And after the Boston Marathon bombing, cellular networks were overwhelmed with traffic, and police could not communicate with each other, Davis said. FirstNet addresses both problems. The government agency was created after 9/11 to devise the interoperability of first responders, and then to enable video, data and text capabilities in addition to voice. In March 2017, <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/03/30/att-is-building-a-new-cell-network-thatll-give-cops-and-firefighters-priority-over-regular-people/?utm_term=.ae8640a06d65" > FirstNet accepted AT&T's $40 billion bid </a> to build out the network. The governments of all 50 states and the District of Columbia opted in, and in March of this year, the core network went live. More than 1,000 agencies in 52 states and U.S. territories have signed up, including Boston police and fire and the Texas Department of Public Safety. <a href="">top </a> </p> <p> <a name="PotentialClients"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/06/25/potential-clients-are-confident-in-law-firms-cybersecurity-should-they-be/?kw=Potential%20Clients%20are%20Confident%20in%20Law%20Firms%27%20Cybersecurity.%20Should%20They%20Be?&et=editorial&bu=ALMcyberSecure&cn=20180629&src=EMC-Email&pt=cyberSecureNews" > Potential clients are confident in law firms' cybersecurity. Should they be? </a> </strong> (Legal Tech News, 25 June 2018) - Despite an increasingly malicious cyberthreat environment, most potential law firm clients are confident in the legal industry's ability to protect client data, according to a survey of more than 1,000 small business owners and the U.S. general public conducted by data disposal company Shred-it and market research company Ipsos Public Affairs. 
Almost half of the respondents, 47 percent, said data protection considerations were "very important" when deciding which law firm to hire, while 36 percent said such considerations were at least "somewhat important." But a majority, 61 percent, expressed little or no concern about providing sensitive information to lawyers, underscoring the widespread trust potential clients have in law firms' ability to protect their data. * * * What's more, overconfidence may already be harming law firms' security preparations, according to ALM Intelligence's "Challenges at the Intersection of Cybersecurity and Legal Services," <a href="https://www.law.com/legaltechnews/sites/legaltechnews/2017/12/14/both-firms-and-in-house-feel-confident-in-cyber-prep-but-that-might-be-overconfidence/" > a survey of 194 law firms </a> and legal departments. While the survey found that most law firms were confident they had adequate cybersecurity protections in place, their cybersecurity programs failed to meet client expectations. <a href="">top </a> </p> <p> - and - </p> <p> <a name="LEGALTRACKER"> </a> <strong> <a href="https://img.en25.com/Web/SerengetiLaw/%7B20e14ca9-8ce4-4931-9e2a-5c67feee239e%7D_Legal-Tracker-LDO-Report-2018.pdf" > Legal Tracker LDO Index </a> </strong> (ThomsonReuters, July 2018) - The volume of work for legal departments continues to grow, yet the overall legal department budget is not increasing at the same rate. Legal departments are dealing with how to do more with less. To address this challenge, departments are focusing on legal operations. With an operational focus, legal departments are looking at process improvements and technology to deliver on key department initiatives like controlling outside counsel costs and simplifying workflow and manual processes. Sixty-eight percent of organizations say the volume of legal work - defined by the number of legal matters - is increasing. 
Fifty-four percent of survey respondents report the percentage of work handled in-house is increasing, while 48% of survey respondents report increasing outside counsel spending. Seventy-one percent of organizations report that outside counsel hourly rates are increasing, while only 8% of organizations report decreases. With the increases in volume of work, 35% of legal departments report increasing the total legal department budget in the last 12 months, 25% report a budget decrease, and 40% report flat legal department budgets. When it comes to the budget for technology, 34% report increasing the budget, 52% are flat, and 13% report decreasing the technology budget. We asked legal departments to rank a variety of initiatives from no priority to high priority. The top five priorities among legal departments surveyed are: * * * [ <strong>Polley </strong>: Lots of interesting data here; spotted by MIRLN reader <a href="http://www.icgpartners.com/">Gordon Housworth </a>] <a href="">top </a> </p> <p> <a name="ATTcollaborates"> </a> <strong> <a href="https://techcrunch.com/2018/06/25/nsa-att-intercept-surveillance/" > AT&T collaborates on NSA spying through a web of secretive buildings in the US </a> </strong> (TechCrunch, 25 June 2018) - A <a href="https://theintercept.com/2018/06/25/att-internet-nsa-spy-hubs/"> new report from The Intercept </a> sheds light on the NSA's close relationship with communications provider AT&T. The Intercept identified eight facilities across the U.S. that function as hubs for efforts to collaborate with the intelligence agency. The site <a href="https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/" > first identified one potential hub </a> of this kind in 2017 in lower Manhattan. The report reveals that eight AT&T data facilities in the U.S. 
are regarded as high-value sites to the NSA for giving the agency direct "backbone" access to raw data that passes through, including emails, web browsing, social media and any other form of unencrypted online activity. The NSA uses the web of eight AT&T hubs for a surveillance operation code-named FAIRVIEW, a program previously <a href="https://www.nytimes.com/2015/08/16/us/politics/att-helped-nsa-spy-on-an-array-of-internet-traffic.html" > reported by The New York Times </a> . The program, first established in 1985, "involves tapping into international telecommunications cables, routers, and switches" and only coordinates directly with AT&T and not the other major U.S. mobile carriers. <a href="">top </a> </p> <p> <a name="HowSocialNetworks"> </a> <strong> <a href="https://www.wired.com/story/how-social-networks-set-the-limits-of-what-we-can-say-online/" > How social networks set the limits of what we can say online </a> </strong> (Wired, 26 June 2018) - <a href="https://www.wired.com/story/diamond-and-silk-expose-facebooks-burden-of-moderation/" > Content moderation </a> is hard. This should be obvious, but it's easily forgotten. It is resource intensive and relentless; it requires making difficult and often untenable distinctions; it is wholly unclear what the standards should be, especially on a global scale; and one failure can incur enough public outrage to overshadow a million quiet successes. We as a society are partly to blame for having put platforms in this situation. We sometimes decry the intrusions of moderators, and sometimes decry their absence. Even so, we have handed to private companies the power to set and enforce the boundaries of appropriate public speech. That is an enormous cultural power to be held by so few, and it is largely wielded behind closed doors, making it difficult for outsiders to inspect or challenge. Platforms frequently, and conspicuously, fail to live up to our expectations. 
In fact, given the enormity of the undertaking, most platforms' own definition of success includes failing users on a regular basis. The social media companies that have profited most have done so by selling back to us the promises of the web and participatory culture. But those promises have begun to sour. While we cannot hold platforms responsible for the fact that some people want to post pornography, or mislead, or be hateful to others, we are now painfully aware of the ways in which platforms invite, facilitate, amplify, and exacerbate those tendencies. For more than a decade, social media platforms have portrayed themselves as mere conduits, obscuring and disavowing their active role in content moderation. But the platforms are now in a new position of responsibility-not only to individual users, but to the public more broadly. As their impact on public life has become more obvious and more complicated, these companies are grappling with how best to be stewards of public culture, a responsibility that was not evident to them-or us-at the start. For all of these reasons, we need to rethink how content moderation is done and what we expect of it. And this begins by reforming Section 230 of the Communications Decency Act-a law that gave Silicon Valley an enormous gift, but asked for nothing in return. * * * <a href="">top </a> </p> <p> <a name="InstagramNow"> </a> <strong> <a href="https://techcrunch.com/2018/06/26/instagram-group-video-calling/" > Instagram now lets you 4-way group video chat as you browse </a> </strong> (TechCrunch, 26 June 2018) - Instagram's latest assault on Snapchat, FaceTime and Houseparty launches today. <a href="https://techcrunch.com/2018/03/01/instagram-audio-video-calling/"> TechCrunch scooped back in March </a> that Instagram would launch video calling, and the feature was officially <a href="https://techcrunch.com/2018/05/01/instagram-launches-video-chat/"> announced </a> at F8 in May. 
Now it's <a href="https://instagram-press.com/blog/2018/06/26/introducing-video-chat-a-new-explore-and-more/" > actually rolling out </a> to everyone on iOS and Android, allowing up to four friends to group video call together through Instagram Direct. With the feed, Stories, messaging, Live, IGTV and now video calling, Instagram is hoping to become a one-stop-shop for its 1 billion users' social needs. This massive expansion in functionality over the past two years is paying off, SimilarWeb told TechCrunch in an email; it estimates that the average U.S. user has gone from spending 29 minutes per day on the app in September 2017 to 55 minutes today. More time spent means more potential ad views and revenue for the Facebook subsidiary that a <a href="https://www.bloomberg.com/news/articles/2018-06-25/value-of-facebook-s-instagram-estimated-to-top-100-billion" > Bloomberg analyst just valued at $100 billion </a> after it was bought for less than $1 billion in 2012. <a href="">top </a> </p> <p> <a name="EightStates"> </a> <strong> <a href="https://www.nytimes.com/2018/06/27/business/equifax-data-security.html" > 8 states impose new rules on Equifax after data breach </a> </strong> (NYT, 27 June 2018) - Equifax agreed to a number of data security rules under a consent order with eight state financial regulators that was announced on Wednesday, the latest regulatory response to the breach that <a href="https://www.nytimes.com/interactive/2017/your-money/equifax-data-breach-credit.html" target="_blank" > allowed hackers to steal sensitive personal information </a> on more than 147 million people. The order describes specific steps the credit bureau must take, including conducting security audits at least once a year, developing written data protection policies and guides, more closely monitoring its outside technology vendors, and improving its software patch management controls. 
Equifax has said that the attackers gained access to its systems last year through a known software flaw that was inadvertently left unfixed for months. If Equifax falls short on any of its new promises, regulators in the states - Alabama, California, Georgia, Maine, Massachusetts, New York, North Carolina and Texas - will be able to take punitive action. Equifax said that "a good number" of the measures it agreed to in the order had already been completed. Equifax has spent nearly $243 million so far on the fallout from the data breach, including its spending on legal costs, new security tools and credit monitoring services <a href="https://www.nytimes.com/2017/09/08/your-money/identity-theft/equifaxs-instructions-are-confusing-heres-what-to-do-now.html" target="_blank" > it offered for free </a> after the break-in was revealed in September. The company's chief executive and several other top officials were forced out in the aftermath. Government regulators and law enforcement officials are still looking into Equifax's data safeguards. The company remains under investigation by the Federal Trade Commission, the Consumer Finance Protection Bureau and the Securities and Exchange Commission, among others. <a href="">top </a> </p> <p> <a name="HomelandSecurity"> </a> <strong> <a href="https://www.zdnet.com/article/homeland-security-subpoenas-twitter-for-data-breach-finders-account/" > Homeland Security subpoenas Twitter for data breach finder's account </a> </strong> (ZDnet, 2 July 2018) - Homeland Security has served Twitter with a subpoena, demanding the account information of a data breach finder, credited with finding several large caches of exposed and leaking data. The New Zealand national, whose name isn't known but goes by the handle <a href="https://twitter.com/s7nsins" target="_blank">Flash Gordon </a>, revealed the subpoena <a href="https://twitter.com/s7nsins/status/1007073789295788032" target="_blank" > in a tweet last month </a> . 
The pseudonymous data breach finder regularly tweets about leaked data found on exposed and unprotected servers. Last year, he found a trove of <a href="https://www.zdnet.com/article/thousands-of-patients-data-leaks-telemarketers-bad-security/" target="_blank" > almost a million patients' data </a> leaking from a medical telemarketing firm. A recent find included <a href="https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/" target="_blank" > an exposed cache of law enforcement data </a> by ALERRT, a Texas State University-based organization, which trains police and civilians against active shooters. The database, secured in March but reported last week, revealed that several police departments were under-resourced and unable to respond to active shooter situations. Homeland Security's export control agency, Immigration and Customs Enforcement (ICE), served the subpoena to Twitter on April 24, demanding information about the data breach finder's account. Twitter informed him of the subpoena, per <a href="https://help.twitter.com/en/rules-and-policies/twitter-legal-faqs" target="_blank" > its policy </a> on disclosing legal processes to its users. A legal effort to challenge the subpoena by a June 20 deadline was unsuccessful. Attorneys from the Electronic Frontier Foundation provided Flash Gordon legal assistance. ICE demanded Twitter turn over his screen name, address, phone number -- and any other identifying information about the account, including credit cards on the account. The subpoena also demanded the account's IP address history, member lists, and any complaints filed against the Twitter account. The subpoena did not demand the account's private messages or any other content, which typically requires a court order or a search warrant. It's not known why the subpoena was issued. Twitter spokesperson Emily Horne said the company does not comment on individual accounts for privacy and security reasons. 
<a href="">top </a> </p> <p> <a name="Carpenter"> </a> <strong> <a href="https://www.gwlr.org/carpenter-v-united-states-big-data-is-different/" > Carpenter v. United States: Big data is different </a> </strong> (GW Law Review, 2 July 2018) - A central truism of U.S. privacy law is that if you share information, you do not have an expectation of privacy in it. This reasoning runs through both Fourth Amendment jurisprudence and privacy tort cases, and has repeatedly been identified as a central failing of American privacy law in the digital age. On June 22, in <em>Carpenter v. United States </em>, the Supreme Court did away with this default. While repeatedly claiming to be fact-bound and incremental, Chief Justice Roberts's opinion has paradigm-shifting implications not only for Fourth Amendment law, but also for private-sector privacy law. In short, the Court in <em>Carpenter </em> has declared that Big Data is different. Just how different remains to be seen. The question addressed in <em>Carpenter- </em>whether obtaining historic location information from cellular phone service providers constitutes a search under the Fourth Amendment-arose at the confluence of two lines of cases. One addresses location tracking in public spaces, and the other addresses records that have been shared with third parties. Until recently, neither doctrinal thicket looked particularly good for Timothy Carpenter, or for privacy. But the <em>Carpenter </em> decision does not come out of thin air. Starting with the Court's recent GPS-tracking decision in <em>United States v. Jones- </em>and what has been referred to as the <em>Jones </em> "shadow majority"-the Supreme Court has recently appeared to take a different approach to Big Data. <em>Carpenter </em> cements this change. 
* * * [ <em>see also </em> <strong> <a href="http://thehill.com/opinion/cybersecurity/394215-gorsuchs-dissent-in-carpenter-case-has-implications-for-the-future-of?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Gorsuch's dissent in 'Carpenter' case has implications for the future of privacy </a> </strong> (The Hill, 26 June 2018), <em>and </em> <strong> <a href="https://www.lawfareblog.com/when-does-carpenter-search-start-and-when-does-it-stop" > When does a Carpenter search start-and when does it stop? </a> </strong> (Orin Kerr on Lawfare, 6 July 2018)] <a href="">top </a> </p> <p> <a name="ItsTimeFor"> </a> <strong> <a href="https://www.nytimes.com/2018/07/03/science/chemistry-virtual-reality.html?em_pos=small&emc=edit_ct_20180705&nl=technology&nl_art=4&nlid=50122138emc%3Dedit_ct_20180705&ref=headline&te=1" > It's time for a chemistry lesson. Put on your virtual reality goggles. </a> </strong> (NYT, 3 July 2018) - There was a time when biochemists had a lot in common with sculptors. Scientists who had devoted their lives to studying a molecule would build a model, using metal and a forest of rods to hold up the structure of thousands of atoms. " <a href="https://www.nobelprize.org/nobel_prizes/chemistry/laureates/2013/levitt-lecture.html" target="_blank" > Slow work, but at the end you really know the molecule </a> ," said Michael Levitt, who shared the Nobel Prize in Chemistry in 2013. These days simulations on screens have replaced such models, sacrificing some of their tactile value while gaining the ability to show movement. But what if you could enter a virtual reality environment where the molecules lie before you, obeying all the laws of molecular physics as calculated by supercomputers, and move them around in three dimensions? 
In <a href="http://advances.sciencemag.org/content/4/6/eaat2731" target="_blank" > a new paper in the journal Science Advances </a> , researchers report that they have constructed just such an environment, and that users who manipulate the proteins in VR can perform simple tasks nearly ten times faster in virtual reality than on a screen. The researchers asked users to perform three separate manipulations of molecules and timed how long each took. They had to thread a molecule of methane through a simulated carbon nanotube; unwind a helical molecule and wind it up in the opposite direction; and tie a knot in a simulated protein. They also did the same tasks on computers using a touchscreen or a mouse. Each task resembles research that is current in biology and chemistry. In tallying the time each task took, the researchers found that in VR, threading the nanotube and tying the knot went much quicker. The knot task, in particular, was completed nearly ten times as rapidly. By using 2D screen-based simulations of molecules, said Dr. Glowacki, "we might actually be doing things a lot slower than we could be." Scientists who use VR to get familiar with molecules may be able to gain intuition about their movements more quickly. [ <strong>Polley </strong>: pretty interesting animation videos on the website version of the story.] 
</p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://www.lawsitesblog.com/tech-competence/"> Tech Competence </a> </strong> (Robert Ambrogi) - In 2012, something happened that <a href="http://catalystsecure.com/blog/2012/08/new-aba-ethics-rule-underscores-what-edd-lawyers-should-already-know-theres-no-hiding-from-technology/" target="_blank" > I called </a> a sea change in the legal profession: The American Bar Association formally approved a change to the <a href="http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/model_rules_of_professional_conduct_table_of_contents.html" target="_blank" > Model Rules of Professional Conduct </a> to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. * * * On this page, I track the states that have formally adopted the revised comment to Rule 1.1. The total so far is 31. [ <strong>Polley </strong>: nice interactive map of the states.] <a href="">top </a> </p> <p> <strong> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2018/06/grimmelmann-on-whether-robot-transmissions-are-speech-for-first-amendment-purposes-grimmelm.html" > Grimmelmann on Whether Robot Transmissions Are Speech For First Amendment Purposes </a> </strong> (MLPB, 20 June 2018) - James Grimmelmann, Cornell Law School, is publishing <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3195421"> Speech in, Speech Out </a> in Robotica: Speech Rights and Artificial Intelligence (Ronald K. L. Collins and David M. Skover, eds., Cambridge University Press 2018). Here is the abstract: <em> This invited short response was published as part of Ronald K.L. Collins and David M. Skover's book Robotica: Speech Rights and Artificial Intelligence (Cambridge University Press 2018). 
Collins and Skover make a two-step argument about "whether and why First Amendment coverage given to traditional forms of speech should be extended to the data processed and transmitted by robots." First, they assert (based on reader-response literary criticism) that free speech theory can be "intentionless": what matters is a listener's experience of meaning rather than a speaker's intentions. Second, they conclude that therefore utility will become the new First Amendment norm. The premise is right, but the conclusion does not follow. Sometimes robotic transmissions are speech and sometimes they aren't, so the proper question is not "whether and why?" but "when?" Collins and Skover are right that listeners' experiences can substitute for speakers' intentions, and in a technological age this will often be a more principled basis for grounding speech claims. But robotic "speech" can be useful for reasons that are not closely linked to listeners' experiences, and in these cases their proposed "norm of utility" is not really a free speech norm. </em> <a href="">top </a> </p> <p> <strong> <a href="https://www.yjolt.org/lola-v-skadden-and-automation-legal-profession" > Lola v. Skadden and the Automation of the Legal Profession </a> </strong> (Yale Journal of Law & Technology) - <em> Technological innovation has accelerated at an exponential pace in the last few decades, ushering in an era of unprecedented advancements in algorithms and artificial intelligence technologies. Traditionally, the legal field has protected itself from technological disruptions by maintaining a professional monopoly over legal work and limiting the "practice of law" to only those who are licensed. </em> <em> This article analyzes the long-term impact of the Second Circuit's opinion in </em> Lola v. Skadden, Arps, Slate, Meagher & Flom LLP <em> , 620 F. App'x 37 (2d Cir. 2015), on the legal field's existing monopoly over the "practice of law." 
In </em> Lola <em> , the Second Circuit underscored that "tasks that could otherwise be performed entirely by a machine" could not be said to fall under the "practice of law." By distinguishing between mechanistic tasks and legal tasks, the Second Circuit repudiated the legal field's oft-cited appeals to tradition insisting that tasks fall under the "practice of law" because they have always fallen under the practice of law. The broader implications of this decision are threefold: (1) as machines evolve, they will encroach on and limit the tasks considered to be the "practice of law"; (2) mechanistic tasks removed from the "practice of law" may no longer be regulated by professional rules governing the legal field; and (3) to survive the rise of technology in the legal field, lawyers will need to adapt to a new "practice of law" in which they will act as innovators, purveyors of judgment and wisdom, and guardians of fairness, impartiality, and accountability within the law. The article proceeds by first discussing the procedural history and decision in </em> Lola v. Skadden <em> . It then explains the technological advances that will impact the legal field and the tools used by the legal field to perpetuate its self-regulating monopoly. The article then turns to the socioeconomic implications of technological disruption within the legal field and concludes with a discussion on how lawyers may prepare themselves for, and thrive within, an inevitably automated future. 
</em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.techdirt.com/articles/20080310/012214486.shtml"> Patent Office agrees to review infamous JPEG patent </a> </strong> (TechDirt, 12 March 2008) - Last month, we noted that there was some effort being made to get the Patent Office to do a re-exam of a patent that attorney Ray Niro had been using to go after any site that had a JPEG image. While the patent itself had been re-examed before, one claim had been left intact, which Niro has said covers anyone using JPEG compression. It appears that the effort to get the USPTO to look into the patent once again has succeeded, though it's a long and rather involved process that won't come to fruition for quite a long time. The request includes a long list of prior art on that one particular claim, which the Patent Office admits it did not look at earlier and which raises substantial questions about the patentability of the remaining claim in the patent. This is rather good news. <a href="">top </a> </p> <p> <strong> <a href="https://www.techdirt.com/articles/20080213/230419254.shtml"> Administration shutting down economic indicators site </a> </strong> (TechDirt, 14 Feb 2008) - While there was some decent news suggesting the economy might not be falling into a recession, there are still plenty of knowledgeable folks who think some sort of recession is likely. Last week, in New York, plenty of folks I spoke to seemed to believe we were already in one. Of course, to actually call a recession, the general consensus is that there would need to be two consecutive quarters of negative economic growth. So how would you measure that growth? Well, apparently the White House would prefer to make it as difficult as possible. 
Reader Jon writes in to note the rather inconvenient timing of the Administration suddenly deciding to shut down its own website that aggregated economic indicators. The site, EconomicIndicators.gov had even won awards from Forbes as a great resource. <a href="">top </a> </p> <p> <a name="TOP"> </a> MIRLN --- 27 May - 16 June 2018 (v21.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_27_may_16_june_2018_v2108/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> </p> <p> Register now for the upcoming ABACLE webinar series "Cybersecurity Wake-Up Call: The Business You Save May Be Your Own". This 5-part series starts June 27 (with ethics CLE credit!), followed by other episodes in July, August, September, and October. Each episode parses related parts of the best-selling " <a href="http://bit.ly/2x7HNbJ">ABA Cybersecurity Legal Handbook </a>". For more information, visit ambar.org/cyberwakeup to register. The "colleagues" discount is 15% - use code FACMARK at checkout. Get 20% off if you subscribe to the full series, along with a free e-copy of the handbook. 
</p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> Law firm cybersecurity 'an imperative' as clients make demands clear </a> </li> <li> <a href="">The law firm cybersecurity audit grows up </a> </li> <li> <a href="">Pentagon cracks down on personal mobile devices </a> </li> <li> <a href="">Chase Bank sues Landry's for $20M over data breach </a> </li> <li> <a href=""> This Frida Kahlo digital collection is massive & free </a> </li> <li> <a href=""> Four days into GDPR, US publishers are starting to feel the effects </a> </li> <li> <a href=""> A trip to the ER with your phone may mean injury lawyer ads for weeks </a> </li> <li> <a href="">Cybersecurity: Why it matters in M&A transactions </a> </li> <li> <a href=""> New data show substantial gains and evolution in internet use </a> </li> <li> <a href=""> Special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs </a> </li> <li> <a href=""> FTC rebuked in LabMD case: What's next for data security? 
</a> </li> <li> <a href=""> Blockchain's once-feared 51% attack is now becoming regular </a> </li> <li> <a href=""> Not just corporate: Law firms too are struggling with GDPR compliance </a> </li> <li> <a href="">On Facebook, a place for civil discussion </a> </li> <li> <a href="">Apple will update iOS to block police hacking tool </a> </li> <li> <a href="">Google adds federal data to college searches </a> </li> <li> <a href=""> How Firefox is using Pocket to try to build a better news feed than Facebook </a> </li> <li> <a href="">Free MOOCs face the music </a> </li> <li> <a href=""> Beware of buying a competitor's name to market your law practice </a> </li> </ul> <p> <a name="LawFirmCybersecurity"> </a> <strong> <a href="https://www.law.com/thelegalintelligencer/2018/05/21/law-firm-cybersecurity-an-imperative-as-clients-make-demands-clear/" > Law firm cybersecurity 'an imperative' as clients make demands clear </a> </strong> (Law.com, 21 May 2018) - As corporate clients fret over the potential threat posed by cyber breaches, Pennsylvania law firms are increasingly making data privacy and cybersecurity a top priority, putting time and resources behind the effort. Legal software company Aderant this month released its second "Business of Law and Legal Technology" <a href="https://www.aderant.com/wp-content/uploads/2018/05/2018-Business-of-Law-Survey-Global.pdf?utm_source=research&utm_medium=web" target="_blank" > survey </a> , which <a href="https://www.law.com/americanlawyer/2018/05/16/law-firm-optimism-up-as-pressures-remain-on-rates-cybersecurity-survey/" target="_blank" > showed general optimism </a> among law firm professionals. But when respondents were asked about the key challenges they faced, more than 32 percent of them named cybersecurity as a top concern. Pennsylvania law firms are grappling with the issue- <a href="https://www.law.com/newyorklawjournal/almID/1202764719920" target="_blank" > and the cost </a> -along with the rest of the industry. 
Law firm technology professionals and firm management in the region say the days are gone when clients could treat their outside lawyers' cybersecurity efforts as an afterthought. Devin Chwastyk, chair of the privacy and data security group at <a href="https://www.law.com/mid-market-report/2018/05/01/mcnees-wallace-how-one-of-pa-s-biggest-midsize-firms-straddles-two-worlds/" target="_blank" > McNees Wallace & Nurick </a> , said the driver for law firm clients has been demands from their customers for assurance of data privacy. More and more, he said, clients are putting data security addenda on their fee agreements. "Every RFP now requires us to disclose how we protect confidential information," said Jeff Lobach, managing partner of Barley Snyder. And that requires a greater investment of time and money, he said. Lobach said clients have never been dissatisfied with the measures his firm has put in place. But if they were, he said, the firm would likely be expected to change its practices to keep the work. "Cybersecurity as a line item has certainly become a bigger expense for us," Chwastyk said. "That was inevitable regardless of client demands." <a href="">top </a> </p> <p> - and - </p> <p> <a name="TheLawFirmCybersecurity"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/05/29/the-law-firm-cybersecurity-audit-grows-up/?kw=The%20Law%20Firm%20Cybersecurity%20Audit%20Grows%20Up&et=editorial&bu=ALMcyberSecure&cn=20180601&src=EMC-Email&pt=cyberSecureNews" > The law firm cybersecurity audit grows up </a> </strong> (Law.com, 29 May 2018) - A few years ago, law firms faced a wake-up call. More and more, their networks were being infiltrated, their staff exposed to a new threat called ransomware. They saw the crosshairs on their backs, understood the risks of their coveted position as holders of clients' sensitive information. But they didn't come to this realization entirely on their own. 
Clients in heavily regulated industries, like finance, demanded protections for crucial sensitive data. And slowly, through client security audits and questionnaires, a high standard of cybersecurity awareness at law firms became the norm. * * * But in response, law firm cybersecurity requirements have evolved, too. There are now more in-depth cybersecurity assessments, more expectations around transparency, and more engagement between client and law firm. Cybersecurity questionnaires and audits have been, and still remain, the foundation of law firm cybersecurity assessments. Now, though, they are performed far more rigorously than they were in the past. For one thing, the time between audits is shrinking. "Typically, audits used to be once every three years, then they became once every two years. Now, with big clients, they increasingly tend to be every year," says Paul Greenwood, chief information officer at Clifford Chance. Clients have also become more demanding, seeing cybersecurity reviews as more of a collaborative and custom process than a simple matter of housekeeping. "It's more of an engagement than a point-in-time audit," says Robert Kerr, chief information officer at Cooley. "It used to be a check-the-box type of exercise; now it's an interactive exercise where they seek clarifications." And often, these audits will get into the weeds. Brett Don, chief information officer at Stradley Ronon, says that from his experience working with information security prior to entering the law firm world, corporations have "gotten more granular, they've gotten more specific in terms of the information they are trying to glean from their business partners, including law firms." The details that clients usually ask from a law firm will vary, but oftentimes will focus around the technical minutiae of their data security. 
"The client security questionnaires will ask how we protect their data, and our protocol is to share the results of our ongoing penetration tests and vulnerability scans with them," says Andrea Markstrom, chief information officer at Blank Rome. This means that, at a minimum, modern law firms need to hold "routine and regular scans of vulnerabilities in their systems," Don adds. But demanding and detailed audits, even yearly, may not be enough in today's cyberthreat world. "The other thing that I think we're seeing more of is these one-off, what I call 'diligence inquiries' around high risk vulnerabilities," Don says, pointing to "Spectre" and "Meltdown" microprocessor vulnerabilities that were disclosed in January 2018 as examples. Such inquiries come "outside the questionnaire process," he explains, and may encompass several questions about the firm's susceptibility to the vulnerability. In some cases, he says, clients ask the firm directly to certify that they've addressed a particular vulnerability. <a href="">top </a> </p> <p> <a name="PentagonCracks"> </a> <strong> <a href="https://fcw.com/articles/2018/05/23/pentagon-mobile-secure-ban.aspx" > Pentagon cracks down on personal mobile devices </a> </strong> (FCW, 23 May 2018) - The Defense Department is cracking down on personal mobile devices inside secure areas of the Pentagon. Under a <a href="https://media.defense.gov/2018/May/22/2001920731/-1/-1/1/PENTAGON-MOBILE-DEVICE-POLICY.PDF" target="_blank" > new policy memo </a> released May 22, DOD personnel, contractors and visitors to the building and supporting facilities in Arlington County, Va., are restricted from having mobile devices in areas designated or accredited for "processing, handling, or discussion of classified information." Personal and unclassified government-issued mobile devices are prohibited in secure spaces but may be used in common areas. 
Government-issued unclassified devices being used as desktop replacements must have approved "interim mitigations applied until replaced with compliant devices" within 180 days. Mitigations include disabling the camera, microphone and Wi-Fi settings. Government-issued classified mobile devices can continue to operate per previous authorization while exemptions are reviewed. <a href="">top </a> </p> <p> <a name="ChaseBank"> </a> <strong> <a href="https://www.chron.com/business/article/Chase-Bank-sues-Landry-s-for-20M-over-data-12935324.php?utm_source=eloqua&utm_medium=email_54850&utm_campaign=25011" > Chase Bank sues Landry's for $20M over data breach </a> </strong> (Houston Chronicle, 23 May 2018) - Chase and its credit card payment processor Paymentech filed a breach-of-contract lawsuit Thursday in federal court in Houston, claiming Landry's failed to comply with credit card data security standards and is refusing to reimburse the Ohio-based financial institutions for assessments imposed by Visa and MasterCard in the wake of the data breach. Hackers in 2014 and 2015 compromised point-of-sale systems at more than 40 Landry's properties, including Bubba Gump, McCormick & Schmick's, Rainforest Cafe and Saltgrass restaurants. In response, Landry's hired a cyber security firm to examine its payment-card systems and implemented enhanced security measures for processing credit cards, including end-to-end encryption. <a href="">top </a> </p> <p> <a name="ThisFrida"> </a> <strong> <a href="http://remezcla.com/culture/frida-kahlo-digital-collection-google-arts-and-culture/" > This Frida Kahlo digital collection is massive & free </a> </strong> (Remezcla, 25 May 2018) - More than six decades after her death, there is still immense interest in <a href="http://remezcla.com/lists/culture/frida-kahlo-rare-photos/" target="_blank" > Frida Kahlo </a> . And a new retrospective will allow fans to learn more about the Mexican artist right from their homes. 
Google Arts & Culture has collaborated with 33 museums from seven countries across the world to bring us <em>Faces of Frida </em>, the largest collection of photographs, documents, and artworks associated with Kahlo. The collection promises to give us a multi-faceted look at the queer, feminist, and disabled icon. "It's a true global effort," said Jesús García, Google's Head of Hispanic Communications, according to <em> <a href="https://www.forbes.com/sites/veronicavillafane/2018/05/23/google-unveils-frida-kahlo-retrospective-with-never-before-seen-artifacts/#1425c83f4f27" target="_blank" > Forbes </a> </em> . "Frida's name kept coming up as a top contender when we started to think of what artists would be the best to feature in a retrospective. There's so much of her that was not known and could still be explored from an artistic perspective and life experience." Excitingly, the collection gives us a look into items and artworks that have rarely been displayed, including a sketch Kahlo made of New York in 1932 for Mexican actress <a href="https://artsandculture.google.com/asset/view-of-new-york-dedicated-to-dolores-del-r%C3%ADo/jwEt-KSTb8c_6w" target="_blank" > Dolores del Río </a> . She sketched what she saw from the Barbizon Plaza Hotel. If you've also wanted to visit <a href="http://remezcla.com/features/culture/frida-kahlo-gisele-freund-photographs-casa-azul/" target="_blank" > La Casa Azul </a> , where she lived and worked, but haven't had a chance, Google also has you covered. "This expertly curated online exhibition presents an intimate view of Frida Kahlo's life and loves through her vibrant letters, candid photographs, and unpublished essays," added Kate Haw, director of the Smithsonian Archives of American Art. 
"Through the story threads of these original records - a total of 54 rare documents drawn from our collections - we gain a deeper understanding of Frida's relationships with historian Florence Arquin, artist Emmy Lou Packard, photographer Nickolas Muray, art collector Chester Dale, and writer John Weatherwax." Enjoy it in its full glory <a href="https://artsandculture.google.com/project/frida-kahlo" target="_blank" > here </a> . <a href="">top </a> </p> <p> <a name="FourDays"> </a> <strong> <a href="https://www.cjr.org/the_new_gatekeepers/gdpr-rules-publishers.php?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Four days into GDPR, US publishers are starting to feel the effects </a> </strong> (Columbia Journalism Review, 29 May 2018) - For something that has been in the works for <a href="https://www.cjr.org/tow_center_reports/understanding-general-data-protection-regulation.php/" > more than two years </a> , the EU's General Data Protection Regulation seemed to take at least some people by surprise when it went into effect May 25th-including more than a few publishers. And some warn the long-term effects of the regulations could be severe: Ad exchanges used by many news sites reportedly <a href="https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying-plummets-europe/" target="_blank" > saw an immediate drop </a> in demand of between 25 and 40 percent, and many believe this could help increase the dominance of platforms like Google and Facebook, since <a href="https://twitter.com/Carnage4Life/status/1000355153503899648" target="_blank" > they are better prepared </a> for the data-handling rules and have deeper pockets. 
When the new rules on how to handle user information went into effect, a number of news sites <a href="https://www.nytimes.com/2018/05/25/business/media/europe-privacy-gdpr-us.html" target="_blank" > responded by </a> simply shutting off access to anyone who appeared to be coming from a European address, and for many that continued to be the case right through the Memorial Day weekend. As of Monday, for example, several of the papers belonging to the tronc chain-including the <em>Los Angeles Times </em> and <em>Chicago Tribune- </em>were still showing EU visitors <a href="http://www.tronc.com/gdpr/latimes.com/" target="_blank"> a message saying </a> : "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism." Other news sites such as <em>USA Today </em>responded to the new rules-under which multi-million-dollar fines can be issued for improper use of data-by removing some or all of the ad-related software that harvests information from users and tracks their behavior. <a href="https://twitter.com/paulcalvano/status/1000094333524201473" target="_blank" > According to one web engineer </a> , the US version of the <em>USA Today </em>site was 5.5 megabytes in size and included more than 800 ad-related requests for information involving 188 different domains. The EU version was less than half a megabyte in size and contained no third-party content at all, meaning it not only didn't track as much data but also loaded much faster. 
<a href="">top </a> </p> <p> <a name="AtripToTheER"> </a> <strong> <a href="https://arstechnica.com/tech-policy/2018/05/injury-lawyers-push-ads-to-patients-phones-when-they-go-to-geofenced-ers/" > A trip to the ER with your phone may mean injury lawyer ads for weeks </a> </strong> (ArsTechnica, 29 May 2018) - With digital traps in hospitals, there's no need for personal injury lawyers to chase ambulances these days. Law firms are using <a href="https://www.npr.org/sections/health-shots/2018/05/25/613127311/digital-ambulance-chasers-law-firms-send-ads-to-patients-phones-inside-ers" > geofencing in hospital emergency rooms </a> to target advertisements to patients' mobile devices as they seek medical care, according to Philadelphia public radio station WHYY. Geofencing can essentially create a digital perimeter around certain locations and target location-aware devices within the borders of those locations. Patients who unwittingly jump that digital fence may see targeted ads for more than a month, and on multiple devices, the outlet notes. While the reality may seem like a creepy nuisance to some, privacy experts are raising alarms. "Private medical information should not be exploited in this way," Massachusetts Attorney General Maura Healey told WHYY. "Especially when it's gathered secretly without a consumer's knowledge-without knowledge or consent." Last year, <a href="http://www.mass.gov/ago/news-and-updates/press-releases/2017/2017-04-04-copley-advertising-geofencing.html" > Healey's office barred a digital firm from using geofencing in healthcare settings </a> in the state after the firm was hired by a Christian pregnancy counseling and adoption agency to use digital perimeters to target ads to <a href="https://www.reuters.com/article/us-massachusetts-abortion/firm-settles-massachusetts-probe-over-anti-abortion-ads-sent-to-phones-idUSKBN1761PX" > anyone who entered reproductive health facilities, including Planned Parenthood clinics </a> . 
The goal was to make sure "abortion-minded women" saw certain ads on their mobile devices as they sat in waiting rooms. The ads had text such as "Pregnancy Help" or "You Have Choices," which, if clicked, would direct them to information about abortion alternatives. <a href="">top </a> </p> <p> <a name="CybersecurityWhy"> </a> <strong> <a href="https://www.schoenherr.eu/publications/publication-detail/cybersecurity-why-it-matters-in-ma-transactions/?utm_source=eloqua&utm_medium=email_54994&utm_campaign=25134" > Cybersecurity: Why it matters in M&A transactions </a> </strong> (Schoenherr, 30 May 2018) - At a time when we are all dependent on our IT systems and when digital assets are of central importance, cybersecurity is one of the most critical aspects to protect our businesses, know-how and data from being stolen, disclosed, deleted and/or manipulated. In light of the global threats that potentially could affect every business ("no one is safe"), public regulators have started adopting regulations on cybersecurity (e.g. <a href="https://schoenherr.us6.list-manage.com/track/click?u=ca484c7d4831cf58fcd047a48&id=694554b872&e=23be8296da" target="_blank" > the Austrian Financial Market Authority published guidelines for IT security in financial institutions </a> ). In addition, the GDPR specifically deals with data breach issues. Still, it feels that awareness of cybersecurity issues is lacking. This is particularly true for private M&A transactions. A recent regulation of the New York Department of Financial Services (" <strong>NYDFS </strong>") now specifically addresses <a href="https://schoenherr.us6.list-manage.com/track/click?u=ca484c7d4831cf58fcd047a48&id=a4136d91bd&e=23be8296da" target="_blank" > cybersecurity risks in M&A transactions </a> . The NYDFS's regulation was issued in the context of the 2014 large-scale data breach of Yahoo! 
and Yahoo!'s failure to disclose the breach until September 2016, shortly before the sale of its operating unit to Verizon Communications Inc. The non-disclosure of the 2014 data breach had a direct impact on the sale, i.e. <a href="https://schoenherr.us6.list-manage.com/track/click?u=ca484c7d4831cf58fcd047a48&id=023ea4c4cc&e=23be8296da" target="_blank" > Yahoo! and Verizon agreed to a USD 350 million reduction in the acquisition price </a> , among other things because Yahoo! had positively represented to Verizon in the publicly available stock purchase agreement that, to the best of its knowledge, there had been no security breaches. In its <a href="https://schoenherr.us6.list-manage.com/track/click?u=ca484c7d4831cf58fcd047a48&id=7fcd7a347c&e=23be8296da" target="_blank" > FAQ </a> , the NYDFS has now clarified that cybersecurity also matters in M&A transactions: <em> "when Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in, the target company's risk for cybersecurity including its availability of PII, the safety and soundness of the Covered Entity, and the integration of data systems. The [NYDFS] emphasizes that Covered Entities need to have a serious due diligence process and cybersecurity should be a priority when considering any new acquisitions." </em> The NYDFS regulation thus underlines that cybersecurity has become an issue to consider in M&A processes as well, both in due diligence and in the transaction documents. 
<a href="">top </a> </p> <p> <a name="NewDataShow"> </a> <strong> <a href="https://www.ntia.doc.gov/blog/2018/new-data-show-substantial-gains-and-evolution-internet-use?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > New data show substantial gains and evolution in internet use </a> </strong> (NTIA, 6 June 2018) - The digital divide is showing signs of giving way as more Americans from all walks of life connect to the Internet. Several historically disadvantaged groups showed significant increases in online adoption, according to initial results from NTIA's most recent survey on Internet use conducted by the U.S. Census Bureau. The survey, which was conducted in November 2017, reveals new contours of Americans' Internet use. In 2017, more households had a mobile data plan than wired broadband service. Additionally, for the first time since NTIA began tracking use of different types of computing devices, tablets were more popular than desktop computers among Americans, and the number of people who used multiple types of devices also increased substantially. The data show that 78 percent of Americans ages 3 and older used the Internet as of November 2017, compared with 75 percent in July 2015, when our <a href="https://www.ntia.doc.gov/blog/2016/first-look-internet-use-2015"> previous survey </a> was conducted. This increase of 13.5 million users was driven by increased adoption among low-income families, seniors, African Americans, Hispanics, and other groups that have been less likely to go online. For example, among Americans living in households with family incomes below $25,000 per year, Internet use increased from 57 percent in 2015 to 62 percent in 2017, while households earning $100,000 or more showed no change during this period. While the trend is encouraging, low-income Americans are still significantly less likely to go online (see Figure 1). 
<a href="">top </a> </p> <p> <a name="SpecialCounsel"> </a> <strong> <a href="https://www.benton.org/headlines/special-counsel-robert-muellers-team-requesting-witnesses-turn-their-personal-phones?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Special counsel Robert Mueller's team is requesting that witnesses turn in their personal phones to inspect their encrypted messaging programs </a> </strong> (Benton, 7 June 2018) - Special counsel Robert Mueller's team is reportedly requesting that witnesses turn in their personal phones so that investigators can inspect their encrypted messaging programs and potentially view conversations between associates linked to President Donald Trump. Since as early as April, Mueller's team has reportedly been asking witnesses in the Russia probe to turn over phones for agents to examine private conversations on WhatsApp, Confide, Signal and Dust. Fearing a subpoena, the witnesses have complied with the request and have handed over their phones. While it's unclear what Mueller has discovered, if anything, through this new request, investigators seem to be convinced that the apps could be a key to exposing conversations that weren't previously disclosed to them. [ <em>see also </em> , <strong> <a href="https://www.washingtonpost.com/news/the-switch/wp/2018/06/08/are-any-encrypted-messaging-apps-fail-safe-subjects-of-muellers-investigation-are-about-to-find-out/?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid&utm_term=.eff2e6703ab9" > Are any encrypted messaging apps fail-safe? Subjects of Mueller's investigation are about to find out. </a> </strong> (WaPo, 8 June 2018)] <a href="">top </a> </p> <p> <a name="FTCrebuked"> </a> <strong> <a href="https://www.wileyrein.com/newsroom-articles-FTC_Rebuked_in_LabMD_Case_Whats_Next_for_Data_Security.html" > FTC rebuked in LabMD case: What's next for data security? </a> </strong> (Wiley Rein, 7 June 2018) - On June 6, the U.S. 
Court of Appeals for the Eleventh Circuit decided the long-awaited LabMD saga. As Wiley Rein attorneys recently explained in <a href="https://wileyrein.mediaplatform.com/#!/video/152/What+You+Should+Know+About+the+New+FTC:+Top+10+Issues+and+Priorities" target="_blank" > a webinar </a> on agency priorities, this case is an important milestone and inflection point for the new Federal Trade Commission (FTC) leadership. The FTC's authority and role in data security has been key to ongoing debates over federal privacy and security policy domestically and globally. This case raised issues going to FTC power and practice, but ultimately turned on the remedy imposed by the agency, which was found to be so vague as to be unenforceable. The court did not address the two key substantive questions: (1) in a data breach case, what type of consumer injury gives rise to "unfairness" under Section 5 of the FTC Act, an issue sometimes identified as the "informational injury" question? (2) what type of notice is the FTC required to provide regarding reasonable data security measures? Despite its failure to answer these questions, the decision has implications for those issues and the agency's overall approach to data security. In particular, the Eleventh Circuit's decision was a rebuke to the agency's remedial efforts, which lean heavily on consent decrees to prod action the agency could not otherwise mandate. The Court found that the FTC's cease and desist order "mandates a complete overhaul of LabMD's data-security program and says precious little about how this is to be accomplished." According to three appeals court judges, "[t]his is a scheme that Congress could not have envisioned." * * * [ <strong>Polley </strong>: good analysis.] 
<a href="">top </a> </p> <p> <a name="Blockchain"> </a> <strong> <a href="http://telegra.ph/Blockchains-Once-Feared-51-Attack-Is-Now-Becoming-Regular-06-08" > Blockchain's once-feared 51% attack is now becoming regular </a> </strong> (Telegra.ph, 8 June 2018) - Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond with millions of dollars in an effort that's perhaps the crypto equivalent of a bank heist. More surprising, though, may be that so-called 51% attacks are a <a href="https://www.coindesk.com/51-attacks-real-threat-bitcoin/" target="_blank" > well-known and dangerous </a> cryptocurrency attack vector. While there have been some instances of such attacks working successfully in the past, they haven't exactly been all that common. They've been so rare, some technologists have gone as far as to argue miners on certain larger blockchains would never fall victim to one. The age-old (in <a href="https://www.coindesk.com/life-crypto-time/" target="_blank"> crypto time </a> ) argument? It's too costly and they wouldn't get all that much money out of it. But that doesn't seem to be the case anymore. NYU computer science researcher Joseph Bonneau released research <a href="https://www.coindesk.com/ponzis-death-stranger-ways-lose-crypto/" target="_blank" > last year </a> featuring estimates of how much money it would cost to execute these attacks on top blockchains by simply renting power, rather than buying all the equipment. One conclusion he drew? These attacks were likely to increase. And, it turns out he was right. 
[ <em>see also </em>, <strong> <a href="https://www.nytimes.com/2018/06/13/technology/bitcoin-price-manipulation.html" > Bitcoin's price was artificially inflated, fueling skyrocketing value, researchers say </a> </strong> (NYT, 13 June 2018)] <a href="">top </a> </p> <p> <a name="NotJustCorporate"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/06/11/not-just-corporate-law-firms-too-are-struggling-with-gdpr-compliance/" > Not just corporate: Law firms too are struggling with GDPR compliance </a> </strong> (Law.com, 11 June 2018) - Despite the years-long build-up to the EU's <a href="https://www.law.com/legaltechnews/2018/05/25/everyones-worried-about-gdpr-but-it-may-be-the-y2k-of-data-privacy-397-8303/" > General Data Protection Regulation </a> (GDPR), which came into force on May 25, many organizations are still <a href="https://www.law.com/legaltechnews/2018/05/21/most-u-s-and-eu-companies-not-ready-for-new-data-privacy-law-survey-says-397-8136/" > behind </a> in their compliance efforts. And while much attention has been paid to corporations' compliance shortcomings, a recent Wolters Kluwer survey found that law firms are also lagging in meeting GDPR mandates. Conducted among 74 medium (26-100 staff members) to large (100-plus) law firms, the survey found that only 47 percent of law firms said they were "fully prepared" to meet the GDPR's requirements. While 16 percent said they were "somewhat prepared," more than a third, 37 percent, said they have not prepared specifically for the GDPR at all. Barry Ader, vice president of product management and marketing at Wolters Kluwer, noted that part of the reason why many law firms were unprepared for GDPR was because they thought there would be an extension to the deadline. "Many of the law firms kind of half expected that there would be a delay, and they wouldn't have had to solve the problem by May 25," he said. 
However, Ader noted that the lack of preparation was also a sign that "law firms just don't have the necessary skills, people, and budget to figure out how to handle GDPR." Indeed, law firms are in a unique situation when it comes to the GDPR, given that many must not only ensure their own firm's compliance but also manage and direct their clients' GDPR compliance efforts. Such " <a href="https://www.law.com/legaltechnews/2018/05/01/as-gdpr-looms-law-firms-do-double-duty-on-compliance-405-14214/" > double duty </a> " is forcing some firms to staff up and overextend their attorneys. Yet even with added staff and hours, firms can find it challenging to meet GDPR demands. London-based Squire Patton Boggs partner Ann LaFrance, for example, <a href="https://www.law.com/legaltechnews/2018/05/01/as-gdpr-looms-law-firms-do-double-duty-on-compliance-405-14214/" > told The American Lawyer </a> that hiring cannot keep up with the wide-ranging compliance needs of their clients. "It still isn't enough, and there isn't enough experience out there." Still, while firms may have a lot of GDPR preparation to do, 60 percent had already assigned a point person, consultant or team to spearhead GDPR compliance efforts, while 72 percent were investing in cybersecurity. What's more, 43 percent assigned a data protection officer (DPO), though they were not required to under the regulation. Such a mandate only applies to companies classified as "data controllers" who determine the purposes for, and the means of, processing EU personal data. One area where many firms' GDPR preparations lagged is employee training. The survey found that only 43 percent of law firms conducted security and privacy training annually, while 24 percent had done training in the past three years. An additional 15 percent said that while they did not currently train employees, they were planning to do so in the near future. Seventeen percent did not and had no plans to train at all. 
[ <strong>Polley </strong>: Spotted by MIRLN reader <a href="http://www.icgpartners.com/">Gordon Housworth </a>] <a href="">top </a> </p> <p> <a name="OnFacebook"> </a> <strong> <a href="https://www.nytimes.com/2018/06/12/insider/facebook-group-new-york-times.html" > On Facebook, a place for civil discussion </a> </strong> (NYT, 12 June 2018) - In the run-up to the 2016 election, Russian trolls wielding ads and memes used Facebook as a tool to darken lines of division. More recently, one corner of Facebook has emerged in pursuit of the opposite: civil conversation, even among those who disagree. It has become part of Bethany Grace Howe's morning routine, right alongside her yogurt and cup of tea. The New York Times's Reader Center <a href="https://www.nytimes.com/2017/12/06/reader-center/facebook-group-nomination.html" target="_blank" > put out a call </a> early last December inviting readers to apply to join a Facebook group where they could offer feedback on The Times's coverage and talk about how the news affects them. Ms. Howe, 49 - a longtime media scholar, journalist and reader of The Times since she was 13 - was among the first 100 people chosen to join the group. "It was like, O.K., this is too good to be true," she said. And it soon became clear that the group was a lot more than just a place to talk about the Gray Lady. "I joined because I thought I was going to learn a lot about The New York Times from the people who work at The Times," Ms. Howe said. "What's ended up happening is I've learned an amazing amount about this country by talking to the readers of The Times." It has come to mean enough that she is now working to organize a real life meet-up of group members near her in Oregon, where she is a doctoral student of mass media studies examining questions of transgender identity and depictions in media. 
The <a href="https://www.facebook.com/groups/nytreadercenter/" target="_blank"> Reader Center group </a> is one of four Facebook groups that The Times has created since last spring. There's <a href="https://www.facebook.com/groups/nytaustralia/" target="_blank"> NYT Australia </a> , where the focus is Australia but the discussion regularly stretches wider, run by the journalists in The Times's Australia bureau. There's <a href="https://www.facebook.com/groups/NowReadThisBookClub/" target="_blank" > Now Read This </a> , an online book club co-managed by The New York Times Book Review and "PBS Newshour" where members discuss a different book every month, guided in part by questions from the two news organizations. And there's <a href="https://www.facebook.com/groups/nytpodcastclub" target="_blank"> The New York Times Podcast Club </a> (which I help run), where podcast lovers can talk about what they're listening to and Times employees select a show every week for discussion. These are different from The Times's institutional Facebook page, or pages run by sections like Styles or Science, which you might follow to see their news articles show up in your feed. In these groups, people at The Times - and collaborators - guide discussions and often engage with group members. Administrators must approve people before they can join, and must sign off on individual posts, too. They can also delete comments or remove members if things get nasty or inappropriate. 
<a href="">top </a> </p> <p> <a name="AppleWillUpdate"> </a> <strong> <a href="https://www.theverge.com/2018/6/13/17461464/apple-update-graykey-ios-police-hacking" > Apple will update iOS to block police hacking tool </a> </strong> (The Verge, 13 June 2018) - For months, police across the country have been using <a href="https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police" > a device called a GrayKey </a> to unlock dormant iPhones, using an undisclosed technique to sidestep Apple's default disk encryption. The devices are currently in use in <a href="https://motherboard.vice.com/en_us/article/8xeaep/who-has-bought-graykey-iphone-unlocking-map" > at least five states and five federal agencies </a> , seen as a breakthrough in collecting evidence from encrypted devices. But <a href="https://www.reuters.com/article/us-apple-iphone-cracking/apple-to-undercut-popular-law-enforcement-tool-for-cracking-iphones-idUSKBN1J92ZY?feedType=RSS&feedName=topNews&utm_source=twitter&utm_medium=Social" > according to a new Reuters report </a> , Apple is planning to release a new feature to iOS that would make those devices useless in the majority of cases, potentially sparking a return to the encryption standoff between law enforcement and device manufacturers. Under the new feature, iPhones will cut off all communication through the USB port if they have not been unlocked in the past hour. Once the hour expires, the USB port can only be used to charge the device. The result will give police an extremely short window of time to deploy GrayKey devices successfully. According to <a href="https://blog.malwarebytes.com/security-world/2018/03/graykey-iphone-unlocker-poses-serious-security-concerns/" > a Malwarebytes report </a> published in March, GrayKey works by installing some kind of low-level software through the iPhone's Lightning port. 
After plugging into the GrayKey device briefly, the target iPhone will continue to run the GrayKey software on its own, displaying the device's passcode on-screen between two hours and three days after the software was installed. While politically sensitive, the change will close off an entire class of attacks through the iPhone's Lightning port, including attacks that copy GrayKey's techniques. Apple described the change as a general security update rather than a response to law enforcement specifically. <a href="">top </a> </p> <p> <a name="GoogleAdds"> </a> <strong> <a href="https://www.insidehighered.com/quicktakes/2018/06/13/google-adds-federal-data-college-searches?utm_source=Inside+Higher+Ed&utm_campaign=450d1e6802-DNU_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-450d1e6802-197618481&mc_cid=450d1e6802&mc_eid=012fe6c04c" > Google adds federal data to college searches </a> </strong> (Inside Higher Ed, 13 June 2018) - Search for a four-year college on Google, and you'll now be presented with data on admission rates, graduation rates and tuition costs, in addition to the usual link to Wikipedia. Google said the addition of more information to college search results would make it easier for prospective students to choose the right institution for them. Writing in <a href="https://www.blog.google/products/search/college-search-google/" target="_blank" > a blog post </a> Tuesday, Jacob Schonberg, product manager for Google, said the process for finding information on colleges is "confusing" and that it is "not always clear what factors to consider and which pieces of information will be most useful for your decision." Schonberg said Google used data from the U.S. Department of Education's College Scorecard and Integrated Postsecondary Education Data System (IPEDS). 
Though IPEDS is one of the most comprehensive sources of data on four-year colleges, its numbers are often <a href="https://www.insidehighered.com/news/2014/09/26/ipeds-survey-misses-thousands-online-students-often-counts-too-many" target="_blank" > criticized </a> for not being representative of student populations, particularly at open-access colleges, as IPEDS data tend to reflect only first-time, full-time students. In addition to data from IPEDS, Google has introduced new college-search features such as lists of notable alumni and suggestions for "similar colleges." <a href="">top </a> </p> <p> <a name="HowFirefox"> </a> <strong> <a href="https://www.theverge.com/2018/6/13/17446660/mozilla-firefox-pocket-recommendations-ceo-nate-weiner-interview-converge-podcast" > How Firefox is using Pocket to try to build a better news feed than Facebook </a> </strong> (The Verge, 13 June 2018) - On this week's episode of <a href="https://go.redirectingat.com/?id=66960X1514734&xs=1&url=https%3A%2F%2Fitunes.apple.com%2Fus%2Fpodcast%2Fconverge-with-casey-newton%2Fid1385113107%3Fmt%3D2" > <em>Converge </em> </a> , <a href="http://www.getpocket.com/">Pocket </a> founder and CEO Nate Weiner tells us why he sold his company to Mozilla, and how he's working to build a better version of Facebook's News Feed into the Firefox browser. Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, Weiner believes the company can show people the best of the web - in a personalized way - without building an all-knowing, Facebook-style profile of the user. "We're testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla," Weiner said. 
"It all happens on the client, inside the browser itself. There is this notion today... I feel like you saw it in the Zuckerberg hearings. It was like, 'Oh, users. They will give us their data in return for a better experience.' That's the premise, right? And yes, you could do that. But we don't feel like that is the required premise. There are ways to build these things where you don't have to trade your life profile in order to actually get a good experience." Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy. In a world where trust in social feeds has begun to collapse, Pocket offers a low-key but powerful alternative. And as Mozilla has integrated it deeper into Firefox, Pocket has become a significant source of traffic for some publishers, <em>The Verge </em> included. [ <strong>Polley </strong>: I love Pocket.] <a href="">top </a> </p> <p> <a name="FreeMOOCs"> </a> <strong> <a href="https://www.insidehighered.com/news/2018/06/14/edx-introduces-support-fee-free-online-courses?utm_source=Inside+Higher+Ed&utm_campaign=365ebc9b26-DNU_COPY_01&utm_medium=email&utm_term=0_1fcbc04421-365ebc9b26-197618481&mc_cid=365ebc9b26&mc_eid=012fe6c04c" > Free MOOCs face the music </a> </strong> (Inside Higher Ed, 14 June 2018) - Massive open online courses got a little less open with edX's recent announcement that it is introducing support fees for some of its MOOCs. Midway through an <a href="https://blog.edx.org/furthering-the-edx-mission?track=blog" target="_blank" > innocuous-looking blog post </a> , Anant Agarwal, CEO of edX, said the nonprofit would be "moving away from our current model of offering virtually everything for free." 
On May 3, edX began testing the introduction of a "modest support fee" that will "enable edX and partners to continue to invest in our global learning platform." Adam Medros, edX COO and president, said in an interview that the support fee was just one option being explored to ensure the long-term sustainability of the MOOC provider. Previously edX users were able to take most of its courses at no cost, an option that edX calls "auditing" a course. Those who want a certificate to show they have completed a course typically pay between $50 and $300. Some options, such as edX's <a href="https://www.edx.org/micromasters" target="_blank"> MicroMasters programs </a> , cost over $1,000. Now some users will be asked to pay a support fee, "from $9 up to some portion of the certification cost," said Medros. The price of the support fee "will be aligned to the value and experience" that a course gives to a learner, said Medros, suggesting that the best courses will also be the most expensive. By introducing a support fee, Medros said, there is a possibility that completion rates may go up. "There is a lot of evidence showing that having some 'skin in the game' is beneficial in online learning," said Medros. Medros did not say how many courses the support fee would be applied to, but he said it was edX's intention that "some portion" of its content "will always be free." He said edX had not decided which content will remain free and what proportion of the total catalog it will represent. <a href="">top </a> </p> <p> <a name="BewareOfBuying"> </a> <strong> <a href="https://myshingle.com/2018/06/articles/ethics-malpractice-issues/beware-of-buying-a-competitors-name-to-market-your-law-practice/" > Beware of buying a competitor's name to market your law practice </a> </strong> (MyShingle.com, 14 June 2018) - Can lawyers use a competitor's name as a keyword to market their own law practice? 
Although Google allows law firms to purchase competitors' names as keywords, at least two states - <a href="https://myshingle.com/2015/04/articles/ethics-malpractice-issues/lawyers-can-use-competitors-names-to-advertisebut-should-they/" > North Carolina </a> and <a href="http://media.mcguirewoods.com/publications/Ethics-Programs/9723312.pdf" > South Carolina </a> - forbid this practice, finding it inherently deceptive. By contrast, <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2594435"> Florida </a> and <a href="http://www.abajournal.com/magazine/article/search_engine_marketing_legal_ethics" > Texas </a> allow lawyers to use keywords to advertise, with the caveat that the ads must be designed so as not to trick consumers into thinking they are going to one firm's website when they are instead led to another. But the bar regulations don't much matter because, increasingly, law firms whose names have been appropriated are suing competitors and winning. As the <a href="https://www.law.com/dailyreportonline/2018/06/08/marketing-firm-that-misappropriated-law-firm-names-enjoined-in-3-states/" > Daily Report Online </a> reports, a Georgia court recently enjoined a Texas marketing firm called ELM from running ads for a law firm that used a rival firm's trade name to draw traffic to the advertising firm's site. Further compounding the confusion, the marketing company used photos of the rival firm's site as background for the ads and included phone numbers to call centers where operators were instructed to use a generic greeting so that callers would believe that they had reached the rival firm's answering service. 
<a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033"> Encryption Workarounds </a> </strong> (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract <em> : The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target's data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. 
</em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.informationweek.com/cia-monitors-youtube-for-intelligence/d/d-id/1064289?piddl_msgorder=asc" > CIA monitors YouTube for intelligence </a> </strong> (Information Week, 6 Feb 2008) - In keeping with its mandate to gather intelligence, the CIA is watching YouTube. U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media. "We're looking at YouTube, which carries some unique and honest-to-goodness intelligence," said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees' Association last October. "We're looking at chat rooms and things that didn't exist five years ago, and trying to stay ahead. We have groups looking at what they call 'Citizens Media': people taking pictures with their cell phones and posting them on the Internet." In November 2005, the OSC subsumed the CIA's Foreign Broadcast Information Service, which housed the agency's foreign media analysts. The OSC is responsible for collecting and analyzing public information, including Internet content. Steven Aftergood, director of the Federation of American Scientists project on government secrecy, posted a transcript of Naquin's remarks on his blog. "I found the speech interesting and thoughtful," he said in an e-mail. "I would not have thought of YouTube as an obvious source of intelligence, but I think it's a good sign that the Open Source Center is looking at it, and at other new media." <a href="">top </a> </p> <p> <strong> <a href="http://abcnews.go.com/Technology/story?id=4610457&page=1"> Google, UN unveil project to map movement of refugees </a> </strong> (SiliconValley.com, 8 April 2008) - Internet search giant Google Inc. 
unveiled a new feature Tuesday for its popular mapping programs that shines a spotlight on the movement of refugees around the world. The maps will aid humanitarian operations as well as help inform the public about the millions who have fled their homes because of violence or hardship, according to the office of the U.N. High Commissioner for Refugees, which is working with Google on the project. "All of the things that we do for refugees in the refugee camps around the world will become more visible," U.N. Deputy High Commissioner for Refugees L. Craig Johnstone said at the launch in Geneva. Users can download Google Earth software to see satellite images of refugee hot spots such as Darfur, Iraq and Colombia. Information provided by the U.N. refugee agency explains where the refugees have come from and what problems they face. Google says more than 350 million people have already downloaded Google Earth. The software was launched three years ago and originally intended for highly realistic video games, but its use by rescuers during Hurricane Katrina led the company to reach out to governments and nonprofit organizations. 
<a href="#TOP">top </a> </p> <p> Posted 26 May 2018 by Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 6-26 May 2018 (v21.07) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_6_26_may_2018_v2107/" > permalink </a> </p> <p> <a href="#ANNOUNCEMENTS">ANNOUNCEMENTS </a> | <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> </p> <p> Take a look at the new <em> <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=280127783" > ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals </a> </em> (2nd Edition). Published in November, it's already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about "reasonable" security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. 
Learn more here: ambar.org/cyber </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href="#WorkingGroup"> Working group releases draft protocol on cybersecurity in international arbitration </a> </li> <li> <a href="#CorporateAmerica"> Corporate America takes action as awareness of risk to key assets grows </a> </li> <li> <a href="#WashingtonUtility"> Washington utility boosts security after Bitcoin mining moratorium </a> </li> <li> <a href="#TheRoleOfNorms"> The role of norms in internet security: Reputation and its limits </a> </li> <li> <a href="#LawFirmData">Law firm data is catnip for hackers </a> </li> <li> <a href="#ImportantFourth"> Important Fourth Circuit ruling on cell phone border searches </a> </li> <li> <a href="#EleventhCircuit"> Eleventh Circuit creates circuit split on cell phone border searches </a> </li> <li> <a href="#SECnotLooking"> SEC not looking to file many cybersecurity cases, official says </a> </li> <li> <a href="#AlexaAndSiri"> Alexa and Siri can hear this hidden command. You can't. </a> </li> <li> <a href="#IBMbansAll"> IBM bans all removable storage, for all staff, everywhere </a> </li> <li> <a href="#TheSantaClara"> The Santa Clara Principles on transparency and accountability in content moderation </a> </li> <li> <a href="#InsustryInsight"> Industry insight: Collaboration tools might be the next great security risk </a> </li> <li> <a href="#TwentyYears">20 years of the Laws of Cyberspace </a> </li> <li> <a href="#DoAttorneysNeed"> Do attorneys need mandatory technology CLEs? N.C. 
Bar says yes </a> </li> <li> <a href="#PlayDoh">Play-Doh smell trademarked </a> </li> <li> <a href="#TheWaybackMachine"> The Wayback Machine is deleting evidence of malware sold to stalkers </a> </li> <li> <a href="#PrivacyPolicy">Privacy Policy </a> </li> <li> <a href="#TakeAlook"> Take a look at your Twitter timeline 10 years ago </a> </li> <li> <a href="#ThanksToGoogle"> Thanks to Google, you can now view Frida Kahlo's artwork from the comfort of your home </a> </li> </ul> <p> <a name="WorkingGroup"> </a> <strong> <a href="http://www.nycbar.org/media-listing/media/detail/working-group-releases-draft-protocol-on-cybersecurity-in-international-arbitration" > Working group releases draft protocol on cybersecurity in international arbitration </a> </strong> (NY City Bar, 16 April 2018) - Stating that "[i]nternational arbitration in the digital landscape warrants consideration of what constitutes reasonable cybersecurity measures to protect the information exchanged during the process," a Working Group on Cybersecurity has released a <a href="http://bit.ly/2J1bLBb" target="_blank"> Draft Cybersecurity Protocol </a> for International Arbitration. The Working Group, consisting of the International Council for Commercial Arbitration (ICCA), the International Institute for Conflict Prevention & Resolution (CPR), and the New York City Bar Association, presented the Draft Protocol at the ICCA Congress in Sydney, Australia, on April 15, local time. "International arbitration is not uniquely vulnerable to cyber breaches, but the stakes are often quite high," said Mark Morril, an independent arbitrator who represents the New York City Bar Association along with independent arbitrator Stephanie Cohen and Lea Haber Kuck of Skadden Arps Slate Meagher & Flom LLP. "Like any sector that involves high value data, international transmissions and multiple actors, it will require strong security going forward." * * * Ms. 
Cohen noted that the Protocol purposefully avoids specific cybersecurity recommendations. She said, "We considered but unanimously rejected the 'one size fits all approach.' The Protocol guides parties and arbitrators through a risk-based approach to determine reasonable cybersecurity measures that fit each individual matter." [ <strong>Polley </strong>: <em>see also, </em> <strong> <a href="https://www.transnational-dispute-management.com/news.asp?key=1707" > TDM Call for Papers: Special Issue on Cybersecurity in International Arbitration </a> </strong> (TDM 18 May 2018); spotted by MIRLN reader Phil Ray - @philray66] <a href="#TOP">top </a> </p> <p> <a name="CorporateAmerica"> </a> <strong> <a href="https://www.kilpatricktownsend.com/en/Insights/News/News-Release/2018/4/The-Second-Annual-Study-on-the-Cybersecurity-Risk-to-Knowledge-Assets" > Corporate America takes action as awareness of risk to key assets grows </a> </strong> (Kilpatrick Townsend, 24 April 2018) - Continuing to respond to the ever-increasing targeted attacks on organizations' most vital confidential information - their "knowledge assets" - Kilpatrick Townsend & Stockton and the Ponemon Institute released today their findings from <em> <a href="http://www.kilpatricktownsend.com/en/Insights/Publications/2018/4/2018-Ponemon-Survey" > The Second Annual Study on the Cybersecurity Risk to Knowledge Assets </a> </em> . The first study, <em> <a href="http://www.kilpatricktownsend.com/en/Insights/News/News-Release/2016/7/DATA-THEFT-CORPORATE-AMERICAS-KEY-ASSETS-AT-RISK" > Cybersecurity Risk to Knowledge Assets </a> </em> , was released in July 2016. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="WashingtonUtility"> </a> <strong> <a href="http://www.govtech.com/public-safety/Washington-Utility-Boosts-Security-After-Bitcoin-Mining-Moratorium.html" > Washington utility boosts security after Bitcoin mining moratorium </a> </strong> (GT Magazine, 3 May 2018) - Bitcoin belligerence is on the rise, according to Chelan County PUD staff reports, prompting a boost in employee safety and security measures that include bulletproof panels and security cameras at PUD headquarters. The reported bad behavior stems from two cryptocurrency-related groups - unauthorized miners whose power has been disconnected and high-density load service applicants denied because of the current moratorium. "PUD employees in the field and those in the office who are handling issues related to high-density load service have encountered an increasing number of upset customers and potential customers," said PUD spokeswoman Kimberlee Craig. "In some cases people can get agitated and argumentative. Our goal always is to provide excellent customer service, as well as to keep customers, the public and employees safe, especially when emotions may be running high." None of the incidents have escalated to the point of calling law enforcement, she said. "The volume of requests and the sense of urgency by applicants has changed the dynamics of the interaction by staff with the cryptocurrency customers," she said. As a result, staff is taking some proactive steps, which PUD Security Director Rich Hyatt outlined for commissioners on Monday. The increase in tension follows steps taken to put the brakes on blockchain operations that use specialized computer equipment and require a large amount of electricity, running continuously, which can put a strain on the system. 
The PUD commissioners in March declared an emergency moratorium on new high-density load hookups to give staff time to develop a plan for dealing with the demand for electricity from digital currency miners. The demand spiked when Bitcoin values topped $19,000 last fall. It's now down to about $7,000, but still up from $500 in 2013. Staff also reported concerns about unauthorized bitcoin operators overloading the system, creating fire hazards and damaging power grid infrastructure. [ <strong>Polley </strong>: Remember 15 years ago or so when some employees were punished for unauthorized use of computer power (via screensavers like SETI@home) to solve computer problems for others (like folding proteins)? Some of these bitcoin apps sound like that, on steroids. <em>See also, </em> <strong> <a href="https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/" > Cryptojacking campaign exploits Drupal bug, over 400 websites attacked </a> </strong> (Threat Post, 7 May 2018)] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="TheRoleOfNorms"> </a> <strong> <a href="https://www.lawfareblog.com/role-norms-internet-security-reputation-and-its-limits" > The role of norms in internet security: Reputation and its limits </a> </strong> (Lawfare, 8 May 2018) - Who maintains the security and stability of the internet-and how do they do it? It's a simple question, but a difficult one to answer. Internet security, writ large, comprises a diverse set of social and technical tools and an equally diverse set of industry norms around mitigating and remediating abusive behavior. Those tools are developed and used by what I term operational security communities-groups of individuals, largely unaffiliated with governments, that do the day-to-day work of maintaining the security and stability of the internet. 
What these communities actually do, and the scope and nature of the challenges that they face, is often poorly understood, even among sophisticated state actors. But one of the key mechanisms on which operational security communities rely is a surprisingly familiar one: reputation. * * * [ <strong>Polley </strong>: Interesting. I've been involved with some international norms-development activities in the cyber-warfare arena, and the process is glacial.] <a href="#TOP">top </a> </p> <p> <a name="LawFirmData"> </a> <strong> <a href="https://securityboulevard.com/2018/05/law-firm-data-is-catnip-for-hackers/" > Law firm data is catnip for hackers </a> </strong> (Security Boulevard, 8 May 2018) - Dig into a law firm, and you'll find secrets. Sometimes these secrets are mundane, like who's getting divorced, or who's getting cut out of the will. Sometimes, however, these secrets can shake nations and economies. Huge companies are merging and getting acquired, national leaders are hiding graft in numbered accounts, and you might find all those secrets within the server at a nondescript law firm - which might possibly be the most unsafe place to hide it. Law firms may be extremely discreet when protecting their clients' identities from judges, the media, and other lawyers, but their track record is less than stellar when it comes to the digital realm. Those who've heard of the firm Mossack Fonseca or the Panama Papers (a 2TB data leak that exposed how the wealthy avoid paying taxes) may know that the firm in question was: (1) running a version of WordPress that was 2 years out of date; (2) running a version of Drupal that was three years out of date; (3) running its web server on the same network as its mail server; (4) running its web server without a firewall; (5) running an out-of-date plugin known as "Revolution Slider," which contained a file upload vulnerability that had been documented since 2014. 
This multitude of sins collectively led to a scandal that, among other things, brought down the Icelandic Prime Minister. What's more troubling, however, is that Mossack Fonseca wasn't a standout among law firms. Many if not most law firms have an equally bad security posture. [ <em>see </em> <a href="#ANNOUNCEMENTS">ANNOUNCEMENTS </a>, above.] <a href="#TOP">top </a> </p> <p> <a name="ImportantFourth"> </a> <strong> <a href="https://reason.com/volokh/2018/05/09/important-fourth-circuit-ruling-on-cell" > Important Fourth Circuit ruling on cell phone border searches </a> </strong> (Orin Kerr on Volokh Conspiracy, 9 May 2018) - The Fourth Circuit handed down a significant ruling today in <em> <a href="http://www.ca4.uscourts.gov/opinions/164687.P.pdf"> United States v. Kolsuz </a> </em> on how the Fourth Amendment applies to searches of cell phones seized at the border. Although the court ultimately affirmed the conviction based on the good-faith exception, the court also introduced a new and significant limit on border searches. Judge Pamela Harris penned the majority opinion, and Judge Wilkinson added a concurrence. There's a lot going on in the opinion, and it merits a close read, but I'll try to offer some highlights and commentary here. * * * [ <strong>Polley </strong>: Orin Kerr is <em>THE </em> expert on this area of the law in the US; his article is thorough, and interesting. 
<em>See also, </em> <strong> <a href="https://www.eff.org/deeplinks/2018/05/fourth-circuit-rules-suspicionless-forensic-searches-electronic-devices-border-are" > Fourth Circuit rules that suspicionless forensic searches of electronic devices at the border are unconstitutional </a> </strong> (EFF, 9 May 2018)] <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="EleventhCircuit"> </a> <strong> <a href="https://reason.com/volokh/2018/05/23/eleventh-circuit-creates-circuit-split-o" > Eleventh Circuit creates circuit split on cell phone border searches </a> </strong> (Orin Kerr on Volokh Conspiracy, 23 May 2018) - The Eleventh Circuit has handed down an important new ruling on cell phone searches at the border, <em> <a href="http://media.ca11.uscourts.gov/opinions/pub/files/201711561.pdf" > United States v. Touset </a> </em> . In an opinion by Judge William Pryor, the court disagrees with the Fourth Circuit and Ninth Circuit caselaw requiring suspicion to conduct a forensic search at the border. The basic issue in these cases is this: When the government seizes a computer or cell phone at the border, and they want to search it using forensic equipment, do they need some sort of suspicion that evidence or contraband is on the device? Or does the traditional border search exception (which ordinarily permits searches of property crossing the border without suspicion) apply? Regular readers of this blog have heard a lot about this question over the years. Just two weeks ago, I posted on the Fourth Circuit's May 9th ruling in <em> <a href="https://reason.com/volokh/2018/05/09/important-fourth-circuit-ruling-on-cell" > United States v. Kolsuz </a> </em> , by Judge Pamela Harris, which required some kind of suspicion to conduct such a search. 
And I've <a href="http://volokh.com/2013/03/08/en-banc-ninth-circuit-holds-that-computer-forensic-searches-are-like-virtual-strip-searches-and-require-reasonable-suspicion-at-the-border/" > blogged extensively </a> about the Ninth Circuit's en banc ruling from 2013 in <em> <a href="http://cdn.ca9.uscourts.gov/datastore/opinions/2013/03/08/09-10139.pdf" > United States v. Cotterman </a> </em> , authored by Judge Margaret McKeown, which required reasonable suspicion for forensic searches at the border. The new Eleventh Circuit decision disagrees with <em>Kolsuz </em> and <em>Cotterman </em>, arguing that no suspicion should be required for a forensic border search. * * * <a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> </strong> </p> <p> <a name="SECnotLooking"> </a> <strong> <a href="https://www.bna.com/sec-not-looking-n73014475067/"> SEC not looking to file many cybersecurity cases, official says </a> </strong> (BNA, 9 May 2018) - The SEC isn't planning to make cybersecurity cases part of the "bread and butter" of its enforcement activity, despite its multimillion-dollar penalty against the former Yahoo! Inc. in a first-of-its-kind case in the space, a senior Securities and Exchange Commission official said May 9. The remarks by SEC Cyber Unit Chief Robert Cohen at an enforcement conference in New York came after Yahoo successor Altaba Inc. reached a $35 million settlement with the agency in April to resolve claims that it delayed telling investors about a massive data breach. Cohen didn't rule out more SEC cases like the one against Yahoo. But, he said, the commission looks to bring cybersecurity cases in which the "facts are particularly bad and when the conduct really violates the statute very clearly." Insider trading, market manipulation, and accounting fraud are the kinds of matters that will continue to populate a majority of the SEC's case roster, Cohen said. 
"We're not looking to bring dozens and dozens of cybersecurity cases every year," he said at the conference organized by the Practising Law Institute. The agency in February issued new <a href="https://www.sec.gov/rules/interp/2018/33-10459.pdf">guidance </a> on how to inform investors about cyber threats and breaches. The document stressed that companies should have procedures to notify company leaders and shareholders about cyberattacks. The SEC, however, doesn't seek to "second-guess good-faith, reasonable decisions" on cybersecurity disclosure, Cohen said, echoing similar comments from other SEC officials. <a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> </strong> </p> <p> <a name="AlexaAndSiri"> </a> <strong> <a href="https://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html?smprod=nytcore-ipad&smid=nytcore-ipad-share" > Alexa and Siri can hear this hidden command. You can't. </a> </strong> (NYT, 10 May 2018) - Many people have grown accustomed to talking to their smart devices, asking them to read a text, play a song or set an alarm. But someone else might be secretly talking to them, too. Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to <a href="https://www.forbes.com/sites/aarontilley/2017/02/16/amazon-alexa-can-now-unlock-your-front-door" target="_blank" > unlock doors </a> , <a href="https://www.youtube.com/watch?v=Jwb4kdDk2wg" target="_blank"> wire money </a> or buy stuff online - simply with music playing over the radio. 
A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website. This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon's Echo speaker might hear an instruction to add something to your shopping list. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="IBMbansAll"> </a> <strong> <a href="https://www.theregister.co.uk/AMP/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/" > IBM bans all removable storage, for all staff, everywhere </a> </strong> (The Register, 10 May 2018) - IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company "is expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g.,: USB, SD card, flash drive)." The advisory stated some pockets of IBM have had this policy for a while, but "over the next few weeks we are implementing this policy worldwide." Big Blue's doing this because "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." IBMers are advised to use Big Blue's preferred sync 'n' share service to move data around. But the advisory also admitted that the move may be "disruptive for some." She's not wrong: <em>The Register </em> understands that frontline IBM staff sometimes need to download patches so they can be installed on devices they manage for clients and that bootable USB drives are one means of installing those patches. 
Indeed, IBM offers <a href="https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liabw/liabwp9qsg_8335.htm" target="_blank" > advice </a> on how to install Linux on its own POWER 9 servers using a USB key. <a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> </strong> </p> <p> <a name="TheSantaClara"> </a> <strong> <a href="https://www.benton.org/headlines/santa-clara-principles-transparency-and-accountability-content-moderation" > The Santa Clara Principles on transparency and accountability in content moderation </a> </strong> (Benton Foundation, 10 May 2018) - The Santa Clara Principles offer guidance to internet platforms on how to provide users with meaningful due process when their posts are taken down or their accounts are suspended, and to help ensure that the enforcement of company content guidelines is fair, unbiased, and respectful of users' free expression rights. The three principles urge companies to: (a) <strong>Publish the numbers of posts removed </strong> and accounts permanently or temporarily suspended due to violations of their content guidelines; (b) <strong> Provide clear notice to all users about what types of content are prohibited </strong> , and clear notice to each affected user about the reason for the removal of their content or the suspension of their account; and (c) <strong>Enable users to engage in a meaningful and timely appeals </strong> process for any content removals or account suspensions. 
<a href="#TOP">top </a> </p> <p> <a name="InsustryInsight"> </a> <strong> <a href="https://www.pcmag.com/article/360965/industry-insight-collaboration-tools-the-next-great-securi" > Industry insight: Collaboration tools might be the next great security risk </a> </strong> (PC Magazine, 14 May 2018) - Collaboration tools have become hugely popular with all kinds of businesses because they enable strategies like virtual teams and keep employees working tightly together no matter how far apart they might be physically. But whether it's a workflow-based utility such as Asana or a chat-oriented app such as Slack, these tools have also created new opportunities for cybercriminals looking to access your company's most vital information. Bad actors can infiltrate your collaboration software through application programming interfaces (APIs) or through accidental authorizations that leak private information outside of your organization. In other words, even if they're being hosted elsewhere, your collaboration tools might still be putting a huge security hole in your network. Greg Arnette is the Director of Data Protection Platform Strategy at Campbell, Calif.-based Barracuda Networks, a security, networking, and storage products provider. We recently sat down with Arnette to discuss the sort of attacks that could happen via collaboration services and how businesses can protect themselves. 
<a href="#TOP">top </a> </p> <p> <a name="TwentyYears"> </a> <strong> <a href="https://today.law.harvard.edu/20-years-laws-cyberspace/"> 20 years of the Laws of Cyberspace </a> </strong> (Harvard, 16 May 2018) - It's been two decades since Harvard Law School Professor <a href="https://hls.harvard.edu/faculty/directory/10519/Lessig"> Lawrence Lessig </a> published <a href="https://cyber.harvard.edu/works/lessig/laws_cyberspace.pdf"> "The Laws Of Cyberspace," </a> which, in the words of Professor Jonathan Zittrain, "imposed some structure over the creative chaos of what maybe was a field that we'd call cyberlaw." Lessig's groundbreaking paper describes four types of constraints that together regulate behavior - law, social norms, the market, and architecture - and argues that due to its special architecture, cyberspace is different from "real" space and thus subject to new possibilities for control by governments and other centers of power. "The world we are entering is not a world where freedom is assured," Lessig wrote in 1998, but instead, "has the potential to be the most fully, and extensively, regulated space in our history." On April 16, the Berkman Klein Center for Internet & Society hosted <a href="https://cyber.harvard.edu/events/2018/04/Lessig"> a special event </a> commemorating the 20th anniversary of the publication of "The Laws of Cyberspace," with Lessig, Harvard Law School Professors <a href="https://hls.harvard.edu/faculty/directory/11409/Okediji"> Ruth Okediji </a> and <a href="https://hls.harvard.edu/faculty/directory/10992/Zittrain"> Jonathan Zittrain </a> , and Dr. <a href="https://www.american.edu/soc/faculty/denardis.cfm"> Laura DeNardis </a> of American University. The panelists reflected on the paper, and where the field of cyberlaw has taken us over the last two decades, and they considered how some of the concerns raised in 1998 might apply today. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="DoAttorneysNeed"> </a> <strong> <a href="https://biglawbusiness.com/do-attorneys-need-mandatory-technology-cles-n-c-bar-says-yes/" > Do attorneys need mandatory technology CLEs? N.C. Bar says yes </a> </strong> (Bloomberg, 21 May 2018) - Lawyers need technological expertise, whether to protect a client's sensitive information, apply a data analytics tool during discovery, or simply to be adept at using a word processing program. But though lawyers are ethically bound to understand the technology they use to practice, only one state requires continuing legal education on technology. A new proposal would make North Carolina the second. The North Carolina State Bar later this year will ask the state's high court to approve an <a href="https://www.ncbar.gov/for-lawyers/ethics/proposed-amendments-to-the-rules-of-professional-conduct/" > amendment </a> that would require attorneys to complete a one-hour class devoted to technology training, as part of their 12-hour annual CLE requirements. North Carolina would join Florida in requiring technology CLE credits. The Florida Supreme Court in 2016 amended the rules regulating the state bar to require that lawyers obtain three hours of technology CLE credits every three years, of the 33-hour total. The new CLE requirement is a step towards encouraging attorneys to stay current with technological advancements, academics told Bloomberg Law. "The change sends an important message: that lawyers need to understand how technology is affecting the delivery of legal services," Andrew M. Perlman, dean of Suffolk University School of Law in Boston, told Bloomberg Law. Perlman is also chair of the American Bar Association's Center for Innovation. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> </strong> </p> <p> <a name="PlayDoh"> </a> <strong> <a href="http://loweringthebar.net/2018/05/play-doh-smell-trademarked.html" > Play-Doh smell trademarked </a> </strong> <strong> </strong> (Lowering the Bar, 21 May 2018) - Bad news for those of you who currently emit a sweet, slightly musky, vanilla fragrance, with slight overtones of cherry, combined with the smell of a salted, wheat-based dough. You need to stop doing that immediately, because that particular <a href="https://tmog.uspto.gov/#/issueDate=2018-05-15&serialNumber=87335817" > smell has just been trademarked by the Hasbro Corporation </a> . Hasbro <a href="http://newsroom.hasbro.com/news-releases/news-release-details/hasbro-trademarks-favorite-smell-childhood-play-doh-scent" > announced on Friday </a> that the trademark it claimed for the "iconic" Play-Doh scent had been officially recognized by the U.S. Patent and Trademark Office. That makes it one of <a href="http://www.jetlaw.org/2017/03/20/the-nose-knows-the-powerful-potential-of-scent-trademarks/" > only about a dozen scent trademarks </a> that the PTO has recognized to date, <a href="http://mentalfloss.com/article/69760/10-scent-trademarks-currently-recognized-us-patent-office" > including </a> Verizon's "flowery musk" store scent, the bubble-gum smell of Grendene jelly sandals, and the scent of strawberries with which Lactona toothbrushes are "impregnated." Why so few trademarks, when there are so many smells? Well, <a href="http://www.ipwatchdog.com/2017/12/21/scent-trademarks-complexities/id=91071/" > it isn't easy </a> to trademark a smell, and the concept itself is a little controversial. The main problem seems to be the requirement that a trademarked feature be "nonfunctional," designed to keep trademarks from limiting competition too much and probably also to keep them from overlapping with patents. 
This, ironically, means that the smell of a <em>perfume </em> cannot be trademarked, because the PTO considers that to be its function. It is possible to patent a scent <em>molecule </em>, as we have discussed here before. <em>See </em>"' <a href="https://loweringthebar.net/2017/10/pretty-sure-stank-is-patented.html" > Pretty Sure Stank Is Patented,' Lawyer Claims-But It's Complicated </a> ," <em>Lowering the Bar </em> (Oct. 18, 2017). But that too is rare. <a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> </strong> </p> <p> <a name="TheWaybackMachine"> </a> <strong> <a href="https://motherboard.vice.com/en_us/article/nekzzq/wayback-machine-deleting-evidence-flexispy" > The Wayback Machine is deleting evidence of malware sold to stalkers </a> </strong> (Motherboard, 22 May 2018) - The Internet Archive's goal, according to its website, is "universal access to all knowledge." As part of that mission, the non-profit runs <a href="https://archive.org/web/" target="_blank">the Wayback Machine </a>, an online tool that anyone can use to digitally preserve a snapshot of a website. It provides an important public service, in that if a company tries to quietly change its policy, or perhaps a government tries to scrub a position from its website, the Wayback Machine can provide robust proof of the switch. But the Internet Archive has been purging its banks of content related to a company which marketed powerful malware for <a href="https://motherboard.vice.com/en_us/article/53vm7n/inside-stalkerware-surveillance-market-flexispy-retina-x" target="_blank" > abusive partners to spy on their spouses </a> . The news highlights <a href="https://motherboard.vice.com/en_us/article/7xdn8y/joy-reid-and-the-weaponization-of-internet-archives" target="_blank" > the broader issue </a> of the fragility of online archives, including those preserving information in the public interest. 
"Journalists and human rights defenders often rely on archiving services such as the Wayback Machine as tools to preserve evidence that might be key to demand accountability," Claudio Guarnieri, a technologist at human rights charity Amnesty International, told Motherboard in an online chat. The company in question is FlexiSpy, <a href="https://motherboard.vice.com/en_us/article/aemeae/meet-flexispy-the-company-getting-rich-selling-stalkerware-to-jealous-lovers" target="_blank" > a Thailand-based firm </a> which offers desktop and mobile malware. The spyware can intercept phone calls, remotely turn on a device's microphone and camera, steal emails and social media messages, as well as track a target's GPS location. Previously, pages from FlexiSpy's website saved to the Wayback Machine showed a customer survey, with over 50 percent of respondents saying they were interested in a spy phone product because they believe their partner may be cheating. That particular graphic was mentioned in <a href="https://www.nytimes.com/2018/05/19/technology/phone-apps-stalking.html" target="_blank" > a recent <em>New York Times </em>piece </a> on the consumer spyware market. In another example, a Wayback Machine archive of FlexiSpy's homepage showed one of the company's catchphrases: "Many spouses cheat. They all use cell phones. Their cell phone will tell you what they won't." Now, those pages are no longer on the Wayback Machine. Instead, when trying to view seemingly any page from FlexiSpy's domain on the archiving service, the page reads "This URL has been excluded from the Wayback Machine." (After Motherboard <a href="https://motherboard.vice.com/en_us/topic/when-spies-come-home" target="_blank" > published a series of articles </a> about the consumer spyware market, FlexiSpy purged its own website of content relating to illegal spying on spouses.) 
<a href="#TOP">top </a> </p> <p> <a name="PrivacyPolicy"> </a> <strong> <a href="https://writershq.co.uk/privacy-policy/">Privacy Policy </a> </strong> (Writers HQ, 23 May 2018) - " <em> Wow has anyone ever read one of these? We have to have one of these dealios to explain how we comply with the GDPR (General Data Protection Regulation), the DPA (Data Protection Act) and the PECR (Privacy and Electronic Communications Regulations) because God knows there's not enough actual interesting things in the world to read, you need to read 1,000 words of legalese nonsense that makes literally not one bit of difference to anyone, ever. Also we don't really know what these things are. We're just two under-heighted writers who thought we'd have a laugh and get other people writing with us. The best bit about the GDPR is that all this has to be "concise, transparent, intelligible and easily accessible" so hold on to your hats, motherf*&^ers, this is going to be the shortest, clearest and best freakin' privacy policy you ever did see. So. Here we go… </em> " * * * [ <strong>Polley </strong>: Hilarious. And possibly compliant.] <a href="#TOP">top </a> </p> <p> <a name="TakeAlook"> </a> <strong> <a href="https://techcrunch.com/2018/05/24/take-a-look-at-your-twitter-timeline-10-years-ago/" > Take a look at your Twitter timeline 10 years ago </a> </strong> (TechCrunch, 25 May 2018) - Here's a fun thing for a Friday: go back and see what your Twitter timeline looked like 10 years ago. Twitter has pretty powerful search settings, but <a href="https://waxy.org/">Andy Baio </a> - of Kickstarter fame and more - did the heavy-lifting for us all by sharing a link that lets you look at your timeline exactly a decade ago, assuming you followed the same people. <a href="https://twitter.com/waxpancake/status/999699093277442048"> Try it here </a> . 
(The search will work even if you didn't have an account 10 years ago.) <a href="#TOP">top </a> </p> <p> <a name="ThanksToGoogle"> </a> <strong> <a href="https://mashable.com/2018/05/25/frida-kahlo-google-exhibit/?utm_campaign=Mash-Prod-RSS-Feedburner-All-Partial&utm_cid=Mash-Prod-RSS-Feedburner-All-Partial&utm_source=feedly&utm_medium=webfeeds#_XL4ttGQaqqp" > Thanks to Google, you can now view Frida Kahlo's artwork from the comfort of your home </a> </strong> (Mashable, 25 May 2018) - There's nothing quite like going to a museum to view a retrospective of a renowned artist. But for those who cannot do so, Google's offered up a neat solution. The Arts & Culture arm of the tech company has worked with museums and collections around the world to create an online exhibit dedicated to the life and art of Frida Kahlo. The exhibition is called " <a href="https://artsandculture.google.com/project/frida-kahlo" target="_blank" > Faces of Frida </a> ," and features Kahlo's paintings, snippets of <a href="https://artsandculture.google.com/exhibit/sAKymDksayhmJA" target="_blank" > her diary </a> , <a href="https://artsandculture.google.com/exhibit/cwJCFPqI3_B3Jw" target="_blank" > reimagined works </a> , and editorial pieces exploring <a href="https://artsandculture.google.com/theme/mQKyGedVVCABLQ" target="_blank" > hidden meaning behind her paintings </a> and her <a href="https://artsandculture.google.com/theme/YQJSCGJhOSHbIA" target="_blank" > relationship to folk art </a> . According to <a href="https://www.forbes.com/sites/veronicavillafane/2018/05/23/google-unveils-frida-kahlo-retrospective-with-never-before-seen-artifacts/#430397704f27" target="_blank" > <em>Forbes </em> </a> , there are 800 items in total, and the exhibit is a joint effort between 33 museums spanning 7 countries. 
<a href="#TOP">top </a> </p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> <p> <strong> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2938033"> Encryption Workarounds </a> </strong> (Orin Kerr and Bruce Schneier, Georgetown Law Journal, revised 13 May 2018) - Abstract: <em> The widespread use of encryption has triggered a new step in many criminal investigations: The encryption workaround. We define an encryption workaround as any lawful government effort to reveal unencrypted plaintext of a target's data that has been concealed by encryption. This Article provides an overview of encryption workarounds. It begins with a taxonomy of the different ways investigators might try to bypass encryption schemes. We classify six kinds of workarounds: find the key, guess the key, compel the key, exploit a flaw in the encryption software, access plaintext while the device is in use, and locate another plaintext copy. For each approach, we consider the practical, technological, and legal hurdles raised by its use. The remainder of this Article develops lessons about encryption workarounds and the broader public debate about encryption in criminal investigations. First, encryption workarounds are inherently probabilistic. None work every time, and none can be categorically ruled out every time. Second, the different resources required for different workarounds will have significant distributional effects on law enforcement. Some techniques are inexpensive and can be used often by many law enforcement agencies; some are sophisticated or expensive and likely to be used rarely and only by a few. Third, the scope of legal authority to compel third-party assistance will be a continuing challenge. And fourth, the law governing encryption workarounds remains uncertain and underdeveloped. 
Whether encryption will be a game changer or a speed bump depends on both technological change and the resolution of important legal questions that currently remain unanswered. </em> <a href="#TOP">top </a> </p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="https://www.cnet.com/news/google-begins-blurring-faces-in-street-view/" > Google begins blurring faces in street view </a> </strong> (CNET, 13 May 2008) - Google has begun testing face-blurring technology for its Street View service, responding to privacy concerns from the search giant's all-seeing digital camera eye. The technology uses a computer algorithm to scour Google's image database for faces, then blurs them, said John Hanke, director of Google Earth and Google Maps, in an interview at the Where 2.0 conference here. Google has begun testing the technology in Manhattan, the company announced on its LatLong blog. Ultimately, though, Hanke expects it to be used more broadly. Dealing with privacy-both legal requirements and social norms-is hard but necessary, Hanke said. Street View poses other privacy issues besides just faces. Some people aren't eager to have their houses on display, for example. But much of the hubbub seems to have waned since Google launched Street View in May 2007, and indeed other companies such as Blue Dasher are working on similar technology. Street View presents a view of dozens of United States cities from a driver's perspective. It appears Google has begun collecting imagery in Europe as well, along with detailed 3D maps, including Milan, Rome, and Paris. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> <a href="https://www.cnet.com/news/fbis-net-surveillance-proposal-raises-privacy-legal-concerns/" > FBI's net surveillance proposal raises privacy, legal concerns </a> </strong> (CNET, 25 April 2008) - The FBI director and a Republican congressman sketched out a far-reaching plan this week for warrantless surveillance of the Internet. During a House of Representatives Judiciary Committee hearing, the FBI's Robert Mueller and Rep. Darrell Issa of California talked about what amounts to a two-step approach. Step 1 involves asking Internet service providers to open their networks to the FBI voluntarily; step 2 would be a federal law forcing companies to do just that. Both have their problems, legal and practical, but let's look at step 1 first. Issa suggested that Internet providers could get "consent from every single person who signed up to operate under their auspices" for federal police to monitor network traffic for attempts to steal personal information and national secrets. Mueller said "legislation has to be developed" for "some omnibus search capability, utilizing filters that would identify the illegal activity as it comes through and give us the ability to pre-empt" it. These are remarkable statements. The clearest reading of them points to deep packet inspection of network traffic--akin to the measures Comcast took against BitTorrent and to what Phorm in the United Kingdom has done, in terms of advertising--plus additional processing to detect and thwart any "illegal activity." "That's very troubling," said Greg Nojeim, director of the project on freedom, security, and technology at the Center for Democracy and Technology. "It could be an effort to achieve, through unknowing consent, permission to monitor communications in a way that would otherwise be prohibited by law." Unfortunately, neither Issa nor Mueller recognized that such a plan is probably illegal. 
California law, for instance, says anyone who "intentionally and without the consent of all parties to a confidential communication" conducts electronic surveillance shall be imprisoned for one year. (I say "probably illegal" because their exchange didn't offer much in the way of details.) "I think there's a substantial problem with what Mueller's proposing," said Al Gidari, a partner at the Perkins Coie law firm who represents telecommunications providers. "He forgets the states have the power to pass more restrictive rules, and 12 of them have. He also forgets that we live in a global world, and the rest of the world doesn't quite see eye to eye on this issue. That consent would be of dubious validity in Europe, for instance, where many of our customers reside." <a href="#TOP">top </a> </p> <p> Posted by <a href="http://www.blogger.com/profile/11939466711834283196">Vince Polley</a>, 5 May 2018 </p> <p> <a name="TOP"> </a> MIRLN --- 15 April - 5 May 2018 (v21.06) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_15_april_5_may_2018_v2106/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> <p> Join me in Washington, D.C. on May 9-10 at the ABA's Internet of Things National Institute. Conference keynotes include US Sen. Mark Warner and Rep. Jerry McNerney (who introduced the Securing IoT Act), Rep. Robin Kelly (Ranking Member of the Subcommittee on Information Technology), Commerce Department GC Peter Davidson, and former FTC Commissioner Terrell McSweeny. 
DC Bar ABA members get a discount with <strong>DCBAR2018iot </strong>. Learn more here: <em>ambar.org/iot2018 </em> </p> <a name="NEWS"> </a> <h3> NEWS </h3> <ul> <li> <a href=""> Oil and gas cybersecurity projects went 'to the bottom of the pile' in energy slump </a> </li> <li> <a href="">Facebook and Cambridge Analytica </a> </li> <li> <a href=""> OLPC's $100 laptop was going to change the world - then it all went wrong </a> </li> <li> <a href="">Virtual annual meetings: updated "best practices" </a> </li> <li> <a href=""> Cybersecurity standards for private companies: Taking notes from the SEC's public company guidance </a> </li> <li> <a href="">Cybersecurity: NIST's new framework (Version 1.1) </a> </li> <li> <a href=""> New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection </a> </li> <li> <a href=""> BSA releases international cybersecurity framework to promote strong and consistent cybersecurity governance </a> </li> <li> <a href=""> DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain </a> </li> <li> <a href=""> Facebook moves 1.5bn users out of reach of new European privacy law </a> </li> <li> <a href=""> Survey reveals that many companies are behind schedule to achieve Global Data Protection Regulation compliance </a> </li> <li> <a href=""> Here's why you're getting all those terms of service update emails </a> </li> <li> <a href=""> Federal judge adopts CFTC position that cryptocurrencies are commodities </a> </li> <li> <a href="">Goldman Sachs to open a bitcoin trading operation </a> </li> <li> <a href="">Abbott issues software patches for more cardiac devices </a> </li> <li> <a href=""> Newly disclosed documents on the Five Eyes Alliance and what they tell us about intelligence-sharing agreements </a> </li> <li> <a href=""> US regulator fines Altaba $35 million over 2014 Yahoo email hack </a> </li> <li> <a href=""> How hackers could 
cause chaos on America's roads and railways </a> </li> <li> <a href=""> Top federal IT contractors leave emails vulnerable to phishing, spoofing </a> </li> <li> <a href=""> Building on sand isn't stable: Correcting a misunderstanding of the National Academies report on encryption </a> </li> <li> <a href=""> Encryption policy and its international impacts: A framework for understanding extraterritorial ripple effects </a> </li> <li> <a href="">Equifax data breach cost hits $242 million </a> </li> <li> <a href=""> 25 years ago today, the web opened up and the world changed </a> </li> <li> <a href=""> Facebook says it will let users remove data from outside sites </a> </li> <li> <a href=""> Under the Foreign Sovereign Immunities Act, where do hacking torts happen? </a> </li> <li> <a href="">The digital vigilantes who hack back </a> </li> <li> <a href=""> Data breach that revealed client file sparks legal malpractice action </a> </li> <li> <a href="">Pirate radio stations explode on YouTube </a> </li> </ul> <p> <a name="OilAndGas"> </a> <strong> <a href="https://www.chron.com/business/energy/article/Oil-and-gas-cybersecurity-projects-went-to-the-12827690.php" > Oil and gas cybersecurity projects went 'to the bottom of the pile' in energy slump </a> </strong> (Houston Chronicle, 12 April 2018) - Oil companies put cybersecurity initiatives on hold while crude prices languished at multi-year lows in 2015 and 2016, falling behind in hardening their systems while state-sponsored hacking groups only got more proficient at probing U.S. energy networks, security experts say. As oil companies cut thousands of jobs and pared back drilling operations in the downturn, cybersecurity teams faced funding shortfalls for projects to secure computer networks that run rigs, pipelines and other oil field assets, increasing pressure for a field already challenged by finite resources and competing priorities. 
In an oil bust, "projects, capabilities and needs that aren't exactly on top of mind go to the bottom of the pile," said Paul Brager Jr., a cybersecurity professional at Houston oil field services firm Baker Hughes, a GE company. But among federal agencies and security professionals called in to respond to online attacks, there's <a href="https://www.houstonchronicle.com/business/article/Cyberattacks-on-energy-companies-should-come-as-12811823.php" > no longer any doubt </a> foreign adversaries in Russia, Iran and North Korea have planned and executed attacks to plant themselves in U.S. critical infrastructure, which includes pipelines, refineries and petrochemical plants. <a href="">top </a> </p> <p> <a name="FacebookAnd"> </a> <strong> <a href="https://www.schneier.com/crypto-gram/archives/2018/0415.html#1" > Facebook and Cambridge Analytica </a> </strong> (Bruce Schneier, 15 April 2018) - In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others. And it can infer even more: our sexual orientation, political beliefs, relationship status, drug use, and other personality traits -- even if we didn't take the personality test that Cambridge Analytica developed. But for every article about Facebook's creepy stalker behavior, thousands of other companies are breathing a collective sigh of relief that it's Facebook and not them in the spotlight. Because while Facebook is one of the biggest players in this space, there are thousands of other companies that spy on and manipulate us for profit. Harvard Business School professor Shoshana Zuboff calls it "surveillance capitalism." And as creepy as Facebook is turning out to be, the entire industry is far creepier. 
It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it. There are 2,500 to 4,000 data brokers in the United States whose business is buying and selling our personal data. Last year, Equifax was in the news when hackers stole personal information on 150 million people, including Social Security numbers, birth dates, addresses, and driver's license numbers. You certainly didn't give it permission to collect any of that information. Equifax is one of those thousands of data brokers, most of them you've never heard of, selling your personal information without your knowledge or consent to pretty much anyone who will pay for it. Surveillance capitalism takes this one step further. Companies like Facebook and Google offer you free services in exchange for your data. Google's surveillance isn't in the news, but it's startlingly intimate. We never lie to our search engines. Our interests and curiosities, hopes and fears, desires and sexual proclivities, are all collected and saved. Add to that the websites we visit that Google tracks through its advertising network, our Gmail accounts, our movements via Google Maps, and what it can collect from our smartphones. That phone is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with. Uber used just some of that information to detect one-night stands; your smartphone provider and any app you allow to collect location data knows a lot more. Surveillance capitalism drives much of the internet. It's behind most of the "free" services, and many of the paid ones as well. 
Its goal is psychological manipulation, in the form of personalized advertising to persuade you to buy something or do something, like vote for a candidate. And while the individualized profile-driven manipulation exposed by Cambridge Analytica feels abhorrent, it's really no different from what every company wants in the end. This is why all your personal information is collected, and this is why it is so valuable. Companies that can understand it can use it against you. * * * [ <strong>Polley </strong>: Good perspective.] <a href="">top </a> </p> <p> <a name="OLPC"> </a> <a href="https://www.theverge.com/2018/4/16/17233946/olpcs-100-laptop-education-where-is-it-now" > <strong> OLPC's $100 laptop was going to change the world - then it all went wrong </strong> </a> (The Verge, 16 April 2018) - It was supposed to be the laptop that saved the world. In late 2005, tech visionary and MIT Media Lab founder Nicholas Negroponte pulled the cloth cover off a small green computer with a bright yellow crank. The device was the first working prototype for Negroponte's new nonprofit One Laptop Per Child, dubbed "the green machine" or simply "the $100 laptop." And it was like nothing that Negroponte's audience - at either his panel at a UN-sponsored tech summit in Tunis, or around the globe - had ever seen. After UN Secretary-General Kofi Annan offered a glowing introduction, Negroponte explained exactly why. The $100 laptop would have all the features of an ordinary computer but require so little electricity that a child could power it with a hand crank. It would be rugged enough for children to use anywhere, instead of being limited to schools. Mesh networking would let one laptop extend a single internet connection to many others. A Linux-based operating system would give kids total access to the computer - OLPC had reportedly turned down an offer of free Mac OS X licenses from Steve Jobs. 
And as its name suggested, the laptop would cost only $100, at a time when its competitors cost $1,000 or more. Then, Negroponte and Annan rose for a photo-op with two OLPC laptops, and reporters urged them to demonstrate the machines' distinctive cranks. Annan's crank handle fell off almost immediately. As he quietly reattached it, Negroponte managed half a turn before hitting the flat surface of the table. He awkwardly raised the laptop a few inches, trying to make space for a full rotation. "Maybe afterwards…" he trailed off, before sitting back down to field questions from the crowd. The moment was brief, but it perfectly foreshadowed how critics would see One Laptop Per Child a few years later: as a flashy, clever, and idealistic project that shattered at its first brush with reality. If you remember the OLPC at all, you probably remember the hand crank. It was OLPC's most striking technological innovation - and it was pure vaporware. Designers dropped the feature almost immediately after Negroponte's announcement, because the winding process put stress on the laptop's body and demanded energy that kids in very poor areas couldn't spare. * * * <a href="">top </a> </p> <p> <a name="VirtualAnnual"> </a> <a href="https://www.thecorporatecounsel.net/blog/2018/04/virtual-annual-meetings-updated-best-practices.html" > <strong>Virtual annual meetings: updated "best practices" </strong> </a> (CorporateCounsel.net, 16 April 2018) - Like it did back in 2012, Broadridge recently convened a group of 17 different stakeholders to look at the state of virtual annual meetings - both "virtual only" and hybrid. The end product is this set of " <a href="https://www.thecorporatecounsel.net/member/memos/Broadridge/04_18_virtual.pdf" > Principles & Best Practices for Virtual Annual Meetings. 
</a> " Like before, the report's conclusions are not that profound - but can be useful to help guide those considering virtual meetings (and it includes a useful appendix that summarizes each state's laws governing electronic participation in shareholder meetings). <a href="">top </a> </p> <p> <a name="CybersecurityStandards"> </a> <strong> <a href="http://web20.nixonpeabody.com/peblog/Lists/Posts/Post.aspx?ID=279&Title=Cybersecurity+standards+for+private+companies:+Taking+notes+from+the+SEC%E2%80%99s+public+company+guidance&_lrsc=823c21f9-09d3-4e9e-be8a-b49302d2439a&utm_source=social&utm_medium=elevate&utm_campaign=twitter" > Cybersecurity standards for private companies: Taking notes from the SEC's public company guidance </a> </strong> (Nixon Peabody, 18 April 2018) - The Securities and Exchange Commission ("SEC") recently updated and expanded its guidance to public companies on cybersecurity risks and incidents in its " <a href="https://www.sec.gov/rules/interp/2018/33-10459.pdf" target="_blank" > Commission Statement and Guidance on Public Company Cybersecurity Disclosures </a> " (the "2018 Guidance"). The 2018 Guidance represents a broad recognition of the critical role that cybersecurity plays in the health of companies and the stability of markets. "There is no doubt that the cybersecurity landscape and the risks associated with it continue to evolve," said a statement released by <a href="https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21" target="_blank" > SEC Chairman Jay Clayton </a> . "Public companies must stay focused on these issues and take all required action to inform investors about material cybersecurity risks and incidents in a timely fashion." To support this effort, the SEC has created a <a href="https://www.sec.gov/spotlight/cybersecurity" target="_blank"> cybersecurity website </a> with helpful alerts and bulletins, compliance toolkits, and educational resources. 
In addition, the SEC has established a Cyber Unit charged with targeting a wide range of cyber-related misconduct, such as market manipulation through the spread of false information, hacking, and intrusions and attacks on trading platforms and market infrastructure. While a private company can be reassured that a member of the Cyber Unit will not show up at its door, the 2018 Guidance offers useful insights about the evolving risks in the digital marketplace, as well as effective controls and procedures to manage these risks-all of which can inform a private company that must navigate similar pitfalls in the modern e-commerce environment. Cybersecurity is, as the SEC's website states, "a responsibility of every market participant." To that end, the following are some key takeaways for private companies from the 2018 Guidance: * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="CybersecurityNIST"> </a> <strong> <a href="https://www.thecorporatecounsel.net/blog/2018/04/__trashed-9.html" > Cybersecurity: NIST's new framework (Version 1.1) </a> </strong> (CorporateCounsel.net, 20 April 2018) - Recently, NIST released an <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf"> updated cybersecurity framework </a> . This popular framework is entitled "Version 1.1" rather than the "2.0" that some (including us) had been calling it when the proposal was released last year. Here's an excerpt from this <a href="https://www.thecorporatecounsel.net/Member/Memos/Wachtell/04_18_NIST.pdf" > Wachtell Lipton memo </a> : <em> The updated Framework, entitled Version 1.1, is intended to clarify and refine (rather than replace) NIST's original 2014 Cybersecurity Framework, Version 1.0, and builds on the original version's five core cybersecurity functions-Identify, Protect, Detect, Respond, and Recover-and tiered implementation system. 
Instead of a "one-size-fits-all" approach, the Framework continues to be a flexible platform that can be customized to address the particular cybersecurity risks faced by any company. Of broader import, the updated Framework encourages companies to integrate cybersecurity objectives into strategic planning and governance structures and to ensure that cybersecurity is a central part of overall risk management. In terms of other specific changes, Version 1.1 provides new guidance on how to use the Framework to conduct self-assessments of internal and third-party cybersecurity risks and mitigation strategies, includes an expanded discussion of how to manage cyber risks associated with third parties and supply chains, advances new standards for authentication and identity proofing protocols, and addresses how to apply the Framework to a wide range of contexts, such as industrial controls, the use of off-the-shelf software, and the Internet of Things. </em> <a href="">top </a> </p> <p> - and - </p> <p> <a name="NewStandardAccepted"> </a> <strong> <a href="https://www.scmagazine.com/new-standard-accepted-by-federal-energy-regulatory-commission-for-critical-infrastructure-protection/article/760519/" > New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection </a> </strong> (SC Media, 23 April 2018) - The Federal Energy Regulatory Commission (FERC) approved a new standard to improve electronic access controls for low impact Bulk Electric System (BES) Cyber Systems, to mandate security controls for mobile devices, and to develop modifications to critical infrastructure protection (CIP) reliability standards. Work on the new standard began in October 2017 when FERC asked NERC to clarify electronic access controls, adopt mandatory requirements for transient electronic devices, and require the creation of a response policy in case of a system threat. 
The genesis of this request is a group of bipartisan bills that were advanced out of the House Energy and Commerce subcommittee to improve the government's response to cybersecurity attacks on the electric grid, particularly attacks against less critical facilities. "CIP-003-7 pushes forward on FERC's concern that even the less critical assets covered by these standards (referred to as low impact facilities) present risks to the bulk electric system that need to be addressed," said Daniel Skees, a partner at the law firm Morgan Lewis. Skees represents electric utilities before FERC. FERC officially approved the new CIP reliability standard CIP-003-7 (Cyber Security - Security Management Controls), which was submitted by the North American Electric Reliability Corporation (NERC). With the standard accepted, NERC is tasked with implementing it. FERC noted that the new rules developed by NERC improve upon the prior CIP reliability standards by clarifying the obligations pertaining to electronic access control for low impact BES Cyber Systems; by adopting mandatory security controls for transient electronic devices such as thumb drives, laptop computers, and other portable devices used frequently with low impact BES Cyber Systems; and by adding the requirement that responsible entities have in place a policy for declaring and responding to CIP Exceptional Circumstances related to low impact BES Cyber Systems. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="BSAreleases"> </a> <strong> <a href="http://www.bsa.org/news-and-events/news/2018/april/en-04252018-bsa-releases-international-cybersecurity-framework?sc_lang=en-US&utm_source=eloqua&utm_medium=email_54037&utm_campaign=24503" > BSA releases international cybersecurity framework to promote strong and consistent cybersecurity governance </a> </strong> (BSA, 25 April 2018) - The Software Alliance released an <a href="http://www.bsa.org/cybersecframework"> International Cybersecurity Policy Framework </a> to serve as a tool both for policymakers considering foundational cybersecurity legislation and for those examining gaps and shortfalls in existing policies. <a href="">top </a> </p> <p> - and - </p> <p> <a name="DODreleases"> </a> <strong> <a href="https://www.csoonline.com/article/3269526/data-protection/dod-releases-new-guidance-giving-teeth-to-cybersecurity-rules-to-protect-data-within-the-supply-cha.html" > DOD releases new guidance giving teeth to cybersecurity rules to protect data within the supply chain </a> </strong> (CSO, 30 April 2018) - The US Department of Defense issued <a href="https://www.regulations.gov/docket?D=DARS-2018-0023"> new guidance </a> on how it might penalize business partners that do not adequately adhere to the security rules codified in NIST SP 800-171. NIST has prescribed a set of 110 security requirements that are derived from a larger standard, NIST SP 800-53, which governs cybersecurity standards for government systems. December 31, 2017 was the designated deadline for implementing the controls as part of DFARS 252.204-7012 to protect controlled unclassified information (CUI). To facilitate gradual adoption, DoD allowed businesses to specify a future date for implementing security controls through the Plan of Actions & Milestones (POAM) artifact. 
Many organizations have resorted to "POAM'ing" requirements in a checkbox exercise and generated System Security Plans that are very light and do not adequately describe the security posture of the vendor. The new <a href="https://www.regulations.gov/document?D=DARS-2018-0023-0005"> DOD guidance </a> for reviewing system security plans and the NIST SP 800-171 security requirements not yet implemented assigns risk scores to controls. Security controls that are deemed high risk and have not been implemented pose a continued risk to the government. The latest guidance helps ensure that businesses can assess and prioritize how they wish to go about implementing the 110 security controls. The <a href="https://www.regulations.gov/document?D=DARS-2018-0023-0002"> new guidance </a> also provides specific information on the downsides of not implementing the new security controls. The "Assessing the State of a Contractor's Internal Information System in a Procurement Action" document outlines the specific conditions during the request for proposals (RFP), source selection and subsequent contract award that will be looked at by government officials in relation to NIST SP 800-171 compliance. <a href="">top </a> </p> <p> <a name="FacebookMoves"> </a> <strong> <a href="https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Facebook moves 1.5bn users out of reach of new European privacy law </a> </strong> (The Guardian, 19 April 2018) - Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the "spirit" of the legislation globally. In a tweak to its terms and conditions, Facebook is shifting the responsibility for all users outside the US, Canada and the EU from its international HQ in Ireland to its main offices in California. 
It means that those users will now be on a site governed by US law rather than Irish law. The shift highlights the cautious phrasing Facebook has applied to its promises around GDPR. <a href="https://www.theguardian.com/technology/2018/apr/04/facebook-gdpr-stronger-privacy-protections-eu-data-protection-law-mark-zuckerberg" > Earlier this month </a> , when asked whether his company would promise GDPR protections to its users worldwide, Zuckerberg demurred. "We're still nailing down details on this, but it should directionally be, in spirit, the whole thing," he said. A week later, during his hearings in front of the US Congress, Zuckerberg was <a href="https://www.theguardian.com/technology/2018/apr/11/mark-zuckerbergs-facebook-hearing-five-things-we-learned" > again asked </a> if he would promise that GDPR's protections would apply to all Facebook users. His answer was affirmative - but only referred to GDPR "controls", rather than "protections". Worldwide, Facebook has <a href="https://www.theguardian.com/technology/2018/mar/28/facebook-privacy-tools-put-people-control-data" > rolled out a suite of tools </a> to let users exercise their rights under GDPR, such as downloading and deleting data, and the company's <a href="https://www.theguardian.com/technology/2018/apr/18/facebook-facial-recognition-gdpr-targeted-advertising" > new consent-gathering controls </a> are similarly universal. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="SurveyReveals"> </a> <a href="https://www.mwe.com/en/press-room/2018/04/the-race-to-gdpr-report-release" > <strong> Survey reveals that many companies are behind schedule to achieve Global Data Protection Regulation compliance </strong> </a> (McDermott Will & Emery, 20 April 2018) - A major survey sponsored by international law firm <a href="https://www.mwe.com/en" target="_blank"> McDermott Will & Emery </a> and carried out by the <a href="https://www.ponemon.org/" target="_blank">Ponemon Institute </a> has revealed that many companies are behind schedule to achieve Global Data Protection Regulation (GDPR) compliance by the looming May deadline. The survey results show that 40% of companies only expect to achieve compliance with the regulation <em>after </em> May 25th when the Regulation comes into effect. The McDermott-Ponemon study surveyed companies across the US and Europe on their understanding of the impact of GDPR and their readiness for it. Key findings of this important benchmark survey are: * * * [ <strong>Polley </strong>: thorough <a href="https://iapp.org/media/pdf/resource_center/Ponemon_race-to-gdpr.pdf" > report </a> , as usual. I was surprised how un-ready so many organizations are - it's almost laughable. Reminds me of how long organizations were running without full compliance with the DPD, dating from 1995.] <a href="">top </a> </p> <p> - and - </p> <p> <a name="HeresWhyYoure"> </a> <strong> <a href="https://mashable.com/2018/04/25/terms-of-service-update-emails/#Bvye11mUaOqW" > Here's why you're getting all those terms of service update emails </a> </strong> (Mashable, 25 April 2018) - Get the feeling you're suddenly being bombarded with emails from companies about updated terms of service policies? You are. And there's a good reason: the European Union's forthcoming efforts to protect our personal data. 
And though the law is based in the EU, the GDPR has a worldwide impact because any global online company that collects data from someone <em>living </em> in the EU will be held accountable. While the specific updates made to each terms of service policy will be individual to every company, the law expands the definition of what information is considered personal data. This means companies will likely be adjusting their privacy policies to inform users that less basic information such as IP addresses, location data, web browsing cookies, and other details are also defined as personal data. Though the new internet regulations don't go into effect until May 25, 2018, companies like Facebook, Instagram, Google, and more, are starting to prepare by updating their terms of service and privacy policies now. <a href="">top </a> </p> <p> <a name="FederalJudgeAdopts"> </a> <strong> <a href="https://businesslawtoday.org/2018/04/federal-judge-adopts-cftc-position-cryptocurrencies-commodities/" > Federal judge adopts CFTC position that cryptocurrencies are commodities </a> </strong> (ABA's Business Law Today, 20 April 2018) - A New York federal judge held that virtual currencies are commodities that can be regulated by the Commodity Futures Trading Commission ("CFTC"), enjoining the defendants, an individual and affiliated entity, from trading cryptocurrencies on their own or others' behalf or soliciting funds from others, and ordering an expedited accounting. <em>CFTC v. McDonnell </em>, No. 18-cv-0361, Dkt. 29 (E.D.N.Y. Filed Jan 18, 2018). While the CFTC announced its position that cryptocurrencies are commodities in 2015, this case marks the first time a court has weighed in on whether cryptocurrencies are commodities. Having answered that question in the affirmative, the court went on to hold that the CFTC has jurisdictional authority over defendants' alleged cryptocurrency fraud under 7 U.S.C. 
§ 9(1), which permits the CFTC to regulate fraud and manipulation in underlying commodity spot markets. <a href="">top </a> </p> <p> - and - </p> <p> <a name="GoldmanSachs"> </a> <strong> <a href="https://www.nytimes.com/2018/05/02/technology/bitcoin-goldman-sachs.html" > Goldman Sachs to open a bitcoin trading operation </a> </strong> (NYT, 2 May 2018) - Most big banks have tried to stay far away from the scandal-tainted virtual currency Bitcoin. But Goldman Sachs, perhaps the most storied name in finance, is bucking the risks and moving ahead with plans to set up what appears to be the first Bitcoin trading operation at a Wall Street bank. In a step that is likely to lend legitimacy to virtual currencies - and create new concerns for Goldman - the bank is about to begin using its own money to trade with clients in a variety of contracts linked to the price of Bitcoin. While Goldman will not initially be buying and selling <a href="https://www.nytimes.com/2017/10/01/technology/what-is-bitcoin-price.html" > actual Bitcoins </a> , a team at the bank is looking at going in that direction if it can get regulatory approval and figure out how to deal with the additional risks associated with holding the virtual currency. * * * Over the last two years a growing number of hedge funds and other large investors around the world have expressed an interest in virtual currencies. Tech companies like Square have begun offering Bitcoin services to their customers, and the commodity exchanges in Chicago started allowing customers to trade Bitcoin futures contracts in December. But until now, regulated financial institutions have steered clear of Bitcoin, with some going so far as to shut down the accounts of customers who traded Bitcoin. Jamie Dimon, the chief executive of JPMorgan Chase, famously called it a fraud, and many other bank chief executives have said Bitcoin is nothing more than a speculative bubble. 
<a href="">top </a> </p> <p> <a name="AbbottIssues"> </a> <strong> <a href="http://www.govinfosecurity.com/abbott-issues-software-patches-for-more-cardiac-devices-a-10869" > Abbott issues software patches for more cardiac devices </a> </strong> (Gov Info Security, 20 April 2018) - Abbott Laboratories has issued software updates for certain implantable cardiac devices to address cybersecurity flaws and battery issues that pose potential safety risks to patients. The products were previously sold by device maker St. Jude Medical, which Abbott acquired last year. More than 382,000 of these affected devices are distributed in the U.S., including 350,000 devices that are currently implanted in patients, according to the Food and Drug Administration and Abbott. The remainder of the devices are in inventories and will be updated "in-box," an Abbott spokeswoman says. The device problems were also the subject of previous warnings by the <a href="https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm604706.htm" target="_blank" > FDA </a> and the Department of Homeland Security's <a href="https://ics-cert.us-cert.gov/advisories/ICSMA-18-107-01" target="_blank" > Industrial Control Systems Cyber Emergency Response Team </a> , which both issued new advisories on April 17 about the availability of the Abbott software patches. The impacted devices include certain families of Abbott implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators, which are devices that provide pacing for slow heart rhythms and electrical shock or pacing to stop dangerously fast heart rhythms, the FDA notes in its alert. Last August, Abbott also issued software updates to address similar cybersecurity vulnerabilities in certain implantable cardiac pacemaker devices (see <a href="https://www.healthcareinfosecurity.com/fda-first-cyber-recall-for-implantable-device-a-10238" > <em>A FDA First: Cyber Recall for Implantable Devices </em> </a> ). 
<a href="">top </a> </p> <p> <a name="NewlyDisclosed"> </a> <strong> <a href="https://www.lawfareblog.com/newly-disclosed-documents-five-eyes-alliance-and-what-they-tell-us-about-intelligence-sharing" > Newly disclosed documents on the Five Eyes Alliance and what they tell us about intelligence-sharing agreements </a> </strong> (Lawfare, 23 April 2018) - The United States is party to a number of international intelligence sharing arrangements-one of the most prominent being the so-called "Five Eyes" alliance. Born from <a href="https://www.nsa.gov/news-features/declassified-documents/ukusa/"> spying arrangements </a> forged during World War II, the Five Eyes alliance facilitates the sharing of signals intelligence among the U.S., the U.K., Australia, Canada and New Zealand. The Five Eyes countries agree to exchange by default all signals intelligence they gather, as well as methods and techniques related to signals intelligence operations. When the Five Eyes first agreed to this exchange of intelligence-before the first transatlantic telephone cable was laid-they could hardly have anticipated the technological advances that awaited them. Yet, we <a href="https://www.justsecurity.org/47282/backdoor-search-loophole-isnt-problem-dangers-global-information-sharing/" > remain in the dark </a> about the current legal framework governing intelligence sharing among the Five Eyes, including the types of information that the U.S. government accesses and the rules that govern U.S. intelligence agencies' access to and dissemination of Americans' private communications and data. 
In July 2017, <a href="https://privacyinternational.org/">Privacy International </a> and <a href="https://law.yale.edu/mfia/"> Yale Law School's Media Freedom & Information Access Clinic </a> filed a <a href="https://law.yale.edu/system/files/documents/pdf/Clinics/mfia_complaint_7_6_17.pdf" > lawsuit </a> against the National Security Agency, the Office of the Director of National Intelligence, the State Department, and the National Archives and Records Administration seeking access to records related to the Five Eyes alliance under the Freedom of Information Act. Over the past few months, we have begun to receive limited disclosure from the NSA and the State Department. While we have not seen the text of the current agreement-as well as other records that would shed important light on how the agreement operates-the disclosures to date give us insight into the nature and scope of U.S. intelligence sharing agreements. Below, we summarize a few of these disclosures and talk through their implications. In particular, we highlight how, taken together, they suggest that the U.S. government takes an inconsistent approach to legal classification and therefore publication of these types of agreements. We also take a closer look at one agreement-the 1961 General Security Agreement between the Government of the United States and the Government of the United Kingdom-which further illuminates our understanding of the privatization of intelligence activities and provides us with a rare glimpse of the "third party rule," an obstacle to oversight and accountability of intelligence sharing. <a href="">top </a> </p> <p> <a name="USregulatorFines"> </a> <a href="https://www.reuters.com/article/us-altaba-cyber-yahoo/u-s-regulator-fines-altaba-35-million-over-2014-yahoo-email-hack-idUSKBN1HV295" > <strong> US regulator fines Altaba $35 million over 2014 Yahoo email hack </strong> </a> (Reuters, 24 April 2018) - U.S. regulators fined Altaba Inc, the company formerly known as Yahoo! 
Inc, $35 million on Tuesday to settle charges that it kept its massive 2014 cyber security breach a secret from investors for more than two years. The Securities and Exchange Commission's case marks the first time it has gone after a company for failing to disclose a cyber security breach. Steven Peikin, co-director of the SEC's enforcement division, said cyber breaches were a priority for the agency and hoped companies facing similar issues would take note. <a href="">top </a> </p> <p> <a name="HowHackersCould"> </a> <a href="http://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2018/04/24/how-hackers-could-cause-chaos-on-americas-roads-and-railways" > <strong> How hackers could cause chaos on America's roads and railways </strong> </a> (Pew Trusts, 24 April 2018) - When hackers struck the Colorado Department of Transportation in a ransomware attack in February and again eight days later, they disrupted the agency's operations for weeks. State officials had to shut down 2,000 computers, and transportation employees were forced to use pen and paper or their personal devices instead of their work computers. Staffers whose computers were infected didn't have access to their files or data, unless it was stored on the internet, and the attack affected the payroll system and vendor contracts. It could have been a lot worse: The Colorado hacks didn't affect traffic signals, cameras or electronic message boards, and state information technology officials, who refused to pay the ransom, said the system had been 95 percent restored as of last week. Transportation systems are ripe targets for cybercriminals, according to cybersecurity experts, and many state and local government officials are only now waking up to the threat and realizing they need to beef up their defenses. 
In February, Maryland Department of Transportation Secretary Pete Rahn told a meeting of the American Association of State Highway and Transportation Officials that security breaches are a big concern for his agency, which oversees public transit, highways, tolls, a port, an airport and the motor vehicle administration. If hackers get into the network, he said, "they can play with our trains, traffic signals, variable message boards. We've never had to think about these things before." * * * <a href="">top </a> </p> <p> <a name="TopFederalIT"> </a> <a href="https://www.globalcyberalliance.org/top-federal-it-contractors-leave-emails-vulnerable-to-phishing-spoofing.html" > <strong> Top federal IT contractors leave emails vulnerable to phishing, spoofing </strong> </a> (Global Cyber Alliance press release, 25 April 2018) - Only one of the largest federal contractors has fully implemented the top defense against email phishing and spoofing, according to research released today by the Global Cyber Alliance (GCA). In an examination of the <a href="https://washingtontechnology.com/toplists/top-100-lists/2017.aspx"> top 50 information technology (IT) contractors to the United States government </a> , GCA found that only one contractor is using email-validation security - the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol - at its highest level. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society. According to the <a href="https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf" > 2017 Symantec ISTR report </a> , 1 in 131 emails contained malware, the highest rate in 5 years. Late last year, the Department of Homeland Security <a href="https://cyber.dhs.gov/assets/report/bod-18-01.pdf"> mandated that all federal agencies implement DMARC </a> . 
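The GCA finding turns on how strongly each contractor's published DMARC record is enforced. As an added illustration (not code from the Global Cyber Alliance or from this newsletter), the Python below parses DMARC TXT records and rates each domain from "missing" to "enforcing", where only p=reject with full coverage rejects direct-domain spoofing; the domains and records are constructed for the example and describe no real organisation.

```python
"""Rate published DMARC records by enforcement level.

Added example for this newsletter item; it is not code from the Global Cyber
Alliance or from the newsletter.  The TXT records below are constructed for
illustration and do not describe any real contractor.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# DMARC disposition policies, weakest to strongest (RFC 7489 "p" tag).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


@dataclass
class DmarcAssessment:
    domain: str
    level: str = "missing"                  # missing | monitor-only | partial | enforcing
    policy: Optional[str] = None            # p= tag
    subdomain_policy: Optional[str] = None  # sp= tag (defaults to p=)
    pct: int = 100                          # share of failing mail the policy applies to
    reporting: bool = False                 # rua= present, so the owner sees spoof attempts
    issues: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, txt_records: Iterable[str]) -> DmarcAssessment:
    """Rate a domain from the TXT records found at _dmarc.<domain>.

    Only "enforcing" (p=reject, sp=reject or absent, pct=100) rejects
    direct-domain spoofing for all mail, which is what the GCA report calls
    DMARC at its highest level.  Anything weaker still lets spoofed mail through.
    """
    result = DmarcAssessment(domain=domain)
    dmarc = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        result.issues.append("no DMARC record published")
        return result
    if len(dmarc) > 1:
        # RFC 7489 section 6.6.3: with several records, receivers skip DMARC entirely.
        result.issues.append("multiple DMARC records; receivers ignore all of them")
        return result

    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        result.issues.append("missing or invalid p= tag; record is not actionable")
        return result
    result.policy = policy
    result.subdomain_policy = tags.get("sp", policy).lower()
    if result.subdomain_policy not in POLICY_RANK:
        result.issues.append("invalid sp= tag; treating it as the domain policy")
        result.subdomain_policy = policy
    result.reporting = bool(tags.get("rua"))
    try:
        result.pct = int(tags.get("pct", "100"))
    except ValueError:
        result.pct = 0
        result.issues.append("non-numeric pct= tag; treating as 0")
    if not 0 <= result.pct <= 100:
        result.pct = 0
        result.issues.append("pct= out of range; treating as 0")

    # A subdomain policy weaker than reject, or partial pct coverage, still lets
    # mail carrying the organisation's name reach inboxes.
    if result.policy == "none":
        result.level = "monitor-only"
    elif result.policy == "reject" and result.subdomain_policy == "reject" and result.pct == 100:
        result.level = "enforcing"
    else:
        result.level = "partial"
    if not result.reporting:
        result.issues.append("no rua= address; owner receives no aggregate reports")
    return result


def summarize(records_by_domain: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each domain to its enforcement level, for a survey-style tally."""
    return {d: assess_dmarc(d, recs).level for d, recs in records_by_domain.items()}


# Constructed sample data (not real domains or real contractors).
SAMPLE_RECORDS = {
    "contractor-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@contractor-a.example"],
    "contractor-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@contractor-b.example"],
    "contractor-c.example": ["v=DMARC1; p=reject; sp=none; pct=20"],
    "contractor-d.example": ["v=spf1 include:_spf.example -all"],  # SPF only, no DMARC
    "contractor-e.example": ["v=DMARC1; p=quarantine", "v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for domain, level in summarize(SAMPLE_RECORDS).items():
        print(f"{domain:24} {level}")
```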
Security experts praised DHS and <a href="https://www.wyden.senate.gov/download/?id=9BABD0D8-B335-45BF-9B05-BDA34433C917&download=1" > Senator Ron Wyden, who called for agencies to implement DMARC </a> , for pushing government agencies to quickly implement DMARC at the highest level possible. Contractors' failure to follow suit could make them more enticing to threat actors looking for new ways to access government information. <a href="">top </a> </p> <p> <a name="BuildingOnSand"> </a> <a href="https://www.lawfareblog.com/building-sand-isnt-stable-correcting-misunderstanding-national-academies-report-encryption" > <strong> Building on sand isn't stable: Correcting a misunderstanding of the National Academies report on encryption </strong> </a> (Lawfare's Susan Landau, 25 April 2018) - The encryption debate is messy. In any debate that involves technology-encryption, security systems and policy, law enforcement, and national security access-the incomparable complexities and tradeoffs make choices complicated. That's why getting the facts absolutely right matters. To that end, I'm offering a small, but significant, correction to a <a href="https://www.lawfareblog.com/breaking-encryption-stalemate-new-research-secure-third-party-access" target="_blank" > post </a> Alan Rozenshtein wrote on <em>Lawfare </em>on March 29. Rozenshtein argued that in opposing an exceptional-access mandate-the ability for law enforcement to access an encrypted communication or locked device with a warrant-the computer-security community had deluded itself into thinking that such systems couldn't be built securely. As evidence of this, Rozenshtein pointed to the recent National Academies <a href="https://www.nap.edu/catalog/25010/decrypting-the-encryption-debate-a-framework-for-decision-makers" target="_blank" > study </a> on the tradeoffs involved in government access to encrypted content. (Note: I served on the study committee.) 
He <a href="https://www.lawfareblog.com/breaking-encryption-stalemate-new-research-secure-third-party-access" target="_blank" > wrote </a> that the report made an important point that many missed: "High-level experts in the information-security community itself are trying to build secure third-party-access systems." But this is not what the report said. The Academies report does discuss approaches to "building ... secure systems" that provide exceptional access-but these are <em>initial </em> approaches only. The report states as much in writing that computer scientists have "begun to explore" this area of research. The presentations to the Academies committee were brief descriptions of ideas by three smart computer scientists, not detailed architectures of how such systems would work. There's a huge difference between a sketch of an idea and an actual implementation-Leonardo da Vinci's <a href="http://www.flyingmachines.org/davi.html" target="_blank"> drawings </a> for a flying machine as opposed to the Wright brothers' <a href="https://en.wikipedia.org/wiki/Wright_Flyer" target="_blank"> plane </a> at Kitty Hawk. The presentations that the Academies saw are more akin to sketches than a system architecture. None of the three presentations involved anything more than the thoughts of a single individual. The study did not hear presentations about engineering teams "trying to build secure third-party-access systems"-there is no such effort at present. (This does not include key-recovery solutions such as those provided in Apple's <a href="https://support.apple.com/en-us/HT202385" target="_blank"> FileVault </a> or Microsoft's <a href="https://support.microsoft.com/en-us/help/4026181/windows-10-find-my-bitlocker-recovery-key" target="_blank" > BitLocker </a> ; these solve a different problem from the "going dark" issue.) An exceptional-access system is not merely a complex mathematical design for a cryptosystem; it is a systems design for a complex engineering task. 
* * * [ <strong>Polley </strong>: pretty interesting post, and Landau is quite expert in this field.] <a href="">top </a> </p> <p> - and - </p> <p> <a name="EncryptionPolicy"> </a> <strong> <a href="https://www.lawfareblog.com/encryption-policy-and-its-international-impacts-framework-understanding-extraterritorial-ripple" > Encryption policy and its international impacts: A framework for understanding extraterritorial ripple effects </a> </strong> (Lawfare, 2 May 2018) - Encryption technologies play a complicated role in today's connected, mobile, data-driven world. My colleagues, Herbert Burkert and Urs Gasser, and I have <a href="https://assets.documentcloud.org/documents/4450501/Budish-Aegis-Paper-May-2018.pdf" > written a paper </a> offering a conceptual framework that can help policy-makers better understand and anticipate the international ramifications of domestic encryption policies. There is no doubt that encryption has enabled our digital economy, securing everything from online commerce, financial transactions, connected devices, and more. At the same time, examples abound of concerns from law enforcement and intelligence agencies that encryption technologies are making it harder to address crime and terrorism. The 2016 battle between Apple and the FBI over the availability of essentially unbreakable encryption on consumer devices like the iPhone is perhaps the most public, but far from the only example of the complex challenges that encryption poses for legislators, law enforcement agencies, national security agencies, and other policymakers. In response to these technological and legal challenges, decisionmakers and leaders of all kinds-legislators, regulators, intelligence and law enforcement agencies, and companies-are increasingly faced with difficult decisions that ultimately have both direct and indirect impacts on the effectiveness and availability of encryption tools. 
For example, legislators might mandate the inclusion of so-called "backdoors" in consumer devices, regulators might only allow the government to purchase technologies that meet minimum levels of security, intelligence agencies might attempt to influence encryption technical standards in ways that are beneficial to intelligence gathering, and companies might make encryption a default in their products. Collectively, choices like these effectively define a country's encryption "policy." It is not one law or a regulation, but instead the cumulative impact of each (sometimes conflicting) decision that affects the availability and effectiveness of encryption technologies. The challenge for such decisionmakers is that although the domestic impacts of such individual decisions are often intended and predictable, the international implications are often both unintentional and poorly understood. The purpose of this paper is to help policymakers better anticipate the numerous global ramifications, including those that can undermine the intent of the original policy. <a href="">top </a> </p> <p> <a name="EquifaxData"> </a> <strong> <a href="https://www.scmagazine.com/equifax-data-breach-cost-hits-242-million/article/761330/?utm_source=eloqua&utm_medium=email_54174&utm_campaign=24612" > Equifax data breach cost hits $242 million </a> </strong> (SC Magazine, 26 April 2018) - The massive data breach that compromised the data of 147.9 million Equifax customers last year has cost the company more than $242 million in related expenses, but luckily for the company, much of this cost has been covered by its cybersecurity insurance. Equifax noted the expenditures in its <a href="https://otp.tools.investis.com/clients/us/equifax/SEC/sec-show.aspx?Type=html&FilingId=12701406&CIK=0000033185&Index=10000" > first-quarter financial report </a> . 
The total tally for the breach since it became public in September has been $242.7 million with $78.7 million in pre-tax expenses being spent during the first quarter, ended March 30. This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security, and the costs of development and launch of Lock and Alert. Another $28.9 million was spent during the quarter on legal and investigative fees and $4.1 million on product liability costs, including the expected costs of fulfillment of TrustedID Premier and support of consumers using TrustedID Premier. In the financial filing, Equifax said it carries $125 million in cybersecurity insurance, with a $7.5 million deductible, and has so far received $60 million in payments from its carrier, of which $10 million was received during the first quarter. <a href="">top </a> </p> <p> <a name="TwentyFiveYears"> </a> <strong> <a href="https://www.fastcompany.com/40565692/25-years-ago-today-the-web-opened-up-and-the-world-changed?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > 25 years ago today, the web opened up and the world changed </a> </strong> (Fast Company, 30 April 2018) - On April 30, 1993, CERN-the European Organization for Nuclear Research-announced that it was putting a piece of software developed by one of its researchers, Tim Berners-Lee, into the public domain. That software was a "global computer networked information system" called the World Wide Web, and CERN's decision meant that anyone, anywhere, could run a website and do anything with it. In an era when online services were still dominated by proprietary, for-profit walled gardens such as AOL and CompuServe, that was a radical idea. 
<a href="">top </a> </p> <p> <a name="FacebookSaysItWill"> </a> <strong> <a href="https://www.axios.com/facebook-delete-data-clear-history-1525190525-dacb2b06-3492-4239-bfb9-4162796b99bd.html" > Facebook says it will let users remove data from outside sites </a> </strong> (Axios, 1 May 2018) - Facebook said Tuesday that in the coming months it would let users see and wipe the data fed into its ad targeting system by outside websites and applications. <strong>Why it matters </strong>: Facebook is grappling with a data privacy reckoning after the Cambridge Analytica scandal focused a spotlight on its relations with external developers. <strong>What they're saying </strong>: "This feature will enable you to see the websites and apps that send us information when you use them, delete this information from your account, and turn off our ability to store it associated with your account going forward," said Erin Egan, who the company recently said would focus full-time on her role as Chief Privacy Officer. If a user deletes this information, it will no longer be associated with their account - although Facebook says it will continue to give outside parties broad analytics reports. Facebook founder and chief executive Mark Zuckerberg called the new control a "Clear History" option, similar to what web browsers offer, and said in a post that when users take advantage of it, "Facebook won't be as good while it relearns your preferences." [ <em>see also </em> <strong> <a href="https://www.cnet.com/news/facebooks-zuckerberg-unveils-privacy-tool-clear-history-ahead-of-f8/" > Facebook's Zuckerberg unveils privacy tool 'clear history' </a> </strong> (CNET, 1 May 2018)] <a href="">top </a> </p> <p> <a name="UnderTheFSIA"> </a> <strong> <a href="https://www.lawfareblog.com/under-foreign-sovereign-immunities-act-where-do-hacking-torts-happen" > Under the Foreign Sovereign Immunities Act, where do hacking torts happen? 
</a> </strong> (Lawfare, 1 May 2018) - The Democratic National Committee's <a href="https://assets.documentcloud.org/documents/4443261/4-20-18-DNC-v-Russia-Complaint.pdf" > lawsuit </a> against the Russian Federation will run aground, as Ingrid Wuerth <a href="https://lawfareblog.com/dnc-v-russia-question-foreign-sovereign-immunity" > notes </a> , unless the DNC can find a way around Russia's immunity in American courts. In that respect, the suit raises a question on which precedent remains thin: whether allegations of state-sponsored hacking can fit through the Foreign Sovereign Immunities Act <a href="https://www.law.cornell.edu/uscode/text/28/1605">exception </a> for cases that involve "personal injury or death, or damage to or loss of property, occurring in the United States and caused by the tortious act or omission of the foreign state." That provision, the noncommercial tort exception, was written primarily to address traffic accidents, as the Supreme Court noted in <a href="https://supreme.justia.com/cases/federal/us/488/428/case.html"> <em>Argentine Republic v. Amerada Hess </em> </a> . Very few plaintiffs have attempted to invoke it in challenges to nation-state spying, and the case most squarely on point-the D.C. Circuit's 2017 decision in <a href="https://www.cadc.uscourts.gov/internet/opinions.nsf/E0C614D73F037CAD852580E3004EE648/$file/16-7081-1665840.pdf" > <em>Doe v. Federal Democratic Republic of Ethiopia </em> </a> -suggests that the DNC will face an uphill battle. But as I recently argued in a <a href="https://harvardlawreview.org/2018/02/doe-v-federal-democratic-republic-of-ethiopia/" > case comment </a> for the Harvard Law Review, and as this post summarizes, there are reasons for the Southern District of New York to think carefully before following <em>Doe </em>. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="TheDigitalVigilantes"> </a> <a href="https://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back" > <strong>The digital vigilantes who hack back </strong> </a> (The New Yorker, 7 May 2018) - <em> American companies that fall victim to data breaches want to retaliate against the culprits. But can they do so without breaking the law? </em> [ <strong>Polley </strong>: worth a close read; very interesting.] <a href="">top </a> </p> <p> <a name="DataBreachThat"> </a> <strong> <a href="https://www.law.com/njlawjournal/2018/05/01/data-breach-that-revealed-client-file-sparks-legal-malpractice-action/?kw=Data%20Breach%20That%20Revealed%20Client%20File%20Sparks%20Legal%20Malpractice%20Action&et=editorial&bu=ALMcyberSecure&cn=20180503&src=EMC-Email&pt=cyberSecureNews" > Data breach that revealed client file sparks legal malpractice action </a> </strong> (New Jersey Law Journal, 1 May 2018) - A matrimonial attorney and her firm are facing a <a href="https://images.law.com/contrib/content/uploads/documents/292/FILED-COMPLAINT-and-CIS-00130806xD5CAE.pdf" > malpractice suit in state Superior Court in Morris County, New Jersey </a> , after litigation over a divorce was disrupted by a <a href="https://www.law.com/njlawjournal/sites/nationallawjournal/2017/12/21/opioids-data-breaches-expected-to-dominate-mass-torts-in-2018/" > data breach </a> . <a href="">top </a> </p> <p> <a name="PirateRadio"> </a> <strong> <a href="https://www.nytimes.com/2018/05/03/arts/music/youtube-streaming-radio.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Pirate radio stations explode on YouTube </a> </strong> (NYT, 3 May 2018) - Luke Pritchard and Jonny Laxton were 13 when they met at a boarding school in Crowthorne, England, in 2011. 
They bonded over a shared love of underground music and in 2014 started a YouTube channel, <a href="https://www.youtube.com/channel/UCWzZ5TIGoZ6o-KtbGCyhnhg" target="_blank" > College Music </a> , to promote the artists they liked. At first, the channel grew slowly. Then, in the spring of 2016, Mr. Pritchard discovered 24/7 live-streaming, a feature that allows YouTube's users to broadcast a single video continuously. College Music had 794 subscribers in April 2015, a year before Mr. Pritchard and Mr. Laxton started streaming. A month after they began, they had more than 18,440. In April 2016, they had 98,110 subscribers and as of last month, with three active live streams, they have more than triple that amount, with 334,000. They make about $5,000 a month from the streams. The boys stumbled upon a new strategy, one that, in the past two years, has helped a certain kind of YouTube channel achieve widespread popularity. Hundreds of independently run channels have begun to stream music nonstop, with videos that combine playlists with hundreds of songs and short, looped animations, often taken from anime films without copyright permission. * * * The channels occupy a precarious space between YouTube's algorithm and its copyright policing, drawing comparisons to <a href="https://www.nytimes.com/1996/02/27/arts/pirate-radio-in-touch-with-the-village-not-the-fcc.html" target="_blank" > the unlicensed pirate radio stations of the 20th century </a> , recreated in the digital sphere. Many of the channels blink in and out of existence within a week, but their presence has become a compelling part of the site's musical ecosystem. And while competitors like Spotify are gaining, YouTube still dominates the streaming world, according to a report from the International Federation of the Phonographic Industry. 
<a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://ridethelightning.senseient.com/2018/04/a-fantastic-chart-on-the-admissibility-of-electronic-evidence.html" > <strong> A fantastic chart on the admissibility of electronic evidence </strong> </a> (RideTheLightning, 24 April 2018) - Thanks to my friend Craig Ball for a "Christmas in April" gift of a splendid post onthe admissibility of electronic evidence and a related chart shared with him by U.S. District Judge Paul Grimm and Kevin Brady, who is Of Counsel to Redgrave LLP. The <a href="http://craigball.com/Grimm%20Brady%20Evid%20Admiss%20Chart%202018.pdf" target="_blank" > chart </a> is beautifully designed and easy to use. It covers authentication, relevance, hearsay exceptions and the Best Evidence rule. <a href="">top </a> </p> <p> <a href="https://www.americanbar.org/content/aba/tools/digitalassetabstract.html/content/dam/aba/publications/business_lawyer/2018/73_2/article-distributed-stock-201804.pdf" > <strong>Distributed Stock Ledgers and Delaware Law </strong> </a> (ABA's The Business Lawyer, April 2018) - Effective August 1, 2017, the Delaware General Corporation Law (the "DGCL") now authorizes Delaware corporations to use blockchain technology to maintain stock ledgers and communicate with stockholders. Consistent with the DGCL's status as an enabling act that facilitates private ordering, the blockchain amendments are permissive. In the near term, they create a foundation for a technology ecosystem by removing any uncertainty about the validity of shares that have been issued or are maintained using blockchain technology. Over a longer time horizon, the amendments foreshadow a more flexible, dynamic, and digital future in which distributed ledger technology and smart contracts play major roles. 
<a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.pcworld.com/article/155743/oldest_domains.html"> <strong>The internet's 100 oldest dot-com domains </strong> </a> (PC World, 21 Dec 2008) - The Internet's been around in some form for decades. It wasn't until the mid-80s, though, that the Web as we know it started coming together -- and those precious dot-com domains started getting snatched up. As we finish out the tech-centric year of 2008, we thought we'd take a look back at the Internet's oldest commercial Web sites -- the ones registered back when chatting about "the Net" was as socially acceptable as wearing Jedi garb into a crowded nightclub. So grab your light sabers, dear friends -- we're boarding the Millennium Falcon and heading back to a virtual galaxy far, far away. [ <strong>Polley </strong>in 2008: Schlumberger was number 75 on May 20, 1987.] <a href="">top </a> </p> <p> <a href="https://bits.blogs.nytimes.com/2008/08/14/att-wants-to-watch-you-read-ads/" > <strong>AT&T mulls watching you surf </strong> </a> (New York Times, 14 August 2008) - AT&T is "carefully considering" monitoring the Web-surfing activities of customers who use its Internet service, the company said in a letter in response to an inquiry from the House Committee on Energy and Commerce. While the company said it hadn't tested such a system for monitoring display advertising viewing habits or committed to a particular technology, it expressed much more interest in the approach than the other big Internet providers who also responded to the committee's letter. AT&T did however promise that if it does decide to start tracking its customers online, it will "do so the right way." In particular, the advertising system will require customers to affirmatively agree to have their surfing monitored. 
This sort of "opt-in" approach is preferred by privacy experts to the "opt-out" method, practiced by most ad targeting companies today, which records the behavior of anyone who doesn't explicitly ask to not to be tracked. <a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-64177561430861611242018-04-14T07:21:00.000-04:002018-04-14T07:21:11.362-04:00MIRLN --- 25 March – 14 April 2018 (v21.05)<p> <a name="TOP"> </a> MIRLN --- 25 March - 14 April 2018 (v21.05) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_25_march_14_april_2018_v2105/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a>| <a href="">RESOURCES </a>| <a href="">LOOKING BACK </a>| <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <p> <a name="ANNOUNCEMENTS"> </a> <h3> ANNOUNCEMENTS </h3> </p> <p> Take a look at the new <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=280127783" > <em> ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals </em> </a> (2nd Edition). Published in November, it's already out-sold the 1st edition, probably because cyberattacks on law firms are in the news every day. The Handbook contains actionable information about "reasonable" security precautions for lawyers in every practice setting (solos, smalls, and large firms; in-house, government, and public-interest practitioners). Produced by the ABA Cybersecurity Legal Task Force (which I co-chair), it complements other resources for ABA members. 
Learn more here: ambar.org/cyber </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> Appeals court says it's okay to copyright an entire style of music </a> </li> <li> <a href="">NIST targets APTs with resilience strategies </a> </li> <li> <a href="">Lawyers have an obligation to stay on Facebook </a> </li> <li> <a href=""> A cyberattack hobbles Atlanta, and security experts shudder </a> </li> <li> <a href=""> New York City is launching public cybersecurity tools to keep residents from getting hacked </a> </li> <li> <a href=""> How to speed up your internet and protect your privacy with Cloudflare's new DNS service </a> </li> <li> <a href="">Law firms' guide to selecting a cloud-based vendor </a> </li> <li> <a href=""> NJ physician practice fined over $400,000 for data breach caused by vendor </a> </li> <li> <a href=""> Protecting election registration sites from cyber intrusions </a> </li> <li> <a href="">Combatting deep fakes through the right of publicity </a> </li> <li> <a href=""> Realistic docudramas don't violate California publicity rights-deHavilland v. FX </a> </li> <li> <a href=""> Tech thinks it has a fix for the problems it created: Blockchain </a> </li> <li> <a href="">US suspects cellphone spying devices in DC </a> </li> <li> <a href="">Anatomy of a cyber attack </a> </li> <li> <a href=""> Facebook scans the photos and links you send on Messenger, and it reads flagged chats </a> </li> <li> <a href="">What you don't know about how Facebook uses your data </a> </li> <li> <a href="">Is cybersecurity improving? 
</a> </li> <li> <a href=""> Cyberinsurance tackles the wildly unpredictable world of hacks </a> </li> <li> <a href="">RSS is undead </a> </li> <li> <a href="">Using Turnitin to teach students not to plagiarize </a> </li> </ul> <p> <a name="AppealsCourtSays"> </a> <a href="https://www.techdirt.com/articles/20180321/11202439470/appeals-court-says-okay-to-copyright-entire-style-music.shtml" > <strong> Appeals court says it's okay to copyright an entire style of music </strong> </a> <strong> </strong> (TechDirt, 21 March 2018) - We had hoped that the 9th Circuit might bring some sanity back to the music copyright world by overturning the <a href="https://www.techdirt.com/articles/20150310/14554330276/jury-says-robin-thicke-pharrell-infringed-even-if-they-didnt-mean-to-told-to-pay-73-million.shtml" > awful "Blurred Lines" ruling </a> that has already created a massive <a href="https://www.techdirt.com/articles/20170712/11252637772/copyright-madness-blurred-lines-mess-means-artists-now-afraid-to-name-their-inspirations.shtml" > chilling effect </a> among musicians... but no such luck. In a ruling released earlier this morning, the 9th Circuit <a href="https://assets.documentcloud.org/documents/4417163/Blurred-Lines-9thCir3-21-18.pdf" target="_blank" > largely affirmed </a> the lower court ruling that said that Pharrell and Robin Thicke infringed on Marvin Gaye's copyright by writing a song, "Blurred Lines," that was clearly inspired by Gaye's "Got To Give It Up." No one has denied that the songs had similar "feels" but "feeling" is not copyrightable subject matter. The compositions of the two songs were clearly different, and the similarity in feel was, quite obviously, paying homage to the earlier work, rather than "copying" it. 
For what it's worth, there appears to be at least some hesitation on the part of the majority ruling, recognizing that this ruling could create a huge mess in the music world, so it tries (and mostly fails) to insist that this ruling is on narrow grounds, specific to this case (and much of it on procedural reasons, which is a kind way of suggesting that the lawyers for Pharrell and Thicke fucked up royally). As the court summarizes: * * * <a href="">top </a> </p> <p> <a name="NISTtargets"> </a> <a href="https://gcn.com/articles/2018/03/21/nist-cyber-resilience-apt.aspx?admgarea=TC_SecCybersSec" > <strong>NIST targets APTs with resilience strategies </strong> </a> (GCN, 21 March 2018) - From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology's most recent draft publication aims to help organizations address vulnerabilities and create more "defensible and survivable systems." <a href="https://csrc.nist.gov/CSRC/media/Publications/sp/800-160/vol-2/draft/documents/sp800-160-vol2-draft.pdf" target="_blank" > "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems" </a> provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization's mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems. NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source." 
The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles. <a href="">top </a> </p> <p> <a name="LawyersHaveAn"> </a> </p> <p> <a href="https://kevin.lexblog.com/2018/03/27/lawyers-obligation-stay-facebook/" > <strong>Lawyers have an obligation to stay on Facebook </strong> </a> (Kevin O'Keefe, 27 March 2018) - Computer scientist and author, Jaron Lanier, in a ballyhooed <a href="https://www.theguardian.com/commentisfree/2018/mar/27/pioneer-delete-facebook-addiction-social-life" > op-ed </a> in the Guardian, challenges us all to delete Facebook. Lanier was no fan of Facebook before (having already urged people to delete their social media accounts), but after Cambridge Analytica he saw it as the perfect time to challenge everyone to beat the addiction, make a political statement and redefine your social life. The problem for lawyers is that Facebook represents the opportunity to engage the public where they are and on their terms. Like it or not, lawyers have an <a href="https://kevin.lexblog.com/2018/03/19/legal-tech-entrepreneurs-have-a-duty-to-seek-access-to-legal-services/" > ethical obligation </a> to make legal services accessible to people - not just to the impoverished, but to middle income individuals and small business people. To do this as a lawyer you not only need to go where the people are, but you need to establish trust by listening, sharing and nurturing relationships. More people spend more time on the Internet on Facebook than any other place. Social media, Facebook included, represents the town square, the coffee shop, the church group and the civic board of today. It's where lawyers establish enough trust and value in people's minds that legal services, at least through a lawyer, remain a viable answer for consumers and small business people. 
Lawyers jumping off Facebook can do so out of fear (perhaps legitimate) or to make a political statement, but by doing so they are turning on the public they serve. Access to legal services will only decline. [ <strong>Polley </strong>: interesting perspective, which I do not share.] <a href="">top </a> </p> <p> <a name="aCyberattackHobbles"> </a> <a href="https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html" > <strong> A cyberattack hobbles Atlanta, and security experts shudder </strong> </a> <strong> </strong> (NYT, 27 March 2018) - The City of Atlanta's 8,000 employees got the word on Tuesday that they had been waiting for: It was O.K. to turn their computers on. But as the city government's desktops, hard drives and printers flickered back to life for the first time in five days, residents still could not pay their traffic tickets or water bills online, or report potholes or graffiti on a city website. Travelers at the world's busiest airport still could not use the free Wi-Fi. Atlanta's municipal government has been brought to its knees since Thursday morning by a ransomware attack - one of the most sustained and consequential cyberattacks ever mounted against a major American city. The digital extortion aimed at Atlanta, which security experts have linked to a shadowy hacking crew known for its careful selection of targets, laid bare once again the vulnerabilities of governments as they rely on computer networks for day-to-day operations. The assault on Atlanta, the core of a metropolitan area of about six million people, represented a serious escalation from other recent cyberattacks on American cities, like one last year in Dallas where hackers gained the ability to set off tornado sirens in the middle of the night. 
Threat researchers at Dell SecureWorks, the Atlanta-based security firm helping the city respond to the ransomware attack, identified the assailants as the SamSam hacking crew, one of the more prevalent and meticulous of the dozens of active ransomware attack groups. The SamSam group is known for choosing targets that are the most likely to accede to its high ransom demands - typically the Bitcoin equivalent of about $50,000 - and for finding and locking up the victims' most valuable data. In Atlanta, where officials said the ransom demand amounted to about $51,000, the group left parts of the city's network tied in knots. Some major systems were not affected, including those for 911 calls and control of wastewater treatment. But other arms of city government have been scrambled for days. <a href="">top </a> </p> <p> - and - </p> <p> <a name="NewYorkCity"> </a> <a href="https://techcrunch.com/2018/03/29/nyc-secure-new-york-cybersecurity-app-de-blasio/" > <strong> New York City is launching public cybersecurity tools to keep residents from getting hacked </strong> </a> (TechCrunch, 29 March 2018) - In a week of harrowing <a href="https://www.nytimes.com/2018/03/27/us/cyberattack-atlanta-ransomware.html#click=https://t.co/4e50Auq6ol" > city-level cyber attacks </a> , New York is taking some precautions. While the timing is coincidental, New York City Mayor just announced that the city will introduce the first tools in its suite of cybersecurity offerings to protect residents against malicious online activity, particularly on mobile devices. When it launches this summer, New York residents will be able to download a free app called <a href="http://www1.nyc.gov/office-of-the-mayor/news/160-18/mayor-de-blasio-nyc-secure-city-s-first-ever-cybersecurity-initiative-protect-new" > NYC Secure </a> . 
The app will alert smartphone users to potential threats on their devices and offer tips for how to stay secure, "such as disconnecting from a malicious Wi-Fi network, navigating away from a compromised website, or uninstalling a malicious app." Because the app will take no active steps on its own, it'll be up to users to heed the advice presented to them. NYC Secure will not collect or transmit any personal identifying information or private data. The city will also beef up security over its public Wi-Fi networks, a notorious target for malicious actors looking to snoop on private information as it passes by unencrypted. The city will implement DNS protection through a service called <a href="https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/" > Quad9 </a> , a free public cybersecurity product out of the partnership between Global Cyber Alliance (GCA), IBM and Packet Clearing House. <a href="">top </a> </p> <p> - and - </p> <p> <a name="HowToSpeedUp"> </a> <a href="https://gizmodo.com/how-to-speed-up-your-internet-and-protect-your-privacy-1824256587" > <strong> How to speed up your internet and protect your privacy with Cloudflare's new DNS service </strong> </a> (Gizmodo, 2 April 2018) - Cloudflare has launched its own consumer Domain Name System (DNS) service that not only promises to keep your browsing history safe, but appears significantly faster than any other DNS service available. Cloudflare, known primarily for <a href="https://www.cloudflare.com/lp/ddos-a/?_bt=157293179478&_bk=cloudflare&_bm=e&_bn=g&gclid=EAIaIQobChMI5bKc8vqb2gIVWJJ-Ch2ViQH_EAAYASAAEgKQVPD_BwE" target="_blank" > DDoS mitigation </a> , launched DNS resolver 1.1.1.1 and 1.0.0.1 on Sunday and, at time of writing, analytics show it processing queries at 14.01ms, officially making it the internet's fastest DNS resolver. The other true benefit here is Cloudflare's perspective on handling user data. 
Prince said the company views user data as a "toxic asset," something it strives to either never collect or delete as quickly as possible. "Just at a policy level, Cloudflare's business has never been advertising or selling consumer data," Prince said. "As we started to talk to various browser manufacturers and others about what we were doing, they would come back and say, 'Well, we don't want you to retain logs for any longer than a week, we don't want you selling any of the data.' And I think they were kind of surprised when we returned back and said, 'Actually, we prefer never to write any personally identifiable information to disk and guarantee that we'll wipe all of the transactional logs and bug tracking logs within 24 hours.'" Prince said Cloudflare will also bring in an external monitor to certify that it is actually taking all of these steps to ensure user privacy. Those using the DNS services set by their ISPs can have their browsing history recorded, sold, and analyzed for advertising purposes. There are several ways to prevent this, but most involve using a VPN or the Tor browser, both of which can impact speed. There's also no guarantee that a VPN service isn't amassing your data itself. (If you're looking for a reliable VPN, however, I'd suggest <a href="https://www.privateinternetaccess.com/pages/how-it-works/" target="_blank" > Private Internet Access </a> or <a href="https://protonvpn.com/" target="_blank">ProtonVPN </a>.) For non-technical users who've never changed their DNS settings, it may seem like one of those unfamiliar options you'd rather not mess around with. But it's actually quite simple and takes only a few seconds-and, as you've read, the benefits can be significant. Below are instructions on how to change your DNS settings for Windows and Mac, as well as iPhone and Android devices. * * * [ <strong>Polley </strong>: You probably should do this; also install an ad-blocker; use a VPN (vet it first); etc.] 
<a href="">top </a> </p> <p> <a name="LawFirmsGuide"> </a> <a href="https://www.natlawreview.com/article/law-firms-guide-to-selecting-cloud-based-vendor" > <strong>Law firms' guide to selecting a cloud-based vendor </strong> </a> (Nat'l Law Review, 28 March 2018) - Selecting vendors can be a frustrating and complicated process-but it doesn't have to be. You've already got enough to think about while considering the differences in functionality across different products and vendors, and factoring in security is like going through the entire decision-making process all over again! With a few key considerations, though, you can vet vendors' security protocols like a pro, leaving you to make a choice that fits your budget and performance needs with the peace of mind that comes with knowing that security is covered. * * * [ <strong>Polley </strong>: workman-like checklist.] <a href="">top </a> </p> <p> - and - </p> <p> <a name="NJphysician"> </a> <a href="https://www.workplaceprivacyreport.com/2018/04/articles/hipaa/your-own-cybersecurity-is-not-enough-nj-physician-practice-fined-over-400000-for-data-breach-caused-by-vendor/?utm_source=eloqua&utm_medium=email_53680&utm_campaign=24326#page=1" > <strong> NJ physician practice fined over $400,000 for data breach caused by vendor </strong> </a> <strong> </strong> (Jackson Lewis, 8 April 2018) - Last week, New Jersey Attorney General Gurbir S. Grewal and the New Jersey Division of Consumer Affairs ("Division") <a href="http://nj.gov/oag/newsreleases18/pr20180404b.html">announced </a> that a physician group affiliated with more than 50 South Jersey medical and surgical practices agreed to pay $417,816 and improve data security practices to settle allegations it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet as a result of a server misconfiguration by a private vendor. 
In this case, according to the NJ Office of Attorney General, the physician practice used a third party vendor to transcribe dictations of medical notes, letters, and reports by doctors, a popular service provided to many physician practices and other medical providers across the country. When the vendor, a HIPAA business associate, attempted to update software on a password-protected File Transfer Protocol website ("FTP Site") where the transcribed documents were kept, it unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password. As a result, anyone who searched Google using search terms that happened to be contained within the dictation information would have been able to access and download the documents located on the FTP Site. These documents would have included doctor names, patient names, and treatment information concerning patients. <a href="">top </a> </p> <p> <a name="ProtectingElection"> </a> <a href="https://gcn.com/articles/2018/03/28/albert-intrusion-detection-voter-registration.aspx?admgarea=TC_SecCybersSec" > <strong> Protecting election registration sites from cyber intrusions </strong> </a> (GCN, 28 March 2018) - The Center for Internet Security's newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of a Department of Homeland Security's <a href="https://www.dhs.gov/einstein" target="_blank">Einstein </a> project, which focuses on detecting and blocking cyberattacks within federal agencies. 
DHS approached CIS about creating similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead. <a href="">top </a> </p> <p> <a name="CombatytingDeep"> </a> <a href="https://www.lawfareblog.com/combatting-deep-fakes-through-right-publicity" > <strong>Combatting deep fakes through the right of publicity </strong> </a> (Lawfare, 30 March 2018) - Fake news is bad enough already, but something much nastier is just around the corner: As Evelyn Douek <a href="https://www.lawfareblog.com/future-misinformation-lesson-access-hollywood" target="_blank" > explained </a> , the "next frontier" of fake news will feature machine-learning software that can cheaply produce convincing audio or video of almost <em>anyone </em> saying or doing just about <em>anything </em>. These may be " <a href="https://www.wired.com/video/2017/10/digital-avatars-and-future-of-fake-news/" target="_blank" > digital avatars </a> " built from <a href="https://qz.com/1230470/the-hottest-trend-in-ai-is-perfect-for-creating-fake-media/" target="_blank" > generative adversarial networks </a> (GANs), or they may rely on simpler face-swapping technology to create " <a href="https://www.nytimes.com/2018/03/04/technology/fake-videos-deepfakes.html" target="_blank" > deep fakes </a> ." The effect is the same: fake videos that look frighteningly real. Bobby Chesney and Danielle Citron recently <a href="http://www.lawfareblog.com/deep-fakes-looming-crisis-national-security-democracy-and-privacy" target="_blank" > sounded the alarm </a> on <em>Lawfare </em>about the threat to democracy from "deep fakes," lamenting "the limits of technological and legal solutions." They argue that existing law has a limited ability to force online platforms to police such content because "Section 230 of the Communications Decency Act immunizes from (most) liability the entities best situated to minimize damage efficiently: the platforms." 
But in fact, a loophole built into <a href="https://www.law.cornell.edu/uscode/text/47/230" target="_blank"> Section 230 </a> immunity-the intellectual property exception-could be helpful in combating deep fakes and other next-generation fake news. Victims of deep fakes may successfully bring " <a href="https://www.law.cornell.edu/wex/publicity" target="_blank"> right of publicity </a> " claims against online platforms, thereby forcing the platforms to systematically police such content. At a minimum, such right-of-publicity claims are likely to generate crucial litigation. * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="RealisticDocudramas"> </a> <a href="https://blog.ericgoldman.org/archives/2018/04/realistic-docudramas-dont-violate-california-publicity-rights-dehavilland-v-fx.htm" > <strong> Realistic docudramas don't violate California publicity rights-deHavilland v. FX </strong> </a> (Eric Goldman, 2 April 2018) - Last week, the California Court of Appeal ordered the dismissal of a right of publicity and false-light privacy lawsuit brought by legendary actress <a href="https://en.wikipedia.org/wiki/Olivia_de_Havilland"> Olivia de Havilland </a> against FX Networks over the depiction of her in the television miniseries <a href="https://en.wikipedia.org/wiki/Feud_(TV_series)"> <em>Feud: Bette and Joan </em> </a> (2017). The opinion is available <a href="http://www.courts.ca.gov/opinions/documents/B285629.PDF">here </a>. One of Hollywood's staples is the docudrama: a motion picture or television series based on real persons and real-life events. Recent examples include the television series <a href="https://en.wikipedia.org/wiki/The_People_v._O._J._Simpson:_American_Crime_Story" > <em>The People v. O.J. 
Simpson </em> </a> (which won nine Emmy awards), and the movies <a href="https://en.wikipedia.org/wiki/Hidden_Figures"> <em>Hidden Figures </em> </a> (about female mathematicians and engineers at NASA in the 1960s) and <a href="https://en.wikipedia.org/wiki/Darkest_Hour_(film)"> <em>Darkest Hour </em> </a> (about Winston Churchill's early days as Prime Minister). Sometimes docudramas are near-journalistic in nature, and sometimes they are heavily fictionalized; but all docudramas are necessarily dramatized to some extent, because it is impossible to depict real life with 100% accuracy. To depict private conversations, for example, a screenwriter must invent dialogue, because no one was there to record what was said, and even the participants to the conversation may remember it differently when interviewed in later years. It is also common for screenwriters to invent fictitious or composite characters to interact with the more well-known historical figures that are the focus of the docudrama. Docudramas have frequently been the source of litigation disputes. When real-life people are upset with how they are depicted in a movie or television series, they often turn to causes of action such as libel, false-light privacy, or the right of publicity to vindicate what they see as the truth. More often than not, these lawsuits fail; but they succeed often enough to avoid Rule 11 sanctions, and the cost of litigating these disputes may have a "chilling effect" on the willingness of Hollywood to take on certain subject material. Hollywood studios frequently pay people for the "rights" to tell their life stories, simply in order to avoid having a suit filed against them for a violation of their rights of privacy or publicity, and the attendant cost of litigation. 
* * * <a href="">top </a> </p> <p> <a name="TechThinks"> </a> <a href="https://www.nytimes.com/2018/04/01/technology/blockchain-uses.html" > <strong> Tech thinks it has a fix for the problems it created: Blockchain </strong> </a> (NYT, 1 April 2018) - Worried about someone hacking the next election? Bothered by the way Facebook and Equifax coughed up your personal information? The technology industry has an answer called the blockchain - even for the problems the industry helped to create. The first blockchain was created in 2009 as a new kind of database for the <a href="https://www.nytimes.com/2017/10/01/technology/what-is-bitcoin-price.html" > virtual currency Bitcoin </a> , where all transactions could be stored without any banks or governments involved. Now, countless entrepreneurs, companies and governments are looking to use similar databases - often independent of Bitcoin - to solve some of the most intractable issues facing society. "People feel the need to move away from something like Facebook and toward something that allows them to have ownership of their own data," said Ryan Shea, a co-founder of Blockstack, a New York company working with blockchain technology. The creator of the World Wide Web, <a href="https://www.nytimes.com/2016/06/08/technology/the-webs-creator-looks-to-reinvent-it.html" > Tim Berners-Lee, has said </a> the blockchain could help reduce the big internet companies' influence and return the web to his original vision. But he has also warned that it could come with some of the same problems as the web. Blockchain allows information to be stored and exchanged by a network of computers without any central authority. In theory, this egalitarian arrangement also makes it harder for data to be altered or hacked. In the first three months of 2018, venture capitalists put half a billion dollars into 75 blockchain projects, more than double what they raised in the last quarter of 2017, according to data from Pitchbook. 
Most of the projects have not gotten beyond pilot testing, and many are aimed at transforming mundane corporate tasks like financial trading and accounting. But some experiments promise to transform fundamental things, like the way we vote and the way we interact online. [ <strong>Polley </strong>: Quite interesting article (if a bit unstructured), and worth a close read.] <a href="">top </a> </p> <p> <a name="USsuspectsCellphone"> </a> <a href="https://apnews.com/d716aac4ad744b4cae3c6b13dce12d7e?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>US suspects cellphone spying devices in DC </strong> </a> (AP, 3 April 2018) - For the first time, the U.S. government has publicly acknowledged the existence in Washington of what appear to be rogue devices that foreign spies and criminals could be using to track individual cellphones and intercept calls and messages. The use of what are known as cellphone-site simulators by foreign powers has long been a concern, but American intelligence and law enforcement agencies - which use such eavesdropping equipment themselves - have been silent on the issue until now. In a <a href="https://www.documentcloud.org/documents/4429966-DHS-response-to-Wyden-3-26-18.html" > March 26 letter </a> to Oregon Sen. Ron Wyden, the Department of Homeland Security acknowledged that last year it <a href="https://www.documentcloud.org/documents/4430049-DHS-attachment-in-response-to-Wyden-3-26-18.html" > identified suspected unauthorized cell-site simulators </a> in the nation's capital. The agency said it had not determined the type of devices in use or who might have been operating them. Nor did it say how many it detected or where. The agency's response, obtained by The Associated Press from Wyden's office, suggests little has been done about such equipment, known popularly as Stingrays after a brand common among U.S. police departments. 
The Federal Communications Commission, which regulates the nation's airwaves, formed a task force on the subject four years ago, but it never produced a report and no longer meets regularly. * * * Legislators have been raising alarms about the use of Stingrays in the capital since at least 2014, when Goldsmith and other security-company researchers <a href="https://www.washingtonpost.com/world/national-security/researchers-try-to-pull-back-curtain-on-surveillance-efforts-in-washington/2014/09/17/f8c1f590-3e81-11e4-b03f-de718edeb92f_story.html" > conducted public sweeps </a> that located suspected unauthorized devices near the White House, the Supreme Court, the Commerce Department and the Pentagon, among other locations. Like other major world capitals, he said, Washington is awash in unauthorized interception devices. Foreign embassies have free rein because they are on sovereign soil. Every embassy "worth their salt" has a cell tower simulator installed, Turner said. They use them "to track interesting people that come toward their embassies." The Russians' equipment is so powerful it can track targets a mile away, he said. <a href="">top </a> </p> <p> <a name="Anatomy"> </a> <a href="https://www.law.com/newyorklawjournal/2018/04/04/anatomy-of-a-cyber-attack/" > <strong>Anatomy of a cyber attack </strong> </a> (NY Law Journal, 4 April 2018) - Cybersecurity is an increasingly important risk vector that impacts every facet of society. Day by day, businesses and even individuals are finding themselves to be targets of cyberattacks and lawyers are certainly no exception. The exponential scale of the problem can be seen in the fact that, according to a <a href="https://pages.riskbasedsecurity.com/2017-ye-breach-quickview-report" > recent report </a> , there were more records compromised in 2017 than there are people currently living on earth. 
While this risk is applicable to all organizations and individuals, lawyers, as safeguards of their clients' information, are particularly useful targets for cyber criminals. Lawyers of every stripe and specialty tend to possess large quantities of their clients' sensitive data and in many cases present a more desirable target than the clients themselves because the data of all of their clients is centralized in a single location. Recognizing this threat, the bar has taken steps to ensure that the profession rises to the challenge posed by the pervasive threat of cyber-compromise. The bar's understanding of the lawyer's duty to his or her clients has developed along two parallel paths - the duty of confidentiality and the duty of technological competence as applied in the digital context. In 2017, the American Bar Association proceeded along the first path and released <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/ABA%20Formal%20Opinion%20477.authcheckdam.pdf" > Formal Opinion 477 </a> , which dealt with cybersecurity in client communications. This is a fundamental departure from <a href="https://cryptome.org/jya/fo99-413.htm"> previously established guidance </a> from the ABA, which held that "A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint." While this specific rule change only affects attorney communications and not the practice of law more generally, it signals a change from the Bar that it is now more willing than ever to begin regulating cybersecurity and the practice of law. 
Not only has the ABA adopted these changes; in fact, twenty-eight state Bars <a href="https://www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html" > have adopted language </a> mandating that the duty of competency in representation extends to technological competence as well. [ <strong>Polley </strong>: not much new(s) here, but the New York Law Journal reaches an important audience; more and more visibility (and appreciation) of these kinds of issues.] <a href="">top </a> </p> <p> <a name="FacebookScans"> </a> <a href="http://www.latimes.com/business/la-fi-tn-facebook-messenger-privacy-20180404-story.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Facebook scans the photos and links you send on Messenger, and it reads flagged chats </strong> </a> (LA Times, 4 April 2018) - Facebook Inc. scans the links and images that people send each other on Facebook Messenger, and reads chats when they're flagged to moderators, making sure it all abides by the company's rules governing content. If it doesn't pass muster, it gets blocked or taken down. The company confirmed the practice after an interview with Chief Executive Mark Zuckerberg, published this week, raised questions about Messenger's practices and privacy. Zuckerberg told Vox's Ezra Klein a story about receiving a phone call related to ethnic cleansing in Myanmar. Facebook had detected people trying to send sensational messages through the Messenger app, he said. "In that case, our systems detect what's going on," Zuckerberg said. "We stop those messages from going through." Some people reacted with concern on Twitter: Was Facebook reading messages more generally? Facebook has been under scrutiny in recent weeks over how it handles users' private data, and the revelation struck a nerve. Messenger doesn't use the data from the scanned messages for advertising, the company said, but the policy may extend beyond what Messenger users expect. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="WhatYouDont"> </a> <a href="https://www.nytimes.com/2018/04/11/technology/facebook-privacy-hearings.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>What you don't know about how Facebook uses your data </strong> </a> (NYT, 11 April 2018) - * * * Facebook meticulously scrutinizes the minutiae of its users' online lives, and its tracking stretches far beyond the company's well-known targeted advertisements. Details that people often readily volunteer - age, employer, relationship status, likes and location - are just the start.Facebook tracks both its users and nonusers on other sites and apps. It collects biometric facial data without users' explicit "opt-in" consent. And the sifting of users can get quite personal. Among many possible target audiences, Facebook offers advertisers 1.5 million people "whose activity on Facebook suggests that they're more likely to engage with/distribute liberal political content" and nearly seven million Facebook users who "prefer high-value goods in Mexico." "Facebook can learn almost anything about you by using artificial intelligence to analyze your behavior," said <a href="https://www.eff.org/about/staff/peter-eckersley" title="Mr. Eckersley's bio." > Peter Eckersley, the chief computer scientist </a> for the Electronic Frontier Foundation, a digital rights nonprofit. "That knowledge turns out to be perfect both for advertising and propaganda. Will Facebook ever prevent itself from learning people's political views, or other sensitive facts about them?" Facebook uses a number of software tools to do this tracking. When internet users venture to other sites, Facebook can still monitor what they are doing with software like its ubiquitous "Like" and "Share" buttons, and something called Facebook Pixel - invisible code that's dropped onto the other websites that allows that site and Facebook to track users' activity. Ms. Dingell asked Mr. 
Zuckerberg how many non-Facebook sites used various kinds of Facebook tracking software: "Is the number over 100 million?" He said he'd have to get back to her with an answer. * * * <a href="">top </a> </p> <p> <a name="IsCybersecurity"> </a> <a href="https://www.lawfareblog.com/cybersecurity-improving"> <strong>Is cybersecurity improving? </strong> </a> (Lawfare, 5 April 2018) - Is cybersecurity improving overall? By at least some measures the answer is a surprising "yes." This <a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" > annual report from FireEye </a> gives us at least two reasons to think that trend lines are actually improving: First, as noted by <a href="https://www.axios.com/newsletters/axios-codebook-8d24cc93-dbc4-49cf-9892-58f505574ae8.html" target="_blank" > Joe Uchill of Axios Codebook </a> , the identity of who discovers an intrusion is changing drastically. As recently as 2011, 94 percent of intrusions were discovered and reported by outsiders - law enforcement, customers, or other observers. Today, victim companies discover 64 percent of their own breaches - a significant improvement in self-awareness. Second, that improvement has consequences. An intruder's "dwell time" inside a victim's system is less than a quarter of what it was in 2011. It's still too high - median dwell time is 75 days in the U.S., 175 in Europe and more than 490 in Asia - but the fact that it is down is a significant improvement. 
<a href="">top </a> </p> <p> <a name="Cyberinsurance"> </a> <a href="https://www.wired.com/story/cyberinsurance-tackles-the-wildly-unpredictable-world-of-hacks/" > <strong> Cyberinsurance tackles the wildly unpredictable world of hacks </strong> </a> (Wired, 6 April 2018) - In the aftermath of the <a href="https://www.wired.com/story/how-to-protect-yourself-from-that-massive-equifax-breach/" > Equifax data breach </a> last year that exposed personal information of more than 145 million people, analysis firm Property Claim Services <a href="https://www.reuters.com/article/us-usa-budget/trump-budget-plan-to-seek-funds-for-border-wall-infrastructure-opioid-treatment-idUSKBN1FW0BL" target="_blank" > estimated </a> that cyberinsurance would cover roughly $125 million of Equifax's losses from the incident. It's uncertain whether Equifax will actually receive that much money; insurance claims can take a long time to investigate, process, and pay out. But it was a reminder of the increasingly important role insurance plays in cybersecurity-and the challenges of getting it right. In 2016, the cyberinsurance market brought in around $3.5 billion in premiums globally, of which $3 billion came from US-based companies, <a href="https://www.oecd.org/daf/fin/insurance/Supporting-an-effective-cyber-insurance-market.pdf" target="_blank" > according to </a> the Organisation for Economic Co-operation and Development. That's not an enormous amount of money compared to other insurance markets; motor vehicle insurance premiums in the US, for instance, total more than <a href="http://www.latimes.com/business/la-fi-agenda-driverless-insurance-20160620-snap-story.html" target="_blank" > $200 billion annually </a> . But cyberinsurance premiums have grown steadily at a rate of roughly <a href="http://www.aon.com/inpoint/bin/pdfs/white-papers/Cyber.pdf" target="_blank" > 30 percent </a> every year for the past five years, in an industry unaccustomed to such spikes. 
With the Regulation poised to go into effect May 25, and firms of every size in every sector concerned about emerging online threats, insurance carriers see ample opportunity. But as the cyberinsurance market grows and those carriers take on responsibility for more computer-based risks, it becomes increasingly important that they model that risk and predict its outcomes accurately, a notoriously difficult task in the evolving and unpredictable domain of online threats. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk. "Typically in insurance we use the past as prediction for the future, and in cyber that's very difficult to do because no two incidents are alike," said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors. <a href="">top </a> </p> <p> <a name="RSS"> </a> <a href="https://techcrunch.com/2018/04/07/rss-is-undead/"> <strong>RSS is undead </strong> </a> (TechCrunch, 7 April 2018) - RSS died. 
Whether you blame <a href="https://techcrunch.com/2009/09/02/oh-rss-is-definitely-dead-now-feedburner-ceo-dick-costolo-to-become-twitter-coo/" > Feedburner </a> , or <a href="https://techcrunch.com/2013/07/01/we-were-the-1000-goodbye-google-reader/" > Google Reader </a> , or <a href="https://techcrunch.com/2018/03/14/alas-digg-reader-is-shutting-down-at-the-end-of-march/" > Digg Reader last month </a> , or any number of other product failures over the years, the humble protocol has managed to keep on trudging along despite all evidence that it is dead, dead, dead. Now, with scandal over Cambridge Analytica, there is a whole new wave of commentators calling for RSS to be resuscitated. <a href="https://www.wired.com/story/rss-readers-feedly-inoreader-old-reader/" > Brian Barrett at Wired said a week ago </a> that "… anyone weary of black-box algorithms controlling what you see online at least has a respite, one that's been there all along but has often gone ignored. Tired of Twitter? Facebook fatigued? It's time to head back to RSS." Let's be clear: RSS isn't coming back alive so much as it is officially entering its undead phase. Don't get me wrong, I love RSS. At its core, it is a beautiful manifestation of some of the most visionary principles of the internet, namely transparency and openness. The protocol really is simple and human-readable. It feels like how the internet was originally designed with static, full-text articles in HTML. Perhaps most importantly, it is decentralized, with no power structure trying to stuff other content in front of your face. It's wonderfully idealistic, but the reality of RSS is that it lacks the features required by nearly every actor in the modern content ecosystem, and I would strongly suspect that its return is not forthcoming. [ <strong>Polley </strong>: interesting; I use RSS to find about 20% of the content that goes into MIRLN.] 
<a href="">top </a> </p> <p> <a name="UsingTurnitin"> </a> <a href="https://www.insidehighered.com/advice/2018/04/10/how-use-turnitin-teach-students-not-plagiarize-opinion?utm_source=Inside+Higher+Ed&utm_campaign=58afbaf5a1-DNU20180111&utm_medium=email&utm_term=0_1fcbc04421-58afbaf5a1-197618481&mc_cid=58afbaf5a1&mc_eid=012fe6c04c" > <strong>Using Turnitin to teach students not to plagiarize </strong> </a> (InsideHigherEd, 10 April 2018) - By now, most educators know about Turnitin, and many of us have used it to scare our students out of submitting work written by someone else, whether that writer was a friend, an internet entrepreneur or even (in the most obvious cases) Wikipedia. The first time I used it to check for plagiarism, I have to admit that it was purely for the fear factor, as I hadn't learned much about the benefits the resource has to offer. I just looked at the similarity percentages to see how high they were, warning students that they would be penalized if they had plagiarized. It took me a while to understand how Turnitin can also be useful to students if they are taught how to take advantage of it as a tool. * * * Here's how I tell students to use Turnitin to check their papers. First, I set it up on my end so that they can submit multiple times and see their similarity percentages. Students have told me sometimes their other professors won't allow this, which might be to further discourage plagiarism attempts by preventing students from knowing whether they need to make changes, but I feel that this restricts a powerful teachable moment. Next, when students have polished their drafts to a point where they think they're finished, they submit and wait for the percentage. Obviously, a high percentage is less than ideal, but that alone won't provide everything they need to know. Plagiarism is still possible with a low score, so I then have them click "markup document" and the originality tab. 
A truer originality percentage will show up if they use the filter, located on the right-hand side, to exclude any quotes they have used, as those will obviously come directly from sources. I also tell them to click "exclude bibliography," as titles of sources they have used will also come up highlighted. Any other writing that is too close to a source will be marked in various colors. This is a good check to see where they may need to make some tweaks. * * * [ <strong>Polley </strong>: quite interesting.] <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://www.maine.gov/msl/libs/tech/How-to-Hotspot.pdf?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Starting A Mobile Hotspot Lending Program </strong> </a> (Maine.gov, March 2018) - Implementing a Mobile Hotspot Lending Program at your library offers up a world of possibilities for your patrons. Enabling patrons to take the Internet home offers a number of unique benefits such as: * * * By loaning out the Internet, just like a book, your Library can provide its patrons with 24/7 access to the Internet. In an increasingly interconnected world, the Internet is vital in day to day life. Offering mobile hotspot devices to your patrons will help meet their information needs in new and exciting ways. 
<a href="">top </a> </p> <p> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2018/04/borgesius-and-steenbruggen-on-the-right-to-communications-confidentiality-in-europe-protecting-trust.html" > <strong> Borgesius and Steenbruggen on The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression </strong> </a> (MLPB, 11 April 2018) - Frederik Zuiderveen Borgesius, University of Amsterdam, IVir Institute for Information Law (IViR), and Wilfred Steenbruggen, Bird & Bird, have published <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3152014"> The Right to Communications Confidentiality in Europe: Protecting Trust, Privacy, and Freedom of Expression. </a> Here is the abstract: <em> In the European Union, the General Data Protection Regulation (GDPR) provides comprehensive rules for the processing of personal data. In addition, the EU lawmaker intends to adopt specific rules to protect confidentiality of communications, in a separate ePrivacy Regulation. Some have argued that there is no need for such additional rules for communications confidentiality. This paper discusses the protection of the right to confidentiality of communications in Europe. We look at the right's origins as a fundamental right to assess the rationale for protecting the right. We also analyse how the right is currently protected under the European Convention on Human Rights and under EU law. We show that the right to communications confidentiality protects three values: trust in communication services, privacy, and freedom of expression. The right aims to ensure that individuals and businesses can safely entrust communication to service providers. Initially, the right protected only postal letters, but it has gradually developed into a strong safeguard for the protection of confidentiality of communications, regardless of the technology used. 
Hence, the right does not merely serve individual privacy interests, but also other interests that are crucial for the functioning of our information society. We conclude that separate EU rules to protect communications confidentiality, next to the GDPR, are justified and necessary to protect trust, privacy and freedom of expression. </em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://www.nbcnews.com/id/23827953/ns/technology_and_science-internet/t/comcast-stop-blocking-internet-traffic/#.WkVydCOZOAw" > <strong>Comcast to stop blocking Internet traffic </strong> </a> (NBC, 27 March 2008) - Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally. Comcast said it will collaborate with BitTorrent Inc., the company founded by the creator of the popular BitTorrent file-sharing protocol, to come up with better ways to transport large files over the Internet instead of delaying file transfers. Since user reports of interference with file-sharing traffic were confirmed by an Associated Press investigation in October, Comcast has been vigorously defending its practices, most recently at a hearing of the Federal Communications Commission in February. Consumer and "Net Neutrality" advocates have been equally vigorous in their attacks on the company, saying that by secretly blocking some connections between file-sharing computers, Comcast made itself a judge and gatekeeper for the Internet. They also accused Comcast of stifling delivery of Internet video, an emerging competitor to the cable company's core business. 
Comcast has said that its practices were necessary to keep file-sharing traffic from overwhelming local cable lines, where neighbors share capacity with one another. On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. <a href="">top </a> </p> <p> <a href="https://www.wired.com/2008/02/abracadabra-bush-makes-privacy-board-vanish/" > <strong>Abracadabra! Bush makes privacy board vanish </strong> </a> (Wired, 4 Feb 2008) - The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States. The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate's Homeland Security Committee. "I urge the president to move swiftly to nominate members to the new board to preserve the public's faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism," Lieberman said in a statement. "The White House's failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission," Collins said in a statement. 
<a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-11680840158616794932018-03-24T06:40:00.000-04:002018-04-13T10:50:39.135-04:00MIRLN --- 4-24 March 2018 (v21.04)<p> <a name="TOP"> </a> MIRLN --- 4-24 March 2018 (v21.04) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_4_24_march_2018_v2105/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#PODCASTS">PODCASTS </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="http://www.knowconnect.com/mirln/sources/">NOTES </a> </p> <ul> <li> <a href="#LetsFix">Let's fix peer review </a> </li> <li> <a href="#FireQuestions"> Five questions to test your understanding of the ethics of technology </a> </li> <li> <a href="#EthicsOpinion"> Ethics opinion stresses lawyers' duty of confidentiality when blogging </a> </li> <li> <a href="#HoganLovells"> Hogan Lovells, 4th largest US firm, moves into the cloud </a> </li> <li> <a href="#InternationalLaw"> International law and cyberspace: Evolving views </a> </li> <li> <a href="#CompaniesSharpen"> Companies sharpen cyber due diligence as M&A activity revenue up </a> </li> <li> <a href="#Reflecting">Reflecting on the original big idea for MOOCs </a> </li> <li> <a href="#Udacity">Udacity u-turns on money-back guarantee </a> </li> <li> <a href="#GeekSquad"> Geek Squad's relationship with FBI is cozier than we thought </a> </li> <li> <a href="#LargeLawFirms">Large law firms seeing more data breaches </a> </li> <li> <a href="#ConfusingAsHell"> 'Confusing as hell': Making sense of cyber insurance </a> </li> <li> <a href="#ForTwoMonths"> For two months, I got my news from print newspapers. Here's what I learned. 
</a> </li> <li> <a href="#TheFCCsays"> The FCC says a space startup launched four tiny satellites into orbit without permission </a> </li> <li> <a href="#CantWashington"> Can't Washington protect Americans from propaganda on social media? </a> </li> <li> <a href="#HowResearchers"> How researchers learned to use Facebook 'likes' to sway your thinking </a> </li> <li> <a href="#ACLUsues"> ACLU sues TSA over searches of electronic devices </a> </li> <li> <a href="#HistoricalSupreme"> Historical Supreme Court cases now online </a> </li> <li> <a href="#aCyberattackInSaudi"> A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try. </a> </li> <li> <a href="#InitialEstimates"> Initial estimates show digital economy accounted for 6.5 percent of GDP in 2016 </a> </li> <li> <a href="#ElectionInfrastructure"> Election infrastructure ISAC created to share threats specific to voting systems </a> </li> <li> <a href="#DemocratsWant"> Democrats want to subpoena Apple to find out when key administration officials downloaded encrypted messaging apps </a> </li> <li> <a href="#BigFourGiant"> Big four giant PWC announces blockchain auditing service </a> </li> <li> <a href="#NetflixForOil"> 'Netflix for oil' setting stage for $1 trillion battle over data </a> </li> <li> <a href="#ResultsMayVary"> Results may vary in legal research databases </a> </li> <li> <a href="#FormerGoogle"> Former Google legal heads launch Privacy Compliance Hub </a> </li> <li> <a href="#ThinkCryptocurrency"> Think cryptocurrency is confusing? Try paying taxes on it </a> </li> <li> <a href="#WhatIsProton"> What is ProtonMail, the service used by Cambridge Analytica to cover its tracks? 
</a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="LetsFix"> </a> <a href="https://raytruantlab.wordpress.com/2018/02/14/lets-fix-peer-review/" > <strong>Let's fix peer review </strong> </a> (Ray Truant Laboratory, 14 Feb 2018) - If one explains the current system of peer review to a non-scientist, the response is typically, "that's insane, I thought you guys were supposed to be smart". To recap: When we apply for a grant or want to publish our science, we secretly get the work reviewed by our peers, some of which are competing with us for precious funding, or a bizarre version of fame. Under the veil of anonymity, a reviewer can write anything, included false statements, or incorrect statements to justify a decision. The decision is most often, "do not fund" or "reject", even if the review is based off of inaccuracies, lack of expertise, or even blatant slander. There are no rules, there are no repercussions. There are few integrity guidelines, or oversight, nor rules of ethics in the review process for the most part. It can lead to internet trolling at a level of high art. In funding decisions, these mistakes can be missed by inattentive panels, but were definitely missed in the CIHR reform scheme before panels were re-introduced. We still have a problem of reviewers self-identifying expertise they simply do not have. Scientists have to follow strict rules of ethics when submitting data, including conflicts of interest, research ethics, etc. No such rules are often formally stated in the review process and can vary widely between journals. This system is historic, back to an era when biomedical research was a fraction of the size it is today, and journal Editors were typically active scientists. The community was small. But as science rapidly expanded in the 90s, so did scientific publishing, and soon editors became professional editors, with some never running a lab or research program. 
Then, came the digital revolution, and journals were no longer being read on paper and the pipeline to publish increased exponentially. What drove the massive expansion of journals? Money. Big money. And like many historic industries, it's thriving, mostly based off free slave labor. * * * [ <strong>Polley </strong>: Quite interesting; flagged for me by a former client. <em>See also </em> <a href="https://thewire.in/228888/who-may-swim-in-the-ocean-of-knowledge/"> <strong>Who May Swim in the Ocean of Knowledge? </strong> </a> (Carl Malamud, March 2018)] <a href="#TOP">top </a> </p> <p> <a name="FireQuestions"> </a> <strong> <a href="http://www.lawtechnologytoday.org/2018/03/understanding-of-the-ethics-of-technology/" > Five questions to test your understanding of the ethics of technology </a> </strong> (Law Technology Today, 1 March 2018) - More than 28 states now say lawyers have an ethical duty to be competent in technology. Indeed, a State Bar of California ethics opinion recently extended that duty to include competence in e-discovery, CA Formal Opinion No. 2015-193. On top of that, the federal courts have implemented new proportionality rules governing your duty to produce documents. All of this comes as lawyers grapple with thorny ethical issues concerning the use of cloud technology, storing privileged documents with outside vendors, and relying on smart but non-human computer algorithms for key tasks. So what are your ethical duties with using new technology, such as technology assisted review (TAR) in e-discovery? A careful look at five key questions surrounding the ethics of TAR can help you use it in a way that is strategic, reasonable and proportional to the matter. And will save you and your client on review costs. 
* * * <a href="#TOP">top </a> <strong> </strong> </p> <p> - and - </p> <p> <strong> </strong> </p> <p> <a name="EthicsOpinion"> </a> <strong> <a href="http://www.abajournal.com/news/article/ethics_opinion_stresses_lawyers_duty_of_confidentiality_blogging/" > Ethics opinion stresses lawyers' duty of confidentiality when blogging </a> </strong> (ABA Journal, 6 March 2018) - Lawyers should be mindful of the duty of confidentiality when they engage in public commentary, including blogging and other online postings, according to an ethics opinion from the ABA Standing Committee on Ethics and Professional Responsibility. <a href="http://www.abajournal.com/files/FO_480_FINAL.pdf"> Formal Ethics Opinion 480 </a> explains that lawyers communicating about legal topics in public commentary must comply with the ABA Model Rules of Professional Conduct, including <a href="https://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_6_confidentiality_of_information.html" > Rule 1.6(a) </a> , which provides: "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)." This duty of confidentiality is broad and includes all information related to the representation, not just information learned directly from the client. The reach of this rule is much broader than either the attorney-client privilege or the work product doctrine. The opinion explains that this duty of confidentiality applies even if the information about the client's representation is found in a court record or other public record. "The duty of confidentiality extends generally to information related to a representation whatever its source and without regard to the fact that others may be aware of or have access to such knowledge," the opinion reads. 
"The salient point is that when a lawyer participates in public commentary that includes client information, if the lawyer has not secured the client's informed consent or the disclosure is not otherwise impliedly authorized to carry out the representation, then the lawyer violates Rule 1.6(a)," the opinion continues. [ <strong>Polley </strong>: This is almost entirely "not news". But, it makes the point that even "public" client information shouldn't be blogged about.] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="HoganLovells"> </a> <strong> <a href="https://www.law.com/legaltechnews/2018/02/27/hogan-lovells-4th-largest-us-firm-moves-into-the-cloud/?kw=Hogan%20Lovells%2C%204th%20Largest%20US%20Firm%2C%20Moves%20Into%20the%20Cloud&et=editorial&bu=ALMcyberSecure&cn=20180308&src=EMC-Email&pt=cyberSecureNews" > Hogan Lovells, 4th largest US firm, moves into the cloud </a> </strong> (LegalTech, 1 March 2018) - Cloud adoption has been a slow-brewing trend in the legal sector over the last few years, but a recent announcement that Hogan Lovells, the <a href="https://www.law.com/nationallawjournal/almID/1202791138666/"> fourth-largest firm in the United States </a> based on the National Law Journal's 2017 rankings, has opted to adopt a cloud-based document management system may indicate that legal is moving more definitively into the cloud. Hogan Lovells recently announced that the firm plans to use cloud-based system NetDocuments as its primary document management system. Prior to the adoption, the firm was using two competing systems, iManage and OpenText, left over from the firm's merger of Washington D.C.-based Hogan & Hartson and U.K. firm Lovells in 2010. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="InternationalLaw"> </a> <strong> <a href="https://www.lawfareblog.com/international-law-and-cyberspace-evolving-views" > International law and cyberspace: Evolving views </a> </strong> (Lawfare, 4 March 2018) - On Feb. 
13, our colleague Robert Chesney <a href="https://lawfareblog.com/cyberspace-and-gray-zone-cybercominteragency-legal-conference" target="_blank" > flagged </a> the upcoming Cyber Command legal conference titled "Cyberspace Operations in the Gray Zone." The conference-which begins Monday morning and involves heavy interagency and private sector and academia participation-is set to address a number of key international and domestic law issues surrounding cyberspace operations, such as the exploiting of social media in the gray zone, the characterizing of information warfare in cyberspace, the protecting of domestic information systems, the countering of gray zone cyber threats, technology and warfare, and privacy implications of military cyberspace operations. Much of the conference will be geared towards sub-use of force issues and activities that may not clearly be governed by the law of armed conflict, which raises questions about when exactly cyber activities do or do not involve the use of force. The <a href="https://www.justsecurity.org/18891/state-humanitarian-law-cyber-conflict/" target="_blank" > U.S. </a> asserts that extant international law, to include International Humanitarian Law (IHL), applies to cyberspace, but it has yet to offer definitive guidance on what cyberattacks, short of those causing obvious large scale kinetic destruction, constitute a prohibited use of force or invoke the LOAC. While the <a href="http://assets.cambridge.org/97811071/77222/frontmatter/9781107177222_frontmatter.pdf" target="_blank" > Tallinn Manual 2.0 </a> may be the most comprehensive treatise on the applicability of international law to cyberspace thus far, it was developed without the official participation of, and has not been sanctioned by, States. The U.S. Government, for example, has taken no official position on the views set forth in the Manual. 
Because members of the military are tasked with following the law, defining the nuances of the applicability of international law in cyberspace should be a central priority. We hope that the following discussions can serve to enrich this week's conference, and further DoD's development of cyber law. This year, a number of excellent pieces of scholarship emerged that could help enhance conference discussions on key elements of international law, namely the principles governing cyber operations outside the context of armed conflict, such as sovereignty and the IHL principles of distinction and proportionality. In his personal capacity, Colonel Gary P. Corn, Staff Judge Advocate of USCYBERCOM, co-authored " <a href="https://www.cambridge.org/core/journals/american-journal-of-international-law/article/sovereignty-in-the-age-of-cyber/02314DFCFE00BC901C95FA6036F8CC70" target="_blank" > Sovereignty in the Age of Cyber </a> " with Robert Taylor, Former Principal Deputy General Counsel of DoD, and posted on SSRN an advance draft of an upcoming chapter titled, <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3089071" target="_blank" > "Cyber National Security: Navigating Gray Zone Challenges In and Through Cyberspace." </a> Meanwhile, Commander Peter Pascucci, Chief of Operational Law at USCYBERCOM, authored " <a href="http://minnjil.org/wp-content/uploads/2017/10/3-Pascucci-Final-macro.docx" target="_blank" > Distinction and Proportionality in Cyberwar: Virtual Problems with a Real Solution </a> ." These works add nuance to the applicability of international law principles to cyberspace and vary somewhat from the publicly stated views of prior State Department Legal Advisers, as we'll argue below. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="CompaniesSharpen"> </a> <strong> <a href="http://news.morningstar.com/all/dow-jones/services/2018030584/companies-sharpen-cyber-due-diligence-as-ma-activity-revenue-up.aspx?utm_source=eloqua&utm_medium=email_52852&utm_campaign=23900" > Companies sharpen cyber due diligence as M&A activity revenue up </a> </strong> (Morningstar, 5 March 2018) - Automatic Data Processing Inc. deployed a team of cybersecurity, risk management and financial-crime specialists to WorkMarket before acquiring it in January. The ADP team combed the software maker's technology, practices and internal policies. It also interviewed staff about monitoring for intrusions, training employees and performing other security tasks. The payroll processor also hired a cybersecurity firm to do its own evaluation. Security problems, said ADP's chief security officer Roland Cloutier, could kill any deal. "If we found out data was exfiltrated, we may walk away," he said. "We've looked at a lot of companies and only purchased a few. Security always plays a part." Companies are intensifying due diligence of acquisition targets to avoid costly cybersecurity surprises, particularly when intellectual property, such as software code or customer data, drives the deal. Gaps in data protection, undiscovered breaches, regulatory violations and other holes in a company's technology operations can threaten transactions. Such problems can also decrease the value of a deal or leave an acquirer liable for problems after a merger. ADP investigators typically look for trouble spots such as signs of an unauthorized presence on the target's network and scant or no evidence that employees have received security training. No significant problems surfaced at WorkMarket, but deep study of a target's cybersecurity helps executives forecast deal costs, Mr. Cloutier said. ADP typically spends two to four months on the process. Problems can arise even years later. FedEx Corp. 
moved quickly last month to secure a server that exposed data from customer driver's licenses and passports. FedEx inherited the server when it bought e-commerce service Bongo International in 2014. [ <strong>Polley </strong>: directly on point is the recently published ABA book " <strong> <a href="https://shop.americanbar.org/ebus/store.aspx?term=guide+to+cybersecurity+due+diligence+in+M%26A+transactions" > Guide to Cybersecurity Due Diligence in M&A Transactions </a> </strong> ", which I highly recommend.] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="Reflecting"> </a> <strong> <a href="https://www.insidehighered.com/blogs/technology-and-learning/reflecting-original-big-idea-moocs?utm_source=Inside+Higher+Ed&utm_campaign=f7c2633e08-DNU20180111&utm_medium=email&utm_term=0_1fcbc04421-f7c2633e08-197618481&mc_cid=f7c2633e08&mc_eid=012fe6c04c" > Reflecting on the original big idea for MOOCs </a> </strong> (InsideHigherEd, 6 March 2018) - Six years ago, inspired by a big idea to democratize higher education, the University of Michigan (U-M) became a founding partner of Coursera. Massive open online courses (MOOCs) were born. While the issuance of MOOC death certificates by skeptics is only rivaled in frequency by those filed by South Park writers for Kenny, MOOCs consistently find ways to survive and indeed thrive in nurturing environments. MOOCs are far from dead. Rather, they appear to hatch derivatives. Sean Gallagher of Northeastern University's Center for the Future of Higher Education and Talent Strategy refers to this as "the new ecology of credentials", a landscape transforming rapidly as we move from the early knowledge economy to the digital, AI, Gig economy. Which leads those of us close to the action to reflect often upon the original big idea for MOOCs. Typically stating a goal to "democratize" is followed by "access to" something. In hindsight, it's clear we hadn't fully considered the potential of what we might be democratizing. 
What, in fact, are we scaling? Is it content and courses? Curriculum and credentials? Communities and <a href="https://www.insidehighered.com/blogs/technology-and-learning/it-time-scale-college-towns-reimagining-public-engagement-through" target="_blank" > college towns </a> ? With <a href="https://record.umich.edu/articles/university-announces-first-online-degrees-through-coursera" target="_blank" > today's announcement </a> , we are now much closer to saying "all of the above". MOOCs may have initially provided learners an opportunity to simply peer into the university. Now MOOCs and MOOC derivatives (e.g. Teach-Outs, specializations, MicroMasters, MasterTrack, etc.) are helping universities to expand how they think about engaging with the world. For U-M, this is entirely consistent with top institutional priorities around academic innovation, diversity, equity, and inclusion, and public engagement. We are the global, inclusive, public research university. The real innovation of the MOOC era is not the unbundling of academic degrees that first captured massive attention, but rather the re-bundling that results from serious academic R&D - the creation of new communities and credentials for all levels. In announcing Michigan's new degrees this morning at the Coursera Partners Conference, Coursera CEO Jeff Maggioncalda contextualized these latest innovations as evidence that, "the future of work and the future of learning are converging." Today U-M announced the intent to design two new fully online master's degree programs and a new online cohort-based pathway to advanced degrees and career advancement called the MasterTrack Certificate. Let's consider this latest re-bundling effort within the broader context. 
* * * <a href="#TOP">top </a> <strong> </strong> </p> <p> - and - </p> <p> <a name="Udacity"> </a> <strong> <a href="https://www.insidehighered.com/news/2018/03/16/udacity-ends-pledge-students-get-hired-or-get-their-money-back?utm_source=Inside+Higher+Ed&utm_campaign=c94485ea30-DNU20180111&utm_medium=email&utm_term=0_1fcbc04421-c94485ea30-197618481&mc_cid=c94485ea30&mc_eid=012fe6c04c" > Udacity u-turns on money-back guarantee </a> </strong> (InsideHigherEd, 16 March 2018) - It was hailed as a "dream come true" by Udacity's founder and CEO Sebastian Thrun. "We now GUARANTEE a job for anyone who completes a Nanodegree Plus -- or else tuition back. Hope other universities follow," <a href="https://twitter.com/SebastianThrun/status/687315602973691904?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.class-central.com%2Freport%2Fudacity-2017-review%2F&tfw_creator=classcentral&tfw_site=classcentral" target="_blank" > tweeted </a> Thrun in January 2016. Now, it seems, the dream is over. Udacity has quietly scrapped its pledge, nixing the program, which guaranteed a job within six months of graduation or 100 percent of students' money back, at the end of last year. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="GeekSquad"> </a> <strong> <a href="https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought" > Geek Squad's relationship with FBI is cozier than we thought </a> </strong> (EFF, 6 March 2018) - After the prosecution of a California doctor revealed the FBI's ties to a <a href="https://www.washingtonpost.com/local/public-safety/if-a-best-buy-technician-is-a-paid-fbi-informant-are-his-computer-searches-legal/2017/01/09/f56028b4-d442-11e6-9cb0-54ab630851e8_story.html" > Best Buy Geek Squad </a> computer repair facility in Kentucky, new documents released to EFF show that the relationship goes back years. The records also confirm that the FBI has paid Geek Squad employees as informants. 
EFF filed a Freedom of Information Act <a href="https://www.eff.org/cases/fbi-geek-squad-informants-foia-suit"> (FOIA) lawsuit </a> last year to learn more about how the FBI uses Geek Squad employees to flag illegal material when people pay Best Buy to repair their computers. The relationship potentially <a href="https://www.eff.org/deeplinks/2017/02/FBI-tries-to-bypass-Fourth-Amendment-Safeguards-by-using-Geek-Squad" > circumvents computer owners' Fourth Amendment rights </a> . The documents released to EFF show that Best Buy officials have enjoyed a particularly close relationship with the agency for at least 10 years. For example, <a href="https://www.eff.org/document/geek-squad-foia-excerpt-fbi-meeting-repair-facility" > an FBI memo </a> from September 2008 details how Best Buy hosted a meeting of the agency's "Cyber Working Group" at the company's Kentucky repair facility. The memo and a related email show that Geek Squad employees also gave FBI officials a tour of the facility before their meeting and make clear that the law enforcement agency's Louisville Division "has maintained close liaison with the Geek Squad's management in an effort to glean case initiations and to support the division's Computer Intrusion and Cyber Crime programs." Another <a href="https://www.eff.org/document/geek-squad-foia-excerpt-fbi-payment-informant" > document </a> records a $500 payment from the FBI to a confidential Geek Squad informant. This appears to be one of the same payments at issue in the <a href="https://www.ocweekly.com/best-buy-geek-squad-informant-use-has-fbi-on-defense-in-child-porn-case-7794252/" > prosecution of Mark Rettenmaier </a> , the California doctor who was charged with possession of child pornography after Best Buy sent his computer to the Kentucky Geek Squad repair facility. 
Other documents show that over the years of working with Geek Squad employees, FBI agents developed a process for investigating and prosecuting people who sent their devices to the Geek Squad for repairs. The documents detail a series of FBI investigations in which a Geek Squad employee would call the FBI's Louisville field office after finding what they believed was child pornography. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="LargeLawFirms"> </a> <strong> <a href="http://ridethelightning.senseient.com/2018/03/large-law-firms-seeing-more-data-breaches.html" > Large law firms seeing more data breaches </a> </strong> (Ride the Lightning, 6 March 2018) - I know many readers have not read the <em>2017 ABA Legal Technology Survey </em> because it costs money, but it is well worth reviewing the cybersecurity highlights - more than 4,000 respondents were surveyed. 22% of respondents said their firms had experienced a data breach at some point, up from 14 percent last year - that's a big escalation. Significantly, respondents at firms with 500 or more attorneys took the bulk of those hits. Over one third of law firms with 10-99 attorneys reported being compromised in 2017 alone. Some of the key consequences from breaches were downtime, loss of billable hours, destruction or loss of files - and of course having to pay consulting fees for remediating damages from the attacks. As one might expect, reporting stats are much lower. 7% of firms with 500+ attorneys and 3% of firms with 10-49 attorneys reported unauthorized access to sensitive client data. 25% of firms reported having no security policies, though all firms with 500+ lawyers did have such policies. 66% of BigLaw firms do have an Incident Response Plan. 51% of firms with 100-499 attorneys and 43% of firms with 50-99 attorneys also have an incident response plan. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> - and - </p> <p> <strong> </strong> </p> <p> <a name="ConfusingAsHell"> </a> <a href="http://www.abajournal.com/news/article/confusing_as_hell_making_sense_of_cyber_insurance" > <strong>'Confusing as hell': Making sense of cyber insurance </strong> </a> (ABA Journal, 9 March 2018) - When it comes to managing a firm's cybersecurity risks, password regimens and encrypted backups are not enough. You need cyber insurance. A Friday morning panel at ABA Techshow entitled "Cyberinsurance: Necessary, Expensive and Confusing as Hell," attempted to demystify the nascent cyber insurance field while underscoring how vital it is to have some sort of insurance policy in place in case of cyberattacks. Panelists Judy Selby, a cyber insurance consultant and lawyer, and Sharon Nelson, president of Sensei Enterprises, laid out the case for the insurance and the challenges of understanding it. No matter how good your cybersecurity infrastructure may be, "it can't stop it all," said Nelson. She argued that cyber insurance is necessary, "because you are managing an enormous risk." Providing background on the relatively new area of cyber insurance, Nelson quoted a <a href="https://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf" > PricewaterhouseCoopers </a> report that found one-third of businesses have a cyber insurance policy. Additionally, she noted that policies are being offered by upwards of 60 insurers. At the same time, according to the 2017 ABA Legal Technology Survey, <a href="https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security.html" > 22 percent of solo and small firms </a> reported a data breach-an increase compared to the previous year, when 14 percent of such firms reported a breach. For many, this can be devastating. According to Nelson, it has been reported that half of all small businesses close within six months after a breach. 
Cyber insurance varies, but these types of policies can often cover first-party contingencies like legal, forensic, notification, credit monitoring and breach coach costs. It may also cover business interruption incurred by the insured or contingent business interruption, which provides coverage when a third-party service provider that the insured relies on, such as a cloud storage vendor, cannot operate because of a cyber incident. Policies may also cover data restoration, extortion, denial of service attacks and social engineering attacks. Some policies will cover third-party contingencies like privacy and network liability, public relations, regulatory liability, fines and payment card issuer liability. With growing demand and offerings, the cyber insurance market is still new, or a "soft market" in the terms of the presenters. This means that prices vary and terms and exclusions in cyber coverage are not standardized across the industry. "No matter what two policies you're looking at, it's apples and oranges," said Nelson. This includes ubiquitous terms like "cyber incident" or "social engineering," which will be defined by the insurer in their own idiosyncratic way. To this end, both say it is important to read through potential policies with an eye toward detail and definitions. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="ForTwoMonths"> </a> <strong> <a href="https://www.nytimes.com/2018/03/07/technology/two-months-news-newspapers.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > For two months, I got my news from print newspapers. Here's what I learned. </a> </strong> (NYT, 7 March 2018) - I first got news of the school shooting in Parkland, Fla., via an alert on my watch. Even though I had turned off news notifications months ago, the biggest news still somehow finds a way to slip through. But for much of the next 24 hours after that alert, I heard almost nothing about the shooting. There was a lot I was glad to miss. 
For instance, I didn't see the <a href="https://twitter.com/maxwelltani/status/963904779046014977"> false claims </a> - possibly amplified <a href="https://www.nytimes.com/2018/02/19/technology/russian-bots-school-shooting.html" > by propaganda bots </a> - that the killer was a leftist, an anarchist, a member of ISIS and perhaps just one of multiple shooters. I missed the Fox News report tying him to <a href="http://dailycaller.com/2018/02/14/florida-shooter-syrian-groups/"> Syrian resistance groups </a> even before his name had been released. I also didn't see the claim circulated by many news outlets ( <a href="https://www.nytimes.com/2018/02/15/podcasts/the-daily/trump-immigration-parkland-school-shooting.html" > including The New York Times </a> ) as well as by Senator Bernie Sanders and other liberals on Twitter that the massacre had been the 18th school shooting of the year, <a href="https://www.washingtonpost.com/local/no-there-havent-been-18-school-shooting-in-2018-that-number-is-flat-wrong/2018/02/15/65b6cf72-1264-11e8-8ea1-c1d91fcec3fe_story.html?utm_term=.334dd83f1b4f" > which wasn't true </a> . Instead, the day after the shooting, a friendly person I've never met dropped off three newspapers at my front door. That morning, I spent maybe 40 minutes poring over the horror of the shooting and a million other things the newspapers had to tell me. Not only had I spent less time with the story than if I had followed along as it unfolded online, I was better informed, too. Because I had avoided the innocent mistakes - and the more malicious misdirection - that had pervaded the first hours after the shooting, my first experience of the news was an accurate account of the actual events of the day. This has been my life for nearly two months. In January, after the breaking-newsiest year in recent memory, I decided to travel back in time. 
I turned off my digital news notifications, unplugged from Twitter and other social networks, and subscribed to home delivery of three print newspapers - The Times, The Wall Street Journal and my local paper, The San Francisco Chronicle - plus a weekly newsmagazine, The Economist. I have spent most days since then getting the news mainly from print, though my self-imposed asceticism allowed for podcasts, email newsletters and long-form nonfiction (books and magazine articles). Basically, I was trying to <a href="https://www.youtube.com/watch?v=ziwYbVx_-qg">slow-jam the news </a> - I still wanted to be informed, but was looking to formats that prized depth and accuracy over speed. It has been life changing. Turning off the buzzing breaking-news machine I carry in my pocket was like unshackling myself from a monster who had me on speed dial, always ready to break into my day with half-baked bulletins. Now I am not just less anxious and less addicted to the news, I am more widely informed (though there are some blind spots). And I'm embarrassed about how much free time I have - in two months, I managed to read half a dozen books, took up pottery and (I think) became a more attentive husband and father. * * * [ <strong>Polley </strong>: resonates with me and the idea of <em>saving </em> time is attractive. For me, this story was the tipping point: I've just re-subscribed to New York Times home-delivery, hardcopy. I've been missing too much.] 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="TheFCCsays"> </a> <strong> <a href="https://www.theverge.com/2018/3/10/17102888/the-fcc-says-a-space-startup-launched-four-tiny-satellites-into-orbit-without-permission?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > The FCC says a space startup launched four tiny satellites into orbit without permission </a> </strong> (The Verge, 10 March 2018) - Earlier this year, a space startup from Silicon Valley launched four of its first prototype communications satellites on top of an Indian rocket. Except the FCC says that the company didn't have authorization to send up those spacecraft from the US government, <a href="https://spectrum.ieee.org/tech-talk/aerospace/satellites/fcc-accuses-stealthy-startup-of-launching-rogue-satellites" > <em>IEEE Spectrum </em> reports </a> . It would seemingly mark the first time a US private company launched unlicensed satellites into orbit - and these rogue spacecraft could pose a danger to other objects in space. The four satellites reportedly belong to a fledgling company called Swarm Technologies, which was started by former Google and NASA JPL engineer Sara Spangelo in 2016. The probes, dubbed SpaceBees 1, 2, 3, and 4, are meant to test out Swarm's idea for a "space-based Internet of Things" network, according to IEEE, and went up as part of a cluster of 31 satellites aboard an Indian Polar Satellite Launch Vehicle (PSLV) rocket on January 12th. At the time of the launch, India's space agency <a href="https://www.isro.gov.in/sites/default/files/flipping_book/PSLV-C40_Cartosat2SeriesMission/files/assets/common/downloads/PSLV-C40%20-%20Cartosat%202%20Series%20Mission.pdf" > didn't name the operator of the four satellites </a> . 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="CantWashington"> </a> <strong> <a href="https://www.poynter.org/news/morning-mediawire-cant-washington-protect-americans-propaganda-social-media?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > Can't Washington protect Americans from propaganda on social media? </a> </strong> (Poynter, 12 March 2018) - The past two years have taught us that the United States needs a better handle on what social networks are doing to manipulate and prioritize information. If there's one thing that Washington could do, it would be to provide better safeguards to ensure that these powerful tools are not used to mislead the public again. That's part of the message from Martha Minow, longtime Harvard Law school dean and expert on the shifting media and technological landscape. Minow also casts a skeptical eye on the concentration of local media ownership by companies such as Sinclair Broadcasting. We need action now, or independent news as we know it won't be around, she warned in <a href="https://brown.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=0f92574b-5d72-45af-bc1c-a889012556c2" > a speech </a> last week at Brown University. Minow cites the Constitution as impetus for Washington "to improve reliable access to material enabling competing views and authentication of messages and sources. The government can protect users against bombardment by computer-generated messages that drown out news and drive citizens away from the exchange needed for democratic self-governance." "Nothing in the Constitution forecloses government action to regulate concentrated economic power, to require disclosure of who is financing communications, and to support news initiatives where there are market failures. The First Amendment forbids Congress from 'abridging' the freedom of speech and freedom of press; it does not forbid strengthening it and amplifying news. 
"Affirmative government action may be precisely what the First Amendment actually requires now." <a href="#TOP">top </a> <strong> </strong> </p> <p> - and - </p> <p> <strong> </strong> </p> <p> <a name="HowResearchers"> </a> <strong> <a href="https://www.nytimes.com/2018/03/20/technology/facebook-cambridge-behavior-model.html?rref=collection/issuecollection/todays-new-york-times&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > How researchers learned to use Facebook 'likes' to sway your thinking </a> </strong> (NYT, 20 March 2018) - Perhaps at some point in the past few years you've told Facebook that you like, say, Kim Kardashian West. When you hit the thumbs-up button on her page, you probably did it because you wanted to see the reality TV star's posts in your news feed. Maybe you realized that marketers could target advertisements to you based on your interest in her. What you probably missed is that researchers had figured out how to tie your interest in Ms. Kardashian West to certain personality traits, such as how extroverted you are (very), how conscientious (more than most) and how open-minded (only somewhat). And when your fondness for Ms. Kardashian West is combined with other interests you've indicated on Facebook, researchers believe their algorithms can predict the nuances of your political views with better accuracy than your loved ones. As The New York Times <a href="https://www.nytimes.com/2018/03/17/us/politics/cambridge-analytica-trump-campaign.html" > reported on Saturday </a> , that is what motivated the consulting firm Cambridge Analytica to collect data from more than 50 million Facebook users, without their consent, to build its own behavioral models to target potential voters in various political campaigns. The company has worked for a political action committee started by John R. Bolton, who served in the George W. Bush administration, as well as for President Trump's presidential campaign in 2016. 
"We find your voters and move them to action," the company boasts on its website. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="ACLUsues"> </a> <strong> <a href="https://techcrunch.com/2018/03/12/aclu-sues-tsa-over-searches-of-electronic-devices/" > ACLU sues TSA over searches of electronic devices </a> </strong> (Tech Crunch, 12 March 2018) - The American Civil Liberties Union of Northern California <a href="https://www.aclunc.org/news/aclu-northern-california-lawsuit-demands-information-tsa-searches-domestic-airline-passengers" > has filed a Freedom of Information Act lawsuit </a> against the Transportation Security Administration over its alleged practices of searching the electronic devices of passengers traveling on domestic flights. "The federal government's policies on searching the phones, laptops, and tablets of domestic air passengers remain shrouded in secrecy," ACLU Foundation of Northern California attorney Vasudha Talla said in a blog post. The lawsuit, which is directed toward the TSA field offices in San Francisco and its headquarters in Arlington, Virginia, specifically asks the TSA to hand over records related to its policies, procedures and/or protocols pertaining to the search of electronic devices. This lawsuit comes after a number of reports came in pertaining to the searches of electronic devices of passengers traveling domestically. The ACLU also wants to know what equipment the TSA uses to search, examine and extract any data from passengers' devices, as well as what kind of training TSA officers receive around screening and searching the devices. 
[ <em>see also, </em> <strong> <a href="https://businesslawtoday.org/2018/03/u-s-border-searches-of-electronic-devices-recent-developments-and-lawyers-ethical-responsibilities/" > US border searches of electronic devices: Recent developments and lawyers' ethical responsibilities </a> </strong> (ABA, 13 March 2018) - by Keith Fisher (and, as always, worth reading)] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="HistoricalSupreme"> </a> <a href="https://www.loc.gov/item/prn-18-026/?loclr=twloc"> <strong>Historical Supreme Court cases now online </strong> </a> (Library of Congress, 13 March 2018) - More than 225 years of Supreme Court decisions acquired by the Library of Congress are now publicly available online - free to access in a page image format for the first time. The Library has made available more than 35,000 cases that were published in the printed bound editions of United States Reports (U.S. Reports). United States Reports is a series of bound case reporters that are the official reports of decisions for the United States Supreme Court dating to the court's first decision in 1791 and to earlier courts that preceded the Supreme Court in the colonial era. The Library's new online collection offers access to individual cases published in volumes 1-542 of the bound edition. This collection of Supreme Court cases is fully searchable. Filters allow users to narrow their searches by date, name of the justice authoring the opinion, subject and by the main legal concepts at issue in each case. PDF versions of individual cases can be viewed and downloaded. The collection is online at <a href="https://www.loc.gov/collections/united-states-reports/"> loc.gov/collections/united-states-reports/ </a> . The digital versions of the U.S. Reports in the new collection were acquired by the Law Library of Congress through a purchase agreement with William S. Hein & Co. Inc. 
The acquisition is part of the Law Library's transition to a digital future and in support of its efforts to make historical U.S. public domain legal materials freely and easily available to Congress and the world. Users can access this collection from a link on <a href="https://www.loc.gov/collections/united-states-code/">loc.gov </a> and <a href="http://www.loc.gov/law/help/us-code.php">law.gov </a>. More recent editions of the U.S. Reports from 1987 to the present are available online from the U.S. Supreme Court. The U.S. Reports digital collection augments other legal collections made available online during the past year, including the U.S. Code from 1925 to 1988. Other newly digitized collections include the papers of U.S. Presidents James Buchanan, Ulysses S. Grant, Millard Fillmore, Franklin Pierce and James K. Polk; and the papers of Alexander Hamilton, Sigmund Freud and Margaret Bayard Smith. [ <strong>Polley </strong>: Spotted by MIRLN reader Carl Malamud - @carlmalamud] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="aCyberattackInSaudi"> </a> <a href="https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html" > <strong> A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try. </strong> </a> <strong> </strong> (NYT, 15 March 2018) - In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm's operations and trigger an explosion. The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. 
And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American-engineered computer systems that were compromised. Investigators have been tight-lipped about the August attack. They still won't identify the company or the country where it is based and have not identified the culprits. But the attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation. The only thing that prevented an explosion was a mistake in the attackers' computer code, the investigators said. The assault was the most alarming in a string of cyberattacks on petrochemical plants in Saudi Arabia. In January 2017, computers went dark at the National Industrialization Company, Tasnee for short, which is one of the few privately owned Saudi petrochemical companies. Computers also crashed 15 miles away at Sadara Chemical Company, a joint venture between the oil and chemical giants Saudi Aramco and Dow Chemical. Within minutes of the attack at Tasnee, the hard drives inside the company's computers were destroyed and their data wiped clean, replaced with an image of <a href="https://www.nytimes.com/2016/09/03/world/middleeast/alan-kurdi-aylan-anniversary-turkey-syria-refugees-death.html" > Alan Kurdi </a> , <a href="https://www.nytimes.com/2015/09/04/world/europe/syria-boy-drowning.html" > the small </a> <a href="https://www.nytimes.com/2015/09/04/world/europe/syria-boy-drowning.html" > Syrian child </a> who drowned off the coast of Turkey during his family's attempt to flee that country's civil war. 
The intent of the January attacks, Tasnee officials and researchers at the security company Symantec believe, was to inflict lasting damage on the petrochemical companies and send a political message. Recovery took months. Energy experts said the August attack could have been an attempt to complicate <a href="https://www.nytimes.com/2017/11/14/world/middleeast/saudi-arabia-mohammed-bin-salman.html" > Crown Prince Mohammed bin Salman's plans </a> to encourage foreign and domestic private investment to diversify the Saudi economy and produce jobs for the country's growing youth population. A team at Schneider Electric, which made the industrial systems that were targeted, called Triconex safety controllers, is also looking into the attack, the people who spoke to The Times said. So are the National Security Agency, the F.B.I., the Department of Homeland Security and the Pentagon's Defense Advanced Research Projects Agency, which has been supporting research into forensic tools designed to assist hacking investigations. All of the investigators believe the attack was most likely intended to cause an explosion that would have killed people. In the last few years, explosions at petrochemical plants in China and Mexico - though not triggered by hackers - have killed several employees, injured hundreds and forced evacuations of surrounding communities. What worries investigators and intelligence analysts the most is that the attackers compromised Schneider's Triconex controllers, which keep equipment operating safely by performing tasks like regulating voltage, pressure and temperatures. Those controllers are used in about 18,000 plants around the world, including nuclear and water treatment facilities, oil and gas refineries, and chemical plants. The Triconex system was believed to be a "lock and key operation." In other words, the safety controllers could be tweaked or dismantled only with physical contact. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="InitialEstimates"> </a> <strong> <a href="https://www.ntia.doc.gov/blog/2018/initial-estimates-show-digital-economy-accounted-65-percent-gdp-2016" > Initial estimates show digital economy accounted for 6.5 percent of GDP in 2016 </a> </strong> (NTIA, 15 March 2018) - The Bureau of Economic Analysis released, for the first time, preliminary statistics and an accompanying report exploring the size and growth of the digital economy. Goods and services that are primarily digital accounted for 6.5 percent of the U.S. economy, or $1.2 trillion, in 2016, after a decade of growing faster than the U.S. economy overall, BEA's research shows. These new estimates are supported in part by funding from NTIA. From 2006 to 2016, the digital economy grew at an average annual rate of 5.6 percent, outpacing overall U.S. economic growth of 1.5 percent per year. In 2016, the digital economy supported 5.9 million jobs, or 3.9 percent of total U.S. employment. Digital economy employees earned $114,275 in average annual compensation compared with $66,498 per worker for the total U.S. economy. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="ElectionInfrastructure"> </a> <strong> <a href="https://www.cyberscoop.com/election-infrastructure-isac-dhs-cis/" > Election infrastructure ISAC created to share threats specific to voting systems </a> </strong> (CyberScoop, 16 March 2018) - States and localities are getting a new, Department of Homeland Security-backed center to coordinate and share information on election security. The Elections Infrastructure Information Sharing and Analysis Center (ISAC) was announced Thursday, giving the nation's 8,800 state and local jurisdictions a dedicated venue to share information about cyberthreats and vulnerabilities specific to election systems, along with remote security monitoring capabilities. 
DHS has tasked the nonprofit Center for Internet Security with establishing and running the ISAC. CIS already runs the <a href="https://www.fedscoop.com/ms-isac-einstein-inspired-program-almost-used-by-every-state/" > Multi-State ISAC </a> , which states have been using to coordinate on election security in lieu of any official election-specific ISAC. <a href="https://www.nationalisacs.org/member-isacs">Other ISACs exist </a> for DHS's critical infrastructure sectors, such as the financial services, electricity and aviation industries. DHS designated election systems as a subsector of the country's critical infrastructure in early 2017 when the intelligence community concluded that Russia tried to interfere in the 2016 presidential election. While that designation was initially <a href="https://www.cyberscoop.com/dhs-elections-systems-critical-infrastructure-state-local-officials/" > met with skepticism </a> on the state and local level, <a href="https://www.cyberscoop.com/election-security-information-sharing-dhs-cis/" > officials now say </a> that it has improved election security coordination across levels of government. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="DemocratsWant"> </a> <strong> <a href="https://theintercept.com/2018/03/17/trump-russia-apple-whatsapp/" > Democrats want to subpoena Apple to find out when key administration officials downloaded encrypted messaging apps </a> </strong> (The Intercept, 17 March 2018) - On Wednesday, House Democrats on the Intelligence Committee released a memo laying out the steps they would have taken had they been in charge of the Trump-Russia investigation - and steps they may take if and when they gain subpoena power by taking over the House of Representatives in November. 
Down on Page 20 of the memo is a pair of ideas that could put Congress on a collision course with privacy advocates in Silicon Valley. "Apple: The Committee should seek records reflecting downloaded encrypted messaging apps for certain key individuals," <a href="https://democrats-intelligence.house.gov/uploadedfiles/final_-_minority_status_of_the_russia_investigation_with_appendices.pdf" > the memo suggests. </a> "The Committee should likewise issue a subpoena to WhatsApp for messages exchanged between key witnesses of interest." The committee said that it would also seek to find out "all messaging applications that Mr. [Jared] Kushner used during the campaign as well as the presidential transition, including but not limited to SMS, iMessage, Whatsapp, Facebook Messenger, Signal, Slack, Instagram, and Snapchat." The committee may also consider adding ProtonMail, the encrypted email service, to that list. One White House staffer, Ryan P. McAvoy, jotted his ProtonMail passwords and his address on a piece of White House stationery and left it at a bus stop near the White House. A source found it there and provided it to The Intercept, which confirmed its authenticity. (McAvoy did not respond to requests for comment.) <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="BigFourGiant"> </a> <strong> <a href="https://www.ccn.com/pwc-to-provide-audit-service-for-blockchain-to-stimulate-adoption/" > Big four giant PWC announces blockchain auditing service </a> </strong> (CCN, 17 March 2018) - PricewaterhouseCoopers LLP, a Big Four accounting firm that has supported various blockchain projects, has announced a blockchain audit service that it claims will encourage people to use the still new technology, according to <a href="http://www.paywallnews.com/business/PwC-Has-an-Answer-for-the-Blockchain--Audit-It-.rJXaFXFKz.html" > The Wall Street Journal </a> . 
The service will allow companies to offer an outside review of their use of blockchain technology, thereby ensuring they are using it properly and enabling employees to monitor the company's blockchain transactions. PwC recognizes the obstacles to the technology's adoption. These include concerns about compliance within companies and organizations, as well as concerns about risk management and corporate controls. While blockchain is often considered tamper-proof, its adoption presents issues similar to those of deploying any information technology. In recognizing such concerns among its own clients who were starting to use blockchain technology, PwC was motivated to develop its new solution. PwC logs transactions on the blockchain and has developed testing criteria and controls. The service allows users within a company to view, test and monitor transactions on the blockchain in near real time. One customer is a major stock exchange that needs to verify its blockchain based payment process. Another customer, a digital wallet provider, is using the product to verify its transaction processing. PwC declined to identify these two customers. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="NetflixForOil"> </a> <a href="https://www.bloomberg.com/news/articles/2018-03-19/-netflix-for-oil-setting-stage-for-1-trillion-battle-over-data" > <strong> 'Netflix for oil' setting stage for $1 trillion battle over data </strong> </a> (Bloomberg, 19 March 2018) - A battle for big data is brewing in the oil patch. The service companies that map underground pockets of oil, drill the wells and lift crude from miles below are generating vast new amounts of data they never before realized could be valuable. But their exploration customers are essentially saying hands off to anything coming out of their wells, including the streams of zeros and ones. 
"There's no doubt to me, we are producing two resources: the oil and gas, and the data," said Philippe Herve, a Schlumberger Ltd. veteran who now helps oil companies use artificial intelligence at SparkCognition. "The oil and gas is very clear: it belongs to the operator. But who owns the data?" Answering that question will mean real money for a global industry climbing out of the worst crude crash in a generation. An industry that only uses about 1 percent of the data it generates, according to <a href="https://www.bloomberg.com/quote/BHGE:US" target="_blank" title="Financial Data" > Baker Hughes </a> , is trying to harness it to see where to pump more oil faster for less money. Transforming to a digital oil field could add almost $1 trillion to the world's economy by 2025, according to a 2015 study by Oxford Economics and Cisco Consulting Services. To the service companies specifically, owning the data -- enough to fill 20 million file cabinets since 2010 alone -- would mean a whole new revenue stream, perhaps as they sell subscriptions to huge data libraries. "It's like Netflix for oil and gas," said John Gibson, an advisor at Tudor Pickering Holt & Co. who previously ran the oil-services business for <a href="https://www.bloomberg.com/quote/HAL:US" target="_blank" title="Bloomberg Intelligence Company Primer" > Halliburton Co. </a> "Imagine that all data is like a movie that many different people want to watch, but they want to watch it at different times." To the producers, though, owning that data means one less check they'd have to write. And it would ensure competing producers couldn't see their data while stealthily moving into a new field. <a href="https://www.bloomberg.com/quote/EOG:US" target="_blank" title="Bloomberg Intelligence Company Primer" > EOG Resources Inc. </a> , dubbed by one of its analysts as the Apple Inc. 
of the oilfield, is widely considered a leader among explorers for bypassing oilfield service companies to generate its own in-house innovations. "Data is king and one of our most valuable resources," Sandeep Bhakhri, chief information and technology officer at EOG told investors on a conference call last year. "You have to own the data. You cannot outsource its collection, analysis or delivery." [ <strong>Polley </strong>: Fascinating; I was in the business 14 years ago, and am surprised this issue isn't well-settled.] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="ResultsMayVary"> </a> <a href="http://www.abajournal.com/magazine/article/results_vary_legal_research_databases" > <strong>Results may vary in legal research databases </strong> </a> (ABA Journal, March 2018) - When a lawyer searches in a legal database, that single search box is like a lure: Put in your search terms and rely on the excellence of the search algorithms to catch the right fish. At first glance, the various legal research databases seem similar. For instance, they all promote their natural language searching, so when the keywords go into the search box, researchers expect relevant results. The lawyer would also expect the results to be somewhat similar no matter which legal database a lawyer uses. After all, the algorithms are all trying to solve the same problem: translating a specific query into relevant results. The reality is much different. In a comparison of six legal databases-Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel and Westlaw-when researchers entered the identical search in the same jurisdictional database of reported cases, there was hardly any overlap in the top 10 cases returned in the results. Only 7 percent of the cases were in all six databases, and 40 percent of the cases each database returned in the results set were unique to that database. 
It turns out that when you give six groups of humans the same problem to solve, the results are a testament to the variability of human problem-solving. If your starting point for research is a keyword search, the divergent results in each of these six databases will frame the rest of your research in a very different way. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="FormerGoogle"> </a> <strong> <a href="https://www.legaltechnology.com/latest-news/former-google-heads-launch-privacy-compliance-hub/" > Former Google legal heads launch Privacy Compliance Hub </a> </strong> (Legal Technology, 20 March 2018) - Two former heads of legal at Google have launched a <a href="https://www.privacycompliancehub.com" target="_blank"> Privacy Compliance Hub </a> , which is designed to take organisations through their data obligations in a step-by-step fashion in order to keep compliance in the hands of the business, not outside consultants or lawyers. <a href="https://www.linkedin.com/in/nigelvjones/" target="_blank"> Nigel Jones </a> and <a href="https://www.linkedin.com/in/klegal/" target="_blank"> Karima Noren </a> - who once upon a time were director of legal EMEA and head of emerging markets respectively, but in the past few years have had a fairly entrepreneurial career path (latterly co-founding legal consultancy <a href="http://www.thelegalpod.com" target="_blank">The Legal Pod </a>) - created the Privacy Compliance Hub in January to aid the process of data compliance and create a culture of privacy compliance within a business, inevitably using GDPR as a hook. Using a team of 'privacy champions' appointed from within the organisation, a compliance programme is followed using a methodology and privacy plan which are supplied within the hub. This takes the privacy champions through what they need to do in a structured, step by step fashion, recording each step of the organisation's compliance journey as they go along. 
The hub provides straightforward guidance and over 30 template documents, which are linked to key steps of the plan. [ <strong>Polley </strong>: super expensive; I'm curious if anybody has seen the product.] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="ThinkCryptocurrency"> </a> <strong> <a href="https://www.nytimes.com/2018/03/21/technology/think-cryptocurrency-is-confusing-try-paying-taxes-on-it.html?em_pos=small&emc=edit_ct_20180322&nl=technology&nl_art=5&nlid=50122138&ref=headline&te=1" > Think cryptocurrency is confusing? Try paying taxes on it </a> </strong> (NYT, 21 March 2018) - The room was full of stressed-out cryptocurrency traders. And for once, they weren't nervous about the price of Bitcoin, or the roller coaster swings of the virtual currency markets. No, the subject of this gloomy affair was taxes. Specifically, how - and whether - to pay them. With this year's April 17 tax filing deadline fast approaching, many virtual currency traders are sweating over their tax returns. They're confused by the complicated rules, many of them stemming from guidelines issued by the I.R.S. in 2014, governing the taxation of virtual currencies. They're afraid that the windfall profits created by last year's cryptocurrency boom, which sent currencies like Bitcoin and Ether skyrocketing and created a new class of crypto-millionaires, have left them with huge tax bills. And, of course, they're worried about drawing the eye of the Internal Revenue Service. Taxes have become an increasingly divisive topic among cryptocurrency fans. On Reddit forums devoted to cryptocurrency trading, some users exchange tips for dodging their tax obligations, including a method of hiding their assets by converting them into "privacy coins," such as Monero, which are designed to be opaque and untraceable. They argue about whether the I.R.S. could use the blockchain, the digital ledger that records all Bitcoin transactions, to identify tax evaders in the future. 
And they ask for tax advice on complex situations, such as fly-by-night cryptocurrency exchanges that vanish suddenly, erasing the records of users' transactions. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="WhatIsProton"> </a> <strong> <a href="https://mashable.com/2018/03/21/what-is-protonmail/" > What is ProtonMail, the service used by Cambridge Analytica to cover its tracks? </a> </strong> (Mashable, 21 March 2018) - Cambridge Analytica - the data analytics firm that came under fire this weekend for maliciously collecting information on 50 million Facebook users - reportedly <a href="https://mashable.com/2018/03/20/cambridge-analytica-protonmail-erasing-email/" > used a self-destructing, encrypted email service </a> called ProtonMail to cover its tracks, covering up correspondence between the company and third parties, according to an investigation published Wednesday. The firm set emails to self-delete after two hours and urged clients to use the service as well, per footage captured of former CEO Alexander Nix talking to a journalist posing as a would-be client. "I'd like you to set up a ProtonMail account, please," Nix said, "because these are, now it's getting quite sensitive." "We set our ProtonMail emails with a self-destruct timer," he continued. "So you send them, and after they've been read, two hours later they disappear." So how does ProtonMail work? Just like any normal email service. Go to <a href="https://protonmail.com/" target="_blank">their website </a>, sign up for an account, and you're in. Their free service has some restrictions, though. You only get 500 MB of storage and can only send 150 messages per day. If you upgrade to the Plus plan (4.00 € or ~$4.91 per month), you get 5 GB of storage, 1,000 sent messages per day, and a slew of other perks. * * * All of this sounds a tad bit shady, no? Which brings us to the next question: How does ProtonMail get away with it? 
The answer is its email servers, which are based in Switzerland. Yes, it's something the company touts loudly on its website. On <a href="https://protonmail.com/" target="_blank">its homepage </a>, it says, "ProtonMail is incorporated in Switzerland and all our servers are located in Switzerland. This means all user data is protected by strict Swiss privacy laws." ProtonMail purports to be so secure that no one but you can access your email. They even make it explicit that ProtonMail couldn't read your messages if it wanted to. The company says that since all of the data is stored outside the realm of "intrusive" U.S. laws, only encrypted messages could be handed over. That last claim rests on end-to-end encryption rather than on jurisdiction: message bodies and attachments are encrypted in the user's browser or app with keys the provider does not hold, so what sits on the Swiss servers, and what could be produced under a Swiss order, is ciphertext. Two caveats a practitioner would add: routing headers such as sender, recipient and timestamp are not encrypted that way, and an expiring message protects nothing the recipient copied before the timer ran out. * * * [ <strong>Polley </strong>: <em>see also, <strong> </strong> </em> <strong> <a href="https://www.techdirt.com/articles/20180320/19123839463/russian-court-says-telegram-must-hand-over-encryption-keys-to-state-intelligence-service.shtml" > Russian court says Telegram must hand over encryption keys to state intelligence service </a> </strong> (TechDirt, 21 March 2018); <em>and </em> <strong> <a href="https://uk.reuters.com/article/us-kaspersky-lab-switzerland-exclusive/exclusive-kaspersky-lab-plans-swiss-data-center-to-combat-spying-allegations-documents-idUKKBN1GX0EK" > Kaspersky Lab plans Swiss data center to combat spying allegations - documents </a> </strong> (Reuters, 21 March 2018)] <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="PODCASTS"> </a> <h3> NOTED PODCASTS/MOOCS </h3> </p> <p> <strong> <a href="http://www.slate.com/articles/slate_plus/watergate.html"> Slow Burn: A Podcast About Watergate </a> </strong> (Slate) - You think you know the story, or maybe you don't. But Watergate was stranger, wilder, and more exciting than you can imagine. What did it feel like to live through the scandal that brought down a president? 
Join Leon Neyfakh for an eight-episode podcast miniseries that tells the story of Watergate as it happened-and asks, if we were living through Watergate, would we know it? [ <strong>Polley </strong>: 8 episodes (about 3 hours); fantastic. If you lived thru Watergate, this'll take you back to what it was like as the scandal slowly became clear; instructive for our current times.] <a href="#TOP">top </a> <strong> </strong> </p> <p> <strong> <br/> <a href="https://cyber.harvard.edu/events/2018/luncheon/03/Dressel"> The Accuracy, Fairness, and Limits of Predicting Recidivism </a> </strong> (Harvard Berkman video, 6 March 2018; 56 mins) - Algorithms for predicting recidivism are commonly used to assess a criminal defendant's likelihood of committing a crime. Proponents of these systems argue that big data and advanced machine learning make these analyses more accurate and less biased than humans. However, our study shows that the widely used commercial risk assessment software COMPAS is no more accurate or fair than predictions made by people with little or no criminal justice expertise. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://news.bbc.co.uk/2/hi/middle_east/7160057.stm"> <strong>Egypt 'to copyright antiquities' </strong> </a> (BBC, 25 Dec 2007) - Egypt's MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt's Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. 
Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. "Commercial use" of ancient monuments like the pyramids or the sphinx would also be controlled, he said. "Even if it is for private use, they must have permission from the Egyptian government," he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. <a href="#TOP">top </a> <strong> </strong> </p> <p> <a href="https://www.techdirt.com/articles/20080318/074802570.shtml"> <strong> Science journal won't publish papers because authors want to put them on Wikipedia </strong> </a> (TechDirt, 19 March 2008) - Over the last few months, we've been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we've definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn't allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. 
<a href="#TOP">top </a> <strong> </strong> </p> <p> Posted 3 March 2018 by Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 11 Feb - 3 March 2018 (v21.03) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_11_feb_3_march_2018/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">LOOKING BACK </a> | <a href="http://www.knowconnect.com/mirln/sources/">NOTES</a> </p> <ul> <li> <a href="">How the government controls sensitive satellite data </a> </li> <li> <a href=""> CISOs wary of threat intelligence accuracy, quality: Study </a> </li> <li> <a href=""> New Orleans eyes bars and restaurants as new focus of surveillance </a> </li> <li> <a href=""> ABA House of Delegates approves novel virtual currency draft legislation </a> </li> <li> <a href="">German court says Facebook's real name policy is illegal </a> </li> <li> <a href=""> 97% of cybersecurity leaders are evaluating vendor security, including law firms, says new survey </a> </li> <li> <a href=""> Memo to law firms: Raise cybersecurity bar or risk client losses </a> </li> <li> <a href=""> Tech's ethical 'dark side': Harvard, Stanford and others want to address it </a> </li> <li> <a href=""> Porsche is 3d printing hard-to-find parts for the 959 and other classics </a> </li> <li> <a href=""> We don't need new laws for faked videos, we already have them </a> </li> <li> <a href=""> Deep Fakes: A looming crisis for national security, democracy and privacy? 
</a> </li> <li> <a href="">Iterating on Code.mil </a> </li> <li> <a href=""> Project revives old software, preserves 'born-digital' data </a> </li> <li> <a href="">CDT launching effort to improve trust in VPNs </a> </li> <li> <a href="">Salon to use readers' computers to mine cryptocurrency </a> </li> <li> <a href="">How Russian bots spread fear at university in the US </a> </li> <li> <a href=""> New York's cybersecurity requirements for financial services companies: Certification of compliance due </a> </li> <li> <a href=""> Facebook inks music licensing deal with ICE covering 160 territories, 290K rightsholders on FB, Insta, Oculus and Messenger </a> </li> <li> <a href="">Tech-savvy attorneys in heavy demand amid emerging tech </a> </li> <li> <a href=""> Court destroys future public art installations by holding building owner liable for destroying this one </a> </li> <li> <a href=""> SEC expands guidance on cybersecurity disclosure obligations </a> </li> <li> <a href="">A new, democratic tool for mapping city streets </a> </li> <li> <a href=""> How a fight over Star Wars download codes could reshape copyright law </a> </li> <li> <a href=""> 2nd Circuit contributes to fair use week with an odd and problematic ruling on TVEyes </a> </li> </ul> <p> <a name="NEWS"> </a> <a name="HowTheGovt"> </a> <a href="https://www.wired.com/story/how-the-government-controls-sensitive-satellite-data/" > <strong>How the government controls sensitive satellite data </strong> </a> (Wired, 8 Feb 2018) - During the Cold War, on the vast, barren flatland around Area 51's dried-up Groom Lake, the military developed a stealth spy plane code-named Project Oxcart. Project personnel were sworn to secrecy, but still, US officials worried that the Soviets would find out what they were up to. With good reason: Up above, USSR satellites were ready to spy with their on-board cameras. 
While Area 51 employees couldn't stop these satellites from swinging by, they did come up with a low-tech solution: moving the classified planes into sheds when they knew the satellites would pass over. Today, that's not a feasible stealth solution. Earth orbit doesn't just host a few Soviet spysats: More than a thousand working orbiters are out there, hundreds of those equipped with Earth-observing cameras. They are American, European, African, South American, Japanese, Indian, Chinese, Russian. And nothing stops many of them from taking pictures of supersecret areas. But the government has other ways of restricting information. The feds can limit how good commercially available images can be when taken by US companies. And it can issue a directive barring imaging over a given location. The law regulating that imaging, though, was first passed before satellite imaging really existed as an industry. And according to insiders, it's been keeping satellites down-even as thousands more of them are set to launch in the next decade. When <a href="https://www.congress.gov/bill/102nd-congress/house-bill/6133" target="_blank" > the Land Remote Sensing Policy Act </a> passed, the world was a younger, more naïve place. Aladdin was about to come out. George Sr. was president. Oh, and also the satellite-imaging industry was way different. "The biggest way that it was different was that there wasn't really one," says Walter Scott, the founder of DigitalGlobe and CTO of Maxar Technologies, which bought DigitalGlobe last year. The law allowed fully private companies to get a license to take data on Earth from space-and so, when it passed in 1992, Scott did. The law-since added to, amended, and <a href="http://uscode.house.gov/codification/t51/index.html" target="_blank" > restated </a> -still forms the legal basis for commercial remote sensing. 
But regulations have also accomplished the opposite, allowing the government to exercise so-called "shutter control": If the government says to close your satellite's eye, you have to do it. The government has never put shutter control into effect-at least not exactly. It's gotten around it, though. After 9/11, the feds didn't legislate the high-resolution Ikonos satellite out of taking or releasing images of Afghanistan. They simply bought exclusive rights to all of its images of the area, the only high-res ones available on the US market, making it functionally impossible for anyone else to use commercial US imagery to surveil the area. Insiders call this "checkbook shutter control." That kind of limitation also happens on a smaller scale. "US government customers have the ability-as, actually, do some of our other customers-to say, 'We would like you to take this image and not make this image available publicly,'" explains Scott. "It's an exclusivity arrangement." Then, there are the things that aren't shutter control but do place cuffs around satellite operators. Take the <a href="https://www.motherjones.com/politics/2011/06/google-israel-us/" target="_blank" > Kyl-Bingaman Amendment </a> , which bans US companies from releasing their high-resolution images of Israel and the Occupied Territories. In addition, "certain licensees have some area imaging restrictions," says Tahara Dawkins, the director of the NOAA Commercial Remote Sensing Regulatory Affairs Office. "The details are proprietary." 
[ <strong>Polley </strong>: fascinating] <a href="">top </a> </p> <p> <a name="CISOSwary"> </a> <a href="http://www.cxotoday.com/story/cisos-wary-of-threat-intelligence-accuracy-quality-study/?utm_source=eloqua&utm_medium=email_52338&utm_campaign=23646" > <strong> CISOs wary of threat intelligence accuracy, quality: Study </strong> </a> (CXO Today, 8 Feb 2018) - In a world where cyber criminals are becoming increasingly stealthy and sophisticated-with new threats on the rise ranging from ransomware to DNS hijacking-it is ineffective and costly for companies to defend themselves against cybersecurity threats alone. According to a new report conducted by Ponemon Institute , the consumption and exchange of threat intelligence has increased significantly since 2015. Yet despite the increase in the exchange and use of threat intelligence, CISOs are not satisfied with the current quality of the data. [Read the full study <a href="http://email.prnewswire.com/wf/click?upn=7VDqtAz2AW-2FeY7XnbvsasdP84xvv2AElvcSuVAUtRUreKTpBiTJczJdAUZ-2FFAFIG8BO-2Fj2bwj5J1NyhIR4olymP8p21mT-2BF8Tu5b8xlEmrQMzNsbr3s-2BIrZ4ak-2FRIvDS86A2gbqOwvmefUx77fFDuA-3D-3D_5YoOm78snXKRtTGBy4HUy69VGzfAqQjWM59fulB-2BVbu9RqtF7AWFxwu3kUXiWHzV4TkddoFVpMI9R8egWzpSdlgOVHi7BXwiGUQWm9-2FovQzo-2FhSs70e48H6WokePyhssiqRt9joXdLLpyojR23-2BMgPy2zPDMXotiEdkW4-2Fm1yUDMYDqm13YIuT9sAbikYT3yQEVNoX739dyqbjiOxjsaDh3PYJfX0wHa9akM-2FJe1NBUA4n-2F4Z1HGtXGBVNSAgIcWM-2FXrolx1O7sc4Z9fA-2FzjnTTJ3iwZQQXPkfdVEcKlIpde6WeSQENHLkIDP98uW4wvviOWQPoz73Dr9G-2B04fIDXA-3D-3D" target="_blank" > here </a> ] The report titled " <a 
href="http://email.prnewswire.com/wf/click?upn=7VDqtAz2AW-2FeY7XnbvsasdP84xvv2AElvcSuVAUtRUreKTpBiTJczJdAUZ-2FFAFIG8BO-2Fj2bwj5J1NyhIR4olymP8p21mT-2BF8Tu5b8xlEmrQMzNsbr3s-2BIrZ4ak-2FRIvDS86A2gbqOwvmefUx77fFDuA-3D-3D_5YoOm78snXKRtTGBy4HUy69VGzfAqQjWM59fulB-2BVbu9RqtF7AWFxwu3kUXiWHzV4TkddoFVpMI9R8egWzpSdlgOVHi7BXwiGUQWm9-2FovQzo-2FhSs70e48H6WokePyhssiqRt9joXdLLpyojR23-2BMgPy2zPDMXotiEdkW4-2Fm1yUDMYDqm13YIuT9sAbikYT3yuYXLZerNDoprtNkjuuDxcIDU7d1cMZtaGIQ1aXczrLsyP7XjC7fQk3jNjVv6DExGt2Swg33rMGSmNfOyVgYBHi8CLnZjcyBspVERBQdVImwqCTb0iFZdEgOX2s-2Fsh8MDOjsq5uOJECmDL4-2BifVaxyg-3D-3D" target="_blank" > Exchanging Cyber Threat Intelligence: There Has to Be a Better Way </a> ," found that while security professionals are increasingly recognizing the importance of threat intelligence, the majority remain dissatisfied with its accuracy and quality. Meanwhile, because many security teams still execute threat investigations solo rather than pooling intelligence, their ability to quickly act on threats is limited. The report found 67 percent of IT and security professionals spend more than 50 hours per week on threat investigations, instead of efficiently using security resources and sharing threat intelligence. Lack of accuracy and timeliness is among the top complaints about threat intelligence, which in turn hinders its effectiveness and security teams' ability to quickly mitigate threats, the report noted. In fact, only 31 percent of respondents cited threat intelligence as actionable. But exchanging threat intelligence amongst peers, industry groups, IT vendors and government bodies can result in more holistic, accurate and timely threat intelligence and a stronger security posture. Two-thirds of respondents (66 percent) reported that threat intelligence could have prevented or minimized the consequence of a data breach or cyber attack, indicating that more infosecurity professionals are realizing the importance of threat intelligence. 
The vast majority of respondents are focused on threat sharing, with 84 percent of organizations fully participating or partially participating in an initiative or program for exchanging threat intelligence with peers and/or industry groups. But, most of these organizations are only participating in peer-to-peer exchange of threat intelligence (65 percent) instead of a more formal approach such as threat intelligence exchange services or consortium, which contributes to the dissatisfaction with the quality of the threat intelligence obtained. Other key findings from the survey include: Most respondents believe threat intelligence improves situational awareness, with an increase from 54 percent of respondents in 2014 to 61 percent of respondents in this year's study. Sixty-six percent of respondents say shared information is not timely, and 41 percent say it is too complicated. Potential liability and lack of trust in intelligence providers prevent some organizations from fully participating in threat intelligence exchange programs, with 58 percent and 60 percent respectively citing these concerns. Twenty-four percent of organizations would rather exchange threat intelligence via a threat intelligence exchange service and 21 percent via a trusted intermediary, with only four percent preferring to share intelligence directly with other organizations- indicating a need for an exchange platform that enables such sharing because it is trusted and neutral. While the value of threat intelligence declines within minutes, only 24 percent of respondents say they receive threat intelligence in real time (nine percent) or hourly (15 percent). Seventy-three percent of respondents say they use threat indicators and the most valuable types of information are indicators of malicious IP addresses and malicious URLs. 
<a href="">top </a> </p> <p> <a name="NewOrleans"> </a> <a href="https://www.citylab.com/life/2018/02/new-orleans-eyes-bars-and-restaurants-as-new-focus-of-surveillance/552836/" > <strong> New Orleans eyes bars and restaurants as new focus of surveillance </strong> </a> <strong> </strong> (Citylab, 9 Feb 2018) - New Orleans Police Superintendent Michael Harrison has a message for New Orleans bar-goers: Be good-you're being watched. The city council is considering an unprecedented proposal to require any business with a liquor license to install video cameras that feed into a real-time surveillance "command center" monitored 24/7 by law enforcement. "We want to be able to send a message that if you're in public spaces, we're going to be able to catch you if you commit a crime," Harrison told CityLab. "We have to have the ability to demonstrate to would-be criminals, to would-be terrorists, if you will, that in public spaces we're going to find them and know who you are." To that end, New Orleans is pioneering what appears to be the most expansive surveillance of bars and restaurants in the country. As currently written, the <a href="https://static1.squarespace.com/static/5839e0cf8419c204f71e961c/t/5a2729bd085229fcea6bf341/1512516035070/ABO+change+ordinance_3468_001.pdf" > ordinance </a> requires proprietors to purchase and install street-facing cameras that connect to the city's command center and store the footage for at least two weeks. Businesses found violating any conditions of the liquor license could be required to install the cameras inside as well. In a <a href="https://static1.squarespace.com/static/5839e0cf8419c204f71e961c/t/5a4eaec90852296d70905ce9/1515105993933/MaCCNO_ABO_Camera_Law_Report.pdf" > survey of other municipal laws </a> , MaCCNO found that no other cities in the U.S. require all businesses with a liquor license to participate in a real-time surveillance network. 
Still, this unique proposal follows a broader trend of cities increasingly expanding the geographic scope of local video surveillance in the name of public safety. Cities from <a href="https://blogs.wsj.com/cio/2012/08/08/the-nypd-is-microsofts-new-business-partner/" > New York </a> to <a href="https://www.washingtonpost.com/local/public-safety/the-new-way-police-are-surveilling-you-calculating-your-threat-score/2016/01/10/e42bccac-8e15-11e5-baf4-bdf37355da0c_story.html?utm_term=.84644a743d48" > Fresno </a> have developed software that merges city camera networks with predictive policing software to try to ascertain the likelihood individuals will commit a crime. New Orleans plans to eventually expand the monitoring center to "include an intelligent threat analytics platform that looks for specific kinds of threats and integrates remote-sensing technology," according to the mayor's <a href="https://static1.squarespace.com/static/5839e0cf8419c204f71e961c/t/58acd39e37c5810740d77c83/1487721378161/New+Orleans+Public+Safety+Improvement+Plan.pdf" > public safety plan </a> . <a href="">top </a> </p> <p> <a name="ABAhouse"> </a> <a href="http://www.abajournal.com/news/article/aba_house_of_delegates_approves_novel_virtual_currency_draft_legislation/?utm_source=maestro&utm_medium=email&utm_campaign=weekly_email" > <strong> ABA House of Delegates approves novel virtual currency draft legislation </strong> </a> (ABA Journal, 9 Feb 2018) - The American Bar Association's House of Delegates approved a draft uniform law regarding virtual currency businesses for states to adopt. Drafted by the National Conference of Commissioners on Uniform State Laws, the Uniform Regulation of Virtual-Currency Business Act is draft legislation intended to create a statutory structure for regulating "virtual currency business activity," according to the act's <a href="http://www.uniformlaws.org/shared/docs/regulation%20of%20virtual%20currencies/URVCBA_Final_2017oct9.pdf" > prefatory note </a> . 
The vote took place during the ABA Midyear Meeting in Vancouver, British Columbia. Many involved with cryptocurrency "are not enamored much in the way of regulation," according to Fred Miller, the chair of the committee that drafted the legislation. He says, however, that there was near unanimity from advocates, business people and lawyers regarding the need for this type of legislation. Miller notes that the bill does not regulate the underlying technology of virtual currency, called blockchain, often described as a distributed ledger. Instead, the draft law focuses on licensing businesses associated with virtual currencies, like money transmitters and money services. In that regard, the draft law is similar to the Uniform Money Services Act, which deals with traditional currency businesses. To date, state governments have had mixed responses to cryptocurrencies and related businesses. While some have taken a hands-off approach, others have created elaborate licensing schemes. In one example, New York created the BitLicense regulatory scheme in 2015. It has received broad criticism for being over the top, according to Miller. As of last month, only three companies had received BitLicenses. Miller says that the criticism of the New York law was one reason the draft legislation did something novel: it created tiered regulation. The system will trigger certain levels of regulation depending on a company's earnings. Entities with under $5,000 of business activity will be exempt from regulatory oversight. Those operating between $5,000 and $35,000 will require a "light license", explains Miller. The full regulatory scheme is triggered once a business breaches the $35,000 threshold. "We wanted to allow some regulation and allow some experimentation and innovation as well," says Miller. 
To date, the draft legislation has been introduced in Hawaii and Nebraska, according to the Uniform Law Commission's <a href="http://www.uniformlaws.org/Act.aspx?title=Regulation%20of%20Virtual-Currency%20Businesses%20Act" > website </a> . <a href="">top </a> </p> <p> <a name="GermanCourt"> </a> <a href="https://www.theverge.com/2018/2/12/17005746/facebook-real-name-policy-illegal-german-court-rules" > <strong> German court says Facebook's real name policy is illegal </strong> </a> <strong> </strong> (The Verge, 12 Feb 2018) - A German court ruled that Facebook's real name policy is illegal and that users must be allowed to sign up for the service under pseudonyms to comply with a decade-old privacy law. The ruling, made last month but only now being announced, comes from the Berlin Regional Court and was <a href="https://www.vzbv.de/pressemitteilung/facebook-verstoesst-gegen-deutsches-datenschutzrecht" > detailed today </a> by the Federation of German Consumer Organizations (abbreviated from German as VZBV), which filed the lawsuit against Facebook. Facebook says it will appeal the ruling, but also that it will make changes to comply with European Union privacy laws coming into effect in June, <a href="https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI" > according to <em>Reuters </em> </a> . "We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law," a Facebook spokesperson said. According to the VZBV, the court found that Facebook's real name policy was "a covert way" of obtaining users' consent to share their names, which are one of many pieces of information the court said Facebook did not properly obtain users' permission for. 
The court also said that Facebook did not provide a clear choice to users for other default settings, such as to share their location in chats, and it ruled against clauses that allowed Facebook to use information such as profile pictures for "commercial, sponsored, or related content." VZBV notes that it didn't win on all counts, though. Facebook prevailed on a complaint that it was misleading to say the service was free, because as VZBV put it, consumers pay "with their data." Given that the ruling comes from a regional court and that both parties intend to appeal, it's unlikely that some of these decisions are going to be final. But it's still bad news for Facebook - and good news for users - that a consumer advocacy group is finding success as it pushes back against the social network's generous data sharing policies, which are often more a benefit to the company than to people using the service. <a href="">top </a> </p> <p> <a name="NinetySeven"> </a> <a href="http://www.abajournal.com/news/article/97_of_cybersecurity_leaders_are_evaluating_vendor_security#When:19:01:00Z" > <strong> 97% of cybersecurity leaders are evaluating vendor security, including law firms, says new survey </strong> </a> <strong> </strong> (ABA Journal, 12 Feb 2018) - Released Feb. 8, the report, titled "The Shifting Cybersecurity Landscape: How CISOs and Security Leaders Are Managing Evolving Global Risks to Safeguard Data," explores the role of chief information security officers, the adoption of cloud technology and how businesses are auditing their vendors. While the report did not focus on the legal industry, formal evaluation of legal vendors was touched on. Seventeen percent of respondents said these evaluations were driven by regulatory requirements. Even with this level of scrutiny, only 53 percent said they were confident in the security of their data being managed by third parties, like law firms. 
Fifty-seven percent of respondents said they were periodically involved in litigation or investigations. And the level of concern regarding sharing data with these companies "depends on the case and litigation, as well as what disclosure of information is required," said an unnamed technology CISO in the report. Looking at cloud storage, the report found that 87 percent of respondents were using third-party cloud providers to "host non-critical information" to save money and streamline business processes. Nearly one-fifth said that moving to the cloud was spurred by using Microsoft Office 365. The 30-person survey, conducted last August by Ari Kaplan Advisors and Ankura, a consultancy, included chief information security officers, chief technology officers and director-level positions related to information security from primarily the U.S. Sixty-seven percent of respondents were from highly regulated financial- and healthcare-related industries, which skewed results towards stronger levels of awareness of these issues, according to the report. <a href="">top </a> </p> <p> - and - </p> <p> <a name="MemoTLaw"> </a> <a href="https://biglawbusiness.com/memo-to-law-firms-raise-cybersecurity-bar-or-risk-client-losses/" > <strong> Memo to law firms: Raise cybersecurity bar or risk client losses </strong> </a> (Bloomberg, 23 Feb 2018) - Law firms may not be the safe repository of client confidences-such as trade secrets and merger plans-that they once were, as hackers recognize firms as prized vaults of proprietary corporate data. "Law firms are ideal targets for hackers because of the sensitive nature and variety of information they collect and store," Dore said. Clients, for their part, view law firm data breaches or lax security as serious business considerations, Lucian T. Pera, legal ethics partner at Adam and Reese LLP in Memphis, Tenn. and former treasurer of the American Bar Association, told Bloomberg Law. 
"Cybersecurity protections are becoming a serious factor in client decision-making," at law firms, and large firms stand to lose business if they don't take care of cybersecurity, he said. [ <strong>Polley </strong>: Again, <em>see </em> <a href="http://bit.ly/2x7HNbJ"> <strong>ABA Cybersecurity Handbook </strong> </a> (which Lucian Pera helped write). More than a thousand copies have sold in its 3 months. <em>See also </em>, the ABA Journal's ongoing 2018 " <a href="http://www.abajournal.com/magazine/cyber/"> <strong>Digital Dangers </strong> </a> " series/resources.] <a href="">top </a> </p> <p> <a name="TechsEthical"> </a> <a href="https://www.nytimes.com/2018/02/12/business/computer-science-ethics-courses.html" > <strong> Tech's ethical 'dark side': Harvard, Stanford and others want to address it </strong> </a> (NYT, 12 Feb 2018) - The medical profession has an ethic: <a href="http://onlinelibrary.wiley.com/doi/10.1177/0091270004273680/abstract" > First, do no harm </a> . Silicon Valley has an ethos: Build it first and <a href="https://www.npr.org/sections/alltechconsidered/2014/12/26/373087290/as-uber-expands-it-asks-cities-for-forgivness-instead-of-permission" title="NPR article on Uber." > ask for forgiveness later </a> . Now, in the wake of fake news and other troubles at tech companies, universities that helped produce some of Silicon Valley's top technologists are hustling to bring a more medicine-like morality to computer science. This semester, Harvard University and the Massachusetts Institute of Technology are jointly offering <a href="https://www.media.mit.edu/courses/the-ethics-and-governance-of-artificial-intelligence/" title="MIT info about the course." > a new course </a> on the ethics and regulation of artificial intelligence. The University of Texas at Austin just introduced a course titled " <a href="https://www.cs.utexas.edu/~ans/classes/cs109/syllabus.html" title="U.Texas info about the course." 
> Ethical Foundations of Computer Science </a> " - with the idea of eventually requiring it for all computer science majors. And at Stanford University, the academic heart of the industry, three professors and a research fellow are developing a computer science ethics course for next year. They hope several hundred students will enroll. The idea is to train the next generation of technologists and policymakers to consider the ramifications of innovations - like autonomous weapons or self-driving cars - before those products go on sale. "It's about finding or identifying issues that we know in the next two, three, five, 10 years, the students who graduate from here are going to have to grapple with," said <a href="https://profiles.stanford.edu/mehran-sahami" title="Prof. Sahami's profile." > Mehran Sahami </a> , a popular computer science professor at Stanford who is helping to develop the course. He is renowned on campus for <a href="https://www.acm.org/articles/people-of-acm/2015/mehran-sahami" title="interview with Prof. Sahami on Mr. Zuckerberg class visits" > bringing Mark Zuckerberg to class </a> . "Technology is not neutral," said Professor Sahami, who formerly worked at Google as a senior research scientist. "The choices that get made in building technology then have social ramifications." <a href="">top </a> </p> <p> <a name="Porsche"> </a> <a href="https://jalopnik.com/porsche-is-3d-printing-hard-to-find-parts-for-the-959-a-1822959539" > <strong> Porsche is 3d printing hard-to-find parts for the 959 and other classics </strong> </a> (Jalopnik.com, 13 Feb 2018) - Porsche Classic, Porsche's classic cars division, has turned to 3D printing obscure parts that people might need on occasion. They already have about 52,000 parts available, but for the truly arcane ones, it's cheaper to 3D print them than make the specialized tools to create them over again. 
<a href="">top </a> </p> <p> <a name="WeDontNeed"> </a> <a href="https://www.eff.org/deeplinks/2018/02/we-dont-need-new-laws-faked-videos-we-already-have-them" > <strong> We don't need new laws for faked videos, we already have them </strong> </a> (EFF, 13 Feb 2018) - Video editing technology hit a milestone this month. The new tech is being used to make porn. With easy-to-use software, pretty much anyone can seamlessly take the face of one real person (like a celebrity) and splice it onto the body of another (like a porn star), creating videos that lack the consent of multiple parties. People have already picked up the technology, creating and uploading dozens of videos on the Internet that purport to involve famous Hollywood actresses in pornography films that they had no part in whatsoever. While many specific uses of the technology (like specific uses of any technology) may be illegal or create liability, there is nothing inherently illegal about the technology itself. And existing legal restrictions should be enough to set right any injuries caused by malicious uses. * * * [ <strong>Polley </strong> : Useful article, as usual.] <a href="">top </a> </p> <p> - and - </p> <p> <a name="DeepFakes"> </a> <a href="https://www.lawfareblog.com/deep-fakes-looming-crisis-national-security-democracy-and-privacy" > <strong> Deep Fakes: A looming crisis for national security, democracy and privacy? </strong> </a> (Bobby Chesney on Lawfare, 21 Feb 2018) - "We are truly fucked." That was Motherboard's spot-on reaction to deep fake sex videos (realistic-looking videos that swap a person's face into sex scenes actually involving other people). And that sleazy application is just the tip of the iceberg. As Julian Sanchez tweeted, "The prospect of any Internet rando being able to swap anyone's face into porn is incredibly creepy. But my first thought is that we have not even scratched the surface of how bad 'fake news' is going to get." Indeed. 
Recent events amply demonstrate that false claims-even preposterous ones-can be peddled with unprecedented success today thanks to a combination of social media ubiquity and virality, cognitive biases, filter bubbles, and group polarization. The resulting harms are significant for individuals, businesses, and democracy. Belated recognition of the problem has spurred a variety of efforts to address this most recent illustration of truth decay, and at first blush there seems to be reason for optimism. Alas, the problem may soon take a significant turn for the worse thanks to deep fakes. Get used to hearing that phrase. It refers to digital manipulation of sound, images, or video to impersonate someone or make it appear that a person did something-and to do so in a manner that is increasingly realistic, to the point that the unaided observer cannot detect the fake. Think of it as a destructive variation of the Turing test: imitation designed to mislead and deceive rather than to emulate and iterate. * * * [ <em>see also </em>, <a href="https://www.lawfareblog.com/danger-deep-fakes-responding-bobby-chesney-and-danielle-citron" > <strong> The danger of deep fakes: responding to Bobby Chesney and Danielle Citron </strong> </a> (Stanford's Herb Lin on Lawfare, 27 Feb 2013)] <a href="">top </a> </p> <p> <a name="Iterating"> </a> <a href="https://medium.com/defense-digital-service/iterating-on-code-mil-1b5f70cb6c0b" > <strong>Iterating on Code.mil </strong> </a> (Defense Digital Service, 13 Feb 2018) - In February 2017, the Defense Digital Service (DDS) decided it was time to take a more involved approach within the Department of Defense in the government-wide movement to open source code. This was spurred by the release of the new Federal Source Code Policy by the Office of Management and Budget in August, 2016 and <a href="https://www.code.gov/" target="_blank">Code.gov </a> in November, 2016. 
We spent a lot of time talking with people in the DoD, across the federal government, and leaders in the Free / Open Source Software (F/OSS) community. Thus we formed <a href="https://medium.com/@DefenseDigitalService/code-mil-an-open-source-initiative-at-the-pentagon-5ae4986b79bc" target="_blank" > a new project called Code.mil </a> and created a repository providing guidance on how to open source code at the DoD. It's been a long time coming, but that guidance - and its organization and presentation - has received a well-needed refresh with today's (re)launch of <a href="http://www.code.mil/" target="_blank">Code.mil </a>, an experiment in open source at the Department of Defense. Our guidance has been reorganized into an easy-to-digest website and we're investing in further improvements. The DoD faces many challenges in open sourcing code. Unlike most software projects, code written by U.S. Federal government employees typically does not have copyright protections under U.S. and some international laws. Oftentimes this makes people think that our code can't use an OSS license, but this is far from true! It does, however, require a little more effort to define our intent. The complexity of national security policy adds another point of difficulty when individual program offices look to open source their work. Even with approval to release code publicly, government employees can be hindered by lack of access to modern source control and developer operations processes. Those barriers are precisely what DDS is good at tackling. The guidance we're providing at Code.mil will help many projects across the Department by giving developers and product owners a template to start from and the necessary background information to share with people in their organization who may not be familiar with open source software. The site also highlights the policy and laws that affect custom-developed code written by U.S. 
government employees - or contractors working with us - so that people are informed about the requirements placed on them. * * * <a href="">top </a> </p> <p> <a name="ProjectRevives"> </a> <a href="https://news.yale.edu/2018/02/13/project-revives-old-software-preserves-born-digital-data" > <strong> Project revives old software, preserves 'born-digital' data </strong> </a> (Yale News, 13 Feb 2018) - Digital preservationists at Yale University Library are building a shareable "emulation as a service" infrastructure to resurrect thousands of obsolete software programs and ensure that the information produced on them will be kept intact and made easily available for future access, study, and use. Funded through a pair of $1 million grants from The Andrew W. Mellon Foundation and the Alfred P. Sloan Foundation, the project will enable access to at least 3,000 applications, including operating systems, scientific software, office and email applications, design and engineering software, and software for creative pursuits like video editing or music composition. "Material across subjects and fields increasingly is created only in digital form, making it vital for research libraries to develop ways to preserve digital information and make it readily accessible to the public," said Susan Gibbons, university librarian and deputy provost for collections and scholarly communication. "Thanks to the generous support and foresight of the Sloan and Mellon Foundations, Yale University Library is helping both to establish best practices in this emerging and critically important field and to ensure that future generations of students and scholars can examine a word-processing file or electronic spreadsheet as easily as they study a book or manuscript." 
The project will establish a shareable infrastructure that provides on-demand access to old software, recreating the original software environment on a current-day device, said Euan Cochrane, the library's digital preservation manager and the project's principal investigator. <a href="">top </a> </p> <p> <a name="CDTlaunching"> </a> <a href="https://cdt.org/blog/cdt-launching-effort-to-improve-trust-in-vpns/" > <strong>CDT launching effort to improve trust in VPNs </strong> </a> (CDT, 14 Feb 2018) - As more internet users strive to take more control of their online privacy, Virtual Private Networks or VPNs have surged in popularity. VPNs work by creating an encrypted tunnel between a browser or device and the VPN provider's network, protecting traffic from potentially hostile local network conditions. They assist in obscuring oneself from ISPs and shielding personal information flowing through non-secure public WiFi found in airports, coffee shops, conferences, and hotels. Advocates, including CDT, and regulators routinely advise individuals to consider using a VPN if they are particularly concerned about protecting their online privacy. But the basic security, privacy, and usability of VPNs vary widely and it can be extremely difficult for users to assess the reliability of any given VPN provider's privacy and security practices, as evidenced by <a href="https://cdt.org/insight/cdts-complaint-to-the-ftc-on-hotspot-shield-vpn/" > CDT's complaint last summer against AnchorFree's Hotspot Shield VPN </a> . While there have been several well-meaning efforts to develop best practices for VPNs, it remains difficult for privacy advocates and technical experts to recommend a specific commercial VPN service. It is also hard for responsible VPN providers to differentiate themselves on their privacy and security bona fides in the marketplace. 
To address these challenges, CDT will bring together VPN providers, privacy and consumer advocates, technical experts, and other stakeholders focused on internet infrastructure to create best practices and an enforceable code of conduct for protecting user data with VPNs. CDT believes any successful guidance on privacy and security in VPNs will address the following five issues: * * * [ <strong>Polley </strong>: This is great; all VPNs are <u>not </u> created equal; CDT is a credible entity to shine some light on this. <em>See also </em> <a href="https://www.ftc.gov/news-events/blogs/business-blog/2018/02/market-vpn-app?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>In the market for a VPN app? </strong> </a> (FTC, 22 Feb 2018)] <a href="">top </a> </p> <p> <a name="SalonToUse"> </a> <a href="http://thehill.com/homenews/media/373595-salon-to-use-readers-computers-to-mine-cryptocurrency?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Salon to use readers' computers to mine cryptocurrency </strong> </a> (The Hill, 13 Feb 2018) - Media company Salon.com is asking readers to allow them to use their computers to mine cryptocurrencies as a new source of revenue. The left-leaning company launched the test program on Monday and is targeting readers who use ad blockers, which it blames for declining revenues, the <a href="https://www.ft.com/content/acc26c6a-10a1-11e8-8cb6-b9ccc4c4dbbb"> Financial Times </a> reports. Readers who suppress ads with a blocker now see a pop-up that asks them if they will give Salon access to their computers' unused processing power to mine digital currencies. The pop-up is powered by Coinhive, which allows companies to run a program on users' web browsers to mine the cryptocurrency Monero, known for its privacy features and popularity on the black market. 
[ <strong>Polley </strong>: I use ad-blockers for security purposes, and there's no chance that I'd let somebody borrow computer cycles from me either. Forbes and Salon have thus lost me as a reader; Talking Points Memo left enough outside the paywall to keep me engaged, and I've just signed up for their "prime" service ($50/year).] <a href="">top </a> </p> <p> <a name="HowRussianBots"> </a> <a href="https://www.insidehighered.com/news/2018/02/15/journal-article-explains-how-russian-bots-created-fear-university-missouri?utm_source=Inside+Higher+Ed&utm_campaign=3301ded713-DNU20180111&utm_medium=email&utm_term=0_1fcbc04421-3301ded713-197618481&mc_cid=3301ded713&mc_eid=012fe6c04c" > <strong>How Russian bots spread fear at university in the US </strong> </a> (InsideHigherEd, 15 Feb 2018) - Numerous reports in the last year have documented how Russian bots manipulated social media during the 2016 presidential campaign. <a href="http://www.airuniversity.af.mil/Portals/10/SSQ/documents/Volume-11_Issue-4/Prier.pdf" target="_blank" > A new journal article </a> in <em>Strategic Studies Quarterly </em> reveals that the Russian bots had another target in the fall of 2015: students at the University of Missouri at Columbia. The bots created false impressions about some threats against black students and faculty members at the university, which resulted in some campus leaders calling for people to stay home and many students to say that they were terrified. The false reports also contributed to a negative image of the university -- particularly with regard to its support for minority students -- that the university continues to fight. Complicating the situation is that racial tensions were quite real at Mizzou that fall, and real threats did exist. But the article documents how the false reports contributed to considerable fear on campus. 
In fact, the Russian bots avoided detection in part because the hashtag #PrayforMizzou was used by real people who were at the university or were concerned about it, as well as by those forwarding the bot-created tweets. * * * The author of the journal article is Lieutenant Colonel Jarred Prier of the United States Air Force. Prier writes that there was plenty of evidence -- for those looking -- that the tweets that spread were false. He cites the tweeting and retweeting patterns, consistent with other Russian bot efforts. "The plot was smoothly executed and evaded the algorithms Twitter designed to catch bot tweeting, mainly because the Mizzou hashtag was being used outside of that attack," he writes. "The narrative was set as the trend was hijacked, and the hoax was underway." <a href="">top </a> </p> <p> <a name="NewYorksCybersecurity"> </a> <a href="http://ridethelightning.senseient.com/2018/02/new-yorks-cybersecurity-requirements-for-financial-services-companies-certification-of-compliance-due.html" > <strong> New York's cybersecurity requirements for financial services companies: Certification of compliance due </strong> </a> (Ride The Lightning, 21 Feb 2018) - <em>Lexology </em> <a href="https://www.lexology.com/library/detail.aspx?g=435fe1f2-16b4-402f-9967-c49e1e13aaf0" target="_blank" > reported </a> last week that the first certification of compliance was due under a new law in New York. The New York State Department of Financial Services enacted Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, on March 1, 2017. The first certification of compliance with this regulation was due February 15, 2018. 
The regulation requires "covered entities"-meaning any person or non-governmental entity operating under or required to operate under authorization under the Banking Law, Insurance Law, or Financial Services law, to maintain a strong cybersecurity program that includes monitoring, testing, and training, as well as written cybersecurity policies that include periodic risk assessments. The regulation also requires covered entities to designate a qualified "Chief Information Security Officer" and require that the entity establish a written incident response plan to promptly respond to and recover from a cybersecurity incident. The regulation requires a covered entity to provide notice of a breach or cybersecurity event to the superintendent within 72 hours of determination that a cyber event has occurred and empowers the superintendent to enforce the provisions of the regulation. [ <em>see also </em> <a href="https://www.huntoninsurancerecoveryblog.com/2018/02/articles/cyber/new-york-cybersecurity-deadline-highlights-importance-of-a-comprehensive-insurance-coverage-for-cyber-risks/?utm_source=eloqua&utm_medium=email_52493&utm_campaign=23720" > <strong> New York cybersecurity deadline highlights importance of a comprehensive insurance coverage for cyber risks </strong> </a> <strong> </strong> (Hunton, 15 Feb 2018)] <a href="">top </a> </p> <p> <a name="FacebookInks"> </a> <a href="https://techcrunch.com/2018/02/21/facebook-inks-music-licensing-deal-with-ice-covering-160-territories-290k-rightsholders-on-fb-insta-oculus-and-messenger/" > <strong> Facebook inks music licensing deal with ICE covering 160 territories, 290K rightsholders on FB, Insta, Oculus and Messenger </strong> </a> (TechCrunch, 21 Feb 2018) - <a href="http://facebook.com/" target="_blank">Facebook </a> today took its latest step towards making good on paying out royalties to music rightsholders around tracks that are used across its multiple platforms and networks. 
The company has signed a deal with <a href="http://www.iceservices.com/" target="_blank">ICE Services </a> - a licensing group and copyright database of some 31 million works that represents <a href="https://www.prsformusic.com/" target="_blank">PRS </a> in the UK, <a href="http://www.stim.se/" target="_blank">STIM </a> in Sweden and <a href="https://www.gema.de/" target="_blank">GEMA </a> in Germany - to provide music licensing and royalty collection for works and artists represented by the group, when their music is used on Facebook, Instagram, Oculus and Messenger. WhatsApp is not included because "We understand that WhatsApp is currently used as a pure communication tool akin to private email / messaging," a spokesperson for ICE told TechCrunch. "This will be kept under review." The deal is significant because, as ICE describes it, it's the first multi-territorial license Facebook has signed with an online licensing hub: it will cover 160 territories and 290,000 rightsholders. So what will this be used for? Facebook has moved into a lot of different services over the years, but a streaming music operation to compete with the likes of (soon-to-be public) Spotify, Pandora and Apple Music has not been one of them. However, in recent times it has been laying the groundwork to do more in music. And specifically, it has been signing deals with record labels and others to make sure that the music that is used in videos and other items posted to its sites is legit and paid for to avoid lawsuits, takedown requests, and - yes - potentially the creation of new music-based services down the road, as it starts to tap into the opportunities that music affords it. 
<a href="">top </a> </p> <p> <a name="TechSavvy"> </a> <a href="https://biglawbusiness.com/tech-savvy-attorneys-in-heavy-demand-amid-emerging-tech/" > <strong> Tech-savvy attorneys in heavy demand amid emerging tech </strong> </a> (Bloomberg, 22 Feb 2018) - Memo to lawyers: free your inner computer nerd if you want to represent today's clients. Take Patrick Berarducci, a lawyer whose resume also includes a background in computer science and software engineering. He was quickly snatched up by the blockchain company ConsenSys to make sure the developing technology complies with existing laws and regulations. "There's a real shortage" of lawyers like him, John Wolpert, ConsenSys' product executive, told Bloomberg Law. "We need a lot more code-y lawyers, as I say." Emerging and fast-evolving technologies, such as blockchain, artificial intelligence and cybersecurity, have law firms scrambling for legal talent that understands technology. Law firms are scouring for attorneys with expertise in computer science or cryptography to advise corporate and government clients implementing technology and navigate nascent case law in these areas, executives and attorneys told Bloomberg Law. Law firms trailing in tech know-how risk losing business from all sectors of the economy, attorneys told Bloomberg Law. More states, in their attorney competence standards, are telling firms to boost their lawyers' tech expertise, or run the risk of possible sanctions or penalties. * * * [ <strong>Polley </strong>: look for fluent lawyers - conversant in the technology, international issues, business, <em>and </em> the law. As a Venn-diagram, you want to engage with those in the center.] 
<a href="">top </a> </p> <p> <a name="CourtDestroys"> </a> <a href="https://www.techdirt.com/articles/20180219/11142039268/court-destroys-future-public-art-installations-holding-building-owner-liable-destroying-this-one.shtml" > <strong> Court destroys future public art installations by holding building owner liable for destroying this one </strong> </a> (TechDirt, 22 Feb 2018) - Last week was a big week for dramatically bad copyright rulings from the New York federal courts: the <a href="https://www.techdirt.com/articles/20180216/00011839246/terrible-copyright-ruling-over-embedded-tweet-undermines-key-concept-how-internet-works.shtml" > one finding people liable for infringement if they embed others' content in their own webpages </a> , and this one about <a href="https://en.wikipedia.org/wiki/5_Pointz">5Pointz </a>, where a court has found a building owner liable for substantial monetary damages for having painted <em>his own building </em>. While many have <a href="http://www.xxlmag.com/news/2018/02/graffiti-artists-6-7-million-dollars-destruction-of-5pointz-murals-queens/" > hailed this decision </a> , including those who have <a href="http://nymag.com/daily/intelligencer/2018/02/artists-won-at-5pointz-but-the-decision-was-terrible-for-art.html" > mistakenly viewed it as a win for artists </a> , this post explains why it is actually bad for everyone. The facts in this case are basically this: the owner of a run-down, formerly industrial building in a run-down neighborhood aspired to do something to redevelop his property, but it would be a few years before the time would be right. So in the meantime he let some graffiti artists use the building for their aerosol paintings. The building became known as 5Pointz, and the artwork on it soon began to attract attention. The neighborhood also began to change, and with the improvement the prospects for redeveloping the property into residences became more promising. 
From the outset everyone knew that redevelopment would happen eventually, and that it would put an end to the arrangement since the redevelopment would likely necessitate tearing down the building, and with it the art on the walls. As the date of demolition grew closer, the artists considered buying the building from the owner in order to prevent it from being torn down and thus preserve the art. However the owner had received a variance that suddenly made the value of the property skyrocket from $40 million to $200 million, which made the buyout impossible. So the artists instead sued to halt the destruction of their art and asked for a preliminary injunction, which would ensure that nothing happened to the art while the case was litigated. But in late 2013 the court <a href="https://assets.documentcloud.org/documents/4382133/Gov-Uscourts-Nyed-347782-37-0.pdf" target="_blank" > denied the preliminary injunction </a> , and so a few days later the building owner went ahead and painted over the walls. The painting-over didn't end the litigation, which then became focused on whether this painting-over broke the law. In 2017 the court <a href="https://assets.documentcloud.org/documents/4382132/5pointz-Ruling.pdf" target="_blank" > issued a ruling allowing the case to proceed to trial on this question </a> . Then last week came the results of that trial, with the court finding this painting-over a "willfully" "infringing" act and <a href="https://assets.documentcloud.org/documents/4382131/Gov-Uscourts-Nyed-370997-69-0.pdf" target="_blank" > assessing a $6.7 million damages award </a> against the owner for it. It may be tempting to cheer the news that an apparently wealthy man has been ordered to pay $6.7 million to poorer artists for damaging their art. True -- the building owner, with his valuable property, seems to be someone who potentially could afford to share some of that wealth with artists who are presumably of lesser means. 
But we can't assume that a defendant building owner, who wants to be able to do with his property what he is normally legally allowed to do, will always be the one with all the money, and the plaintiff artist will always be the one without those resources. The law applies to all cases, no matter which party is richer, and the judicial reasoning at play in this case could just as easily apply if Banksy happened to paint the side of your house and you no longer wanted what he had painted to remain there. Per this decision, removing it could turn into an expensive proposition. The decision presents several interrelated reasons for concern. * * * <a href="">top </a> </p> <p> <a name="SECexpands"> </a> <a href="https://comms.wileyrein.com/8/1953/february-2018/client-alert--sec-expands-guidance-on-cybersecurity-disclosure-obligations.asp?sid=5c9d1586-1c51-42c4-8e94-feaa3e3ebf21" > <strong> SEC expands guidance on cybersecurity disclosure obligations </strong> </a> (Wiley Rein, 22 Feb 2018) - On February 21, 2018, the Securities and Exchange Commission (SEC) <a href="https://comms.wileyrein.com/e/htec6omm32t07q/5c9d1586-1c51-42c4-8e94-feaa3e3ebf21" target="_blank" > announced </a> much-anticipated guidance which updates previous guidance on disclosing cybersecurity risk. The Commission stated it was "reinforcing and expanding upon the staff's 2011 guidance," while continuing to consider other means of promoting appropriate disclosure of cyber incidents. One takeaway from this guidance is that some uncertainty will remain as to what is material. That said, the SEC is sending clear signals. Companies must pay more attention to the quality and nature of their disclosures and Board management is top of mind at the Commission. Companies should double down on efforts to ensure they have solid policies and procedures, and consider SEC risk when handling a cyber incident. 
This update comes against the backdrop of other executive branch activity on market transparency and disclosure in response to President Trump's 2017 Executive Order, as well as statements by senior government officials signaling increasing expectations about private sector efforts on cybersecurity. The government is also looking at measurement and metrics for cyber risk management, in other venues. <a href="">top </a> </p> <p> <a name="AnewDemocratic"> </a> <a href="https://www.theatlantic.com/technology/archive/2018/02/sharedstreets-data-mapping/554171/" > <strong>A new, democratic tool for mapping city streets </strong> </a> (The Atlantic, 23 Feb 2018) - Let's say you're throwing a block party. You and your neighbor both draw your own maps of where the street will be closed, and how to get there. How would you do it? Just label some points on a line, or draw all the intersections? Do you indicate nearby parking spots? Does your map look exactly like your neighbor's? Would partygoers looking at both get confused? Now take that concept to the city level, where mismatched maps can have truly high stakes. Using giant GIS databases, cities from Boston to San Diego maintain master street maps to guide their transportation and safety decisions. But there's no standard format for that data. Where are the intersections? How long are the curbs? Where's the median? It varies from city to city, and map to map. That's a problem as more private transportation services flood the roads. If a city needs to communicate street closures or parking regulations to Uber drivers, or Google Maps users, or new dockless bike-sharing services-which all use proprietary digital maps of their own-any confusion could mean the difference between smooth traffic and carpocalypse. 
And, perhaps more importantly, it goes the other way too: Cities struggle to obtain and translate the trip data they get from private companies ( <em>if </em> they can get their hands on it, which isn't always the case) when their map formats don't match up. A team of street-design and transportation-data experts believes it has a solution. On Thursday, the National Association of City Transportation Officials and the nonprofit Open Transport Partnership launched a new open data standard and digital platform for mapping and sharing city streets. It might sound wonky, but the implications are big: <a href="http://sharedstreets.io/">SharedStreets </a> brings public agencies, private companies, and civic hackers onto the same page, with the collective goal of creating safer, more efficient, and democratic transportation networks. <a href="">top </a> </p> <p> <a name="HowAfight"> </a> <a href="https://arstechnica.com/tech-policy/2018/02/judge-slaps-down-disney-effort-to-stop-resale-of-star-wars-download-codes/" > <strong> How a fight over Star Wars download codes could reshape copyright law </strong> </a> (ArsTechnica, 23 Feb 2018) - A federal judge in California has rejected Disney's effort to stop Redbox from reselling download codes of popular Disney titles like <em>Frozen </em>, <em>Beauty and the Beast </em>, and the latest <em>Star Wars </em> movies. Judge Dean Pregerson's <a href="https://www.documentcloud.org/documents/4383824-Disney-Redbox.html" > Tuesday ruling </a> invoked the little-used doctrine of copyright misuse, which holds that a copyright holder loses the right to enforce a copyright if the copyright is being abused. Pregerson faulted Disney for tying digital download codes to physical ownership of discs, a practice that he argued ran afoul of copyright's first sale doctrine, which guarantees customers the right to resell used DVDs. If the ruling were upheld on appeal, it would have sweeping implications. 
It could potentially force Hollywood studios to stop bundling digital download codes with physical DVDs and force video game companies to rethink their own practices. But James Grimmelmann, a copyright scholar at Cornell Law School, is skeptical that the ruling will survive an inevitable appeal from Disney. When you buy a Disney DVD or Blu-ray disc, it will often come bundled with a special code that can be used at one of two Disney-sponsored websites, <a href="https://redeemdigitalmovie.com/">RedeemDigitalMovies </a> and <a href="https://www.disneymoviesanywhere.com/">Disney Movies Anywhere </a> (recently superseded by the multi-studio <a href="https://moviesanywhere.com/welcome">Movies Anywhere </a>), to obtain a digital copy that can be viewed on PCs and mobile devices. Disney didn't view the DVD and the download code as two separate products. Instead, Disney views them as a customer convenience-a way to allow a single customer to watch the one movie they've purchased on a wide range of devices. But Redbox had a different interpretation. Redbox is in the business of buying DVDs and renting them out to customers. And it saw an opportunity to make some extra money from Disney's download codes. The company started buying DVD-plus-download-code bundles at ordinary retail locations and breaking the bundles apart. Redbox rented out the DVDs and Blu-ray discs as it always has. But it also began selling the download codes to customers, allowing them to gain a digital copy of a movie for a fraction of the cost of purchasing a digital download directly from Disney. Disney sued, arguing that Redbox was violating the licensing terms that came with the bundle. The Disney DVDs came bundled with a notice that says "codes are not for sale or transfer." Disney argued that Redbox had to accept this condition in order to open the package and gain access to the download code. [ <strong>Polley </strong>: I've got a lot of respect for Grimmelmann, and this is a weird case.] 
<a href="">top </a> </p> <p> <a name="SecondCircuit"> </a> <strong> <a href="https://www.techdirt.com/articles/20180301/11524539337/2nd-circuit-contributes-to-fair-use-week-with-odd-problematic-ruling-tveyes.shtml" > 2nd Circuit contributes to fair use week with an odd and problematic ruling on TVEyes </a> </strong> (TechDirt, 2 March 2018) - For years, we've quoted a copyright lawyer/law professor who once noted that the standards for fair use are an almost total crapshoot: nearly any case can have almost any result, depending on the judge (and sometimes jury) in the case. Even though there are "four factors" that must be evaluated, judges will often bend over backwards to twist those four factors to get to their desired result. Some might argue that this is a good thing in giving judges discretion in coming up with the "right" solution. But, it also means that there's little real "guidance" on fair use for people who wish to make use of it. And that's a huge problem, as it discourages and suppresses many innovations that might otherwise be quite useful. Case in point: earlier this week the 2nd Circuit <a href="https://assets.documentcloud.org/documents/4391572/15-3885-Complete-Opn.pdf" > rejected a lower court decision </a> in the Fox News v. TVEyes case. If you don't recall, TVEyes provides a useful media monitoring service that records basically all TV and radio, and makes the collections searchable and accessible. It's a useful tool for other media companies (which want to use clips), for large PR firms tracking mentions, and for a variety of other uses as well. The <a href="https://www.techdirt.com/articles/20140909/15564328465/big-win-fair-use-even-when-profit-big-loss-hot-news-fox.shtml" > initial ruling </a> was a big win for fair use (even when done for profit) and against Fox News' assertion of the obsolete doctrine of "Hot News" misappropriation. That was good. 
However, that initial ruling only covered <em>some </em> aspects of TVEyes' operations -- mainly the searching and indexing. A second ruling was <a href="https://www.techdirt.com/articles/20150825/16150732064/latest-tveyes-ruling-mixed-bag-archiving-sharing-privately-is-fair-use-downloading-sharing-publicly-is-not.shtml" > more of a mixed bag </a> , saying that archiving the content was fair use, but allowing downloading the content and "date and time search" (as opposed to content search) was not fair use. Some of this was appealed up to the 2nd circuit -- specifically that second ruling saying parts of the service were not fair use. Thankfully, Fox didn't even bother appealing the "hot news" ruling or the "fair use on index search" ruling. As you'd expect, the court runs through a four factors test, and as noted above, the analysis is... weird. Once again, it seems clear that the court decided Fox should win and then bent its four factors analysis to make that happen. The court separates out TVEyes operations into two things: "Search" and "Watch." Whereas the lower court separated out "Watch" into various components, here the court decides that the entire "Watch" part is not fair use, and thus there's no need to examine the components (the "Search" part remains covered by fair use -- which, again, Fox did not challenge). * * * <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3126320"> <strong>Self-Destruct Apps: Spoliation by Design? </strong> </a> (Agnieszka McPeak, U Toledo, 19 Feb 2018) - Abstract: <em> The Federal Rules of Civil Procedure are at risk of being out of sync with current technology trends. Privacy policy in the US and Europe encourages "privacy by design," the idea that privacy-enhancing features should be built into the very design of new technology. 
Self-destruct apps, like Snapchat, Confide, and Vaporstream, embody privacy by design by offering ephemeral communication tools that mimic live conversation and avoid permanent records. At the same time, the Federal Rules of Civil Procedure contemplate broad access to relevant information, including electronically stored information, and impose potentially serious consequences in litigation when relevant information is not preserved. This essay analyzes the impact self-destruct apps, like Snapchat, will have on civil discovery and explores the tension between privacy policy and preservation duties. It cautions against characterizing self-destruct apps as spoliation by design: onerous or overly expansive preservation duties for self-destructing content are not warranted or desirable. In some contexts, ephemeral messaging may be more akin to live conversation than email, and the Federal Rules need not assume spoliation by their mere use by individuals and businesses. </em> <a href="">top </a> </p> <p> <em> </em> </p> <p> <a href="https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?referer=&httpsredir=1&article=2657&context=ilj" > <strong> A Call To Cyberarms: The International Arbitrator's Duty To Avoid Digital Intrusion </strong> </a> (Fordham Int'l Law Journal, 2017) - International commercial arbitration rests on certain fundamental attributes that cut across the different rule sets and cultural and legal systems in which it operates. There is common ground that any international commercial arbitration regime must encompass integrity and fairness, uphold the legitimate expectations of commercial parties, and respect essential elements of due process such as equal treatment of the parties, a fair opportunity for each party to present its case and neutral adjudicatory proceedings, untainted by illegal conduct. The system and its integrity depend substantially on the role of the arbitrator. 
As Professor Rogers has stated: [T]he authoritative nature of adjudicatory outcomes, as well as their existence within a larger system, imposes on adjudicators an obligation to preserve the integrity and legitimacy of the adjudicatory system in which they operate. Cyberbreaches of the arbitral process, including intrusion into arbitration-related data and transmissions, pose a direct and serious threat to the integrity and legitimacy of the process. This article posits that the arbitrator, as the presiding actor, has an important, front-line duty to avoid intrusion into the process. The focus here on cyberintrusion into the arbitral process does not imply that international arbitration is uniquely vulnerable to data breaches, but only that international arbitration proceedings are not immune to increasingly pervasive cyberattacks against corporations, law firms, government agencies and officials and other custodians of large electronic data sets of sensitive information. Similarly, our focus on the role and responsibilities of the arbitrator should not obscure that cybersecurity is a shared responsibility and that other actors have independent obligations. Arbitrators are not uniquely vulnerable to data breaches and are not guarantors of cybersecurity. In the highly interdependent landscape of international commercial arbitration, data associated with any arbitration matter will only be as secure as the weakest link. Since data security ultimately depends on the responsible conduct and vigilance of individuals, any individual actor can be that weak link, whatever their practice setting, whatever the infrastructure they rely upon, and whatever role they play in an arbitration. * * * [ <strong>Polley </strong>: Spotted by MIRLN reader Phil Ray @philray66.] 
<a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://news.bbc.co.uk/2/hi/middle_east/7160057.stm"> <strong>Egypt 'to copyright antiquities' </strong> </a> (BBC, 25 Dec 2007) - Egypt's MPs are expected to pass a law requiring royalties be paid whenever copies are made of museum pieces or ancient monuments such as the pyramids. Zahi Hawass, who chairs Egypt's Supreme Council of Antiquities, told the BBC the law would apply in all countries. The money was needed to maintain thousands of pharaonic sites, he said. Correspondents say the law will deal a blow to themed resorts across the world where large-scale copies of Egyptian artefacts are a crowd-puller. Mr Hawass said the law would apply to full-scale replicas of any object in any museum in Egypt. "Commercial use" of ancient monuments like the pyramids or the sphinx would also be controlled, he said. "Even if it is for private use, they must have permission from the Egyptian government," he added. But he said the law would not stop local and international artists reproducing monuments as long as they were not exact replicas. <a href="">top </a> </p> <p> <a href="http://www.nytimes.com/2008/04/27/opinion/27sun3.html?_r=1&ref=opinion&oref=slogin" > <strong>Laura Berg's letter </strong> </a> (New York Times Editorial, 27 April 2008) - The PEN American Center, the literary organization committed to free expression, is honoring an American most people in this country have never read or even heard of: Laura Berg. She is a psychiatric nurse at a Veterans Affairs hospital who was threatened with a sedition investigation after she wrote a letter to the editor denouncing the Bush administration's bungling of Hurricane Katrina and the Iraq war. That's right, sedition: inciting rebellion against the government. 
We suppose nothing should surprise us in these days of government zealotry. But the horror and the shame of that witch hunt should shock everyone. Ms. Berg identified herself as a V.A. nurse when, soon after Katrina's horrors, she sent her impassioned letter to The Alibi, a paper in Albuquerque. "I am furious with the tragically misplaced priorities and criminal negligence of this government," she wrote. "We need to wake up and get real here, and act forcefully to remove a government administration playing games of smoke and mirrors and vicious deceit." Her superiors at the hospital soon alerted the Federal Bureau of Investigation and impounded her office computer, where she keeps the case files of war-scarred veterans she treats. Then she received an official warning in which a Veterans Affairs investigator intoned that her letter "potentially represents sedition." It took civil rights litigators and Senator Jeff Bingaman of New Mexico to "act forcefully" in reminding the government of the Constitution and her right to free speech. The Department of Veterans Affairs retreated then finally apologized to the shaken Ms. Berg. Even then, she noted, one superior told her it was preferred that she not identify herself as a V.A. nurse in any future letter writing. "And so I am saying I am a V.A. nurse," Ms. Berg soon boomed out in a radio broadcast. "And some of my fire in writing this about Katrina and Iraq is from my experience as a V.A. nurse." Thus declared Ms. Berg, well chosen to receive the new PEN/Katherine Anne Porter First Amendment Award. 
<a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-25802055844113243892018-02-10T07:32:00.000-05:002018-02-10T07:32:06.901-05:00MIRLN --- 21 Jan - 10 Feb 2018 (v21.02)<p> <a name="TOP"> </a> MIRLN --- 21 Jan - 10 Feb 2018 (v21.02) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_21_jan_10_feb_2018_v2102/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">LOOKING BACK </a> | <a href="">NOTES </a> </p> <ul> <li> <a href=""> The NSA knows who you are just by the sound of your voice-and their tech predates Apple and Amazon </a> </li> <li> <a href=""> From public Wi-Fi to encrypted emails, NY panel probes security of lawyer communications </a> </li> <li> <a href="">Your sloppy Bitcoin drug deals will haunt you for years </a> </li> <li> <a href=""> ICE is about to start tracking license plates across the US </a> </li> <li> <a href="">First 'Jackpotting' attacks hit US ATMs </a> </li> <li> <a href=""> Arizona bar accuses libel lawyers of suing fake defendants </a> </li> <li> <a href=""> Pentagon reviews GPS policies after soldiers' Strava tracks are seemingly exposed </a> </li> <li> <a href=""> UK gov will fine infrastructure firms up to £17m for lax cybersecurity safeguards </a> </li> <li> <a href=""> The shrinking half-life of knowledge, and what that means for KM </a> </li> <li> <a href=""> Inserting people into porn movies: The First Amendment textbook problem (2005) </a> </li> <li> <a href="">Personalized fake porn videos are now for sale on Reddit </a> </li> <li> <a href="">Get to know the city of Detroit's propaganda arm </a> </li> <li> <a href="">Google Search results to give 'diverse' answers </a> </li> <li> <a href=""> Opinion warns against judges doing online research on facts related to cases </a> </li> <li> <a href=""> 
Freedom of the Press Foundation will preserve Gawker's archives </a> </li> <li> <a href=""> A cybersecurity tip sheet for U.S. campaign officials is gaining traction, usage in field </a> </li> <li> <a href="">3 million Americans live in higher education deserts </a> </li> <li> <a href="">NIST issues "Blockchain Technology Overview" </a> </li> <li> <a href=""> Businesses with Apple and Cisco products may now pay less for cybersecurity insurance </a> </li> <li> <a href=""> An 'iceberg' of unseen crimes: Many cyber offenses go unreported </a> </li> <li> <a href=""> The NYT debuts its first augmented reality-enhanced story on iOS </a> </li> <li> <a href=""> An AI that reads privacy policies so that you don't have to </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="TheNSAknows"> </a> <a href="https://www.cnbc.com/2018/01/20/the-nsa-can-recognize-you-by-just-your-voice-predating-apple-amazon.html" > <strong> The NSA knows who you are just by the sound of your voice-and their tech predates Apple and Amazon </strong> </a> (CNBC, 20 Jan 2018) - For technology users who have marveled at the ability of Siri or Alexa to recognize their voice, consider this: The National Security Agency has apparently been way ahead of <a href="https://www.cnbc.com/quotes/?symbol=AAPL">Apple </a> or <a href="https://www.cnbc.com/quotes/?symbol=AMZN">Amazon </a>. The agency has at its disposal voice recognition technology that it employs to identify terrorists, government spies, or anyone they choose - with just a phone call, according to a report by <a href="https://theintercept.com/2018/01/19/voice-recognition-technology-nsa/" title="https://theintercept.com/2018/01/19/voice-recognition-technology-nsa/" > The Intercept </a> . The disclosure was revealed in a recently published article, part of a trove of documents leaked by former NSA contractor Edward Snowden. 
The publication wrote that by using recorded audio, the NSA is able to create a "voiceprint," or a map of qualities that mark a voice as singular, and identify the person speaking. The documents also suggest the agency is continuously improving its speech recognition capabilities, the publication noted. According to a <a href="https://www.documentcloud.org/documents/4351987-2006-01-04-Technology-That-Identifies-People-by.html" title="https://www.documentcloud.org/documents/4351987-2006-01-04-Technology-That-Identifies-People-by.html" > classified memo obtained by The Intercept </a> , the agency has employed this technology since at least 2006, with the document referencing technology "that identifies people by the sound of their voices." In fact, the NSA used such technology during Operation Iraqi Freedom, when analysts were able to verify audio thought to be of Saddam Hussein speaking. It suggests that national security operatives had access to high-level voice technology long before Amazon, Apple and Google's solutions became cultural touchstones. A "voiceprint" is "a dynamic computer model of the individual's vocal characteristics," the publication explained, created by an algorithm analyzing features like pitch and mouth shape. Then, using the NSA's formidable bank of recorded audio files, the agency is able to match the speaker to an identity. 
<a href="">top </a> </p> <p> <a name="FromPublic"> </a> <a href="https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2018/01/23/from-public-wi-fi-to-encrypted-emails-panel-probes-security-of-lawyer-communications/?kw=From%20Public%20Wi-Fi%20to%20Encrypted%20Emails%2C%20Panel%20Probes%20Security%20of%20Lawyer%20Communications&et=editorial&bu=ALMcyberSecure&cn=20180126&src=EMC-Email&pt=cyberSecureNews" > <strong> From public Wi-Fi to encrypted emails, NY panel probes security of lawyer communications </strong> </a> (NY Law Journal, 233 Jan 2018) - What happens when a lawyer connects a laptop containing sensitive client information to a public Wi-Fi network or prints out documents from a hotel printer? Those scenarios could put lawyers-and their clients-at an increased risk for data leaks and hacking, said panelists at a Tuesday discussion at the New York State Bar Association's <a href="http://www.nysba.org/am2018/" target="_blank"> annual conference </a> in Manhattan. One takeaway from the discussion, which was centered around data security in an attorney's day-to-day-practice and related ethical obligations, is the importance of using an encrypted communication device in transmitting client information. Encryption is often "client dictated," not law firm-driven, said panelist <a href="http://www.stroock.com/people/JBernard" target="_blank"> James Bernard </a> , a partner at Stroock & Stroock & Lavan who also serves as general counsel to his firm. Many clients, particularly financial services companies that are concerned about unauthorized access to personally identifiable information in their customer base, will use encrypted email, sometimes exclusively, in communications with law firms, Bernard said. 
* * * Another panelist, <a href="http://www.nycourts.gov/ad3/Bios/PetersBios.html" target="_blank"> Karen Peters </a> , a former presiding justice of the Appellate Division, Third Department, said an attorney's ethical obligations vary depending on the firm. "Are you talking about a large law firm with hundreds of lawyers that has an international presence? Then I would think their obligation to ensure confidentially to client data is a much higher obligation," said Peters, noting that such a firm's clients have information that hackers are looking to acquire, unlike a small firm in Plattsburgh, New York, handling family law or Surrogate's Court work. <a href="">top </a> </p> <p> <a name="YourSloppy"> </a> <a href="https://www.wired.com/story/bitcoin-drug-deals-silk-road-blockchain/" > <strong> Your sloppy Bitcoin drug deals will haunt you for years </strong> </a> (Wired, 26 Jan 2018) - Perhaps you bought some illegal narcotics on the Silk Road half a decade ago, back when that digital black market for every contraband imaginable was still online and bustling. You might already regret that decision, for any number of reasons. After all, the four <a href="https://www.wired.com/story/guide-bitcoin/">bitcoins </a> you spent on that bag of hallucinogenic mushrooms would now be worth about as much as an Alfa Romeo. But one group of researchers wants to remind you of yet another reason to rue that transaction: If you weren't particularly careful in how you spent your cryptocurrency, the evidence of that drug deal may still be hanging around in plain view of law enforcement, even years after the Silk Road was torn off the dark web. Researchers at Qatar University and the country's Hamad Bin Khalifa University earlier this week published <a href="https://arxiv.org/pdf/1801.07501.pdf" target="_blank">findings </a> that show just how easy it may be to dredge up evidence of years-old bitcoin transactions when spenders didn't carefully launder their payments. 
In well over 100 cases, they could connect someone's bitcoin payment on a dark web site to that person's public account. In more than 20 instances, they say, they could easily link those public accounts to transactions specifically on the Silk Road, finding even some purchasers' specific names and locations. <a href="">top </a> </p> <p> <a name="ICEisAbout"> </a> <a href="https://www.theverge.com/2018/1/26/16932350/ice-immigration-customs-license-plate-recognition-contract-vigilant-solutions" > <strong> ICE is about to start tracking license plates across the US </strong> </a> (The Verge, 26 Jan 2018) - The Immigration and Customs Enforcement (ICE) agency has officially gained agency-wide access to a nationwide license plate recognition database, according to <a href="https://www.fbo.gov/index?s=opportunity&mode=form&id=5629706f5736d22bd174b11965f5ac4c&tab=core&tabmode=list&=" > a contract finalized earlier this month </a> . The system gives the agency access to billions of license plate records and new powers of real-time location tracking, raising significant concerns from civil libertarians. The source of the data is not named in the contract, but an ICE representative said the data came from Vigilant Solutions, the leading network for license plate recognition data. "Like most other law enforcement agencies, ICE uses information obtained from license plate readers as one tool in support of its investigations," spokesperson Dani Bennett said in a statement. "ICE is not seeking to build a license plate reader database, and will not collect nor contribute any data to a national public or private database through this contract." 
While it collects few photos itself, Vigilant Solutions has amassed a database of more than 2 billion license plate photos by ingesting data from partners like <a href="http://www.syracuse.com/news/index.ssf/2015/01/private_companies_know_where_youve_been_thanks_to_license_plate_cameras.html" > vehicle repossession agencies </a> and other private groups. Vigilant also partners with <a href="https://www.eff.org/deeplinks/2016/01/no-cost-license-plate-readers-are-turning-texas-police-mobile-debt-collectors-and" > local law enforcement agencies </a> , often collecting even more data from camera-equipped police cars. The result is a massive vehicle-tracking network generating as many as 100 million sightings per month, each tagged with a date, time, and GPS coordinates of the sighting. <a href="">top </a> </p> <p> <a name="FirstJackpotting"> </a> <a href="https://krebsonsecurity.com/2018/01/first-jackpotting-attacks-hit-u-s-atms/" > <strong>First 'Jackpotting' attacks hit US ATMs </strong> </a> (Krebs on Security, 27 Jan 2018) - ATM "jackpotting" - a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand - has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States. To carry out a jackpotting attack, thieves first must gain physical access to the cash machine. From there they can use malware or specialized electronics - often a combination of both - to control the operations of the ATM. 
The Secret Service alert explains that the attackers typically use an <a href="https://en.wikipedia.org/wiki/Endoscope" target="_blank"> endoscope </a> - a slender, flexible instrument traditionally used in medicine to give physicians a look inside the human body - to locate the internal portion of the cash machine where they can attach a cord that allows them to sync their laptop with the ATM's computer. "Once this is complete, the ATM is controlled by the fraudsters and the ATM will appear Out of Service to potential customers," reads the confidential Secret Service alert. At this point, the crook(s) installing the malware will contact co-conspirators who can remotely control the ATMs and force the machines to dispense cash. "In previous Ploutus.D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds," the alert continues. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad. Otherwise, the machine is completely emptied of cash, according to the alert. <a href="">top </a> </p> <p> <a name="ArizonaBar"> </a> <a href="http://reason.com/volokh/2018/01/29/arizona-bar-accuses-lawyers-of-suing-fak" > <strong> Arizona bar accuses libel lawyers of suing fake defendants </strong> </a> (Volokh Conspiracy, 29 Jan 2018) - Friday, the Arizona State Bar <a href="https://reason.com/assets/db/15172543163948.pdf"> filed a disciplinary complaint </a> accusing two lawyers of filing libel lawsuits against fake defendants. Why would anyone do such thing, you might ask? How can you get real money (or real compliance with an injunction) from a fake defendant? Well, say you think some people are libeling you online. You try to get them to take down the libelous material, but you can't find them, or they refuse. You try to get the hosting site to delete the material, but it refuses. (Under the federal 47 U.S.C. § 230 statute, such intermediaries can refuse without fear of liability.) 
So you e-mail Google, and ask it to remove the page from Google's indexes, so that Google users won't see it. "We don't know whether it's actually libelous," Google responds, "and we aren't equipped to figure that out. But tell you what: You get a court order against the author that concludes the material is libelous, and then maybe we'll consider deindexing it." Now you, or the reputation management company you hired, can get a lawyer and bring that lawsuit. Many people do -- but it's time-consuming and very expensive. And maybe you'll lose: Maybe the defendant will defend, and will point out that the statement is just nonactionable opinion, or is factually accurate, or (what often happens) was written long enough ago that the statute of limitations runs. So you might be out the money, and without a remedy. That's where the fake-defendant lawsuits come in. Someone -- the plaintiff, the reputation management company, or the lawyer -- decides to file suit against a nonexistent defendant. The complaint is filed in court together with a stipulation from the "defendant" (actually filed by whoever is engineering this on the plaintiff's behalf) agreeing that the statement was false and defamatory, and agreeing to the entry of an injunction ordering the "defendant" to remove the statement. The court sees what appears to be agreement between the parties, and issues the injunction. In one such case, I saw the injunction issued a blazingly fast four days after the filing. Lovely! The only problem, of course, is that it's a fraud on the court. <a href="">top </a> </p> <p> <a name="PentagonReviews"> </a> <a href="https://www.npr.org/sections/thetwo-way/2018/01/29/581597949/pentagon-reviews-gps-data-after-soldiers-strava-tracks-are-seemingly-exposed" > <strong> Pentagon reviews GPS policies after soldiers' Strava tracks are seemingly exposed </strong> </a> (NPR, 29 Jan 2018) - Locations and activity of U.S. 
military bases; jogging and patrol routes of American soldiers - experts say those details are among the GPS data shared by the exercise tracking company Strava, whose Heat Map reflects more than a billion exercise activities globally. The Pentagon says it's looking at adding new training and policies to address security concerns. "Recent data releases emphasize the need for situational awareness when members of the military share personal information," Pentagon spokesman Major Adrian J.T. Rankine-Galloway of the U.S. Marine Corps said in a statement about the implications of the Strava data that has made international headlines. Strava - which includes an option for keeping users' workout data private - published the updated Heat Map late last year. The California-based company calls itself "the social network for athletes," saying that its mobile apps and website connect millions of people every day. * * * Describing what he calls "a security nightmare for governments around the world," foreign policy columnist Jeffrey Lewis describes for The Daily Beast how he used the Strava data to explore a missile command center in Taiwan whose location is meant to be secret. <a href="">top </a> </p> <p> <a name="UKgov"> </a> <a href="https://www.theinquirer.net/inquirer/news/3025518/uk-gov-will-fine-infrastructure-firms-up-to-gbp17m-for-lax-cybersecurity-safeguards?utm_source=eloqua&utm_medium=email_52075&utm_campaign=23528" > <strong> UK gov will fine infrastructure firms up to £17m for lax cybersecurity safeguards </strong> </a> (The Inquirer, 29 Jan 2018) - The UK government has announced that it will fine critical infrastructure organisations up to £17m if they fail to implement appropriate cybersecurity safeguards. 
UK gov issued the warning over the weekend, telling bosses of energy, transport, water and health firms to boost their cyber security defences or <a href="https://www.computing.co.uk/ctg/feature/2478896/how-gdpr-and-the-network-and-information-systems-security-directive-will-complicate-cloud-computing" target="_blank" title="Computing - How GDPR and the Network and Information Systems Security Directive will complicate cloud computing" > risk being slapped with hefty fines under the incoming Network and Information Systems (NIS) directive </a> . It said that, in the future, a regulator will be able to assess the cybersecurity infrastructure of the country's critical industries to ensure they're as robust "as possible". This regulator will have the power to issue legally-binding instructions to improve security, and - if appropriate - impose financial penalties, the government warned. The system will be aimed at ensuring that UK electricity, transport, water, energy, health and digital infrastructure firms are able to deal with cybersecurity threats. It will cover IT threats including power outages, hardware failures and environmental hazards. Under these measures, cybersecurity breaches and system failures such as WannaCry will fall under the NIS directive. <a href="">top </a> </p> <p> <a name="TheShrinking"> </a> <a href="http://www.nickmilton.com/2018/01/the-shrinking-half-life-of-knowledge.html" > <strong> The shrinking half-life of knowledge, and what that means for KM </strong> </a> (KnoCo, 30 Jan 2018) - When John Browne was CEO at BP, he talked about "the shrinking half-life of ideas". This always struck me as a very interesting concept; one which was fundamental to Browne's approach to corporate KM. I have since found that he was quoting an older idea from 1962 concerning the shrinking half-life of Knowledge, which has now been popularised and explored by Sam Arbesman (see video) among others. 
The idea of a half-life comes from nuclear physics, and originally applied to the decay of radioactive nuclei. In knowledge terms it refers to the observation that, as <a href="http://qi.com/research-half-life-of-facts">this article </a> tells us: <em> "What we think we know changes over time. Things once accepted as true are shown to be plain wrong. .... But what's really interesting is that studies of the frequency of citations of scientific papers show they become obsolete at a predictable rate. Just as with radioactive decay, you can't tell when any one 'fact' will reach its expiry date, but you can predict how long it will take for half the facts in any discipline to do so. In medicine, for example, 'truth' seems to have a 45-year half-life. Some medical schools teach students that, within a few years, half of what they've been taught will be wrong - they just don't know which half. In mathematics, the rate of decay is much slower: very few accepted mathematical proofs get disproved." </em> Not all knowledge has a short half-life - sometimes the knowledge is linked to the technology, and if you are running a nuclear power station using 1960s control software, then the half-life of the knowledge of the software has to exceed the life of the power station. However in most other areas, where knowledge is evolving and changing, and your competitive advantage lies (at least partly) in having the best and most valid knowledge, then hanging on to old knowledge which is past its half-life can be competitively dangerous. And the faster the speed of change, the shorter the half-life of knowledge and the greater the danger of using obsolete knowledge. Where knowledge has a short half-life, Knowledge Management is not so much about documenting and protecting "what you know", it is about how fast you can know something new, and how easily you can let go of the old. 
<a href="">top </a> </p> <p> <a name="InsertingPeople"> </a> <a href="http://reason.com/volokh/2018/01/31/inserting-people-into-porn-movies-the-fi" > <strong> Inserting people into porn movies: The First Amendment textbook problem (2005) </strong> </a> <strong> </strong> (Eugene Volokh, 31 Jan 2018) - I added this problem to the second edition of my First Amendment textbook back in 2005, and accounts suggest that it's now quite timely: <em> Within ten or twenty years [of 2005], there will probably be consumer-usable software that can easily overlay people's photographs and voices onto movies that depict someone else. The program would automatically and seamlessly alter multiple scenes in which the character is shown from different angles, with different facial expressions, doing different things. (Of course, one can already do this in some measure with photos, but this hypothetical program would be much more sophisticated.) Naturally, many people, famous or not, will be unhappy knowing that they are depicted without their permission in others' home sex movies. Imagine that Congress therefore decides to prohibit the distribution and use of the computer program that allows such movies to be made. How would such a law be different for First Amendment purposes from normal obscenity legislation? Do you think the law should be upheld (even if that means changing First Amendment law), and on what grounds? If you think the law should be struck down, what about laws that: (1) prohibit the use of the software to make such pornographic movies without the photographed person's consent; (2) prohibit the noncommercial distribution of the movies, whether to a small group of friends or on the Internet, or; (3) prohibit the commercial distribution of the movies? Don't limit yourself to considering whether such laws are constitutional under existing obscenity doctrine. 
Consider also whether you think there should be an obscenity exception at all, and whether you think it should be broader or narrower than it now is. </em> <a href="">top </a> </p> <p> - and - </p> <p> <a name="Personalized"> </a> <a href="https://motherboard.vice.com/en_us/article/7x799b/selling-ai-generated-fake-porn-is-probably-a-good-way-to-get-sued" > <strong> Personalized fake porn videos are now for sale on Reddit </strong> </a> (Motherboard, 6 Feb 2018) - Until last week, people in Reddit's deepfakes community, which creates fake porn videos of celebrities using a machine learning algorithm, have been content to post their work for free, framing it as their hobby. But increasingly, they're taking the opportunity to make a buck off of nonconsenting women's likenesses, by selling face-swapped fake porn creations for cryptocurrency. In the weeks since <a href="https://motherboard.vice.com/en_us/article/bjye8a/reddit-fake-porn-app-daisy-ridley%5C" target="_blank" > we first reported on it, </a> the r/deepfakes subreddit-home base for AI-generated fake porn videos, mostly of unconsenting celebrities-has exploded to more than 85,000 subscribers. One of those subreddits, r/deepfakeservice, is dedicated to commissioning deepfake videos from other users. The pinned rules post includes guidelines for formatting requests and service offers: For requests, the seller would ask for a description of the video, price, what they need to work with (images of the celebrity needed to create the fake video), and how much time it will take. Where there's demand, there are people waiting to turn a profit. The subreddit has been up for about a week and has over 200 subscribers and a handful of requests. 
It raises the question: If trading fake porn videos for free exists in a legal gray area <a href="https://motherboard.vice.com/en_us/article/59kzx3/targets-of-fake-porn-deepfakes-are-at-the-mercy-of-big-platforms" target="_blank" > as we've reported </a> , does putting a price tag on these videos change the game? <em>[See also </em>, <a href="https://techcrunch.com/2018/02/07/deepfakes-fake-porn-reddit-twitter-ban/" > <strong> Reddit bans 'involuntary porn' communities that trade AI-generated celebrity videos </strong> </a> (Tech Crunch, 7 Feb 2018)] <a href="">top </a> </p> <p> <a name="GetToKnow"> </a> <a href="https://www.metrotimes.com/detroit/get-to-know-the-city-of-detroits-propaganda-arm/Content?oid=8910656&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Get to know the city of Detroit's propaganda arm </strong> </a> (Metro Times, 31 Jan 2018) - Early this month, in the days after Detroit Mayor Mike Duggan said he'd be moving forward with a plan to require thousands of Detroit businesses to <a href="http://www.crainsdetroit.com/article/20180104/news/649206/detroit-aims-to-mandate-project-green-light-crime-monitoring" target="_blank" > buy into a costly surveillance program </a> intended to reduce crime, a sponsored post that looked favorably upon the program appeared at the top of our Facebook timeline. The linked content - <a href="http://www.theneighborhoods.org/story/inside-real-time-crime-center-dpds-24-hour-monitoring-station" target="_blank" > "Inside the Real Time Crime Center, DPD's 24-hour monitoring station" </a> - had all of the trappings of a news story. There was a headline, a byline, a mix of quotes and information. It was published at a site called " <a href="http://theneighborhoods.org/" target="_blank"> theneighborhoods.org </a> ," suggesting it may have been the work of a community news nonprofit. But the story was not journalism. 
It was written by the Detroit city government - more specifically, its "Storytelling" department. The department created by Duggan last year is believed to be the first of its kind in the nation. Staffed by six people, some of them former journalists, its primary objective is to populate a website and cable channel called "The Neighborhoods," which launched as Duggan was in the midst of a re-election effort that hinged on his ability to thwart perceptions he'd <a href="https://www.metrotimes.com/detroit/meet-the-13-candidates-trying-detroit-mayor-mike-duggan/Content?oid=4814573" target="_blank" > let the city's neighborhoods languish </a> during his first term. The company line at the time was that the site would <a href="https://www.theguardian.com/cities/2017/sep/05/detroit-redefined-america-first-official-chief-storyteller#img-1" target="_blank" > "give Detroiters and their neighborhoods a stronger voice," </a> filling a void department head and "chief storyteller" Aaron Foley claimed traditional media hadn't. Five months in, the website appears to be fulfilling that mission - in part. The Neighborhoods' story grid is primarily comprised of features on local businesses, notices on city services, and "things-to-do" listicles that include some neighborhood happenings. But the story posted Jan. 10 did not give Detroiters a "stronger voice" - it omitted their voices almost entirely. In covering the controversial and costly Project Green Light surveillance program following word of a possible mandate, the piece did not include the voices of Detroit business owners who might oppose being forced to buy the technology, nor did it provide quotes from any residents concerned about being filmed - it featured only voices from the law enforcement and counterterrorism intelligence communities. To the undiscerning reader, the report may have seemed innocuous. 
Project Green Light, a program in which businesses pay for cameras that stream video footage directly into Detroit police headquarters, is generally known for helping drive down crime where it's present. The Neighborhoods' story gave readers a glimpse into the Real Time Crime Center where the footage is streamed, and it supplied an anecdote in which police were able to quickly find and arrest a shooting suspect who was caught on tape. The story also did offer a few words about privacy concerns - though only to quickly shoot them down via an officer who said that if people were made to choose between protection and privacy, they'd choose protection. But the program has drawn criticism from the American Civil Liberties Union of Michigan, and business owners have <a href="https://www.metrotimes.com/detroit/project-green-light-faces-scrutiny-as-detroit-eyes-mandate-for-thousands-of-businesses/Content?oid=8539251" target="_blank" > questioned its benefits </a> . Earlier this month we reported that the expensive technology doesn't appear to be helping stop crimes in progress, and that some business owners feel they <a href="https://www.metrotimes.com/detroit/project-green-light-faces-scrutiny-as-detroit-eyes-mandate-for-thousands-of-businesses/Content?oid=8539251" target="_blank" > benefit only from the perks of the system </a> , which include <a href="http://www.greenlightdetroit.org/faqs/" target="_blank"> "priority 1" </a> police response times of 14 minutes. "It's more of a 'pay and we'll come or don't pay and we're not coming,'" Billy Jawad, who runs a gas station on 7 Mile and Meyers, told us. The Neighborhoods story overlooked these dynamics, but it also neglected to mention a glaring news peg. Just days earlier, Duggan had said "the votes in council are there" to pass a law that would require any business open past 10 p.m. to buy the technology - at a cost of at least $4,000, plus monthly fees of $140 and up. 
The proposal, which the city later said would not come for about a year, could impact <a href="http://www.crainsdetroit.com/article/20180104/news/649206/detroit-aims-to-mandate-project-green-light-crime-monitoring" target="_blank" > up to 4,000 businesses </a> , according to <em>Crain's Detroit Business </em>. <a href="">top </a> </p> <p> <a name="GoogleSearch"> </a> <a href="http://www.bbc.com/news/technology-42886944?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Google Search results to give 'diverse' answers </strong> </a> (BBC, 31 Jan 2018) - Google says it will soon alter its Search tool to provide "diverse perspectives" where appropriate. The change <a href="https://blog.google/products/search/reintroduction-googles-featured-snippets/" > will affect the boxed text </a> that often appears at the top of results pages - known as a Snippet - which contains a response sourced from a third-party site. At present, Google provides only a single box but it will sometimes show multiple Snippets in the future. The change could help Google tackle claims it sometimes spreads lies. But one expert warned the move introduced fresh risks of its own. Google introduced Snippets into its search results in 2014, placing the boxed text below paid listings but above other links. The idea is to provide information that users want without them having to click through to another page. Google <a href="https://research.googleblog.com/2014/09/introducing-structured-snippets-now.html" > acknowledged at the time </a> that "fact quality" would vary depending on the request. But it has <a href="https://theoutline.com/post/1192/google-s-featured-snippets-are-worse-than-fake-news?zd=1" > been accused of providing </a> "shockingly bad" information in some cases. Google offered a less controversial example of a problem, in a blog detailing its new approach. 
It said that when users asked if reptiles made "good pets" they were given several reasons why the answer was yes, but if they asked if the animals made "bad pets" they were given contradictory advice. It said this happened because its system was designed to favour content that aligned with the posed question, and suggested that offering different viewpoints would therefore be a better option. "There are often legitimate diverse perspectives offered by publishers, and we want to provide users visibility and access into those perspectives from multiple sources," wrote Matthew Gray, Google's Snippets chief. <a href="">top </a> </p> <p> <a name="OpinionWarns"> </a> <a href="http://www.abajournal.com/magazine/article/opinion_warns_against_judges_doing_online_research_on_facts_related_to_case/" > <strong> Opinion warns against judges doing online research on facts related to cases </strong> </a> (ABA Journal, Feb 2018) - In <a href="http://www.abajournal.com/images/main_images/FO_478_FINAL_12_07_17.pdf" > Formal Opinion 478 </a> , the ABA Standing Committee on Ethics and Professional Responsibility addresses the restrictions imposed by the 2007 ABA Model Code of Judicial Conduct on a judge searching the internet for information helpful in deciding a case. The ABA opinion concludes that Rule 2.9(C) of the Model Code prohibits a judge from researching adjudicative facts on the internet unless a fact is subject to judicial notice. Rule 2.9(C) clearly and definitively declares that "a judge shall not investigate facts in a matter independently, and shall consider only the evidence presented and any facts that may properly be judicially noticed." Acknowledging the integral part that search engines play in everyday life, Comment 6 to Rule 2.9 bluntly tells judges that the prohibition "extends to information available in all mediums, including electronic." 
While recognizing that the internet, including social networking sites, provides immediate access to a limitless amount of information potentially useful to a judge laboring over difficult case-specific factual issues, the recent ABA opinion highlights two important justifications for the prohibition against electronic factual research. First, information found on the web may be fleeting, biased, misleading and sometimes downright false. Second, unless the narrow judicial-notice exception applies, gathering even trustworthy information from the internet compromises the division of responsibility between the judge and the parties so essential to the proper functioning of the adversarial system. The committee emphasizes this point by describing the "defining feature" of the judicial role as a judge's duty to base decisions only on evidence presented in court and available to the parties. The limitations on independent factual research by judges are not solely a matter of judicial ethics. Rule 2.9(C) is one of the few provisions of the Model Code that integrates an evidentiary rule into an ethical standard. Rule 2.9(C) permits a judge to consider a fact from sources other than the evidence submitted by the parties as long as the judge abides by his or her jurisdiction's requirements for taking judicial notice of the fact. Incorporating a rule of evidence into an ethical rule complicates the analysis because, as noted by the committee, judicial notice standards and procedures vary significantly from jurisdiction to jurisdiction. To illustrate how Rule 2.9(C) and the doctrine of judicial notice interface, the committee examines Federal Rule of Evidence 201, which governs judicial notice. 
* * * <a href="">top </a> </p> <p> <a name="FreedomOfThe"> </a> <a href="https://techcrunch.com/2018/02/01/freedom-of-the-press-foundation-will-preserve-gawkers-archives/" > <strong> Freedom of the Press Foundation will preserve Gawker's archives </strong> </a> (Tech Crunch, 1 Feb 2018) - <a href="http://gawker.com/" target="_blank">Gawker's posts </a> will be captured and saved by the non-profit <a href="https://freedom.press/" target="_blank"> Freedom of the Press Foundation </a> , following <a href="https://www.reuters.com/article/us-gawker-thiel/peter-thiel-submits-bid-for-gawker-faces-challenges-idUSKBN1F02V2" target="_blank" > a report that venture capitalist Peter Thiel </a> wants to buy its remaining assets, including archived content and domain names. Thiel bankrolled the lawsuit that led to Gawker's bankruptcy and eventual shutdown in 2016. In <a href="https://freedom.press/news/archiving-alternative-press-threatened-wealthy-buyers/?source=techstories.org" target="_blank" > a blog post </a> , Parker Higgins, the Freedom of the Press Foundation's director of special projects, said it is launching an online archive collection with <a href="https://archive-it.org/" target="_blank">Archive-It </a>, a service developed by the Internet Archive (the non-profit that runs the Wayback Machine). The archive will focus on preserving the entire sites of "news outlets we deem to be especially vulnerable to the 'billionaire problem,'" Higgins wrote. Higgins wrote that by archiving news sites, the Freedom of the Press Foundation "seek[s] to reduce the 'upside' for wealthy individuals and organizations who would eliminate embarrassing or unflattering coverage by purchasing outlets outright. In other words, we hope that sites that can't simply be made to disappear will show some immunity to the billionaire problem." 
Archive-It takes screenshots of webpages at specific times and is used by universities, libraries, museums and other organizations to preserve sites they consider important historic documents. For example, UCLA used it to <a href="https://archive-it.org/collections/5886" target="_blank"> archive sites related to the Occupy Wall Street protests </a> , while the Internet Archive made a collection of sites, news coverage, blog entries and documents <a href="https://archive-it.org/collections/2017" target="_blank"> about the Wikileaks releases </a> . The Freedom of the Press Foundation has already used Archive-It to capture the LA Weekly after it was <a href="http://www.latimes.com/business/la-fi-la-weekly-20171201-story.html" target="_blank" > acquired by Semanal Media </a> , which originally tried to keep the identity of its owners secret, and then <a href="https://www.thedailybeast.com/all-la-weekly-editors-abruptly-fired" target="_blank" > fired most of the newspaper's editorial staff </a> . Preserved content from Gawker will appear in the Freedom of the Press Foundation's collection, as well as on the Wayback Machine. [ <em>See also, </em> <a href="https://freedom.press/news/archiving-alternative-press-threatened-wealthy-buyers/" > <strong> Archiving the alternative press threatened by wealthy buyers </strong> </a> (Freedom of the Press Foundation, 31 Jan 2018)] <a href="">top </a> </p> <p> <a name="AcybersecurityTip"> </a> <a href="https://www.cyberscoop.com/cybersecurity-tip-sheet-u-s-campaign-officials-gaining-traction-usage-field/" > <strong> A cybersecurity tip sheet for U.S. campaign officials is gaining traction, usage in field </strong> </a> (CyberScoop, 1 Feb 2018) - A prominent nonprofit research organization has begun distributing tip sheets to campaign officials in an effort to safeguard the 2018 midterm elections from hackers. 
Alison Lundergan, Kentucky's secretary of state, and Mac Warner, West Virginia's secretary of state, are now sharing the " <a href="https://www.belfercenter.org/CyberPlaybook?utm_source=SilverpopMailing&utm_medium=email&utm_campaign=D3P_Bipartisan%20Secs%20in%20Kentucky%20and%20West%20Virginia_Cybersecurity%20Playbook%20(1)&utm_content=&spMailingID=18927551&spUserID=MzMxMTg0Mjc5ODc2S0&spJobID=1182066651&spReportId=MTE4MjA2NjY1MQS2" > Cybersecurity Campaign Playbook </a> " with candidates seeking office in their states. Kentucky and West Virginia represent the first two states in the country to distribute and leverage these guidelines. The playbook was created by <a href="https://www.belfercenter.org/publication/belfer-center-launches-defending-digital-democracy-project-fight-cyber-attacks-and" > Defending Digital Democracy </a> (DDD) - a bipartisan initiative focused on providing tools and strategies to protect the democratic process from cyberattacks. The initiative was launched last summer at the Belfer Center for Science and International Affairs at Harvard Kennedy School. It is led by two former campaign managers who were involved in leading failed presidential campaigns for 2016 Democratic candidate Hillary Clinton and 2012 Republican candidate Mitt Romney, respectively. The DDD playbook is intended for campaigns that don't have the means to hire professional cybersecurity staff. The recommendations are supposed to be easily digestible for people without technical training. The document was created with the goal of providing political campaigns, candidates and their staff with the basic information to prevent digital attacks. It will be used to "provide campaign operatives with bipartisan and commonsense steps on cybersecurity," Colin Reed, senior vice president of public affairs at DDD, told CyberScoop. 
<a href="">top </a> </p> <p> <a name="ThreeMillion"> </a> <a href="https://www.insidehighered.com/quicktakes/2018/02/02/3-million-americans-live-higher-education-deserts?utm_source=Inside+Higher+Ed&utm_campaign=0ab132a377-DNU20180111&utm_medium=email&utm_term=0_1fcbc04421-0ab132a377-197618481&mc_cid=0ab132a377&mc_eid=012fe6c04c" > <strong>3 million Americans live in higher education deserts </strong> </a> (InsideHigherEd, 2 Feb 2018) - Roughly <a href="https://www.urban.org/urban-wire/three-million-americans-are-disconnected-higher-education" target="_blank" > three million Americans </a> live more than 25 miles from a broad-access public college and do not have the sort of high-speed internet connection necessary for online college programs, according to a report from the Urban Institute's education policy program. The institute used data from the U.S. Department of Education and the Federal Communications Commission to identify these education "deserts," cross-referencing that information with data from the Census Bureau to determine who lives in them. The report found that 17.6 million adults live in a physical higher education desert, with 3.1 million (1.3 percent of adults in the U.S.) lacking access to online and physical college programs. The report also tracked the demographics of people who live in education deserts. "This study demonstrates what many Native Americans, rural Americans and other Americans living in education deserts already know: the internet has not untethered all of us from our geographic locations," said the report. "As long as broadband access depends on geography, place still plays an important role in access to higher education." 
<a href="">top </a> </p> <p> <a name="NISTissues"> </a> <a href="http://ridethelightning.senseient.com/2018/02/nist-issues-blockchain-technology-overview.html" > <strong>NIST issues "Blockchain Technology Overview" </strong> </a> (Ride The Lightning, 5 Feb 2018) - The National Institute of Standards and Technology (NIST) has issued a report titled " <a href="https://csrc.nist.gov/CSRC/media/Publications/nistir/8202/draft/documents/nistir8202-draft.pdf" target="_blank" > Blockchain Technology Overview </a> ." The report is intended to provide a high-level technical overview and discusses the application of blockchain technology to electronic currency in depth as well as broader applications. "We want to help people understand how blockchains work so that they can appropriately and usefully apply them to technology problems," said NIST computer scientist Dylan Yaga, who is one of the authors of the report. "It's an introduction to the things you should understand and think about if you want to use blockchain." According to Yaga, blockchain technology is a powerful new paradigm for business. "Because the market is growing so rapidly, several stakeholders, customers and agencies asked NIST to create a straightforward description of blockchain so that newcomers to the marketplace could enter with the same knowledge about the technology," according to the NIST press release. The NIST draft report is open to public comments from January 24 to February 23, 2018. 
<a href="">top </a> </p> <p> <a name="BusinessesWith"> </a> <a href="https://techcrunch.com/2018/02/05/businesses-with-apple-and-cisco-products-may-now-pay-less-for-cybersecurity-insurance/?ncid=rss" > <strong> Businesses with Apple and Cisco products may now pay less for cybersecurity insurance </strong> </a> (Tech Crunch, 5 Feb 2018) - Apple and Cisco <a href="https://www.apple.com/newsroom/2018/02/cisco-apple-aon-allianz-introduce-a-first-in-cyber-risk-management/" target="_blank" > announced </a> this morning a new deal with insurer Allianz that will allow businesses with their technology products to receive better terms on their cyber insurance coverage, including lower deductibles - or even no deductibles, in some cases. Allianz said it made the decision to offer these better terms after evaluating the technical foundation of Apple and Cisco's products, like Cisco's Ransomware Defense and Apple's iPhone, iPad and Mac. Allianz found Apple and Cisco's products offered businesses a "superior level of security," Apple said in its own announcement about the new deal. The new cyber security insurance solution will involve Aon's cyber security professionals assessing potential customers' current cyber security situation and recommendations on how to improve their defenses. And participating organizations will have access to Cisco and Aon's Incident Response teams in the event of a malware attack. <a href="">top </a> </p> <p> <a name="AnIceberg"> </a> <a href="https://www.nytimes.com/2018/02/05/nyregion/cyber-crimes-unreported.html?ref=todayspaper&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> An 'iceberg' of unseen crimes: Many cyber offenses go unreported </strong> </a> (NYT, 5 Feb 2018) - Utah's chief law enforcement officer was deep in the fight against opioids when he realized that a lack of data on internet sales of fentanyl was hindering investigations. So the officer, Keith D. 
Squires, the <a href="http://www.policeforum.org/assets/UtahModel.pdf" title="Utah study" > state's </a> public safety commissioner, created a team of analysts to track and chronicle online distribution patterns of the drug. In Philadelphia, hidebound ways of confronting iPhone thefts let thrive illicit networks to distribute stolen cellphones. Detectives treated each robbery as an unrelated street crime - known as "apple picking" - rather than a vast scheme with connected channels used by thieves to sell the stolen phones. And in Nashville, investigators had no meaningful statistics on a nasty new swindle of the digital age: the "cheating husband" email scheme. In it, anonymous extortionists mass-email large numbers of men, threatening to unmask their infidelities. The extortionists have no idea if the men have done anything wrong, but enough of them are guilty, it turns out, that some pay up, sometimes with Bitcoin. Each case demonstrates how the tools used to fight crime and measure crime trends in the United States are outdated. Even as certain kinds of crimes are declining, others are increasing - yet because so many occur online and have no geographic borders, local police departments face new challenges not only fighting them, but also keeping track of them. Politicians often promote crime declines without acknowledging the rise of new cybercrimes. Many of the offenses are not even counted when major crimes around the nation are tallied. 
Among them: identity theft; <a href="https://www.thedailybeast.com/sextortion-killed-their-son-cops-looked-the-other-way" title="Daily Beast story" > sexual </a> exploitation; <a href="http://www.healthcareitnews.com/slideshow/ransomware-see-hospitals-hit-2016?page=1" title="News reports" > ransomware attacks </a> ; fentanyl purchases over the dark web; human trafficking for sex or labor; revenge porn; credit card fraud; child exploitation; and gift or credit card schemes that gangs use to raise cash for their traditional operations or vendettas. In a sense, technology has created an extraordinary moment for industrious criminals, increasing profits without the risk of street violence. Digital villainy can be launched from faraway states, or countries, eliminating physical threats the police traditionally confront. Cyberperpetrators remain unknown. Law enforcement officials, meanwhile, ask themselves: Who owns their crimes? Who must investigate them? What are the specific violations? Who are the victims? How can we prevent it? <a href="">top </a> </p> <p> <a name="TheNYTdebuts"> </a> <a href="https://techcrunch.com/2018/02/06/the-nyt-debuts-its-first-augmented-reality-enhanced-story-on-ios/?ncid=rss" > <strong> The NYT debuts its first augmented reality-enhanced story on iOS </strong> </a> (Tech Crunch, 6 Feb 2018) - Apple's investment in AR technologies has been ushering in a <a href="https://techcrunch.com/2017/08/29/a-preview-of-the-first-wave-of-ar-apps-coming-to-iphones/" target="_blank" > new wave of apps </a> , from those that let you perform more practical tasks - like visualizing furniture placement in rooms - to those with mass consumer appeal - like AR gaming, including Niantic's upcoming <a href="https://techcrunch.com/2017/11/08/niantics-follow-up-to-pokemon-go-will-be-a-harry-potter-ar-game-launching-in-2018/" target="_blank" > Harry Potter: Wizards Unite </a> . 
But AR can also be used to create unique experiences within more traditional apps, too, as The New York Times is showcasing with today's launch of its <a href="https://www.nytimes.com/interactive/2018/02/05/sports/olympics/ar-augmented-reality-olympic-athletes-ul.html" target="_blank" > first-ever AR experiment for storytelling </a> . In The NYT's iOS app for iPhone and iPad, the company is debuting its first AR-enabled article, offering a <a href="https://www.nytimes.com/interactive/2018/02/05/sports/olympics/ar-augmented-reality-olympic-athletes-ul.html" target="_blank" > preview of the Winter Olympics </a> . The article focuses on top Olympic athletes, including figure skater Nathan Chen, snowboarder Anna Gasser, short track speed skater J.R. Celski, and hockey goalie Alex Rigsby. In the app, NYT readers can view the athletes appear in the room beside them, zoom in and out, and walk around in 360 degrees to see them from every side. This lets you get up close and personal with the Olympians, where you're able to see things like how high Chen's skates are off the ice when performing a jump, the offset of Celski's skates, or how far open Alex Rigsby's glove is when making a save. * * * [ <strong>Polley </strong>: quite impressive - the athletes appear in high-def, right in the middle of my living room; they're frozen in time, and I can walk entirely around them, and approach/back-away to see more detail, close-up. Impressive.] <a href="">top </a> </p> <p> <a name="AnAI"> </a> <strong> <a href="https://www.wired.com/story/polisis-ai-reads-privacy-policies-so-you-dont-have-to/" > An AI that reads privacy policies so that you don't have to </a> </strong> (Wired, 9 Feb 2018) - You don't read privacy policies. And of course, that's because they're not actually written for you, or any of the other billions of people who click to agree to their inscrutable legalese. 
Instead, like bad poetry and teenagers' diaries, those millions upon millions of words are produced for the benefit of their authors, not readers-the lawyers who wrote those get-out clauses to protect their Silicon Valley employers. But one group of academics has proposed a way to make those virtually illegible privacy policies into the actual tool of consumer protection they pretend to be: an <a href="https://www.wired.com/story/guide-artificial-intelligence/"> artificial intelligence </a> that's fluent in fine print. Today, researchers at Switzerland's Federal Institute of Technology at Lausanne (EPFL), the University of Wisconsin and the University of Michigan announced the release of <a href="https://pribot.org/" target="_blank">Polisis </a>-short for "privacy policy analysis"-a new website and browser extension that uses their machine-learning-trained app to automatically read and make sense of any <a href="https://www.wired.com/2012/08/no-time-to-read-the-terms-of-service-tosdr-does-the-hard-work-for-you/" > online service's privacy policy </a> , so you don't have to. In about 30 seconds, Polisis can read a privacy policy it's never seen before and extract a readable summary, displayed in a graphic flow chart, of what kind of data a service collects, where that data could be sent, and whether a user can opt out of that collection or sharing. Polisis' creators have also built a chat interface they call Pribot that's designed to answer questions about any privacy policy, intended as a sort of privacy-focused paralegal advisor. Together, the researchers hope those tools can unlock the secrets of how tech firms use your data that have long been hidden in plain sight. "What if we visualize what's in the policy for the user?" asks Hamza Harkous, an EPFL researcher who led the work, describing the thoughts that led the group to their work on Polisis and Pribot. "Not to give every piece of the policy, but just the interesting stuff... 
What if we turned privacy policies into a conversation?" Plug in the website for Pokemon Go, for instance, and Polisis will immediately find its privacy policy and show you the vast panoply of information that the game collects, from IP addresses and device IDs to location and demographics, as well as how those data sources are split between advertising, marketing, and use by the game itself. It also shows that only a small sliver of that data is subject to a clear opt-in consent. (See how Polisis lays out those data flows in the chart below.) Feed it the website for DNA analysis app Helix, and Polisis shows that health and demographic information is collected for analytics and basic services, but, reassuringly, none of it is used for advertising and marketing, and most of the sensitive data collection is opt-in. <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="https://www.americanbar.org/content/aba/tools/digitalassetabstract.html/content/dam/aba/publications/business_lawyer/2018/73_1/article-cybersecurity-201801.pdf" > <strong> SEC Cybersecurity Guidelines: Insights Into the Utility of Risk Factor Disclosures for Investors </strong> </a> (ABA Business Law Section, Jan 2018) - In October 2011, the SEC issued new guidelines for disclosure of cybersecurity risks. Some firms responded to these guidelines by issuing new risk factor disclosures. This article examines the guidelines and cybersecurity disclosures in the context of existing laws governing securities regulation. It then examines empirical results from firm disclosures following the new guidelines. Evidence shows a relatively small proportion of firms chose to modify their risk factor disclosures, with most firms choosing not to disclose any specific cybersecurity risk. Moreover, disclosing firms generally experienced significant negative stock market price effects on account of making new disclosures. 
Rather than viewing disclosure as a positive signal of management attentiveness, investors apparently viewed it as a cautionary sign. <a href="">top </a> </p> <p> <a href="https://medium.com/berkman-klein-center/the-cyberlaw-guide-to-protest-art-roadmap-c79b8ab4f61b" > <strong>The Cyberlaw Guide to Protest Art: Roadmap </strong> </a> (Harvard Berkman/Klein, 22 Jan 2018) - Art plays a significant role in American democracy. Across the political spectrum, protest art - posters, songs, poems, memes, and more - inspires us, gives us a sense of community, and provides insight into how others think and feel about important and often controversial issues. While protest art has been part of our culture for a very long time, the Internet and social media have changed the available media and the visibility of protest artists. Digital technologies make it easy to find existing works and incorporate them into your own, and art that goes viral online spreads faster than was ever possible in the analog world. Many artists find the law that governs all of this unclear in the physical world, and even murkier online. The authors of this guide are a collection of lawyers and creative folks. We have seen how the law can undermine artists, writers, and musicians when they're caught unaware, and distract them from the work they want to do. But we've also observed how savvy creators <em>use </em> the law to enhance their work and broaden their audiences. This guide is intended to ensure that you, the reader, can be one of the savvy ones. 
<a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.theguardian.com/technology/2008/jan/24/privacy.internet" > <strong>Sharper aerial pictures spark privacy fears </strong> </a> (The Guardian, 24 Jan 2008) - If you were up to no good in the London open air last winter, start working up excuses: you might be on the web. This week, a company launches an online map of central London which includes aerial photography at four times the resolution of existing online maps: the equivalent of looking down from the 10th floor. The map, from 192.com, publishes aerial photography at a resolution of 4cm for London and 12.5cm for the rest of the UK. In the right conditions, images at this resolution are enough to identify individuals - a step that existing online mapping ventures such as Google Earth and Microsoft's Virtual Earth have so far been careful to avoid. Alastair Crawford, 192's chief executive, makes no apologies for the possibilities: "We're considering holding a competition. We want to challenge people to find out how much naughty stuff is happening. If you're having an affair in London, you'd better be careful!" The mapping venture is likely to heat up the debate about the extent to which information about individuals is available on the web - especially as 192.com, which specialises in providing data about individuals gleaned from official sources has announced plans to attach estimated ages to every person in its database of 27 million Britons. 
<a href="">top </a> </p> <p> <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/02/26/AR2008022602312.html" > <strong>GOP halts effort to retrieve White House e-mails </strong> </a> (Washington Post, 27 Feb 2008) - After promising last year to search its computers for tens of thousands of e-mails sent by White House officials, the Republican National Committee has informed a House committee that it no longer plans to retrieve the communications by restoring computer backup tapes, the panel's chairman said yesterday. The move increases the likelihood that an untold number of RNC e-mails dealing with official White House business during the first term of the Bush administration - including many sent or received by former presidential adviser Karl Rove - will never be recovered, said House Democrats and public records advocates. The RNC had previously told the House Oversight and Government Reform Committee that it was attempting to restore e-mails from 2001 to 2003, when the RNC had a policy of purging all e-mails, including those to and from White House officials, after 30 days. But Chairman Henry A. Waxman (D-Calif.) disclosed during a hearing yesterday that the RNC has now said it "has no intention of trying to restore the missing White House e-mails." "The result is a potentially enormous gap in the historical record," Waxman said, including the buildup to the Iraq war. Spokesman Danny Diaz said in a statement that the RNC "is fully compliant with the spirit and letter of the law." He declined further comment. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. 
Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. 
<a href="">top </a> </p> Vince Polleyhttp://www.blogger.com/profile/11939466711834283196noreply@blogger.com0tag:blogger.com,1999:blog-7835588.post-13700636888184612772018-01-20T07:15:00.000-05:002018-01-20T07:15:15.070-05:00MIRLN --- 1-20 Jan 2018 (v21.01)<p> <a name="TOP"> </a> MIRLN --- 1-20 Jan 2018 (v21.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_1_20_jan_2018_v2101/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">LOOKING BACK </a> | <a href="">NOTES </a> </p> <ul> <li> <a href="">FERC proposes rule to expand cyber incident reporting </a> </li> <li> <a href="">SEC plans cybersecurity guidance refresh: What to expect </a> </li> <li> <a href="">Zero-width [fingerprinting] characters </a> </li> <li> <a href=""> This candidate for Congress will let his constituents decide how he votes </a> </li> <li> <a href=""> DHS expands license plate dragnet, streams collections to us law enforcement agencies </a> </li> <li> <a href=""> New CBP border device search policy still permits unconstitutional searches </a> </li> <li> <a href=""> Federal agencies may be regularly hiding surveillance methods in criminal cases </a> </li> <li> <a href=""> Raising its bet on analytics, Littler adds first Chief Data Analytics Officer </a> </li> <li> <a href=""> Ninth Circuit doubles down: Violating a website's terms of service is not a crime </a> </li> <li> <a href=""> Sedona Conference publishes the Sedona Conference Data Privacy Primer </a> </li> <li> <a href=""> Inside Uber's $100,000 payment to a hacker, and the fallout </a> </li> <li> <a href=""> Science Fiction Writers of America accuse Internet Archive of piracy </a> </li> <li> <a href=""> China's total information awareness: Second-order challenges </a> </li> <li> <a href=""> Electronic device advisory for ABA mid-year meeting attendees </a> </li> <li> <a href=""> Google's art 
selfies aren't available in Illinois. Here's why. </a> </li> </ul> <p> <a name="NEWS"> </a> <a name="FERCproposes"> </a> <a href="https://www.fifthdomain.com/critical-infrastructure/2017/12/28/ferc-proposes-rule-to-expand-cyber-incident-reporting/" > <strong>FERC proposes rule to expand cyber incident reporting </strong> </a> (Fifth Domain, 28 Dec 2017) - The Federal Energy Regulatory Commission wants to expand cyber incident reporting requirements to include any time an adversary attempts to break into an energy company's networks, rather than only those that compromise the company's critical operations. "The proposed development of modified mandatory reporting requirements is intended to improve awareness of existing and future cyber security threats and potential vulnerabilities." At the crux of the proposed rule is the question of what defines a "reportable cyber incident" in the energy industry. According to the current CIP reliability standards, a cyber incident must disrupt core processes in order to be considered critical. "Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity's core activities are not subject to the current reporting requirements," the proposed rule said. This definition may also leave out cyberattacks designed to steal information or create openings for a future, large scale hack, meaning that incident reports would not give early warning by recording that activity. The new rule was proposed after the <a href="http://www.resilientsocieties.org/" target="_blank"> Foundation for Resilient Societies </a> filed a petition on January 13, 2017, that FERC institute a rule requiring an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="SECplans"> </a> <a href="https://www.databreachtoday.com/sec-plans-cybersecurity-guidance-refresh-what-to-expect-a-10554?utm_source=eloqua&utm_medium=email_51672&utm_campaign=23325" > <strong> SEC plans cybersecurity guidance refresh: What to expect </strong> </a> (Data Breach Today, 29 Dec 2017) - The U.S. Securities and Exchange Commission is planning to update its 6-year-old cybersecurity guidance for how publicly traded firms report data breaches to investors. The agency has indicated that it expects to refine guidance around how businesses disclose cybersecurity risks to investors as well as require insider trading programs to include blackout rules in the event that a suspected data breach gets discovered (see <a href="https://www.databreachtoday.com/report-sec-plans-breach-reporting-guidance-refresh-a-10447" > <em>Report: SEC Plans Breach Reporting Guidance Refresh </em> </a> ). "Unfortunately, in the reality that we live in now, cyber breaches are going to be increasingly common, and this is in part why the SEC is so fully focused on cybersecurity," says Matt Rossi, a former assistant chief litigation counsel to the SEC who's now an attorney specializing in securities litigation and enforcement as well as data privacy at global law firm Mayer Brown. "Chairman [Jay] Clayton said it's one of the greatest risks to the financial system right now." Indeed, in September, Clayton signaled to a Senate banking committee that companies would be required to disclose more cybersecurity information to investors in a timely manner (see <a href="https://www.bankinfosecurity.com/sec-chair-wants-more-cyber-risk-disclosure-from-public-firms-a-10336" > <em>SEC Chair Wants More Cyber Risk Disclosure From Public Firms </em> </a> ). 
His remarks, ironically, followed the SEC having failed to publicly disclose its own major breach for 16 months (see <a href="https://www.govinfosecurity.com/hackers-may-have-traded-on-stolen-sec-data-a-10327" > <em>Hackers May Have Traded on Stolen SEC Data </em> </a> ). In November, meanwhile, William Hinman, the SEC's director of corporation finance, signaled that the regulator's <a href="https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm" target="_blank" > cybersecurity guidance </a> , first issued on Oct. 13, 2011, wouldn't be overhauled but rather amended with some new requirements, such as how breach information gets disclosed internally and escalated to senior management (see <a href="https://www.bankinfosecurity.com/report-sec-plans-breach-reporting-guidance-refresh-a-10447" > <em>Report: SEC Plans Breach Reporting Guidance Refresh </em> </a> ). With the refresh, Rossi says businesses should expect to have to disclose more cyber risks, refine their insider trading policies and prove that they're taking information security seriously. <a href="">top </a> </p> <p> <a name="ZeroWidth"> </a> <a href="https://www.zachaysan.com/writing/2017-12-30-zero-width-characters" > <strong>Zero-width [fingerprinting] characters </strong> </a> (Zach Aysan, 30 Dec 2017) - Journalists watch out-you may be unintentionally revealing sources. In early 2016 I realized that it was possible to use zero-width characters, like <a href="https://en.wikipedia.org/wiki/Zero-width_non-joiner"> zero-width non-joiner </a> or other zero-width characters like the <a href="https://en.wikipedia.org/wiki/Zero-width_space"> zero-width space </a> to fingerprint text. Even with just a single type of zero-width character the presence or non-presence of the non-visible character is enough bits to fingerprint even the shortest text. We're​ not the​ same text, even though we look the same. We're not the same​ text, even though we look the same. 
Unlike previous text fingerprinting techniques, zero-width characters are not removed when formatting is removed from text. They're often not even visible in contexts where software experts would expect them to be, like on a programming terminal. I also realized that it is possible to use <a href="https://en.wikipedia.org/wiki/Homoglyph">homoglyph </a> substitution (e.g., replacing the letter "a" with its Cyrillic counterpart, "а"), but I dismissed this as too easy to detect due to the differences in character rendering across fonts and systems. However, differences in dashes (en, em, and hyphens), quotes (straight vs curly), word spelling (color vs colour), and the number of spaces after sentence endings could probably go undetected due to their frequent use in real text. With increased effort, synonyms (huge vs large vs massive) can also be used, though it would require some manual setup because words lack single definitions (due to homonyms) and in some contexts would be easier to detect since differing word lengths may cause sentences to wrap differently across documents. * * * After discovering these techniques I shared them with some friends to try to help track down a cyber criminal which they thought might be an insider threat (it wasn't, it was just a normal blackhat hacker). Then the White House started leaking like an old hose, so I continued to keep quiet. The reason I'm writing about this now is that it appears both <a href="https://www.researchgate.net/publication/308044170"> homoglyph substitution </a> and <a href="http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html" > zero-width fingerprinting </a> have been discovered by others, so journalists should be informed of the existence of these techniques. If your news organization has a pre-existing trove of documents it should be fairly straightforward to scan them for zero-width characters or mixed character encodings. 
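</p> <p> The scan of an existing document trove that the item suggests, as an added example that is not code from the original article or from this newsletter: a Python scanner that reports zero-width (and other invisible format) characters and words that mix Latin letters with Cyrillic or Greek look-alikes, plus a sanitiser that strips the zero-width code points before a document is forwarded; the sample strings are constructed for illustration. </p>

```python
"""Scanner for the two text-fingerprinting markers described above:
zero-width characters and homoglyph (mixed-script) substitution.
Added example, not code from the original article or newsletter;
the sample strings at the bottom are constructed for illustration."""
import re
import unicodedata
from dataclasses import dataclass, field

# Invisible code points that survive copy/paste and plain-text conversion.
# U+200C (ZWNJ) is legitimate in Persian/Urdu text: flag it, do not auto-delete there.
ZERO_WIDTH = frozenset("\u200b\u200c\u200d\u2060\ufeff\u180e\u200e\u200f")

# Alphabets whose letters have look-alike shapes (a, e, o, p, c, x, y ...).
_SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK")


def _script(ch):
    """Coarse script bucket from the Unicode name, e.g. 'Cyrillic' for U+0430."""
    if not ch.isalpha():
        return None
    prefix = unicodedata.name(ch, "").split(" ", 1)[0]
    return prefix.title() if prefix in _SCRIPT_PREFIXES else None


@dataclass
class ScanResult:
    # (offset, Unicode name) for every invisible character found
    zero_width: list = field(default_factory=list)
    # (offset, word, sorted script names) for every word mixing alphabets
    mixed_script_words: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.zero_width or self.mixed_script_words)


def scan_text(text):
    """Report zero-width characters and mixed-script words in `text`."""
    result = ScanResult()
    for offset, ch in enumerate(text):
        # General category Cf (format) also catches soft hyphens and bidi
        # marks, which can be legitimate in some documents: report, then review.
        if ch in ZERO_WIDTH or unicodedata.category(ch) == "Cf":
            result.zero_width.append((offset, unicodedata.name(ch, "FORMAT CHARACTER")))
    for match in re.finditer(r"\w+", text):  # \w is Unicode-aware in Python 3
        scripts = {s for s in map(_script, match.group()) if s}
        if len(scripts) > 1:
            result.mixed_script_words.append((match.start(), match.group(), sorted(scripts)))
    return result


def strip_zero_width(text):
    """Return `text` with the zero-width code points removed, for use before
    forwarding or publishing a document that may carry a fingerprint."""
    return "".join(ch for ch in text if ch not in ZERO_WIDTH)


def scan_corpus(documents):
    """Scan a {name: text} mapping and return the names that look fingerprinted."""
    return sorted(name for name, text in documents.items() if scan_text(text).suspicious)


# Constructed samples (not from the article): the first carries two zero-width
# spaces, the second swaps the Latin 'a' in "password" for Cyrillic U+0430.
SAMPLE_FINGERPRINTED = "We're\u200b not the\u200b same text, even though we look the same."
SAMPLE_HOMOGLYPH = "Reset your p\u0430ssword here."
SAMPLE_CLEAN = "We're not the same text, even though we look the same."

if __name__ == "__main__":
    corpus = {"copy-a.txt": SAMPLE_FINGERPRINTED, "mail.txt": SAMPLE_HOMOGLYPH, "copy-b.txt": SAMPLE_CLEAN}
    for name, text in corpus.items():
        r = scan_text(text)
        print(f"{name}: {'SUSPICIOUS' if r.suspicious else 'clean'} {r.zero_width} {r.mixed_script_words}")
    print("flagged:", scan_corpus(corpus))
```

<p>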
Detecting synonym substitution would require multiple documents and some custom code, but should be fairly straightforward for an intermediately skilled data scientist or software developer with some time. <a href="">top </a> </p> <p> <a name="ThisCandidate"> </a> <a href="https://www.fastcompany.com/40509226/this-candidate-for-congress-will-let-his-constituents-decide-how-he-votes?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> This candidate for Congress will let his constituents decide how he votes </strong> </a> (Fast Company, 2 Jan 2018) - Michael Allman is running for Congress as a Republican. But if his constituents lean left of him on a particular issue before Congress, that's how Allman will vote. That's because Allman is <a href="https://allmanforcongress.com/">running </a> on a direct democracy platform: For every issue, voters in his district will be able to use a blockchain-enabled website to securely log their opinions, and Allman will follow the will of the people. "Everyone thinks what's happening in Washington, D.C., today is broken," says Allman, former CEO of Southern California Gas, who is running for the 52nd district in San Diego County. "Nobody thinks it's working. We can go into a hundred reasons why, but I'd summarize it with just one word: Partisanship. Everybody votes with the party on pretty much everything, and it's a red versus blue, us versus them kind of attitude." Allman has no background in politics, but has worked in the tech industry, and realized that the technology exists to make direct representation possible. Working with a tech company that had an existing platform, he created a custom website that will outline both sides of a general issue-for example, whether or not there should be more gun control laws-or a specific bill. Voters can read through the arguments on both sides, and read selected op-eds. 
The site can verify that someone is in a particular district and that they're registered to vote, and then register their opinion confidentially. Of course, the success of the system will depend on participation-and even elections typically have low turnout (for midterm elections, turnout is only around 40%). But logging on to the online platform is easier than making it to a polling place, and for ongoing issues, people won't have to vote by a particular deadline. Conceivably, if voters know that their participation could make a difference on an actual vote in Congress-and that impact is guaranteed, rather than making calls or sending emails to representatives-they may be more motivated to act. [ <strong>Polley </strong>: "Well, it <em>seemed </em> like a good idea at the time."] <a href="">top </a> </p> <p> <a name="DHSexpands"> </a> <a href="https://www.techdirt.com/articles/20171223/13550438876/dhs-expands-license-plate-dragnet-streams-collections-to-us-law-enforcement-agencies.shtml" > <strong> DHS expands license plate dragnet, streams collections to US law enforcement agencies </strong> </a> (TechDirt, 4 Jan 2018) - The DHS has provided the public with a Privacy Impact Assessment (PIA) on its use of license plate readers (LPRs). What the document shows is that the DHS's <a href="https://www.techdirt.com/articles/20140220/06370726290/dhs-suffers-moment-clarity-shuts-down-plans-to-build-nationwide-license-plate-database.shtml" > hasty abandonment </a> of plans for a national license plate database <a href="https://www.techdirt.com/articles/20150403/10114630537/dhs-takes-another-stab-license-plate-database-this-time-with-more-privacy-protections-transparency.shtml" > had little impact </a> on its ability to create a replacement national license plate database. The document deals with border areas primarily, but that shouldn't lead inland drivers to believe they won't be swept up in the collection. 
<a href="https://papersplease.org/wp/2017/12/19/border-control-as-pretext-for-drug-dragnet/" target="_blank" > The DHS has multiple partners in its license plate gathering efforts </a> , with the foremost beneficiary being the DEA, as Papers, Please! Reports: <em>The latest so-called " </em> <a href="https://www.dhs.gov/publication/dhscbppia-049-cbp-license-plate-reader-technology" target="_blank" > <em>Privacy Impact Assessment </em> </a> <em>" (PIA) made public by the US Department of Homeland Security, " </em> <a href="https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp049-cbplprtechnology-december2017.pdf" target="_blank" > <em>CBP License Plate Reader Technology </em> </a> <em> ", provides unsurprising but disturbing details about how the US government's phobias about foreigners and drugs are driving (pun intended) the convergence of border surveillance and dragnet surveillance of the movements of private vehicles within the USA </em> . The CBP defines the border as anything <a href="https://www.techdirt.com/articles/20130212/02045321947/do-you-live-constitution-free-zone-us.shtml" > within 100 miles </a> of the country's physical borders, which also include international airports. Consequently, more than 2/3rds of the nation's population reside in the CBP's so-called "Constitution-free zone." The plate readers discussed in the PIA aren't just the ones drivers and visitors might expect. While the CBP operates many of these at static locations at entry points, other LPRs are mounted on CBP vehicles or hidden in areas the CBP patrols. The addition of the DEA <a href="https://www.techdirt.com/articles/20150127/18110029835/dea-collecting-massive-database-your-driving-habits-secret-using-license-plate-readers.shtml" > adds law enforcement </a> to the mix. 
This means the DHS is intermingling its collection with existing law enforcement databases, allowing it to build an ad hoc national database without having to inform the public or hire a contractor to build one from the ground up. <a href="">top </a> </p> <p> - and - </p> <p> <a name="NewCBP"> </a> <a href="https://www.eff.org/deeplinks/2018/01/new-cbp-border-device-search-policy-still-permits-unconstitutional-searches" > <strong> New CBP border device search policy still permits unconstitutional searches </strong> </a> (EFF, 8 Jan 2018) - U.S. Customs and Border Protection (CBP) issued a <a href="https://www.dhs.gov/sites/default/files/publications/CBP%20Directive%203340-049A_Border-Search-of-Electronic-Media.pdf" > new policy </a> on border searches of electronic devices that's full of loopholes and vague language and that continues to allow agents to violate travelers' constitutional rights. Although the new policy contains a few improvements over rules first <a href="https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_laptop.pdf" > published nine years ago </a> , overall it doesn't go nearly far enough to protect the privacy of innocent travelers or to recognize how exceptionally intrusive electronic device searches are. Nothing announced in the policy changes the fact that these device searches are unconstitutional, and EFF will continue to fight for travelers' rights in our <a href="https://www.eff.org/cases/alasaad-v-duke"> border search lawsuit </a> . Below is a legal analysis of some of the key features of the new policy. * * * <a href="">top </a> </p> <p> - and - </p> <p> <a name="FederalAgencies"> </a> <a href="http://reason.com/blog/2018/01/09/federal-agencies-may-be-regularly-hiding" > <strong> Federal agencies may be regularly hiding surveillance methods in criminal cases </strong> </a> (Reason, 9 Jan 2018) - The U.S. 
government uses secret evidence to build criminal cases, according to a <a href="https://www.hrw.org/report/2018/01/09/dark-side/secret-origins-evidence-us-criminal-cases" > report </a> released today by Human Rights Watch. The report offers one of the most comprehensive looks yet at "parallel construction," a tactic where federal law enforcement hides classified or sensitive methods from courts by building a parallel chain of evidence after the fact. The report shows that numerous federal law enforcement agencies send requests to local police to find reasons to perform traffic stops and searches on criminal suspects. Unless something goes wrong, defendants will never know the origins of the government's case against them. The group notes that parallel construction raises several civil rights concerns, chiefly the right to a fair trial. "When you have parallel construction, you have defendants and even judges who don't know how evidence was gathered and can't challenge the constitutionality of that," report author Sarah St. Vincent says. "What you have is very one-sided, where the government, on its own, is deciding what practices it thinks are legal." The method was first revealed in a <a href="https://www.reuters.com/article/us-dea-sod/exclusive-u-s-directs-agents-to-cover-up-program-used-to-investigate-americans-idUSBRE97409R20130805" > 2013 Reuters investigation </a> , which detailed how the Special Operations Division, a secretive unit within the Drug Enforcement Administration (DEA), had been funneling surveillance tips to field agents and other agencies to build cases. Meanwhile, it trained agents to "recreate" evidence chains to keep classified methods hidden from defendants, judges, and even federal prosecutors. According to the Human Rights Watch report, the Special Operations Division's activities were nicknamed "the dark side" and exiting agents were given Darth Vader keychains as tokens. 
DEA <a href="https://www.muckrock.com/news/archives/2014/feb/03/dea-parallel-construction-guides/" > training slides </a> that I obtained via a 2014 Freedom of Information Act request shed further light on how widespread the tactic is. The FOIA request also resulted in perhaps my favorite redaction that I have ever received: * * * [ <strong>Polley </strong>: <em>See also </em>, <a href="https://www.wired.com/story/stingray-secret-surveillance-programs/" > <strong>How the government hides secret surveillance programs </strong> </a> (Wired, 9 Jan 2018)] <a href="">top </a> </p> <p> <a name="RaisingItsBet"> </a> <a href="https://www.law.com/americanlawyer/sites/americanlawyer/2018/01/09/raising-its-bet-on-analytics-littler-adds-first-chief-data-analytics-officer/" > <strong> Raising its bet on analytics, Littler adds first Chief Data Analytics Officer </strong> </a> (American Lawyer, 9 Jan 2018) - <a href="http://www.law.com/sites/almstaff/2016/10/26/littler-mendelson-gambles-on-data-mining-as-competition-changes/" target="_blank" > By hiring Zev Eigen </a> , a data scientist with a Ph.D. from the Massachusetts Institute of Technology, Littler Mendelson publicly <a href="http://www.littler.com/publication-press/press/littler-hires-its-first-national-director-data-analytics-and-launches-data" target="_blank" > placed its bet more than two years ago </a> on the potential that data analytics would change the way law is practiced. Now the <a href="http://www.law.com/americanlawyer/sites/americanlawyer/2017/06/01/littler-names-new-panama-leadership/" target="_blank" > rapidly expanding </a> <a href="http://www.law.com/americanlawyer/almID/1202785611846/" target="_blank" > global labor and employment giant </a> is doubling down. 
Littler is poised to announce its hire of a chief data analytics officer, <a href="http://themastersconference.com/speakers/aaron-crews" target="_blank" > Aaron Crews </a> , who will be tasked with managing the firm's data capabilities and to help it roll out more technology-based products based on the ideas of the firm's existing data scientists. Littler has already been tapping into the data it has collected for the past five-plus years through its Littler CaseSmart platform. One product spearheaded by Eigen is a prediction model for Equal Employment Opportunity Commission charges that Littler has used internally to gauge outcomes and prices for client matters. Last year the firm also began offering Equal Pay audits, which more than 100 clients have used to determine their risk of discrimination claims. Thomas Bender, <a href="http://www.law.com/americanlawyer/almID/1202568323704" target="_blank" > co-president and co-managing partner at Littler </a> , said there is an "endless horizon" for the possibilities on how data analytics can change the practice of law. Crews, a former Littler partner and electronic discovery counsel, re-joins the firm after having spent the past six months as general counsel and vice president of strategy at legal artificial intelligence company <a href="http://www.textiq.com/" target="_blank">Text IQ </a>, a position <a href="http://www.law.com/sites/almstaff/2017/09/01/former-wal-mart-head-of-e-discovery-dishes-on-his-move-to-ai-startup-text-iq/" target="_blank" > he discussed late last year with LegalTech News </a> . Before that, Crews spent three years as a senior associate general counsel and <a href="http://www.law.com/corpcounsel/almID/1202727844488/walmart-likes-to-keep-inhouse-ediscovery-flexible/" target="_blank" > global head of e-discovery at Wal-Mart Stores Inc. </a> , having joined the retail giant from Littler in 2014. 
<a href="">top </a> </p> <p> <a name="NinthCircuit"> </a> <a href="https://www.eff.org/deeplinks/2018/01/ninth-circuit-doubles-down-violating-websites-terms-service-not-crime" > <strong> Ninth Circuit doubles down: Violating a website's terms of service is not a crime </strong> </a> (EFF, 10 Jan 2018) - Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's <a href="https://www.eff.org/document/oracle-v-rimini-eff-amicus-brief"> advice </a> and <a href="https://www.eff.org/document/oracle-v-rimini-ninth-circuit-opinion" > rejected </a> an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court <a href="https://www.eff.org/document/ninth-circuit-en-banc-opinion"> ruled </a> back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the <a href="https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29" > Computer Fraud and Abuse Act </a> . But some companies, like Oracle, turned to state computer crime statutes-in this case, California and Nevada-to enforce their computer use preferences. This decision shores up the good precedent from 2012 and makes clear-if it wasn't clear already-that violating a corporate computer use policy is not a crime. <em>Oracle v. Rimini </em> involves Oracle's terms of use prohibition on the use of automated methods to download support materials from the company's website. Rimini, which provides Oracle clients with software support that competes with Oracle's own services, violated that provision by using automated scripts instead of downloading each file individually. Oracle sent Rimini a cease and desist letter demanding that it stop using automated scripts, but Oracle didn't rescind Rimini's authorization to access the files outright. 
Rimini still had authorization from Oracle to access the files, but Oracle wanted Rimini to access them manually-which would have seriously slowed down Rimini's ability to service customers. Rimini stopped using automatic downloading tools for about a year but then resumed using automated scripts to download support documents and files, since downloading all of the materials manually would have been burdensome, and Oracle sued. The jury found Rimini guilty under both the California and Nevada computer crime statutes, and the judge upheld that verdict-concluding that, under both statutes, violating a website's terms of service counts as using a computer without authorization or permission. <a href="">top </a> </p> <p> <a name="SedonaConference"> </a> <a href="http://ridethelightning.senseient.com/2018/01/sedona-conference-publishes-the-sedona-conference-data-privacy-primer.html" > <strong> Sedona Conference publishes the Sedona Conference Data Privacy Primer </strong> </a> (Ride the Lightning, 11 Jan 2018) - On January 9 <sup>th </sup>, the Sedona Conference and its Working Group 11 on Data Security and Privacy (WG11) announced the publication of <em>The Sedona Conference Data Privacy Primer </em>. This final version contains several updates following thorough consideration of the public comments submitted between January and April 2017. WG11 developed the Data Privacy Primer to provide a practical framework and guide to basic privacy issues in the United States and to identify key considerations and resources, including key privacy concepts in federal and state law, regulations, and guidance. You can download the publication without charge <a href="https://thesedonaconference.org/publication/The%20Sedona%20Conference%20Data%20Privacy%20Primer?" target="_blank" > here </a> . 
<a href="">top </a> </p> <p> <a name="InsideUbers"> </a> <a href="https://www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=first-column-region&region=top-news&WT.nav=top-news&_r=0" > <strong> Inside Uber's $100,000 payment to a hacker, and the fallout </strong> </a> (NYT, 12 Jan 2018) - "Hello Joe," read the November 2016 email from someone identifying himself as "John Doughs." "I have found a major vulnerability in Uber." The email appeared to be no different from other messages that Joe Sullivan, Uber's chief security officer, and his team routinely received through the company's "bug bounty" program, which pays hackers for reporting holes in the ride-hailing service's systems, according to current and former Uber security employees. Yet the note and Uber's eventual $100,000 payment to the hacker, which was initially celebrated internally as a rare win in corporate security, have since turned into a public relations debacle for the company. In November, when <a href="https://www.nytimes.com/2017/11/21/technology/uber-hack.html"> Uber disclosed the 2016 incident </a> and how the information of 57 million driver and rider accounts had been at risk, the company's chief executive since August, Dara Khosrowshahi, <a href="https://www.uber.com/newsroom/2016-data-incident/"> called it a "failure" </a> that it had not notified people earlier. Mr. Sullivan and a security lawyer, Craig Clark, were fired. In the weeks since, Uber's handling of the hacking has come under major scrutiny. Not only did Uber <a href="https://threatpost.com/average-bug-bounty-payments-growing/126570/" > pay an outsize amount </a> to the hacker, but it also did not disclose that it had briefly lost control of so much consumer and driver data until a year later. 
The behavior raised questions of a cover-up and a lack of transparency, as well as whether the payment really was just a ransom paid by a security operation that had acted on its own for too long. The hacking is now the subject of at least four lawsuits, with attorneys general in five states investigating whether Uber broke laws on data-breach notifications. In addition, the United States attorney for Northern California has begun a criminal investigation into the matter. Most of all, the hacking and Uber's response have fueled a debate about whether companies that have crusaded to lock up their systems can scrupulously work with hackers without putting themselves on the wrong side of the law. [S]ince the fallout from Uber's disclosure, Silicon Valley companies have taken a harder look at their bounty programs. At least three have put their programs under review, according to two consultants who have confidential relationships with those companies, which they declined to name. Others said criminal prosecutions for not reporting John Doughs would deter ethical hackers who would otherwise come forward, causing even more security breaches. This account of Uber's hacking and the company's response was based on more than a dozen interviews with people who dealt with the incident, many of whom declined to be identified because of the confidentiality of their exchanges. Many are current or former members of Uber's security team, who defended their actions as a prime example of how executives should respond to security problems. The New York Times also obtained more than two dozen internal Uber emails and documents related to the incident. 
* * * [ <strong>Polley </strong>: quite interesting] <a href="">top </a> </p> <p> <a name="ScienceFiction"> </a> <a href="https://yro.slashdot.org/story/18/01/13/0010244/science-fiction-writers-of-america-accuse-internet-archive-of-piracy" > <strong> Science Fiction Writers of America accuse Internet Archive of piracy </strong> </a> (Slashdot, 13 Jan 2018) - An anonymous reader writes: <a href="https://openlibrary.org/"> <em>The "Open Library" project </em> </a> <em> of the nonprofit Internet Archive has been scanning books and offering "loans" of DRM-protected versions for e-readers (which expire after the loan period expires). This week the Legal Affairs Committee of the Science Fiction Writers of America </em> <a href="http://www.sfwa.org/2018/01/infringement-alert/" target="_blank"> <em>issued a new "Infringement Alert" on the practice </em> </a> <em> , complaining that "an unreadable copy of the book is saved on users' devices...and can be made readable by stripping DRM protection." The objection, argues SFWA President Cat Rambo, is that "writers' work is being scanned in and put up for access without notifying them... it is up to the individual writer whether or not their work should be made available in this way." But the infringement alert takes the criticism even further. "We suspect that this is the world's largest ongoing project of unremunerated digital distribution of entire in-copyright books." </em> The Digital Reader blog points out one great irony. " <a href="https://the-digital-reader.com/2018/01/09/sfwa-finally-notices-internet-archives-decade-old-open-library-decides-piracy/" > The program initially launched in 2007 </a> . It has been running for ten years, and the SFWA only just now noticed." They add that SFWA's tardiness "leaves critical legal issues unresolved." "Remember, Google won the Google Books case, and had its scanning activities legalized as fair use ex post facto... 
[I]n fact the Internet Archive has a stronger case than Google did; the latter had a commercial interest in its scans, while the Internet Archive is a non-profit out to serve the public good." <a href="">top </a> </p> <p> <a name="ChinasTotal"> </a> <a href="https://lawfareblog.com/chinas-total-information-awareness-second-order-challenges" > <strong> China's total information awareness: Second-order challenges </strong> </a> (Lawfare, 16 Jan 2018) - Every day seems to bring a new article about China's pervasive use of facial recognition technology. Both the <a href="https://www.nytimes.com/2017/12/05/business/china-internet-conference-wuzhen.html" target="_blank" > New York Times </a> and the <a href="https://www.washingtonpost.com/news/world/wp/2018/01/07/feature/in-china-facial-recognition-is-sharp-end-of-a-drive-for-total-surveillance/?utm_term=.e032ca89a4c0" target="_blank" > Washington Post </a> have reported how widely China is using this technology, collecting and storing video evidence from cameras on every street corner and road, at apartment building entrances, and in businesses, malls, transportation hubs, and public toilets. The Chinese government seeks to consolidate this information with people's criminal and medical records, travel plans, online purchases, and comments on social media. China would link all of this information to every citizen's identification card and face, forming one omnipotent database. Similarly, the Wall Street Journal produced a chilling long-form <a href="https://www.wsj.com/articles/twelve-days-in-xinjiang-how-chinas-surveillance-state-overwhelms-daily-life-1513700355" target="_blank" > article </a> tracking a journalist's trip to Xinjiang province. 
The piece details not just the use of facial recognition software but also more intrusive steps such as the use of DNA collection, iris scanning, voice-pattern analysis, phone scanners, ID card swipes, and security checkpoints, all to further suppress unrest among the predominantly Muslim Uighur population. The piece frames life in Xinjiang as a forecast of what's to come in China more broadly. These developments feel relatively distant, both geographically and as a matter of current U.S. domestic practice. Our government does not collect video feeds from cameras in public toilets and private apartment buildings. Nor does it possess a database containing every citizen's photograph. Nevertheless, federal and local government agencies in the United States are increasing their use of facial recognition software at the border and in law enforcement contexts. There are a range of second-order questions that we should begin to think about as facial recognition software continues to improve and as its use expands, both within and beyond China's borders. * * * [ <strong>Polley </strong>: Fascinating, and scary piece. TV's <em>The Prisoner </em>, <em>Person of Interest </em>, <em>Black Mirror, Electric Dreams </em> - all looking more realistic.] <a href="">top </a> </p> <p> <a name="ElectronicDevice"> </a> <a href="https://www.americanbar.org/content/dam/aba/events/meetings_travel/scerp-electronic-device-advisory-djcbsg-1-10-18.authcheckdam.pdf" > <strong> Electronic device advisory for ABA mid-year meeting attendees </strong> </a> (ABA, 16 Jan 2018) - Thousands of lawyers, judges and other legal professionals will cross international borders when attending the 2018 ABA Mid-Year Meeting in Vancouver, British Columbia, Canada. Each person leaving and reentering the United States is subject to inspection and search from both United States and Canadian officials. 
This paper has been prepared by the ABA Center for Professional Responsibility to update legal professionals about searches that U.S. Customs and Border Protection ("CBP") agents might conduct when legal professionals cross an international border with electronic devices containing confidential client or judicial information. While the actual number of travelers whose electronic devices are subject to border inspection is relatively low, a possibility exists that electronic devices may be searched. Part I describes a new Directive, issued January 4, 2018, by the CBP. Part II summarizes the principal Model Rules of Professional Conduct legal professionals should consider. Part III offers a list of protective measures legal professionals may wish to take while planning their travel to the Mid-Year Meeting. [ <strong>Polley </strong>: <em>See also </em>, NY City Bar " <a href="http://www.nycbar.org/member-and-career-services/committees/reports-listing/reports/detail/formal-opinion-2017-5-an-attorneys-ethical-duties-regarding-us-border-searches-of-electronic-devices-containing-clients-confidential-information" > FORMAL OPINION 2017-5: An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information </a> " (25 July 2017)] <a href="">top </a> </p> <p> <a name="GooglesArt"> </a> <a href="http://www.chicagotribune.com/business/ct-biz-google-art-selfies-20180116-story.html" > <strong> Google's art selfies aren't available in Illinois. Here's why. </strong> </a> (Chicago Tribune, 17 Jan 2018) - The Google Arts & Culture app's new feature seems to be everywhere as social media streams are flooded with photos of friends and the great works of art that resemble them - that is, nearly everywhere but Illinois. 
The state is one of two in the country where the Google app's art selfie feature - which matches users' uploaded selfies with portraits or faces depicted in works of art - is not available. Google won't say why. But it's likely because Illinois has one of the nation's most strict laws on the use of biometrics, which include facial, fingerprint and iris scans. "They're being overly cautious" by keeping the feature out of Illinois, said Christopher Dore, a partner at Chicago law firm Edelson, which has brought biometrics suits against tech companies including Facebook. Some Illinois residents are finding workarounds to discover their artwork look-alikes, sending selfies to out-of-state friends who will run their photo through the feature. * * * Texas is the only other state without access to the art selfies, and it, too, has a biometrics law. Illinois' Biometric Information Privacy Act mandates that companies collecting such information obtain prior consent from consumers, detailing how they'll use it and how long it will be kept. It also allows private citizens to sue, while other states have laws that let only the attorney general bring a lawsuit. <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="https://www.schneier.com/blog/archives/2017/12/security_planne.html" > Security Planner </a> </strong> (recommended by Bruce Schneier, 21 Dec 2017) - <a href="https://securityplanner.org/">Security Planner </a> <em> is a custom security advice tool from Citizen Lab. Answer a few questions, and it gives you a few simple things you can do to improve your security. It's not meant to be comprehensive, but instead to give people things they can actually do to immediately improve their security. I don't see it replacing any of the good security guides out there, but instead augmenting them. The advice is peer reviewed, and the team behind Security Planner is committed to keeping it up to date. 
</em> <a href="">top </a> </p> <p> <a href="https://www.bespacific.com/u-s-army-concept-for-cyberspace-and-electronic-warfare-operations-2025-2040/" > <strong> U.S. Army Concept for Cyberspace and Electronic Warfare Operations 2025-2040 </strong> </a> (BeSpacific, 15 Jan 2018) - <a href="https://fas.org/irp/doddir/army/tp525-8-6.pdf">CRS report </a> via FAS. "TRADOC Pamphlet 525-8-6, The U.S. Army Concept for Cyberspace and Electronic Warfare Operations expands on the ideas presented in TRADOC Pamphlet 525-3-1, The U.S. Army Operating Concept: Win in a Complex World (AOC). This document describes how the Army will operate in and through cyberspace and the electromagnetic spectrum and will fully integrate cyberspace, electronic warfare (EW), and electromagnetic spectrum operations as part of joint combined arms operations to meet future operational environment challenges. Cyberspace and EW operations provide commanders the ability to conduct simultaneous, linked maneuver in and through multiple domains, and to engage adversaries and populations where they live and operate. Cyberspace and EW operations provide commanders a full range of physical and virtual, as well as kinetic and non-kinetic, capabilities tailored into combinations that enhance the combat power of maneuver elements conducting joint combined operations. This concept serves as a foundation for developing future cyberspace and electronic warfare capabilities and helps Army leaders think clearly about future armed conflict, learn about the future through the Army's campaign of learning, analyze future capability gaps and identify opportunities, and implement interim solutions to improve current and future force combat effectiveness." 
<a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.faegrebd.com/nlrb-rules-on-employee-use-of-company-email-for-union" > <strong> NLRB rules on employee use of company email for union purposes </strong> </a> (Faegre & Benson's John Polley [yes, he's my brother], 8 Jan 2008) - Ever since the advent of email in the workplace, employers have sought guidance about whether they may lawfully prohibit employees from using company email systems to solicit other employees to support a union. However, since most employers permit employees to use company email for at least some personal communications, the concern has been that prohibiting employee use of email for union solicitations would run afoul of nondiscrimination rules under the National Labor Relations Act. In Guard Publishing Company, 351 NLRB No. 70 (December 16, 2007), the National Labor Relations Board finally addressed these issues. In Guard Publishing Company, the NLRB held that an employer may prohibit employees from using a company-owned email system to solicit for "non-job-related reasons," even if the employer had allowed employees to use the email system for various personal reasons such as giving away tickets or announcing the birth of a child. However, Guard Publishing, a 3-2 decision, was sharply divided along party lines, and the terms of office of two of the Board members in the majority (and one in the dissent) expired within days of the decision. Therefore, there is some real doubt about whether this decision will remain law when a new, full Board is constituted. There is also some doubt about whether portions of this decision will survive on appeal. 
<a href="">top </a> </p> <p> <a href=""> <strong>IP addresses are personal data, EU regulator says </strong> </a> (Washington Post, 22 Jan 2008) - IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union's group of data privacy regulators said Monday. Germany's data-protection commissioner, Peter Scharr, leads the E.U. group, which is preparing a report on how well the privacy policies of Internet search engines operated by Google, Yahoo, Microsoft and others comply with E.U. privacy law. Scharr told a European Parliament hearing on online data protection that when someone is identified by an IP, or Internet protocol, address, "then it has to be regarded as personal data." His view differs from that of Google, which insists an IP address merely identifies the location of a computer, not who the individual user is. That is true but does not take into consideration that many people regularly use the same computer and IP address. Scharr acknowledged that IP addresses for a computer may not always be personal or linked to an individual. For example, some computers in Internet cafes or offices are used by several people. These exceptions have not stopped the emergence of a host of "whois" Internet sites, which allow users to type in an IP address and will then generate a name for the person or company linked to it. Treating IP addresses as personal information would have implications for how search engines record data. Google was the first last year to cut the time it stored search information to 18 months. It also reduced the time limit on the cookies that collect information on how people use the Internet from a default of 30 years to an automatic expiration in two years. 
A privacy advocate at the nonprofit Electronic Privacy Information Center said it was "absurd" for Google to claim that stripping out the last two figures from the stored IP address made the address impossible to identify by making it one of 256 possible configurations. "It's one of the things that make computer people giggle," the center's executive director, Marc Rotenberg, said. "The more the companies know about you, the more commercial value is obtained." Google's global privacy counsel, Peter Fleischer, said Google collects IP addresses to give customers a more accurate service because it knows what part of the world a search result comes from and what language is used - and that was not enough to identify an individual user. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. 
Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. 
<a href="">top </a> </p> <p> <a name="TOP"> </a> MIRLN --- 10-31 Dec 2017 (v20.18) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_10_31_dec_2017_v2018/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">LOOKING BACK </a> | <a href="">NOTES </a> </p> <ul> <li> <a href=""> 20,000 artworks available for free download on LACMA's robust digital archive </a> </li> <li> <a href=""> Vicarious liability for data breach by rogue [UK] employee </a> </li> <li> <a href="">Almost one-third of US businesses had a data breach </a> </li> <li> <a href=""> Governors and federal agencies are blocking nearly 1,300 accounts on Facebook and Twitter </a> </li> <li> <a href="">How Google Fiber turned 2017 into its comeback year </a> </li> <li> <a href="">How email open tracking quietly took over the web </a> </li> <li> <a href=""> Most companies fail to disclose cybersecurity as a risk factor in SEC filings </a> </li> <li> <a href=""> 4 in 5 physicians had a cyberattack in their practices, says survey </a> </li> <li> <a href=""> Model publishing contract features author-friendly terms for open access scholarship </a> </li> <li> <a href="">Tips for capturing social media evidence </a> </li> <li> <a href=""> DLA Piper had planned a cyberbreach response before major malware attack in June </a> </li> <li> <a href=""> Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers </a> </li> <li> <a href=""> Rep. 
Blackburn introduces fake net neutrality legislation </a> </li> <li> <a href=""> Bucking President Trump's FCC, New York introduces its own net neutrality bill </a> </li> <li> <a href=""> Facial scans at US airports violate Americans' privacy, report says </a> </li> <li> <a href=""> Russian submarines are prowling around vital undersea cables. It's making NATO nervous. </a> </li> <li> <a href=""> Codified US laws from 1925 now available, searchable on loc.gov </a> </li> <li> <a href=""> Library of Congress gives up collecting all tweets because Twitter is garbage </a> </li> <li> <a href=""> That game on your phone may be tracking what you're watching on TV </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="TwentyThousand"> </a> <a href="https://mymodernmet.com/lacma-free-downloadable-art/"> <strong> 20,000 artworks available for free download on LACMA's robust digital archive </strong> </a> (My Modern Met, 4 Dec 2017) - You don't have to travel the world to see great art. As museums continue to digitize their collections, you can view paintings, sculptures, and other artwork that spans thousands of years and geographical locations. The <a href="http://www.lacma.org/" target="_blank"> Los Angeles County Museum of Art </a> (LACMA) has worked for the past two years to make their acquisitions <a href="https://collections.lacma.org/" target="_blank"> viewable online </a> . There are 20,000 images available and in the public domain, making them also free downloadable art for anyone. Altogether, the museum has uploaded 80,000 works on their website with both restricted and unrestricted use-a quarter of the art that's in their physical collection. It's easy to find an image that will inspire you. The <a href="https://collections.lacma.org/search" target="_blank"> robust online search </a> is sorted via highlights, chronology, curatorial area, and more; it's a great place to start. 
If you're looking for something more specific, however, they've tagged individual works with their defining attributes. Typing in the word "cactus", for instance, will bring up photographs, paintings, and objects having to do with the plant. You can even choose the option to filter only images that are in the public domain. <a href="">top </a> </p> <p> <a name="Vicarious"> </a> <a href="https://www.clydeco.com/blog/the-hive/article/vicarious-liability-for-data-breach-by-rogue-employee?utm_source=eloqua&utm_medium=email_51425&utm_campaign=23194" > <strong> Vicarious liability for data breach by rogue [UK] employee </strong> </a> (Clyde & Co, 5 Dec 2017) - In the first group litigation of its kind, Morrisons Supermarkets was found to be vicariously liable for the actions of a rogue employee who, driven by a grudge against the supermarket chain, took payroll data relating to 100,000 employees and published it online. This was despite the fact that Morrisons was found to be entirely innocent of any misuse, that the employee had acted deliberately to harm his employer, had been convicted and imprisoned for his actions and that disclosure of the data had been done at home, on a Sunday outside office hours. In principle, the decision could mean that Morrisons will be liable to compensate all 5,500 employees involved in the claim. Permission has already been given for Morrisons to appeal the decision to the Court of Appeal. <a href="">top </a> </p> <p> <a name="AlmostOneThird"> </a> <a href="http://news.sys-con.com/node/4207781?utm_source=eloqua&utm_medium=email_51425&utm_campaign=23194" > <strong>Almost one-third of US businesses had a data breach </strong> </a> (Sys-Con Media, 7 Dec 2017) - Almost one-third of U.S. businesses (29 percent) experienced a data breach in the previous year, a survey for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re, reported today, and eight in ten spent at least $5,000 to respond. 
The HSB survey conducted by Zogby Analytics also found that almost half of the breaches (47 percent) were caused by a vendor or contractor working for a business, followed by employee negligence (21 percent) and lost or stolen mobile devices or storage media (20 percent). In two-thirds of the data breaches, the businesses reported their reputation was negatively affected. When asked what the biggest hurdle would be for their organization to respond to a data breach, 51 percent said lack of knowledge and 41 percent a lack of resources. The financial impact of a data breach was considerable: 27 percent of the businesses spent between $5,000 and $50,000 to respond and 30 percent spent between $50,000 and $100,000. <a href="">top </a> </p> <p> <a name="Governors"> </a> <a href="https://www.propublica.org/article/governors-and-federal-agencies-are-blocking-accounts-on-facebook-and-twitter?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Governors and federal agencies are blocking nearly 1,300 accounts on Facebook and Twitter </strong> </a> (ProPublica, 8 Dec 2017) - Amanda Farber still doesn't know why Maryland Gov. Larry Hogan blocked her from his Facebook group. A resident of Bethesda and full-time parent and volunteer, Farber identifies as a Democrat but voted for the Republican Hogan in 2014. Farber says she doesn't post on her representatives' pages often. But earlier this year, she said she wrote on the governor's Facebook page, asking him to oppose the Trump administration's travel ban and health care proposal. She never received a response. When she later returned to the page, she noticed her comment had been deleted. She also noticed she had been blocked from commenting. (She is still allowed to share the governor's posts and messages.) According to documents ProPublica obtained through an open-records request this summer, hers is one of 494 accounts that Hogan blocks. 
Blocked accounts include a schoolteacher who criticized the governor's education policies and a pastor who took a stance against accepting Syrian refugees. They even have their own Facebook group: <a href="https://www.facebook.com/groups/254061628339792/members/"> Marylanders Blocked by Larry Hogan on Facebook </a> . In August, ProPublica filed public-records requests with every governor and 22 federal agencies, asking for lists of everyone blocked on their official Facebook and Twitter accounts. The responses we've received so far show that governors and agencies across the country are blocking at least 1,298 accounts. More than half of those - 652 accounts - are blocked by Kentucky Gov. Matt Bevin, a Republican. Four other Republican governors and four Democrats, as well as five federal agencies, block hundreds of others, according to their responses to our requests. Five Republican governors and three Democrats responded that they are not blocking any accounts at all. Many agencies and more than half of governors' offices have not yet responded to our requests. When the administrator of a public Facebook page or Twitter handle blocks an account, the blocked user can no longer comment on posts. That can create an inaccurate public image of support for government policies. ( <a href="https://www.propublica.org/article/how-to-find-out-if-your-elected-officials-are-blocking-constituents-on-facebook-and-twitter" > Here's how you can dig into whether your elected officials are blocking constituents. 
</a> ) <a href="">top </a> </p> <p> <a name="HowGoogle"> </a> <a href="https://www.techrepublic.com/article/how-google-fiber-turned-2017-into-its-comeback-year/?mc_cid=19966bd01c&mc_eid=90e82e1935&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>How Google Fiber turned 2017 into its comeback year </strong> </a> (TechRepublic, 11 Dec 2017) - <a href="https://www.techrepublic.com/article/google-fiber-the-smart-persons-guide/" > Google Fiber </a> showed new life in 2017, after a near death experience in late 2016. The fiber internet pioneer launched in three new cities-Huntsville, AL, Louisville, KY, and San Antonio, TX-this year. It also began to heavily rely on <a href="https://www.techrepublic.com/article/google-fiber-is-using-a-secret-weapon-to-outpace-at-t-and-other-gigabit-competitors/" > shallow trenching </a> , a new method of laying cables, to expedite the construction process. "We're very pleased with the response from residents in these markets-along with our other existing Google Fiber cities, where we worked hard throughout the year to bring Fiber service to even more people in many more neighborhoods," a Google Fiber spokesperson told TechRepublic. The comeback happened after a construction halt and the <a href="https://www.techrepublic.com/article/google-fiber-pivots-what-it-means-for-the-future-of-gigabit-internet/" > CEO stepping down </a> in October 2016, which left some wondering if Fiber was on its last breath. But 2017 wasn't entirely a year of redemption. In February, <a href="http://fortune.com/2017/02/16/google-fiber-new-ceo-more-job-cuts/" target="_blank" > hundreds of Fiber employees </a> were moved to new jobs at Google. And Gregory McCray <a href="http://www.zdnet.com/article/google-fiber-chief-steps-down-after-five-months-in-the-job/" target="_blank" > left the role of CEO </a> in July after only holding the position for five months. And internet experts still have their doubts. 
Chris Antlitz, a senior analyst at Technology Business Research, labelled Fiber's year as "not very good." Jim Hayes, president of the Fiber Optic Association, called Google Fiber a "very distant player" in the fiber market. Fiber set a new bar for broadband by showing incumbent internet service providers (ISPs) that it is economically feasible to bring 1 gigabit internet to consumers, Antlitz said. Since Google Fiber led a connectivity renaissance in 2011 when it launched in its first city, Kansas City, KS, top telecom providers have been in an arms race to upgrade their broadband pipes to accommodate 1 gigabit, Antlitz said. Google Fiber's presence in the market has caused competition that has forced other fiber providers like Verizon and AT&T Fiber to offer <a href="http://www.zdnet.com/article/i-wish-google-fiber-was-in-my-neighborhood/" target="_blank" > cheaper, faster service </a> . Adding a second provider to a market can reduce prices by around one-third, according to a study by the <a href="https://medium.com/@fiberbroadband/when-gigabit-internet-comes-to-town-it-could-mean-savings-for-consumers-4feccd69223" target="_blank" > Fiber to the Home Council </a> . <a href="">top </a> </p> <p> <a name="HowEmail"> </a> <a href="https://www.wired.com/story/how-email-open-tracking-quietly-took-over-the-web/" > <strong>How email open tracking quietly took over the web </strong> </a> (Wired, 11 Dec 2017) - "I just came across this email," began the message, a long overdue reply. But I knew the sender was lying. He'd opened my email nearly six months ago. On a Mac. In Palo Alto. At night. I knew this because I was running the email tracking service <a href="https://www.streak.com/" target="_blank">Streak </a>, which notified me as soon as my message had been opened. It told me where, when, and on what kind of device it was read. 
With Streak enabled, I felt like an inside trader whenever I glanced at my inbox, privy to details that gave me maybe a little too much information. And I certainly wasn't alone. There are some <a href="http://www.radicati.com/wp/wp-content/uploads/2017/01/Email-Statistics-Report-2017-2021-Executive-Summary.pdf" target="_blank" > 269 billion emails </a> sent and received daily. That's roughly 35 emails for every person on the planet, every day. Over 40 percent of those emails are tracked, according to a <a href="https://evercontact.com/special/email-tracking.html" target="_blank" > study </a> published last June by OMC, an "email intelligence" company that also builds anti-tracking tools. The tech is pretty simple. Tracking clients embed a line of code in the body of an email-usually in a 1x1 pixel image, so tiny it's invisible, but also in elements like hyperlinks and custom fonts. When a recipient opens the email, the tracking client recognizes that pixel has been downloaded, as well as where and on what device. Newsletter services, marketers, and advertisers have used the technique for years, to collect data about their open rates; major tech companies like Facebook and Twitter followed suit in their ongoing quest to profile and predict our behavior online. But lately, a surprising-and growing-number of tracked emails are being sent not from corporations, but acquaintances. "We have been in touch with users that were tracked by their spouses, business partners, competitors," says Florian Seroussi, the founder of OMC. "It's the wild, wild west out there." According to OMC's data, a full 19 percent of all "conversational" email is now tracked. That's one in five of the emails you get from your friends. And you probably never noticed. 
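The tracking mechanism described above, written out as an added detection example (not code from Wired, OMC or the Princeton paper): a standard-library Python scanner that flags remote images in an HTML message body which are hidden or 1x1 and carry a per-recipient token, the signals a mail client or gateway can use to refuse the fetch. The sample message body, its hostnames and the token formats are constructed for the example.

```python
"""Flag likely open-tracking pixels in an HTML email body.

The mechanism: a remote, invisible (usually 1x1) image whose URL is unique
to the recipient, so fetching it reports when, where and on what device the
message was opened. Added example, standard library only; the sample message
and hostnames below are constructed, not taken from any real tracker.
Hyperlink- and font-based beacons mentioned in the article are not covered;
refusing all remote content is the only blanket defence.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Width/height values that mean "not meant to be seen".
TINY = {"0", "1", "0px", "1px"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Attribute names arrive lowercased; valueless attrs arrive as None.
            self.images.append({k: (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the image is sized 1x1/0x0 or hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w = attrs.get("width", "").strip().lower()
    h = attrs.get("height", "").strip().lower()
    if w in TINY and h in TINY:
        return True
    return "width:1px" in style or "height:1px" in style


def _has_token(url):
    """True when the URL carries something that can identify the recipient:
    any query string, or a long opaque filename stem containing digits."""
    p = urlparse(url)
    if parse_qs(p.query):
        return True
    stem = p.path.rsplit("/", 1)[-1].split(".", 1)[0]
    return len(stem) >= 16 and any(c.isdigit() for c in stem)


def find_tracking_pixels(html_body):
    """Return (src, reason) pairs for images that look like open beacons."""
    collector = _ImgCollector()
    collector.feed(html_body)
    hits = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images are inline; they cannot phone home
        if _is_hidden(attrs):
            reason = ("hidden image with per-recipient URL" if _has_token(src)
                      else "hidden remote image")
            hits.append((src, reason))
    return hits


# Constructed sample body: one inline logo, one photo, two beacon candidates.
SAMPLE_EMAIL = """<html><body>
<p>Hi, just following up on my last note.</p>
<img src="cid:logo@example" width="1" height="1">
<img src="https://mail-track.example/open/9f2c7a1e4b8d6c0a3e5f1b2d.gif" width="1" height="1" alt="">
<img src="https://cdn.example/photo.jpg" width="400" height="300">
<img src="https://t.example/px?u=4417&amp;m=88" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"{reason}: {src}")
```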
"Surprisingly, while there is a vast literature on web tracking, email tracking has seen little research," noted an <a href="https://senglehardt.com/papers/pets18_email_tracking.pdf" target="_blank" > October 2017 paper </a> published by three Princeton computer scientists. All of this means that billions of emails are sent every day to millions of people who have never consented in any way to be tracked, but are being tracked nonetheless. And Seroussi believes that some, at least, are in serious danger as a result. * * * <a href="">top </a> </p> <p> <a name="MostCompanies"> </a> <a href="https://www.law.com/corpcounsel/sites/corpcounsel/2017/12/08/report-most-companies-fail-to-disclose-cybersecurity-as-a-risk-factor-in-sec-filings/?kw=Report:%20Most%20Companies%20Fail%20to%20Disclose%20Cybersecurity%20as%20a%20Risk%20Factor%20in%252" > <strong> Most companies fail to disclose cybersecurity as a risk factor in SEC filings </strong> </a> (Corporate Counsel, 12 Dec 2017) - In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies "have blinders on" when it comes to disclosing cybersecurity risks, according to a new report. From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the <a href="https://www.intelligize.com/">report from Intelligize Inc. </a> shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies-38 percent-citing cybersecurity as a risk factor in quarterly and annual filings. What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 
31 of this year, that number had only seen a slight bump to 1,680 companies. The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies "either they have blinders on-or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers," he said. But Hicks added that he expects to see more reporting from companies in the coming years. "For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure," Hicks said. <a href="">top </a> </p> <p> - and - </p> <p> <a name="FourInFive"> </a> <a href="https://www.ama-assn.org/4-5-physicians-had-cyberattack-their-practices-says-survey?utm_source=eloqua&utm_medium=email_51562&utm_campaign=23277" > <strong> 4 in 5 physicians had a cyberattack in their practices, says survey </strong> </a> (AMA, 12 Dec 2017) - More than four in five U.S. physicians (83 percent) have experienced some form of a cybersecurity attack, according to new <a href="https://www.ama-assn.org/sites/default/files/media-browser/public/government/advocacy/cybersecurity-infographic.pdf" target="_blank" > research </a> released today by <a href="http://www.accenture.com/health" target="_blank">Accenture </a> and the <a href="https://www.ama-assn.org/">American Medical Association </a> (AMA). This, along with additional findings, signals a call to action for the health care sector to increase cybersecurity support for medical practices in their communities. The findings, which examined the experiences of roughly 1,300 U.S. physicians, underscore the recognition that it is not "if" but "when" a cyberattack will occur. More than half (55 percent) of the physicians were very or extremely concerned about future cyberattacks in their practice. 
In addition, physicians were most concerned that future attacks could interrupt their clinical practices (cited by 74 percent), compromise the security of patient records (74 percent) or impact patient safety (53 percent). "The important role of information sharing within clinical care makes health care a uniquely attractive target for cyber criminals through computer viruses and phishing scams that, if successful, can threaten care delivery and patient safety," said AMA President <a href="https://www.ama-assn.org/david-o-barbe-md-mha">David O. Barbe </a>, M.D., M.H.A. "New research shows that most physicians think that securely exchanging electronic data is important to improve health care. More support from the government, technology and medical sectors would help physicians with a proactive cybersecurity defense to better ensure the availability, confidentially and integrity of health care data." The findings show the most common type of cyberattack was phishing-cited by more than half (55 percent) of physicians who experienced an attack-followed by computer viruses (48 percent). Physicians from medium and large practices were twice as likely as those in small practices to experience these types of attacks. Nearly two-thirds (64 percent) of all the physicians who experienced a cyberattack experienced up to four hours of downtime before they resumed operations, and approximately one-third (29 percent) of physicians in medium-sized practices that experienced a cyberattack said they experienced nearly a full day of downtime. 
<a href="">top </a> </p> <p> <a name="ModelPublishing"> </a> <a href="https://www.authorsalliance.org/2017/12/14/model-publishing-contract-features-author-friendly-terms-for-open-access-scholarship/" > <strong> Model publishing contract features author-friendly terms for open access scholarship </strong> </a> <strong> </strong> (Authors Alliance, 14 Dec 2017) - The University of Michigan and Emory University have teamed up to create a <a href="https://www.modelpublishingcontract.org/" target="_blank"> Model Publishing Contract for Digital Scholarship </a> designed to aid in the publication of long-form digital scholarship according to open access principles. Developed by a team of library and university press professionals, the model contract takes into account the needs of a variety of stakeholders. The contract is shorter and easier to understand than typical publishing contracts, and it offers authors more rights in their own work, while still allowing publishers sufficient rights for commercial uses and sales. Associated <a href="https://www.modelpublishingcontract.org/" target="_blank"> documents </a> include: * * * <a href="">top </a> </p> <p> <a name="TipsFor"> </a> <a href="https://www.attorneyatwork.com/tips-capturing-social-media-evidence/" > <strong>Tips for capturing social media evidence </strong> </a> (Attorney at Work, 15 Dec 2017) - It turns out that sometimes you can believe what you see on the internet. Criminal defendants and civil litigants overshare on social media just like the rest of us. But heading into court, that tendency is less an annoying habit and more a potential self-incrimination. In their search for credible evidence against opponents, lawyers are increasingly turning to social media for digital smoking guns. When Facebook first urged its users to "Go Live!" on its new video posting system, it probably imagined videos of blown-out birthday candles or baby's first steps. 
Disturbingly, the feature began to be used for posting videos bragging to the world about crimes. But self-incriminating evidence includes more than posting videos of possible crimes. For example, spouses often use internet posts against each other in divorce court. Even as early as 2010, 81 percent of divorce attorneys agreed there was an increase in social media evidence. They cited Facebook as the top source for online evidence, with 66 percent of those lawyers finding something useful for their clients on the social site. No area of practice is immune: Bankruptcy lawyers need to worry about posts that indicate hidden assets, and personal injury attorneys should worry that their client's Instagram posts will make the jury skeptical of claims of pain and suffering. You can use social media evidence to great effect, but first, you've got to find it and capture it in an efficient way. Consider these three tips: * * * <a href="">top </a> </p> <p> <a name="DLApiper"> </a> <a href="http://www.abajournal.com/news/article/dla_piper_had_planned_for_a_cyberbreach_before_major_malware_attack_last_su" > <strong> DLA Piper had planned a cyberbreach response before major malware attack in June </strong> </a> (ABA Journal, 19 Dec 2017) - DLA Piper had planned its response to a cyberbreach before its systems shut down in response to a major malware attack last June. Don Jaycox, DLA Piper's chief information officer for the Americas, tells the <a href="https://www.wsj.com/articles/what-happened-after-a-law-firm-got-hit-by-a-global-cyberattack-1513652400" > Wall Street Journal </a> (sub. req.) that <a href="http://www.abajournal.com/news/article/dla_piper_is_hit_by_major_cyber_attack_amid_larger_hack_spreading_to_us/" > the attack began </a> when a malware agent known as NotPetya was downloaded on a finance server in Ukraine. "Our first instinct-because we had planned it out-was to shut everything down once we realized the attack had a fairly broad reach," Jaycox said. 
"Everything was off the air, along with roughly two-thirds of our end points, laptops, desktops, etc." DLA Piper had already contracted with companies <a href="http://www.abajournal.com/news/article/dla_piper_works_with_fbi_as_it_grapples_with_malware_attack_says_client_dat" > that would assist it </a> in monitoring its network and responding to an attack. Two were tapped the first day of the breach, and a third was called in on the second day. The law firm had registered all of its cellphones to a mass communication texting system, allowing for a blast communication. The firm also had a game plan for quickly recovering a targeted system, such as email, but it couldn't quickly restore every system at once. "People who do backups to the cloud, one of the things that you need to think about is what is the scenario for total recovery if you lose everything," Jaycox said. "Because getting all the data back if you need to get all of it can be a little bit challenging." The top question from clients was whether their data was compromised, Jaycox said. At first, the law firm was able to say it found no indications of compromised information. After additional assessment, that statement can now be made "with a very high degree of certainty," he said. <a href="">top </a> </p> <p> - and - </p> <p> <a name="PreparePractice"> </a> <a href="http://www.abajournal.com/magazine/article/prepare_practice_protect_cyberthreats_lawyers" > <strong> Prepare, practice, protect: A strategy for defeating cyberthreats to lawyers </strong> </a> (ABA Journal article, by ODNI's Bob Litt & colleagues, Jan 2018) - Corporate litigator Jane Doe sat down at her desk Monday morning and logged on to her computer. She opened an email appearing to be from a client that read: "Hi. Could you please take a look at this document? It's urgent." Doe clicked on the attachment. 
Two weeks later, a hacker website published confidential documents that one of her most important clients had given the firm in connection with a lawsuit alleging environmental violations. Doe's client called, furious, to inform her that she was discharged, and that the client was considering a lawsuit against her firm. Every week brings news of major new cyberattacks-the stealing of personal information from Equifax and the federal Office of Personnel Management, the Petya and WannaCry ransomware worms, the Russian hacking of the Democratic National Committee's emails, to name a few. Indeed, the cyberthreat from criminals, hacktivists and state actors is growing. The costs associated with these malicious activities are staggering: Last year, the Commission on the Theft of American Intellectual Property estimated that the annual cost of IP theft in three major categories may be as high as $600 billion and that the low-end total exceeds $225 billion, or 1.25 percent of the U.S. economy. Law firms have not been immune. In fact, they have been a ripe target: * * * [ <strong>Polley </strong>: This is the first in a year-long 2018 series "Digital Dangers", addressing cybersecurity and the threat faced by lawyers. This is related to the ABA's just-published <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=280127783&term=cybersecurity" > Cybersecurity Handbook </a> (2nd Ed.). The Journal's series, the Handbook, and other resources showcase work by the ABA's <a href="http://ambar.org/cyber">Cybersecurity Legal Task Force </a>, which I have the privilege of co-chairing with Ruth Bro.] <a href="">top </a> </p> <p> <a name="RepBlackburn"> </a> <a href="https://www.freepress.net/press-release/108557/rep-blackburn-introduces-fake-net-neutrality-legislation?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Rep. Blackburn introduces fake net neutrality legislation </strong> </a> (Free Press, 19 Dec 2017) - On Tuesday, Rep. 
Marsha Blackburn (R-Tennessee) introduced anti-Net Neutrality legislation that she dubbed the "Open Internet Preservation Act." The bill lacks many of the fundamental guarantees that prevent internet access providers from interfering with online traffic. Rep. Blackburn, who is among the top recipients of campaign contributions from the phone and cable lobby, said on Twitter that she hopes to rush the legislation to President Donald Trump's desk for signing. The bill reportedly includes prohibitions on blocking or throttling of internet traffic, but would not prevent pay-to-play prioritization schemes. It would also constrain FCC authority to contend with future abuses and prevent states from enacting their own Net Neutrality protections. Free Press Action Fund President and CEO Craig Aaron made the following statement: <em> "Having lost their fight against Net Neutrality in the court of public opinion, companies like AT&T, Comcast and Verizon are trying to use fake Net Neutrality bills like this to end all effective oversight of their anti-competitive, anti-consumer practices. Blackburn's legislation fails at the very thing it claims to accomplish. It prohibits a few open-internet violations, but opens the door to rampant abuse through paid-prioritization schemes that split the internet into fast lanes for the richest companies and slow lanes for everyone else. This bill's true goal is to let a few unregulated monopolies and duopolies stifle competition and control the future of communications. This cynical attempt to offer something the tiniest bit better than what the FCC did and pretend it's a compromise is an insult to the millions who are calling on Congress to restore real Net Neutrality." 
</em> <a href="">top </a> </p> <p> - and - </p> <p> <a name="Bucking"> </a> <a href="https://www.fastcompany.com/40509610/bucking-trumps-fcc-new-york-introduces-its-own-net-neutrality-bill" > <strong> Bucking President Trump's FCC, New York introduces its own net neutrality bill </strong> </a> (Fast Company, 19 Dec 2017) - Since the FCC voted last week to abolish net neutrality regulations, California, Washington, and New York State have vowed to take up the cause. New York is one of the first out the gate. State Assembly member <a href="https://medium.com/@patriciafahy/protecting-net-neutrality-in-new-york-state-249ca30aa9f7" > Patricia Fahy </a> -a Democrat whose district includes the capital, Albany-has drafted a short piece of legislation to introduce this week. It requires the state government, state agencies, and local governments (including New York City) to do business only with ISPs that adhere to net neutrality principles of no blocking or slowing down access to any legal content. Nor can they allow paid prioritization, or offer content providers premium-priced "fast lanes" for better service. "If you are going to be a contractor and want to work with New York, then you must meet the principles," Fahy tells <em>Fast Company </em>. She hopes that this approach will get around a roadblock known as preemption. The Constitution generally gives the federal government final authority over commercial activities that cross state lines. But while New York can't require ISPs to uphold net neutrality, it can use its "power of the purse" to punish ISPs that don't. "There's a decent amount of precedent for saying, if you want a state contract, you have to meet such and such requirements," she says, noting construction contracts contingent on certain labor practices or the use of U.S.-made steel. 
<a href="">top </a> </p> <p> <a name="FacialScans"> </a> <a href="https://www.nytimes.com/2017/12/21/us/politics/facial-scans-airports-security-privacy.html?_r=0" > <strong> Facial scans at US airports violate Americans' privacy, report says </strong> </a> (NYT, 21 Dec 2017) - A new report concludes that a Department of Homeland Security <a href="https://www.nytimes.com/2017/08/01/us/politics/federal-border-agents-biometric-scanning-system-undocumented-immigrants.html" > pilot program </a> improperly gathers data on Americans when it requires passengers embarking on foreign flights to undergo facial recognition scans to ensure they haven't overstayed visas. <a href="https://www.documentcloud.org/documents/4334243-Georgetown-Law-report-on-airport-facial.html" > The report </a> , released on Thursday by researchers at the Center on Privacy and Technology at Georgetown University's law school, called the system an invasive surveillance tool that the department has installed at nearly a dozen airports without going through a required federal rule-making process. The report's authors examined dozens of Department of Homeland Security documents and raised questions about the accuracy of facial recognition scans. They said the technology had high error rates and are subject to bias, because the scans often fail to properly identify women and African-Americans. "It's telling that D.H.S. cannot identify a single benefit actually resulting from airport face scans at the departure gate," said Harrison Rudolph, an associate at the center and one of the report's co-authors. * * * <a href="">top </a> </p> <p> <a name="RussianSubs"> </a> <a href="https://www.washingtonpost.com/world/europe/russian-submarines-are-prowling-around-vital-undersea-cables-its-making-nato-nervous/2017/12/22/d4c1f3da-e5d0-11e7-927a-e72eac1e73b6_story.html?utm_term=.6c52b94f476e" > <strong> Russian submarines are prowling around vital undersea cables. It's making NATO nervous. 
</strong> </a> (WaPo, 22 Dec 2017) - Russian submarines have dramatically stepped up activity around undersea data cables in the North Atlantic, part of a more aggressive naval posture that has driven NATO to revive a Cold War-era command, according to senior military officials. The apparent Russian focus on the cables, which provide Internet and other communications connections to North America and Europe, could give the Kremlin the power to sever or tap into vital data lines, the officials said. Russian submarine activity has increased to levels unseen since the Cold War, they said, sparking hunts in recent months for the elusive watercraft. "We are now seeing Russian underwater activity in the vicinity of undersea cables that I don't believe we have ever seen," said U.S. Navy Rear Adm. Andrew Lennon, the commander of NATO's submarine forces. "Russia is clearly taking an interest in NATO and NATO nations' undersea infrastructure." NATO has responded with <a href="http://www.washingtonpost.com/world/facing-russian-threat-nato-boosts-operations-for-the-first-time-since-the-cold-war/2017/11/08/9b47f542-c49b-11e7-9922-4151f5ca6168_story.html" target="_self" > plans to reestablish a command post </a> , shuttered after the Cold War, to help secure the North Atlantic. NATO allies are also rushing to boost anti-submarine warfare capabilities and to develop advanced submarine-detecting planes. <a href="">top </a> </p> <p> <a name="CodifiedUS"> </a> <a href="http://www.goldrushcam.com/sierrasuntimes/index.php/news/local-news/12315-historical-versions-of-the-united-states-code-now-online?utm_content=buffer4f8b3&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer" > <strong> Codified US laws from 1925 now available, searchable on loc.gov </strong> </a> (Sierra Sun Times, 26 Dec 2017) - More than 60 years of U.S. 
laws are now published online and accessible for free for the first time after being acquired by the Library of Congress. The Library has made available the main editions and supplements of the United States Code from 1925 through the 1988 edition. The U.S. Code is a compilation of federal laws arranged by subject by the Office of the Law Revision Counsel of the House of Representatives. The Library's U.S. Code Collection is fully searchable. Filters allow users to narrow their searches by date, title and/or subject. PDF versions of each chapter can be viewed and downloaded. The collection is online at <a href="https://www.loc.gov/collections/united-states-code/"> loc.gov/collections/united-states-code/ </a> . This provides access to editions of the U.S. Code that previously were not available to the public online for free. "For the first time these historical materials will be available online for free in a searchable format," Law Librarian of Congress Jane Sanchez said. "The U.S. Code provides a convenient tool for locating the law in force at a particular point in time. These historical editions will help students, historians and other researchers delving into the primary sources of our government and democracy." <a href="">top </a> </p> <p> <a name="LibraryOf"> </a> <a href="https://gizmodo.com/library-of-congress-gives-up-on-twitter-because-twitter-1821581190" > <strong> Library of Congress gives up collecting all tweets because Twitter is garbage </strong> </a> (Gizmodo, 26 Dec 2017) - In 2010, the Library of Congress started archiving every single public tweet that was published on Twitter. It even retroactively acquired all tweets dating back to 2006. But the Library of Congress will stop archiving every tweet on December 31, 2017. Why is it stopping? Because tweets are trash now. 
The Library of Congress issued a <a href="https://blogs.loc.gov/loc/files/2017/12/2017dec_twitter_white-paper.pdf" target="_blank" > white paper </a> this month saying that it was proud of its comprehensive collection of tweets from the first 12 years of Twitter, but that it's completely unnecessary for it to continue. Instead, the organization will only collect tweets that it deems historically significant. For instance, President Trump's tweets are almost certainly still going to be saved for future generations. One reason that the Library is stopping the comprehensive archive? The social media company's controversial change to allow 280 character tweets. The Library's halt on collection of all tweets puts Twitter more in line with the way that other digital collections are archived, including websites. The Library of Congress only archives websites on a selective basis, unlike the nonprofit, non-governmental organization the Internet Archive, which has a much broader goal of archiving everything online with its <a href="https://archive.org/web/" target="_blank">Wayback Machine </a>. The Library of Congress also noted that many tweets include photos and video and that it has only been collecting text, making some of its collection worthless. <a href="">top </a> </p> <p> <a name="ThatGame"> </a> <strong> <a href="https://www.nytimes.com/2017/12/28/business/media/alphonso-app-tracking.html?_r=0" > That game on your phone may be tracking what you're watching on TV </a> </strong> (NYT, 28 Dec 2017) - At first glance, the gaming apps - with names like "Pool 3D," "Beer Pong: Trickshot" and "Real Bowling Strike 10 Pin" - seem innocuous. One called "Honey Quest" features Jumbo, an animated bear. Yet these apps, once downloaded onto a smartphone, have the ability to keep tabs on the viewing habits of their users - some of whom may be children - even when the games aren't being played. 
The apps use software from Alphonso, a start-up that collects TV-viewing data for advertisers. Using a smartphone's microphone, Alphonso's software can detail what people watch by identifying audio signals in TV ads and shows, sometimes even matching that information with the places people visit and the movies they see. The information can then be used to target ads more precisely and to try to analyze things like which ads prompted a person to go to a car dealership. More than <a href="https://play.google.com/store/search?q=%22alphonso%20automated%22&hl=en" > 250 games </a> that use Alphonso software are available in the Google Play store; some are also available in Apple's app store. Some of the tracking is taking place through gaming apps that do not otherwise involve a smartphone's microphone, including some apps that are geared toward children. The software can also detect sounds even when a phone is in a pocket if the apps are running in the background. Alphonso said that its software, which does not record human speech, is clearly explained in app descriptions and privacy <a href="http://alphonso.tv/privacy/">policies </a> and that the company cannot gain access to users' microphones and locations unless they agree. Alphonso declined to say how many people it is collecting data from, and Mr. Chordia said that he could not disclose the names of the roughly 1,000 games and the messaging and social apps with Alphonso software because a rival was trying to hurt its relationships with developers. (The New York Times identified many of the apps in question by searching <a href="https://play.google.com/store/search?q=%22Alphonso%20automated%22&c=apps&hl=en" > "Alphonso automated" </a> and <a href="https://play.google.com/store/search?q=%22Alphonso%20software%22&c=apps&hl=en" > "Alphonso software" </a> in the Google Play store.) 
</p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2017/12/lee-on-digital-copyright-in-the-tpp.html" > <strong>Lee on Digital Copyright in the TPP </strong> </a> (MLPB, 11 Dec 2017) - Jyh-An Lee, The Chinese University of Hong Kong Faculty of Law, has published Digital Copyright in the TPP, in Paradigm Shift in International Economic Law Rule-Making: TPP As a New Model for Trade Agreements? 371 (Julien Chaisse, Henry Gao & Chang-fa Lo eds., Springer, 2017). Here is the abstract: <em> This chapter focuses on key copyright issues in TPP's IP Chapter, especially those related to the Internet and digital technologies. Those issues include copyright term extension, safe harbor for Internet service providers (ISPs), technological protection measures, criminal liability, and limitations and exceptions. This chapter analyzes whether private and public interests represented by various stakeholders in the copyright ecology are taken into full account and kept balanced under TPP. This chapter also evaluates member states' diverse considerations for implementing those copyright provisions. Furthermore, this chapter uses the IP Chapter as a lens to illustrate the international expansion of copyright facilitated by trade negotiations. </em> <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://itlaw.wikia.com/wiki/The_IT_Law_Wiki"> <strong>The IT law Wiki </strong> </a> (launched December 2007) -- This wiki is an encyclopedia of the legal issues, cases, statutes, events, people, organizations and publications that make up the global field of information technology law (often referred to as "computer law"). To learn more about this wiki, click on the "About this Wiki" link. 
To find an article, simply type the name in the "Search The IT Law Wiki" box in the upper right hand corner of [the referenced] page, click the "Content (A-Z)" button to the right or click the "Random page" button above or to the right. To write a new The IT Law Wiki article, enter the page title in the box. [see also the EFF's similar wiki: <a href="http://ilt.eff.org/index.php/Table_of_Contents"> http://ilt.eff.org/index.php/Table_of_Contents </a> ] <a href="">top </a> </p> <p> <a href="https://arstechnica.com/gadgets/2007/11/get-your-own-xo-laptop-olpc-give-1-get-1-project-underway/" > <strong> Get your own XO laptop: OLPC Give 1 Get 1 project underway </strong> </a> (ArsTechnica, 12 Nov 2007) - The One Laptop Per Child (OLPC) initiative announced today the official launch of the Give 1 Get 1 (G1G1) program, which allows individual donors in the United States and Canada to acquire their very own shiny OLPC XO laptop by donating $399 to the project. Designed specifically to be used by schoolchildren in developing countries, the XO laptop was originally only going to be sold in bulk quantity to governments. OLPC had to <a href="http://arstechnica.com/news.ars/post/20070924-olpc-give-1-get-1-initiative-a-sign-of-trouble-for-the-project.html" > change those plans </a> earlier this year in order to compensate for slow sales. The G1G1 program, which opens today and ends on November 26, allows individual donors to purchase XO laptops for personal use when also buying one for a child in a developing nation. Ponying up $399 will get donors an XO laptop, and $200 of that donation is tax-deductible. OLPC has also partnered with T-Mobile, which is offering free T-Mobile HotSpot access to all US donors who participate in the G1G1 program. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. 
You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. 
</p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="">top </a> </p> <p> <a name="TOP"> </a> MIRLN --- 19 Nov - 9 Dec 2017 (v20.17) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_19_nov_9_dec_2017_v2017/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <ul> <li> <a href="#NewRoadside"> New roadside scanner contract brings uninsured drivers closer to automatic tickets </a> </li> <li> <a href="#TheDangerous"> The dangerous data hack that you won't even notice </a> </li> <li> <a href="#OneBillion"> $1 billion lawsuit focuses on EHR data integrity concerns </a> </li> <li> <a href="#CybersecurityWhat"> Cybersecurity: what to know about the 'Vulnerabilities Equities Process' </a> </li> <li> <a href="#TheFifth"> The Fifth Amendment, decryption and biometric passcodes </a> </li> <li> <a href="#ArtGalleries">Art galleries versus the Pentagon </a> </li> <li> <a href="#BakerHostetler"> BakerHostetler and Perkins Coie named 'founding stewards' in new blockchain ID network </a> </li> <li> <a href="#Coinbase"> Coinbase ordered to give the IRS data on users trading more than $20,000 </a> </li> <li> <a href="#AsClientsDemand"> As clients demand law firm cyber audits, who sets the terms? 
</a> </li> <li> <a href="#SWIFTwarns"> SWIFT warns banks on cyber heists as hack sophistication grows </a> </li> <li> <a href="#NATOmulls"> NATO mulls 'offensive defense' with cyber warfare rules </a> </li> <li> <a href="#FacebooksNew"> Facebook's new captcha test: 'Upload a clear photo of your face' </a> </li> <li> <a href="#HeightenedSecurity"> Heightened security risks dictate a proactive corporate board </a> </li> <li> <a href="#ItsGonna"> It's gonna get a lot easier to break science journal paywalls </a> </li> <li> <a href="#StanfordLied"> Stanford lied about business school scholarships </a> </li> <li> <a href="#independent"> Independent factual research by judges via the internet </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="NewRoadside"> </a> <a href="http://oklahomawatch.org/2017/11/16/district-attorneys-approve-license-plate-scanner-contract-bringing-uninsured-drivers-closer-to-automatic-tickets/" > <strong> New roadside scanner contract brings uninsured drivers closer to automatic tickets </strong> </a> (Oklahoma Watch, 16 Nov 2017) - Oklahoma has finalized a deal with a Massachusetts company to use license-plate scanners to catch uninsured drivers, and the firm expects to issue 20,000 citations a month starting as early as next year. The program, believed to be the first of its kind in the nation, involves setting up automated high-speed cameras on highways around the state to detect uninsured vehicles and mailing their owners a citation with a fine of $184, according to the District Attorneys Council. Gatso USA, a Beverly, Massachusetts-based company that specializes in red-light-running and speeding detection systems, will initially get $80, or 43 percent, of each fine. Its cut will decrease to $74 after two years and $68 after five years, according to a contract approved by the state after months of legal review and negotiation. 
The company could expect to bring in $1.6 million a month, or $19 million a year, if the 20,000 citations are issued monthly. Gatso is a subsidiary of a Dutch company. Drivers who pay the fees will avoid having a charge of driving without insurance on their permanent record. The purpose of the Uninsured Vehicle Enforcement Diversion Program, approved by the state Legislature in 2016, is to reduce the high number of uninsured motorists in Oklahoma. A 2015 <a href="http://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2015/2/20/states-look-to-reduce-ranks-of-uninsured-drivers" > Pew Charitable Trusts survey </a> found that 26 percent of all drivers in the state are uninsured - the highest rate in the nation - which can push up insurance premiums and hit-and-run accidents. But another incentive underlies the program. It will be overseen by the District Attorneys Council rather than law enforcement, and the state's 27 district attorneys' offices are expected to receive millions of dollars in citation revenue a year, although no estimates were provided. District attorneys have complained that their revenue sources are diminishing because of state budget cuts and the drop in bounced-check fines. <a href="#TOP">top </a> </p> <p> <a name="TheDangerous"> </a> <a href="https://qz.com/1130434/the-dangerous-data-hack-that-you-wont-even-notice/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>The dangerous data hack that you won't even notice </strong> </a> (Quartz, 17 Nov 2017) - A recent wave of cyberattacks-from WannaCry and Equifax to the alleged Russian influence on the US election-has demonstrated how hackers can wreak havoc on our largest institutions. But by focusing only on hackers' efforts to extort money or mess with our political process, we may have been missing what is potentially an even scarier possibility: data manipulation. Imagine that a major Big Food company gets hacked. 
But this time, instead of leaking the company's proprietary information to the public or freezing its systems with ransomware, the hackers subtly manipulate the data on which the company relies. Expiration dates on milk cartons get scrambled so that some are thrown away early while others make drinkers sick, despite appearing within their use-by date. Figures are tweaked slightly on pending invoices to vendors, altering the company's balance sheets by hundreds of thousands of dollars. Small changes are made to food-safety tests so that a dangerous product that was failing suddenly looks like it is passing regulation tests. Would the company even notice such changes happening? Could it still have the confidence that its backups were uncompromised? How could its investors accurately assess the company's value when all of its financials might suddenly be based on faulty information? And how might its customers and suppliers respond? Now apply this thought experiment to banks, medical institutions, and government organizations. It's pretty scary. Unlike "information-gathering" hacks (where data is stolen because it is valuable) or "hold hostage" attacks (when data is imprisoned until someone pays to release it), "manipulation hacks" are hard to detect: They result when individuals (or bots) illegally change vital information below the threshold of attention. * * * <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="OneBillion"> </a> <a href="https://www.databreachtoday.com/1-billion-lawsuit-focuses-on-ehr-data-integrity-concerns-a-10463?utm_source=eloqua&utm_medium=email_51055&utm_campaign=22928" > <strong> $1 billion lawsuit focuses on EHR data integrity concerns </strong> </a> (Data Breach Today, 20 Nov 2017) - The suit alleges that eClinicalWorks' cloud-based EHR system failed to provide reliable health information for potentially millions of patients, which means "patients and doctors cannot rely on the veracity of those records." 
The lawsuit against eClinicalWorks comes about five months after the Department of Justice announced that the Westborough, Massachusetts-based vendor agreed to pay a $155 million financial settlement, as well as enter into a five-year corporate integrity agreement, with the Department of Health and Human Services' Office of Inspector General (see <a href="https://www.healthcareinfosecurity.com/eclinicalworks-case-shines-spotlight-on-data-integrity-a-9967" > <em>eClinicalWorks Case Shines Spotlight on Data Integrity </em> </a> ). The Justice Department alleged the company falsely claimed it met the <a href="http://www.healthcareinfosecurity.com/hipaa-hitech-c-282"> HITECH Act </a> EHR incentive program's certification requirements. Among the requirements it didn't meet, according to DoJ: accurately recording user actions - such as orders for diagnostic tests - that are conducted in the course of a patient's treatment and ensuring data portability. The civil lawsuit against eClinicalWorks alleges that as a result of the failure of the vendor to meet certification requirements of the HITECH Act EHR incentive program, the company's software: (1) Periodically displayed incorrect medical information in the right chart panel of the patient screen; (2) Periodically displayed multiple patients' information concurrently; (3) In specific workflows, failed to accurately display medical history on progress notes; and (4) Failed to have audit logs accurately record user actions, and in some cases the audit logs misled users as to the events that were conducted in the course of a patient's treatment. "As a direct result of these deficiencies, millions of patients have had their medical records compromised, i.e. they can no longer rely on the accuracy and veracity of their medical records," the lawsuit complaint claims. "Because the audit history does not accurately record user actions, there is no way for any patient to know if their records were deleted/altered/modified. 
In other words, ECW was grossly negligent, or in the alternative, intentionally coded their software to not accurately record user actions," the complaint says. The lawsuit, which seeks class action status and $999 million in damages for breach of fiduciary duty and gross negligence, was filed on Thursday in a New York district court by Kristina Tot, the administrator of the Estate of Stjepan Tot, "on behalf of herself and all others similarly situated." <a href="#TOP">top </a> </p> <p> <a name="CybersecurityWhat"> </a> <a href="https://www.law.com/therecorder/sites/therecorder/2017/11/22/cybersecurity-what-to-know-about-the-vulnerabilities-equities-process/?kw=Cybersecurity:%20What%20to%20Know%20About%20the%20%27Vulnerabilities%20Equities%20Process%27&et=editorial&bu=ALM" > <strong> Cybersecurity: What to know about the 'Vulnerabilities Equities Process' </strong> </a> (The Recorder, 22 Nov 2017) - They may not realize it, but any company hit by the WannaCry ransomware attack over the past several months was impacted firsthand by a secretive U.S. government policy mechanism known as the VEP. Short for the "Vulnerabilities Equities Process," the VEP is the procedure through which the government decides whether to hang on to knowledge of computer security flaws for offensive uses (i.e., hacking), or disclose them to ensure they get patched. In the case of WannaCry, <a href="https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/" > news reports </a> and comments by <a href="https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/" target="_blank" > Microsoft's chief legal officer </a> indicated that the NSA knew about the vulnerability at the root of the worm, but only told Microsoft after losing control of it. 
In the wake of the ensuing controversy, White House Cybersecurity Coordinator Rob Joyce last week for the first time <a href="https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do" target="_blank" > unveiled a public version of the VEP Charter </a> in an effort to shed some light on the government's decision-making process. The <a href="https://www.whitehouse.gov/sites/whitehouse.gov/files/images/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF" target="_blank" > 14-page document </a> describes in broad strokes the balancing act government hackers must go through after they discover new vulnerabilities. Here are a few things you ought to know about it: * * * <a href="#TOP">top </a> </p> <p> <a name="TheFifth"> </a> <a href="https://lawfareblog.com/fifth-amendment-decryption-and-biometric-passcodes" > <strong> The Fifth Amendment, decryption and biometric passcodes </strong> </a> (Lawfare, 27 Nov 2017) - The spread of commercially available encryption products has made it harder for law enforcement officials to access information that relates to criminal and national security investigations. In October, FBI Director Christopher Wray <a href="https://www.fbi.gov/news/speeches/the-fbi-and-the-iacp-bound-together-by-partnership-friendship-and-commitment" target="_blank" > said </a> that in an 11-month period, the FBI had been unable to extract data from more than 6,900 devices; that is over half of the devices it had attempted to unlock. It's a "huge, huge problem," Wray said. One might think that a way around this problem is for the government to order the user to produce the password to the device. But such an order might face a big hurdle: the Fifth Amendment. A handful of cases have emerged in recent years on the applicability of the Fifth Amendment to demands for passwords to encrypted devices. 
The protections afforded by the amendment depend on, among other things, whether the password involves biometric verification via a unique physical feature, or the more typical string of characters (passcode). As we will see, the government has a bit more leeway under the Fifth Amendment to insist on the decryption of personal computing devices using biometric passwords that-as in the new iPhone X-are increasingly prevalent. * * * [ <strong>Polley </strong>: this area is in flux, but the article is a decent summary.] <a href="#TOP">top </a> </p> <p> <a name="ArtGalleries"> </a> <a href="https://www.insidehighered.com/news/2017/11/28/art-exhibit-cuny-draws-scrutiny-pentagon?utm_source=Inside+Higher+Ed&utm_campaign=f4d326dafb-DNU20171128&utm_medium=email&utm_term=0_1fcbc04421-f4d326dafb-197618481&mc_cid=f4d326dafb&mc_eid=012fe6c04c" > <strong>Art galleries versus the Pentagon </strong> </a> (InsideHigherEd, 28 Nov 2017) - Is it art? Or government property? Or both? The John Jay College of Criminal Justice is currently hosting an exhibit of art from eight current and former detainees at the detention camp at Guantánamo Bay Naval Base in Cuba. Earlier this month, however, the Department of Defense halted the export of artwork made by prisoners there, declaring that works made by the prisoners are property of the United States government. The exhibit, "Ode to the Sea: Art From Guantánamo," went on display at the City University of New York campus Oct. 2, when Department of Defense policy still allowed detainees to export art from the island prison where the U.S. government currently detains 41 people. A total of 779 people, all men, have been detained at Guantánamo Bay since the prison's controversial opening in 2002. 
"On the opening pages of <em>Moby-Dick </em>, [Herman] Melville writes about the 'water-gazers' of New York, office-dwellers who spent their free time looking at the rivers and sea that surround the city," Erin Thompson, the exhibit's co-curator and an assistant professor in John Jay's Department of Art and Music, <a href="https://www.theparisreview.org/blog/2017/10/02/art-from-guantanamo/" target="_blank" > wrote in an essay for <em>The Paris Review </em> </a> when the exhibit debuted. "The detainee artists told me that they thought of the sea as a symbol of both hope and fear. They represented it in order to dream about escape and to escape as best they could. By immersing themselves so fully in making art, they could imagine that they were in a ship at sea -- until the work was finished." <a href="https://nypost.com/2017/11/25/pentagon-nyc-college-feud-over-gallery-of-artwork-made-by-suspected-terrorists/" target="_blank" > <em>The New York Post </em> </a> characterized the exhibit as "controversial," noting that some of the first responders who died in the Sept. 11 attacks had attended John Jay. (On the other hand, Thompson noted, only one of the current detainees whose work is on display has actually been charged with a crime.) After going through an examination by prison authorities, art created through prison programming was allowed to be released and sent abroad. That policy was changed earlier this month. "Items produced by detainees remain the property of the U.S. government," Ben Sakrisson, a Pentagon spokesman, said Monday, adding that the policy was firmly in place and not under review, which previous reports had suggested was a possibility. Even if a detainee is eventually released, Sakrisson acknowledged that the policy implicitly states that any art made by the detainee would still be government property. 
<a href="#TOP">top </a> </p> <p> <a name="BakerHostetler"> </a> <a href="http://www.abajournal.com/news/article/bakerhostetler_and_perkins_coie_join_network_for_new_blockchain_id_network/?utm_source=maestro&utm_medium=email&utm_campaign=weekly_email" > <strong> BakerHostetler and Perkins Coie named 'founding stewards' in new blockchain ID network </strong> </a> (ABA Journal, 28 Nov 2017) - BakerHostetler and Perkins Coie are "founding stewards" in the new blockchain-based identity network Sovrin. On account of high-profile data breaches of personal information and the increased interest and feasibility of blockchain technology, there is a growing movement to create IDs that do not rely on centralized storage, which is a honeypot for hackers. Sovrin, run by the nonprofit Sovrin Foundation, "is a global, decentralized identity network that allows people and organizations to create portable, self-sovereign digital identities, which they control, and cannot be taken away by any government or organization" according to the <a href="https://www.bakerlaw.com/EmergingTechnologies">BakerHostetler </a> website. As founding stewards, BakerHostetler and Perkins Coie "donate network power to maintain the ledger" that host nodes to house the self-sovereign IDs, according to an email from Judd Bagley, director of communications at Evernym, the company that invented Sovrin and spun it off as a separate nonprofit foundation. Bagley adds: "Stewards are charged with writing encrypted identity data to the Sovrin ledger and verifying the validity" of each ledger entry. Once in the network, the ID's existence is public across the distributed network. But it can only be accessed with the user's verification key, which is a public identifier, and a signing key, which is private and known only to the user. Collectively, those two cryptographic keys will signal to a bank, government or another individual or entity that a person is who they say. 
For Joe Cutler, a partner at Perkins Coie, self-sovereign identity is "the future of identity." In a <a href="https://www.perkinscoie.com/en/news-insights/perkins-coie-selected-as-a-founding-steward-in-self-sovereign.html" > press release </a> he said: "SSI aims to shift control over your most personal information back into your own hands, and to end this notion that you must sacrifice privacy and security in order to participate in today's digital economy." Laura Jehl, a partner at BakerHostetler's D.C., office, told the ABA Journal in an email that being a steward is about helping their "clients understand and embrace a future where digital identities can be trusted, mitigating risks from data breaches and other cybersecurity incidents." The Sovrin Foundation is one of numerous entities focused on self-sovereign ID built on blockchain, which includes IBM's Blockchain Platform and Microsoft's partnership with Blockstack and ConsenSys, two blockchain companies. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="Coinbase"> </a> <a href="https://techcrunch.com/2017/11/29/coinbase-internal-revenue-service-taxation/" > <strong> Coinbase ordered to give the IRS data on users trading more than $20,000 </strong> </a> (TechCrunch, 29 Nov 2017) - Most digital currencies exist in a sort of twilight state just beyond the grasp of federal regulators, but the U.S. tax authority is starting to get savvy to this whole bitcoin thing. On Wednesday, a federal judge in San Francisco ruled that Coinbase must supply the IRS with identifying information on users who had more than $20,000 in annual transactions on its platform between 2013 and 2015. After noticing that the number of tax returns claiming gains from virtual currency didn't line up with the emerging popularity of digital currencies like bitcoin as an investment vehicle, the IRS asked Coinbase to hand over a broad swath of information on its users. 
Coinbase pushed back, and now the court has landed on a compromise that the company is calling a " <a href="https://blog.coinbase.com/coinbase-obtains-partial-victory-over-irs-dac041db59a3" target="_blank" > partial victory </a> ." "Coinbase itself admits that the Narrowed Summons requests information regarding 8.9 million Coinbase transactions and 14,355 Coinbase account holders. That only 800 to 900 taxpayers reported gains related to bitcoin in each of the relevant years and that more than 14,000 Coinbase users have either bought, sold, sent or received at least $20,000 worth of bitcoin in a given year suggests that many Coinbase users may not be reporting their bitcoin gains," the <a href="https://www.scribd.com/document/365896015/Coinbase-IRS" target="_blank" > court documents read </a> . While cryptocurrency users who value the relative decentralization and privacy afforded by digital currencies won't be happy, Coinbase succeeded in limiting the government's initial request for information on all Coinbase users who made transactions from 2013 to 2015 to the smaller subset of high-value users. The IRS initially requested nine kinds of user data, including "complete user profiles, know-your-customer due diligence, documents regarding third-party access, transaction logs, records of payments processed, correspondence between Coinbase and Coinbase users, account or invoice statements and records of payments." Rejecting some of those requests, today the court narrowed the scope of documents that the IRS can request from Coinbase to taxpayer ID number, name, date of birth, address, transaction logs and account statements, deeming the rest of the documents "not necessary." Again, these personal data requests will only apply to accounts that have bought, sold, sent or received more than $20,000 in any of those types of transactions between 2013 and 2015. 
<a href="#TOP">top </a> </p> <p> <a name="AsClientsDemand"> </a> <a href="https://www.law.com/americanlawyer/sites/americanlawyer/2017/11/29/as-clients-demand-law-firm-cyber-audits-who-sets-the-terms/" > <strong> As clients demand law firm cyber audits, who sets the terms? </strong> </a> (Law.com, 29 Nov 2017) - With <a href="https://www.law.com/americanlawyer/almID/1202791614770/" target="_blank" > hackers </a> and other <a href="https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2017/07/26/lawyers-inadvertent-e-discovery-failures-led-to-wells-fargo-data-breach/" target="_blank" > cyber pitfalls </a> affecting <a href="https://www.law.com/americanlawyer/sites/americanlawyer/2017/11/06/as-paradise-papers-sizzle-appleby-whats-next-for-offshore-firms/?back=law" target="_blank" > more and more law firms </a> , there is still no universally accepted standard that firms must meet to show that they are adequately protected. In the legal industry, concerns about how to assess firms' cyber defenses will likely grow, as a growing number of corporate clients insist outside counsel undergo, and most often pay for, cybersecurity audits. "We have seen an exponential increase in inquiries from law firms in 2017 versus years past," said John DiMaria, a marketing executive in the London office of BSI Group, which provides certifications related to cybersecurity, including certification for ISO/IEC 27001, an international standard for information security management. According to Patti Moran, a spokeswoman for the International Legal Technology Association, and its subsidiary ILTA LegalSEC, a community of law firms seeking to improve the security in the global legal community, more than 44 law firms had achieved that certification by the end of last year, and another 56 were working toward it. 
That's a big increase from two years ago, when The American Lawyer <a href="https://www.law.com/americanlawyer/almID/1202720468020/" target="_blank" > reported </a> that at least 10 Am Law 200 firms had attained the ISO certification to assure clients they were taking steps toward protecting their documents and communication systems. To make audits worth their expense, cybersecurity auditors must use accepted and published benchmarks, said Jeffrey Ritter, a visiting fellow at the University of Oxford and founding chairman of the American Bar Association's committee on cyberspace law. "You have to show what criteria you are using," he said. At the same time, Ritter argues that such standards "have a level of ambiguity" that makes them insufficient safeguards. Meeting an ISO standard is simply not enough, according to John Sweeney, president of Nashville, Tennessee-based LogicForce, which conducts cybersecurity audits largely for law firms. (Other providers of cybersecurity audits include all the Big Four accounting firms, BSI Group and Resiliam.) "ISO is only a single standard that doesn't necessarily cover practical implementation of best practices. Our experience with corporate audits from financial, health, insurance, and other industries has shown ISO 27001 compliance isn't enough to get law firms to pass their audits," Sweeney wrote in an email responding to questions for this article. Moreover, many firms fall far behind even the minimum requirements to meet the ISO standards, a set of legal, physical and technical policies for information risk management procedures, including rules about documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. "There is currently a large gap in where plenty of law firms are today, and any formal certification process," Sweeney wrote. 
<a href="#TOP">top </a> </p> <p> <a name="SWIFTwarns"> </a> <a href="https://www.reuters.com/article/us-eu-court-apple-xiaomi/apple-wins-eu-trademark-case-against-xiaomi-idUSKBN1DZ1IO" > <strong> SWIFT warns banks on cyber heists as hack sophistication grows </strong> </a> (Reuters, 28 Nov 2017) - SWIFT, the global messaging system used to move trillions of dollars each day, warned banks on Wednesday that the threat of digital heists is on the rise as hackers use increasingly sophisticated tools and techniques to launch new attacks. "Adversaries have advanced their knowledge," SWIFT said in a 16-page report co-written with BAE Systems Plc's cyber security division. "No system can be assumed to be totally infallible, or immune to attack." SWIFT has declined to disclose the number of attacks, identify victims or say how much money has been stolen. Still, details on some cases have become public. The new report described an attack on an unidentified bank. Hackers spent several months inside the network of one customer, preparing for the eventual attack by stealing user credentials and monitoring the bank's operations using software that recorded computer keystrokes and screenshots, the report said. When they launched the attack in the middle of the night, the hackers installed additional malware that let them modify messaging software so they could bypass protocols for confirming the identity of the computer's operator, according to the report. The hackers then ordered payments sent to banks in other countries by copying pre-formatted payment requests into the messaging software, according to the report. After the hackers ended the three-hour operation, they sought to hide their tracks by deleting records of their activity. They also tried to distract the bank's security team by infecting dozens of other computers with ransomware that locked documents with an encryption key, the report said. 
While SWIFT did not say how much money was taken, it said the bank quickly identified the fraudulent payments and arranged for the stolen funds to be frozen. [ <strong>Polley </strong>: I've seen such attacks executed with painstaking attention-to-detail, nearly-perfectly scripted. Impressive, and scary.] <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="NATOmulls"> </a> <a href="https://www.reuters.com/article/us-nato-cyber/nato-mulls-offensive-defense-with-cyber-warfare-rules-idUSKBN1DU1G4" > <strong> NATO mulls 'offensive defense' with cyber warfare rules </strong> </a> (Reuters, 30 Nov 2017) - The United States, Britain, Germany, Norway, Spain, Denmark and the Netherlands are drawing up cyber warfare principles to guide their militaries on what justifies deploying cyber attack weapons more broadly, aiming for agreement by early 2019. The doctrine could shift NATO's approach from being defensive to confronting hackers that officials say Russia, China and North Korea use to try to undermine Western governments and steal technology. The 29-nation NATO alliance recognized cyber as a domain of warfare, along with land, air and sea, in 2014, but has not outlined in detail what that entails. In Europe, the issue of deploying malware is sensitive because democratic governments do not want to be seen to be using the same tactics as an authoritarian regime. Commanders and experts have focused on defending their networks and blocking attempts at malicious manipulation of data. Senior Baltic and British security officials say they have intelligence showing persistent Russian cyber hacks to try to bring down European energy and telecommunications networks, coupled with Internet disinformation campaigns. * * * NATO held its biggest ever cyber exercise this week at a military base in southern Estonia, testing 25 NATO allies against a fictional state-sponsored hacker group seeking to infiltrate NATO air defense and communication networks. 
"The fictional scenarios are based on real threats," said Estonian army Lieutenant-Colonel Anders Kuusk, who ran the exercise. NATO's commanders will not develop cyber weapons, but allied defense ministers agreed last month that NATO commanders can request that member nations allow them to use those nations' weapons. <a href="#TOP">top </a> </p> <p> <a name="FacebooksNew"> </a> <a href="https://www.wired.com/story/facebooks-new-captcha-test-upload-a-clear-photo-of-your-face/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Facebook's new captcha test: 'Upload a clear photo of your face' </strong> </a> (Wired, 28 Nov 2017) - Facebook may soon ask you to "upload a photo of yourself that clearly shows your face," to prove you're not a bot. The company is using a new kind of captcha to verify whether a user is a real person. According to a screenshot of the identity test shared on Twitter on Tuesday and verified by Facebook, the prompt says: "Please upload a photo of yourself that clearly shows your face. We'll check it and then permanently delete it from our servers." In a statement to WIRED, a Facebook spokesperson said the photo test is intended to "help us catch suspicious activity at various points of interaction on the site, including creating an account, sending Friend requests, setting up ads payments, and creating or editing ads." The process is automated, including identifying suspicious activity and checking the photo. To determine if the account is authentic, Facebook looks at whether the photo is unique. The Facebook spokesperson said the photo test is one of several methods, both automated and manual, used to detect suspicious activity. The company declined to share details to prevent the system from being manipulated. Suspicious activity might include someone who consistently posts from New York and then starts posting from Russia. 
Facial technology is increasingly common, such as the use of Apple Face ID to authenticate users on iPhone X. A since-deleted screenshot from Twitter seemed to indicate that users are locked out of their accounts while the photo is being verified. A message said, "You Can't Log In Right Now. We'll get in touch with you after we've reviewed your photo. You'll now be logged out of Facebook as a security precaution." Facebook users who suspect their account has been compromised can go to <a href="https://www.facebook.com/hacked" target="_blank"> Facebook.com/hacked </a> . The company would not say when it started using the technique, but in a post <a href="https://www.reddit.com/r/socialmedia/comments/643co2/facebook_wont_let_me_login_asks_for_me_to_upload" target="_blank" > on Reddit </a> users reported getting the same prompt in April. The new authentication scheme is the second in recent weeks that relies on photos. Earlier this month, Facebook asked users to <a href="https://www.theverge.com/2017/11/9/16630900/facebook-revenge-porn-defense-details" target="_blank" > upload nude photos </a> to Facebook Messenger, as part of an effort to prevent revenge porn. Facebook said it would use the nude photos to create a digital fingerprint against which to compare future posts. Facebook said the photos are hashed and then deleted from its servers. [ <strong>Polley: </strong>Orwell.] 
<a href="#TOP">top </a> </p> <p> <a name="HeightenedSecurity"> </a> <strong> <a href="http://www.securityinfowatch.com/article/12384571/heightened-security-risks-dictate-a-proactive-corporate-board" > Heightened security risks dictate a proactive corporate board </a> </strong> (Security Info Watch, 1 Dec 2017) - * * * Despite the impact that data breaches and other types of cyber-attacks continue to have on all kinds of organizations, Jim Pflaging, principal, technology sector and strategy practice lead at security and risk management advisory firm The Chertoff Group, says the level of involvement many boards have today when it comes to addressing cybersecurity issues is really a mixed bag. Pflaging, who serves on the board of several technology companies himself and as a board advisor to several others, says that The Chertoff Group set out last year to get a better understanding about the state of maturity in cybersecurity conversations at the board level and subsequently interviewed over 100 leading executives across three different continents in companies ranging in size from Fortune 500 organizations to small, private firms. What they found, according to Pflaging, was a "tale of two cities." "The first (group) was the good news and that was Fortune 500 (companies) in what people would call critical infrastructure - transportation, utilities, finance, healthcare and some tech (firms) - they said, 'yeah, we've been talking about cybersecurity for years. It is a mature conversation, we talk about it from a risk point of view and, in some cases, it is beyond risk and in the overall business continuity discussion,' Pflaging says. "The second group was largely everybody else and this was not a pretty picture. This resonated with me because it reflected the boards that I am on and that is that cyber is rarely or never on the agenda and if it is on the agenda, it's in response to a breach. The state of the conversation was there really wasn't one." 
Pflaging says that many of these executives from the first group had learned about cybersecurity mostly from other boards but from personal stories as well. Those board members in the second group reported being confused about exactly what their roles should be as directors when it comes to cybersecurity and what questions they should be asking. <a href="#TOP">top </a> </p> <p> <a name="ItsGonna"> </a> <a href="https://www.wired.com/story/its-gonna-get-a-lot-easier-to-break-science-journal-paywalls/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> It's gonna get a lot easier to break science journal paywalls </strong> </a> (Wired, 3 Dec 2017) - * * * Today, even though you can't access Scholar directly from the Google-prime page, it has become the internet's default scientific search engine-even more than once-monopolistic Web of Science, the National Institutes of Health's PubMed, and Scopus, owned by the giant scientific publisher Elsevier. But most science is still paywalled. More than three quarters of published journal articles-114 million on the World Wide Web alone, by one (lowball) <a href="http://journals.plos.org/plosone/article?id=10.1371/journal.pone.0093949" target="_blank" > estimate </a> -are only available if you are affiliated with an institution that can afford pricey subscriptions or you can swing $40-per-article fees. In the last several years, though, scientists have made strides to loosen the grip of giant science publishers. They <a href="https://www.wired.com/2015/08/science-problems-web-fix/"> skip over the lengthy peer review process </a> mediated by the big journals and just … post. Review comes after. The paywall isn't crumbling, but it might be eroding. The <a href="https://www.wired.com/story/biologys-roiling-debate-over-publishing-preprint-research-early/" > open science movement </a> , with its free distribution of articles before their official publication, is a big reason. 
Another reason, though, is stealthy improvement in scientific search engines like <a href="https://www.wired.com/2014/10/the-gentleman-who-made-scholar/"> Google Scholar </a> , Microsoft Academic, and <a href="https://www.wired.com/2016/11/allen-institute-ai-eyes-future-scientific-search/" > Semantic Scholar </a> -web tools increasingly able to see around paywalls or find articles that have jumped over. Scientific publishing ain't like book publishing or journalism. In fact, it's a little more like music, pre-iTunes, pre-Spotify. You know, right about when everyone started using Napster. * * * <a href="#TOP">top </a> </p> <p> <a name="StanfordLied"> </a> <a href="https://www.insidehighered.com/quicktakes/2017/12/04/stanford-lied-about-business-school-scholarships?utm_source=Inside+Higher+Ed&utm_campaign=889e97e9d8-DNU20171204&utm_medium=email&utm_term=0_1fcbc04421-889e97e9d8-197618481" > <strong>Stanford lied about business school scholarships </strong> </a> (InsideHigherEd, 4 Dec 2017) - A breach of confidential data has indicated that the Stanford University Graduate School of Business has been publicly misrepresenting how it awards scholarships. The business school's website, for years, said that "all fellowships are need based," referring to scholarships. A student, Adam Allcock, recently found out that anyone in the business school had access to confidential data. He alerted the school to inform officials of the security flaw, but also downloaded the data and ran an analysis that showed that scholarship awards are not, in fact, need based. "The [Graduate School of Business] secretly ranks students as to how valuable (or replaceable) they were seen, and awarded financial aid on that basis," Allcock wrote in an 88-page report describing his analysis. "Not only has the GSB also been systematically discriminating by gender, international status and more while lying to their faces for the last 10 to ~25 years." 
<a href="https://poetsandquants.com/2017/11/30/stanford-gsb-misled-students-on-financial-aid/" target="_blank" > <em>Poets & Quants </em> </a> , an outlet that specializes in business school rankings and news, broke the story. <a href="http://www.sfchronicle.com/education/article/Stanford-University-data-glitch-exposes-truth-12396695.php" target="_blank" > <em>The San Francisco Chronicle </em> </a> noted that the school has not disputed the report's findings, and that this isn't the only data breach Stanford has had in recent months. The school has since admitted that even though it claimed not to award scholarships based on merit, it "has offered additional fellowship awards to candidates whose biographies make them particularly compelling and competitive in trying to attract a diverse class." Women and those with backgrounds in finance were often favored for scholarship money, even if they had more ability to pay for tuition than others. In some cases, according to the report, one student's scholarship was three times larger than another's despite identical financial need. The secretive scholarship practice might explain why Stanford graduates perform so well, according to <em>Poets & Quants </em>: the school, for example, sends more students into venture capital and private-equity jobs than Wharton, Chicago Booth, Columbia or Harvard. "Allcock's discovery that more money is being used by Stanford to entice the best students with financial backgrounds suggests an admissions strategy that helps the school achieve the highest starting compensation packages of any M.B.A. program in the world," <em>Poets & Quants </em>wrote. "That is largely because prior work experience in finance is generally required to land jobs in the most lucrative finance fields in private equity, venture capital and hedge funds." 
<a href="#TOP">top </a> </p> <p> <a name="independent"> </a> <strong> <a href="https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_opinion_478.authcheckdam.pdf" > Independent factual research by judges via the internet </a> </strong> (ABA Formal Opinion 478, 8 Dec 2017) - <em> Easy access to a vast amount of information available on the Internet exposes judges to potential ethical problems. Judges risk violating the Model Code of Judicial Conduct by searching the Internet for information related to participants or facts in a proceeding. Independent investigation of adjudicative facts generally is prohibited unless the information is properly subject to judicial notice. The restriction on independent investigation includes individuals subject to the judge's direction and control. </em> <a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://jolt.law.harvard.edu/digest/a-legal-anatomy-of-ai-generated-art-part-i" > <strong>A Legal Anatomy of AI-generated Art: Part I </strong> </a> (Harvard Journal of Law & Technology, 21 Nov 2017) - Abstract: This Comment is the first in a two-part series on how lawyers should think about art generated by artificial intelligences, particularly with regard to copyright law. This first part charts the anatomy of the AI-assisted artistic process. The second Comment in the series examines how copyright interests in these elements interact and provides practice tips for lawyers drafting license agreements or involved in disputes around AI-generated artwork. <em> "Advanced algorithms that display cognition-like processes, popularly called artificial intelligences or "AIs," are capable of generating sophisticated and provocative works of art.[1] These technologies differ from widely-used digital creation and editing tools in that they are capable of developing complex decision-making processes, leading to unexpected outcomes. 
Generative AI systems and the artwork they produce raise mind-bending questions of ownership, from broad policy concerns[2] to the individual interests of the artists, engineers, and researchers undertaking this work. Attorneys, too, are beginning to get involved, called on by their clients to draft licenses or manage disputes. The Harvard Law School Cyberlaw Clinic at the Berkman Klein Center for Internet & Society has recently developed a practice in advising clients in the emerging field at the intersection of art and AI. We have seen for ourselves how attempts to negotiate licenses or settle disputes without a common understanding of the systems involved may result in vague and poorly understood agreements, and worse, unnecessary conflict between parties. More often than not, this friction arises between reasonable parties who are open to compromise, but suffer from a lack of clarity over what, exactly, is being negotiated. In the course of solving such problems, we have dissected generative AIs and studied their elements from a legal perspective. The result is an anatomy that forms the foundation of our thinking-and our practice-on the subject of AI-generated art. When the parties to an agreement or dispute share a common vocabulary and understanding of the nature of the work, many areas of potential conflict evaporate. This Comment makes that anatomy available to others, in the hopes that it will facilitate productive negotiations and clear, enforceable agreements for others involved in AI-related art projects. We begin by clarifying what we mean by AI-generated art, distinguishing it from art that is created by humans using digital creation and editing software. Next, we describe four key elements that make up the anatomy of a generative AI. We go into detail on each element, providing plain-language explanations that are comprehensible even to those without a technical background. 
We conclude with a brief preview of the second Comment in this series, which will delve into how we think about the application of copyright law in this context, including the questions of ownership that arise as to each element, and provide some practical insights for negotiating agreements in the context of AI-generated art. * * *" </em> <a href="#TOP">top </a> </p> <p> <em> </em> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.wired.com/2007/05/army-bloggers/"> <strong>Army squeezes soldier blogs, maybe to death </strong> </a> (Wired, 2 May 2007) -- The U.S. Army has ordered soldiers to stop posting to blogs or sending personal e-mail messages, without first clearing the content with a superior officer, Wired News has learned. The directive, issued April 19, is the sharpest restriction on troops' online activities since the start of the Iraq war. And it could mean the end of military blogs, observers say. Military officials have been wrestling for years with how to handle troops who publish blogs. Officers have weighed the need for wartime discretion against the opportunities for the public to personally connect with some of the most effective advocates for the operations in Afghanistan and Iraq -- the troops themselves. The secret-keepers have generally won the argument, and the once-permissive atmosphere has slowly grown more tightly regulated. Soldier-bloggers have dropped offline as a result. The new rules obtained by Wired News require a commander be consulted before every blog update. "This is the final nail in the coffin for combat blogging," said retired paratrooper Matthew Burden, editor of The Blog of War anthology. "No more military bloggers writing about their experiences in the combat zone. This is the best PR the military has -- it's most honest voice out of the war zone. And it's being silenced." 
Army Regulation 530--1: Operations Security (OPSEC) restricts more than just blogs, however. Previous editions of the rules asked Army personnel to "consult with their immediate supervisor" before posting a document "that might contain sensitive and/or critical information in a public forum." The new version, in contrast, requires "an OPSEC review prior to publishing" anything -- from "web log (blog) postings" to comments on internet message boards, from resumes to letters home. Active-duty troops aren't the only ones affected by the new guidelines. Civilians working for the military, Army contractors -- even soldiers' families -- are all subject to the directive as well. But, while the regulations may apply to a broad swath of people, not everybody affected can actually read them. In a Kafka-esque turn, the guidelines are kept on the military's restricted Army Knowledge Online intranet. Many Army contractors -- and many family members -- don't have access to the site. Even those able to get in are finding their access is blocked to that particular file. <a href="#TOP">top </a> </p> <p> <a href="http://www.nytimes.com/2007/12/22/business/worldbusiness/22gambling.html?_r=1&ref=business&oref=slogin" > <strong>In trade ruling, Antigua wins a right to piracy </strong> </a> (New York Times, 22 Dec 2007) - In an unusual ruling on Friday at the World Trade Organization, the Caribbean nation of Antigua won the right to violate copyright protections on goods like films and music from the United States - an award worth up to $21 million - as part of a dispute between the countries over online gambling. The award follows a W.T.O. ruling that Washington had wrongly blocked online gambling operators on the island from the American market at the same time it allowed online wagering on horse racing. Antigua and Barbuda had claimed damages of $3.44 billion a year. 
That makes the relatively small amount awarded Friday, $21 million, something of a setback for Antigua, which had been struggling to preserve its gambling industry. The United States argued that its behavior had caused $500,000 damage. Yet the ruling is significant in that it grants a rare form of compensation: the right of one country, in this case Antigua, to violate intellectual property laws of another - the United States - by allowing it to distribute copies of American music, movie and software products. <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. 
Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p> <p> <a name="TOPS"> </a> <a name="TOP"> </a> MIRLN --- 29 Oct - 18 Nov 2017 (v20.16) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_29_oct_18_nov_2017_v2016/" > permalink </a> </p> <p> <a href="">ANNOUNCEMENTS </a> | <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">DIFFERENT </a> | <a href="">LOOKING BACK </a> | <a href="">NOTES </a> </p> <p> <a name="ANNOUNCEMENT"> </a> <h3> ANNOUNCEMENT </h3> </p> <p> The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at <a href="http://bit.ly/2x7HNbJ" target="_blank">http://bit.ly/2x7HNbJ </a>. (get a 10% discount with code 2ECYBERTF10). 
Below, an ABA story on the Handbook: </p> <p> <a href="https://www.americanbar.org/news/abanews/aba-news-archives/2017/11/updated_aba_cybersec.html" > <strong> Updated ABA cybersecurity handbook helps lawyers protect sensitive client information from hackers </strong> </a> (ABA, 1 Nov 2017) - Cybersecurity breaches in law firms have made headlines and clients are asking questions about lawyers' and firms' security programs. From the massive Panama Papers breach that led to the dissolution of the Mossack Fonseca Law Firm in April 2016 to the WannaCry and Petya ransomware attacks, which led to a work outage at DLA Piper in June 2017, it is imperative that attorneys understand their obligations and the potential risk of inadequate information security practices to their practices and their clients. <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=280127783&term=%E2%80%9CThe+ABA+Cybersecurity+Handbook%3a+A+Resource+for+Attorneys%2c+Law+Firms%2c+and+Business%E2%80%9D+" > <strong> "The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business, Second Edition" </strong> </a> is an updated edition of the handbook that expands on many of the issues raised in the 2013 first edition, while highlighting the extensive changes in the current cybersecurity environment. It is co-edited by cybersecurity legal experts Jill D. Rhodes, chief information security officer at Option Care and former senior executive with the intelligence community; and Robert S. Litt, counsel, Morrison & Foerster and former general counsel of the Office of the Director of National Intelligence. This new edition will enable lawyers and law firms to identify potential cybersecurity risks and prepare a response in the event of an attack. It addresses the current overarching threat as well as ethical issues and special considerations for law firms of all sizes. 
It also includes the most recent ABA Ethics Opinions and illustrates how to approach the subject of cybersecurity threats and issues with clients, as well as when and how to purchase and use cyber insurance. Rhodes and Litt will deliver a book talk at noon on Dec. 8 at the Army Navy Club - click <a href="https://www.americanbar.org/content/dam/aba/administrative/law_national_security/Cyber%20Flyer.authcheckdam.pdf" > here </a> for information on how to register. <a href="">top </a> </p> <p> <a name="NEWS"> </a> <h3> NEWS </h3> </p> <ul> <li> <a href=""> How Facebook, Google and Twitter 'embeds' helped Trump in 2016 </a> </li> <li> <a href="">How Russian trolls got into your Facebook feed </a> </li> <li> <a href="">Manipulating social media to undermine democracy </a> </li> <li> <a href=""> Days after activists sued, Georgia's election server was wiped clean </a> </li> <li> <a href=""> Law firms fail on cybersecurity, and corporate clients are cracking down </a> </li> <li> <a href=""> Corporate legal's new cybersecurity role: First risk responders </a> </li> <li> <a href=""> Ok, we get technology competence, but how do we get technologically competent? </a> </li> <li> <a href="">Can algorithms send you to prison? Apparently, yes. </a> </li> <li> <a href=""> Oil States amicus briefs seek to stabilize IPR constitutional footing </a> </li> <li> <a href=""> What does a Director of Knowledge Management for a legal firm do? 
</a> </li> <li> <a href=""> New federal cybersecurity regulations force colleges to strengthen data management </a> </li> <li> <a href="">35 states and DC back bid to collect online sales taxes </a> </li> <li> <a href=""> US Court sides with Google against Canadian de-indexing order </a> </li> <li> <a href=""> TSA plans to use face recognition to track Americans through airports </a> </li> <li> <a href="">Equifax profit falls as hacking costs take toll </a> </li> <li> <a href=""> Equifax looks to in-house lawyer to 'build a new future' after massive breach </a> </li> <li> <a href=""> Alphabet's Project Loon delivers internet service to 100,000 people in Puerto Rico </a> </li> <li> <a href=""> Copyright exceptions for libraries widespread, study at WIPO shows, but disharmony persists </a> </li> <li> <a href="">Guide to cybersecurity due diligence worth reading </a> </li> </ul> <p> <a name="HowFacebook"> </a> <a href="https://www.politico.com/story/2017/10/26/facebook-google-twitter-trump-244191" > <strong> How Facebook, Google and Twitter 'embeds' helped Trump in 2016 </strong> </a> (Politico, 26 Oct 2017) - Facebook, Twitter and Google played a far deeper role in Donald Trump's presidential campaign than has previously been disclosed, with company employees taking on the kind of political strategizing that campaigns typically entrust to their own staff or paid consultants, according to a new study released Thursday. The <a href="http://www.tandfonline.com/doi/full/10.1080/10584609.2017.1364814" target="_blank" > peer-reviewed paper </a> , based on more than a dozen interviews with both tech company staffers who worked inside several 2016 presidential campaigns and campaign officials, sheds new light on Silicon Valley's assistance to Trump before his surprise win last November. 
While the companies call it standard practice to work hand-in-hand with high-spending advertisers like political campaigns, the new research details how the staffers assigned to the 2016 candidates frequently acted more like political operatives, doing things like suggesting methods to target difficult-to-reach voters online, helping to tee up responses to likely lines of attack during debates, and scanning candidate calendars to recommend ad pushes around upcoming speeches. Such support was critical for the Trump campaign, which didn't invest heavily in its own digital operations during the primary season and made extensive use of Facebook, Twitter and Google "embeds" for the general election, says the study, conducted by communications professors from the University of North Carolina at Chapel Hill and the University of Utah. The companies offered such services, without charge, to all the 2016 candidates, according to the study, which details extensive tech company involvement at every stage of the race. But Hillary Clinton's campaign declined to embed the companies' employees in her operations, instead opting to develop its own digital apparatus and call in the tech firms to help execute elements of its strategy. "Facebook, Twitter, and Google [went] beyond promoting their services and facilitating digital advertising buys," the paper concludes, adding that their efforts extended to "actively shaping campaign communications through their close collaboration with political staffers." <a href="">top </a> </p> <p> - and - </p> <p> <a name="HowRussian"> </a> <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/11/01/how-russian-trolls-got-into-your-facebook-feed/?utm_term=.23c6eabf773e" > <strong>How Russian trolls got into your Facebook feed </strong> </a> (WaPo, 1 Nov 2017) - Americans are getting our first glimpse of how we got played. 
On Wednesday, Congress released some of the 3,000 Facebook ads and Twitter accounts created by Russian operatives to sway American voters. You can explore them in an analysis the Post published here. These disturbing messages, seen by up to 126 million Americans, raise thorny questions about Silicon Valley's responsibility for vetting the information it publishes. Beyond Washington, it leaves all of us who use social media to keep up with friends, share photos and follow news wondering: How'd the Russians get to me? The short answer is Silicon Valley made it very easy. Facebook's top lawyer told Congress on Wednesday the Russian effort was "fairly rudimentary." Here's what he meant: Ever notice a Facebook ad that's eerily relevant to something you've been talking about? Had an ad for a pair of sneakers follow you around the Internet for a week? Or seen an ad that says your friend "liked" it? * * * You were in Russia's crosshairs if you liked the Facebook page of Donald Trump or Hillary Clinton. Same goes for people who said they were fans of Martin Luther King, Jr. Russians even targeted people who shared enough stuff about the South that Facebook tagged them as being interested in "Dixie." 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="Manipulating"> </a> <strong> <a href="https://freedomhouse.org/report/freedom-net/freedom-net-2017"> Manipulating social media to undermine democracy </a> </strong> (Freedom House, Nov 2017) - Key Findings: (1) Online manipulation and disinformation tactics played an important role in elections in at least 18 countries over the past year, including the <a href="https://freedomhouse.org/report/freedom-net/2017/united-states"> United States; </a> (2) Disinformation tactics contributed to a seventh consecutive year of overall decline in internet freedom, as did a rise in disruptions to mobile internet service and increases in physical and technical attacks on human rights defenders and independent media; (3) A record number of governments have restricted mobile internet service for political or security reasons, often in areas populated by ethnic or religious minorities. * * * Russia's online efforts to influence the American election have been well documented, but the United States was hardly alone in this respect. Manipulation and disinformation tactics played an important role in elections in at least 17 other countries over the past year, damaging citizens' ability to choose their leaders based on factual news and authentic debate. Although some governments sought to support their interests and expand their influence abroad-as with Russia's disinformation campaigns in the United States and Europe-in most cases they used these methods inside their own borders to maintain their hold on power. 
<a href="">top </a> </p> <p> <a name="DaysAfter"> </a> <a href="https://arstechnica.com/tech-policy/2017/10/days-after-activists-sued-georgias-election-server-was-wiped-clean/" > <strong> Days after activists sued, Georgia's election server was wiped clean </strong> </a> (ArsTechnica, 26 Oct 2017) - A server and its backups, believed to be key to a pending federal lawsuit filed against Georgia election officials, were thoroughly deleted, according to e-mails recently released under a public records request. Georgia previously came under heavy scrutiny after a researcher discovered significant problems with his home state's voting system. <a href="https://www.documentcloud.org/documents/4118047-Gov-Uscourts-Gand-240678-1-2.html" > A lawsuit soon followed in state court </a> , asking the court to annul the results of the June 20 special election for Congress and to prevent Georgia's existing computer-based voting system from being used again. The case, <em>Curling v. Kemp </em>, was filed in Fulton County Superior Court on July 3. As the Associated Press <a href="https://apnews.com/877ee1015f1c43f1965f63538b035d3f/APNewsBreak:-Georgia-election-server-wiped-after-suit-filed" > reported </a> Thursday, the data was initially destroyed on July 7 by the Center for Elections Systems at Kennesaw State University, the entity tasked with running the Peach State's elections. The new e-mails, which were sent by the Coalition for Good Governance to Ars, show that <a href="http://uits.kennesaw.edu/infosec/about/team.php">Chris Dehner </a>, one of the Information Security staffers, e-mailed his boss, Stephen Gay, to say that the two backup servers had been " <a href="https://www.documentcloud.org/documents/4117644-OCT-FOIA-Clean-Copy-Page-Numbered-2.html#document/p43/a384897" > degaussed three times </a> ." * * * According to the AP, the FBI made a forensic image of the relevant server in March 2017 as part of its investigation. 
Atlanta FBI spokesman Stephen Emmett "would not say whether that image still exists." Neither Emmett nor the FBI field office in Atlanta immediately responded to Ars' request for comment. <a href="">top </a> </p> <p> <a name="LawFirmsFail"> </a> <a href="https://www.law.com/legaltechnews/sites/legaltechnews/2017/10/26/law-firms-fail-on-cybersecurity-and-corporate-clients-are-cracking-down/?kw=Law%20Firms%20Fail%20on%20Cybersecurity%2C%20and%20Corporate%20Clients%20Are%20Cracking%20Down&et=editoria" > <strong> Law firms fail on cybersecurity, and corporate clients are cracking down </strong> </a> (LegalTechNews, 26 Oct 2017) - Law firm technology services group LogicForce recently released its quarterly report card on law firm cybersecurity, giving the legal industry a score of only 42 percent on its cybersecurity health. The most recent scorecard aggregated data from client surveys at more than 300 law firms of various sizes. Scores were generated based on the number of firms who reported implementing 12 different factors set forth by LogicForce: information security executives, cybersecurity policies, multifactor authentication, cyber training, cyber insurance, penetration and vulnerability testing, third-party risk assessments, records management policies, cyber investment, full disk encryption, data loss prevention services, and third-party penetration testing. Each factor was weighted differently. The scorecard's most heavily weighted factor was the presence of an information security executive, a position filled at only 38 percent of surveyed law firms. * * * The report also noted that corporate law firm clients are beginning to crack down harder on their outside counsel for their failure to meet cybersecurity standards. The report found that 48 percent of law firms surveyed had their data security practices subjected to an audit by a corporate client in the last year. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="CorporateLegals"> </a> <a href="https://www.law.com/corpcounsel/sites/legaltechnews/2017/11/07/corporate-legals-new-cybersecurity-role-first-risk-responders/?kw=Corporate%20Legal%27s%20New%20Cybersecurity%20Role:%20First%20Risk%20Responders&et=editorial&bu=Corporate%20Counsel&cn" > <strong> Corporate legal's new cybersecurity role: First risk responders </strong> </a> (Corporate Counsel, 7 Nov 2017) - As corporations devote more attention to cybersecurity, many are expanding the legal department's role to cover tasks like third-party risk management. But according to Grant Thornton's " <a href="https://www.grantthornton.com/library/survey-reports/advisory/2017/general-counsel-emerging-role-strategic-advisor.aspx" > 2017 Corporate General Counsel Survey </a> " of over 190 general counsel, that's far from where their cybersecurity responsibility ends. Over half (58 percent) of general counsel surveyed said they were highly involved in responding to their organizations' data security risks and cybersecurity incidents. In addition, 23 percent said that responding to such risks and events was their "primary responsibility," up from 11 percent in 2015. Of course, it wasn't always this way. "When we did this survey two years ago, the CFO among other members of the C-suite were driving cybersecurity initiatives," said Johnny Lee, principal and forensic technology practice leader for Grant Thornton's Forensic Advisory Services. But as "breaches become more prevalent and as they represent more downstream risk-regulatory and litigation exposure, for example-we've seen a shift to legal departments taking the helm on the response," he said. In light of legal repercussions of cybersecurity incidents, he added, the legal department's participation in risk response can be an asset given the umbrella of attorney-client privilege. 
Depending on the nature and extent of a breach, such privilege may need "to be attached early if it's going to be invoked, and may need to be managed carefully if it's going to be protected and preserved." Lee cautioned, however, that the legal department's cybersecurity role "doesn't necessarily mean they're inserting themselves into insurance discussions or being the primary flag holders in front of the board. But it does mean, vis-à-vis the response, that they intend to be the standard bearers there." <a href="">top </a> </p> <p> - and - </p> <p> <a name="OKweGet"> </a> <a href="https://abovethelaw.com/2017/11/ok-we-get-technology-competence-but-how-do-we-get-technologically-competent/" > <strong> Ok, we get technology competence, but how do we get technologically competent? </strong> </a> (Above The Law, Bob Ambrogi, 6 Nov 2017) - By now, you've probably heard of the duty of technology competence. As <a href="https://www.lawsitesblog.com/2015/03/11-states-have-adopted-ethical-duty-of-technology-competence.html" > more and more states </a> adopt it, more and more articles get written about it, and more and more CLEs get presented about it. But the focus of all this is largely on the nature and scope of the duty. One aspect we hear little about is how lawyers can get and remain technologically competent. There are no easy answers to that question. Florida has taken the most dramatic step, not only mandating tech competence but also <a href="https://www.lawsitesblog.com/2016/10/florida-becomes-first-state-mandate-tech-cle.html" > mandating technology training </a> . The first and only state to do this, Florida requires that lawyers complete three hours of CLE every three years in approved technology programs. Another option for law firms and legal departments seeking to promote technology competence is the Legal Technology Assessment developed by Casey Flaherty and his company <a href="https://www.procertas.com/">Procertas </a>. 
The LTA assesses legal professionals' proficiency with the basic technology tools they use every day - Word, Excel, and PDF - and provides training on tasks in which they are deficient. Now, there is further progress. The past week brought news of two more initiatives that should further promote technology competence among legal professionals. One is online training for lawyers in legal innovation and technology, the other an index tracking how well law schools are preparing students to deliver legal services in the 21 <sup>st </sup> Century. * * * <a href="">top </a> </p> <p> <a name="CanAlgorithms"> </a> <a href="http://ridethelightning.senseient.com/2017/11/can-algorithms-send-you-to-prison-apparently-yes.html" > <strong>Can algorithms send you to prison? Apparently, yes. </strong> </a> (Ride The Lightning, 1 Nov 2017) - <em>The New York Times </em> <a href="https://www.nytimes.com/2017/10/26/opinion/algorithm-compas-sentencing-bias.html?_r=0" target="_blank" > reported </a> in an opinion piece last week on a fascinating and disturbing story. In 2013, police officers in Wisconsin arrested Eric Loomis, who was driving a car that had been used in a recent shooting. He pleaded guilty to attempting to flee an officer, and no contest to operating a vehicle without the owner's consent. Neither of his crimes mandated prison time. But at Mr. Loomis's sentencing, the judge cited, among other factors, Mr. Loomis's high risk of recidivism as predicted by a computer program called COMPAS, a risk assessment algorithm used by the state of Wisconsin. The judge denied probation and prescribed an 11-year sentence - six years in prison, plus five years of extended supervision. No one knows exactly how COMPAS works; its manufacturer won't disclose the proprietary algorithm. We only know the final risk assessment score, which judges may consider at sentencing. 
Loomis challenged the use of an algorithm as a violation of his due process rights to be sentenced individually, and without consideration of impermissible factors like gender or race. The Wisconsin Supreme Court rejected his challenge. In June, the United States Supreme Court declined to hear his case, meaning a majority of justices effectively condoned the algorithm's use. This may have far-reaching effects. Why are we allowing a computer program, into which no one in the criminal justice system has any insight, to play a role in sending a man to prison? The author of the op-ed piece asked that question - and so do I. Wisconsin is one of several states using algorithms in the sentencing process. * * * <a href="">top </a> </p> <p> <a name="OilStates"> </a> <a href="https://patentlyo.com/patent/2017/11/stabilize-constitutional-footing.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+PatentlyO+%28Dennis+Crouch%27s+Patently-O%29" > <strong> Oil States amicus briefs seek to stabilize IPR constitutional footing </strong> </a> (Patently-O, 1 Nov 2017) - As per usual, the briefs are largely divisible into two categories: (1) direct merits arguments focusing on congressional power to enact the IPR regime; and (2) policy briefs arguing that IPRs do important work. I'll note here that the focus of the policy briefs is on <u>efficient </u> and <u>timely </u> adjudication. I have not seen any of the briefs so far that recognize the third reality - that the PTAB is invalidating patents that would have been upheld by a court. For some reason amici consider it appropriate to identify court failures in efficiency but not to identify failures in the substantive decisionmaking. The closest on-point is likely Apple's Brief which promotes the "well-informed and correct" outcomes of the PTAB. <a href="https://cdn.patentlyo.com/media/2017/11/16-712bsacAppleInc.pdf"> 16-712bsacAppleInc </a> . Overall, the collection of briefs here is quite strong. 
The most compelling brief in my view is that filed by the well-known team of Duffy and Dabney on behalf of several groups, including the Internet Association. They write: * * * [ <strong>Polley </strong>: Fairly arcane, but absolutely <em>fascinating </em> set of historical analyses, getting to the very fundamentals of US IPR jurisprudence.] <a href="">top </a> </p> <p> <a name="WhatDoesA"> </a> <a href="http://www.nickmilton.com/2017/11/what-does-director-of-knowledge.html" > <strong> What does a Director of Knowledge Management for a legal firm do? </strong> </a> (KnoCo, 2 Nov 2017) - This month there were two "Director of KM" jobs advertised on LinkedIn. Let's see what this job entails. "Knowledge Management" is a poorly defined term, and Knowledge Management jobs can range from low level data-entry clerks to high level strategic posts, and anything in between. However, when you see "Director of Knowledge Management" vacancies, that tells you that this is a high level post. One of these advertised vacancies gives few details of the post, but the second, from CMS (the legal firm), gives a full list of responsibilities and characteristics. These are listed below * * * <a href="">top </a> </p> <p> <a name="NewFederal"> </a> <a href="http://edscoop.com/colleges-and-universities-must-strengthen-cyber-practices-to-comply-with-new-federal-regulations?utm_source=eloqua&utm_medium=email_50766&utm_campaign=22717" > <strong> New federal cybersecurity regulations force colleges to strengthen data management </strong> </a> (EdScoop, 2 Nov 2017) - A new set of federal regulations is forcing colleges and universities to tighten their cybersecurity practices, which will require changes in the way colleges manage their data, according to a <a href="https://dupress.deloitte.com/dup-us-en/industry/public-sector/protecting-classified-uncontrolled-information-higher-education.html?id=us:2el:3pr:dup4321:awa:dup:103117" target="_blank" > new report </a> . 
Higher education institutions will have to fulfill new contractual obligations to maintain federal grants, research contracts and other transactions in which the institutions receive data from the federal government, according to the report, issued by Deloitte's Center for Higher Education Excellence and nonprofit EDUCAUSE. In 2016, the U.S. Department of Education signaled it would make colleges comply with requirements laid out in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are designed to protect the confidentiality of "controlled unclassified information." The first compliance deadline schools have to meet is Dec. 31. "Whether a college or university has many large government research contracts or one small contract, each institution will need to comply with these new data protection standards," said Joanna Lyn Grama, director of cybersecurity and IT GRC programs at EDUCAUSE. "Simply put, the evolving higher education threat landscape and very complex regulatory environment means that ad-hoc approaches to data management and protection are no longer adequate and formalized information security programs, based on recognized frameworks and responsive to specific regulations, are required." According to the report, while higher education CIOs and CISOs are aware of the new standard, "this awareness hasn't necessarily translated into progress." "Many institutions are still working out how to get started and get everyone on board," the report says. "Other institutions, notably those that receive significant defense research funding, are much further down the path." Colleges will have to overcome many existing challenges in order to fulfill the requirements, according to experts at Deloitte and EDUCAUSE. And those challenges go beyond just technological problems. They also encompass organizational change management, training, end-user adoption and process controls. 
Specific challenges outlined in the report include a lack of executive and board-level attention on NIST's regulations. <a href="">top </a> </p> <p> <a name="ThirtyFive"> </a> <a href="https://www.usatoday.com/story/money/taxes/2017/11/03/35-states-and-dc-back-bid-collect-online-sales-taxes/830516001/" > <strong> 35 states and DC back bid to collect online sales taxes </strong> </a> (USA Today, 3 Nov 2017) - Thirty-five state attorneys general and the District of Columbia this week signed on to support South Dakota's legal bid to collect sales taxes from out-of-state Internet retailers. South Dakota is asking the U.S. Supreme Court to review whether retailers can be required to collect sales taxes in states where they lack a physical presence. The case could have national implications for e-commerce. South Dakota Attorney General Marty Jackley said in a statement Thursday that Colorado filed a friend-of-the-court brief supporting South Dakota's petition to the high court. The state is seeking to overturn legal rulings issued mostly before the online shopping boom that hamstring officials who want to collect sales taxes from out-of-state retailers. States have pushed Congress to address the issue without success, and one estimate put the loss to states at roughly $26 billion in 2015. South Dakota estimates it loses about $50 million annually to e-commerce. "The problem with the physical-presence rule is that it was first conceived of in 1967, two years before the moon landing and decades before the first retail transaction occurred over the Internet," according to the brief. Some companies such as Amazon have decided to collect state sales taxes despite the precedent. South Dakota legislators passed a law last year requiring collection of the tax. The law was struck down in September by the state Supreme Court due to precedent. The state had welcomed the defeat so it could try to get the U.S. Supreme Court to take up the case. 
<a href="">top </a> </p> <p> <a name="UScourtSides"> </a> <a href="http://www.zdnet.com/article/us-court-sides-with-google-against-canadian-de-indexing-order/" > <strong> US Court sides with Google against Canadian de-indexing order </strong> </a> (ZDnet, 3 Nov 2017) - A US federal court on Friday issued a preliminary injunction against a <a href="http://www.zdnet.com/article/canadas-ruling-on-google-search-results-sparks-censorship-concerns/" > Canadian Supreme Court ruling, </a> which asked Google to de-index certain search results not just in Canada but on a global basis. The Canadian ruling "undermines the policy goals of Section 230 [of the US Communications Decency Act] and threatens free speech on the global internet," wrote Judge Edward Davila of the US District Court for Northern California. The ruling pertains to the case <em>Google v. Equustek </em>, which started with a 2011 complaint from the company Equustek Solutions. The British Columbia firm charged that a group of Equustek distributors (known as the Datalink defendants) were selling counterfeit Equustek products online. Datalink continued to sell these goods globally, even after the court ordered it to stop, prompting Equustek to ask Google to intervene. Google initially de-indexed 345 specific webpages associated with Datalink on google.ca. Equustek then sought an injunction to stop Google from displaying any part of the Datalink websites on any of its search results worldwide. A lower court granted the injunction, and the Canadian Supreme Court upheld it. The ruling's global implications <a href="http://www.zdnet.com/article/canadas-ruling-on-google-search-results-sparks-censorship-concerns/" > elicited concern </a> from freedom of speech advocates. 
Google <a href="http://www.zdnet.com/article/google-asks-us-court-to-block-full-enforcement-of-canadian-de-indexing-order/" > asked </a> the US District Court for Northern California to intervene, arguing that Canada's ruling was "repugnant" to the rights established by the First Amendment and the Communications Decency Act. Furthermore, the company said it "violates principles of international comity, particularly since the Canadian plaintiffs never established any violation of their rights under U.S. law." Now that the US District Court has intervened, Google can seek a permanent injunction and ask the Canadian court to modify its original order, <a href="https://www.eff.org/deeplinks/2017/11/us-federal-court-rejects-global-search-order" > according to </a> the Electronic Frontier Foundation. <a href="">top </a> </p> <p> <a name="TSAplans"> </a> <a href="https://www.eff.org/deeplinks/2017/11/tsa-plans-use-face-recognition-track-americans-through-airports" > <strong> TSA plans to use face recognition to track Americans through airports </strong> </a> (EFF, 9 Nov 2017) - The "PreCheck" program is billed as a convenient service to allow U.S. travelers to " <a href="https://www.tsa.gov/precheck">speed through security </a>" at airports. However, the <a href="https://www.regulations.gov/document?D=TSA_FRDOC_0001-0374"> latest proposal </a> released by the Transportation Security Administration (TSA) reveals the Department of Homeland Security's greater underlying plan to collect face images and iris scans on a nationwide scale. DHS's programs will become a massive violation of privacy that could serve as a gateway to the collection of biometric data to identify and track every traveler at every airport and border crossing in the country. Currently TSA collects <a href="https://www.tsa.gov/precheck">fingerprints </a>as part of its application process for people who want to apply for PreCheck. 
So far, TSA hasn't used those prints for anything besides the mandatory background check that's part of the process. But this summer, TSA ran a <a href="https://www.regulations.gov/document?D=TSA_FRDOC_0001-0374"> pilot program </a> at Atlanta's Hartsfield-Jackson Airport and at Denver International Airport that used those prints and a contactless fingerprint reader to verify the identity of PreCheck-approved travelers at security checkpoints at both airports. Now TSA wants to roll out this program to airports across the country and expand it to encompass face recognition, iris scans, and other biometrics as well. [ <strong>Polley </strong>: "contactless fingerprint reader?!?] While this latest plan is limited to the more than 5-million Americans who have chosen to apply for PreCheck, it appears to be part of a broader push within the Department of Homeland Security (DHS) to expand its collection and use of biometrics throughout its sub-agencies. For example, in pilot programs in Georgia and Arizona last year, Customs and Border Protection (CBP) used face recognition to capture pictures of travelers boarding a <a href="https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-dis%20test-june2016.pdf" > flight out of the country </a> and border and compared those pictures to previously recorded photos from passports, visas, and "other DHS encounters." In the Privacy Impact Assessments (PIAs) for those pilot programs, CBP said that, although it would collect face recognition images of all travelers, it would delete any data associated with U.S. citizens. But what began as DHS's biometric travel screening of foreign citizens <a href="https://www.eff.org/deeplinks/2017/08/end-biometric-border-screening" > morphed, without congressional authorization </a> , into screening of U.S. citizens, too. Now the agency plans to roll out the program to other border crossings, and it says it will retain photos of U.S. 
citizens and lawful permanent residents for two weeks and information about their travel for 15 years. It retains data on "non-immigrant aliens" for 75 years. <a href="">top </a> </p> <p> <a name="EquifaxProfit"> </a> <a href="http://www.reuters.com/article/us-equifax-results/equifax-profit-falls-as-hacking-costs-take-toll-idUSKBN1D934D" > <strong>Equifax profit falls as hacking costs take toll </strong> </a> (Reuters, 9 Nov 2017) - Equifax Inc ( <a href="http://www.reuters.com/finance/stocks/overview/EFX.N">EFX.N </a>) on Thursday reported lower quarterly profit, and quarterly revenue missed estimates, as the credit bureau warned that its massive data breach had prompted some customers to hold back business. The breach, which compromised sensitive data of 145.5 million people, has harmed the company's reputation and prompted investigations in every U.S. state, a federal criminal probe and hundreds of lawsuits. Equifax said it was not possible to estimate how much it would cost the company to respond to the probes and litigation. The Atlanta-based company said it recorded $87.5 million in expenses related to the hack during the quarter, including legal fees, investigation of the breach, and free credit monitoring for U.S. consumers whose data was exposed in the breach. Equifax estimated a range of additional costs between $56 million and $110 million to continue providing the free services. The company warned there could be further attacks. "We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again," it said in a quarterly filing with the Securities and Exchange Commission. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="EquifaxLooks"> </a> <strong> <a href="https://www.law.com/corpcounsel/sites/corpcounsel/2017/11/14/equifax-looks-to-in-house-lawyer-to-build-a-new-future-after-massive-breach/" > Equifax looks to in-house lawyer to 'build a new future' after massive breach </a> </strong> (Law.com, 14 Nov 2017) - As Equifax Inc. continues to face fallout from the massive data breach announced earlier this year, the consumer credit reporting company has selected one of its in-house attorneys to oversee its response to the disaster. Taking on this role is Julia Houston, whose official title is chief transformation officer. Along with leading the company through the aftermath of the breach, Houston will coordinate Equifax's efforts to "build a new future," according to the company's <a href="https://www.equifax.com/about-equifax/corporate-leadership"> corporate leadership page </a> . In response to request for comment on Houston's role and on the timing of her appointment, an Equifax spokesperson said: "Equifax's top priorities are to improve service for consumers and to continue to strengthen our company's security capabilities. We have revised our corporate structure to address both of these areas and have created a Chief Transformation Officer who reports directly to the CEO." The spokesperson added that Houston was appointed to this role in October. Houston joined Equifax in October 2013 and was most recently senior vice president of U.S. legal, where she led Equifax's legal team supporting three businesses in the United States. She previously held the general counsel title at customer management company Convergys Corp. and energy company Mirant Corp. Prior to that, Houston was an in-house attorney at Delta Air Lines Inc. 
<a href="">top </a> </p> <p> <a name="AlphabetsProjectLoon"> </a> <strong> <a href="https://www.theverge.com/2017/11/9/16630494/alphabet-project-loon-puerto-rico-internet-connectivity-update" > Alphabet's Project Loon delivers internet service to 100,000 people in Puerto Rico </a> </strong> (The Verge, 9 Nov 2017) - Alphabet's Project Loon, which last month partnered with AT&T and T-Mobile to <a href="https://www.theverge.com/2017/10/20/16512178/alphabet-project-loon-puerto-rico-lte-balloons-disaster-relief-connectivity" > bring LTE connectivity to disaster-stricken Puerto Rico </a> , says its helium air balloons have delivered internet to 100,000 residents on the island. A significant portion of Puerto Rico, still struggling to recover from the effects of Hurricane Maria, is still without cell tower reception, with the Federal Communications Commission <a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db1109/DOC-347693A1.pdf" > reporting earlier today </a> that nearly 44 percent of Puerto Rico cell sites are still out of service. Loon deployed balloons in late October in what was its fastest-ever deployment in an effort to help residents get back online as soon as possible. While 100,000 is an impressive metric on its own, Puerto Rico is an island of nearly 3.5 million people. A map released today by the FCC shows that a vast majority of the island's counties still have between 20 and 60 percent of cell towers out of service. Only four counties are reporting only 1 to 20 percent of cell sites out of service, while another four counties have more than 80 percent of their cell sites down. So while Loon is certainly helping Puerto Rico's government get more residents online, there's a lot of infrastructure work to be done to get the entire island back online and in contact with the rest of the world. 
<a href="">top </a> </p> <p> <a name="CopyrightExceptions"> </a> <strong> <a href="https://www.ip-watch.org/2017/11/15/copyright-exceptions-libraries-widespread-study-wipo-shows-disharmony-persists/" > Copyright exceptions for libraries widespread, study at WIPO shows, but disharmony persists </a> </strong> (IP Watch, 15 Nov 2017) - Nobody among members of the World Intellectual Property Organization disputes the importance of the public services provided by libraries and archives. However, positions are different when it comes to providing exceptions to copyright to those entities so they can continue to dispense their services, in particular in the digital age. An updated study presented today in a WIPO committee shows that most countries have exceptions relating to libraries, but termed in very different ways, and are hesitant on how to deal with digital technologies. Prof. Kenneth Crews, former director of the copyright advisory office at Columbia University (US) and now an attorney at Gipson, Hoffman & Pancione in Los Angeles, today presented <a href="http://www.wipo.int/edocs/mdocs/copyright/en/sccr_35/sccr_35_6.pdf" > the latest version </a> [pdf] of his original 2008 study, already updated in 2014 and in 2015, during the <a href="http://www.wipo.int/meetings/en/details.jsp?meeting_id=42304"> 35th session </a> of the WIPO Standing Committee on Copyright and Related Rights, taking place from 13-17 November. According to Crews, since 2015, a number of countries have revised their copyright laws and the exceptions they provide to libraries and archives, which, he said, serves as a reminder that this is a dynamic issue. The study covers all 191 WIPO member states and found that 161 of those have at least one provision in their copyright statutes that explicitly applies to libraries or archives. 
Crews describes four types of exception: type 1 with no library exception (28); type 2 with a general library exception (21); type 3 with specific library exceptions; and type 4 providing for anti-circumvention exemptions. Compared to the last version of the study, fewer countries have no exception, and fewer countries are relying on a general exception, Crews said. Specialised exceptions, which constitute the largest share of countries, include preservation and replacement, private study and research, making available on the premises, document delivery, and copy machines in the library. As an example, Crews said 102 member states have an exception for preservation, 98 for replacement, and 105 for private study and research. Crews described the influence of several models in current copyright laws, such as the British Copyright Act, which provides multiple provisions such as for preservation and research. He also cited the Bangui Agreement, which also provides clear rules for preservation and research, and the 2001 Information Society Directive and the 2012 Orphan Works Directive of the European Union, which he said have influenced some 14 countries outside of the EU. <a href="">top </a> </p> <p> <a name="GuideToCybersecurity"> </a> <strong> <a href="https://www.law.com/newyorklawjournal/sites/newyorklawjournal/2017/11/15/guide-to-cybersecurity-due-diligence-worth-reading/" > Guide to cybersecurity due diligence worth reading </a> </strong> (NY Law Journal, 15 Nov 2017) - On the subject of business risk, Warren Buffett observed that the rearview mirror is always clearer than the windshield. For an M&A acquirer, one prime risk is assessing the effectiveness of a target's cybersecurity program. As data breach incidents involving Yahoo and Neiman Marcus have shown, such incidents can profoundly impact even the largest deals. With billions of M&A dollars at stake, there is a need to clear the windshield. 
Ronald [sic] Smedinghoff and Roland Trope prove up to the task in this new book, which compiles topical papers written by M&A lawyers whose practices focus on protecting their clients' high-value digital assets. Although the book is primarily written for M&A lawyers, it can also be useful to a wider audience that includes directors, officers, in-house counsel and data security professionals whose duties include the designing, implementing, updating, testing and monitoring of cybersecurity programs. Throughout the book's thirteen chapters, it explains how an acquirer can properly assess a target's cybersecurity posture. As such, the book is intended as an issue-spotting resource. It is not intended to prepare an M&A lawyer to be an expert in cyber crime, or to serve as a manual of M&A provisions that specifically address cybersecurity risks. Although some of the material is repetitive, the editors have done an admirable job in organizing the topics, eliminating jargon, minimizing the use of acronyms, bullet-pointing key checklists, discouraging run-on sentences, reducing paragraph length and ensuring that the entire text appears as though it was written in plain English by a single author. * * * More than a hundred years ago, Theodore Roosevelt observed that risk is like fire: If controlled it can help you; uncontrolled it will rise up and destroy you. For M&A lawyers assessing a target's cybersecurity risk, this book helps control the fire. [ <strong>Polley </strong>: It's <em>Tom </em> Smedinghoff, not Ronald. Excellent resource, and quite positive review.] 
<a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </H3> </p> <p> <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3068786#.WgqRTFXJ75o.twitter" > <strong> Liability for Providing Hyperlinks to Copyright-Infringing Content: International and Comparative Law Perspectives </strong> </a> (Columbia, 12 Nov 2017) - <strong>Abstract: " </strong>Hyperlinking, at once an essential means of navigating the Internet, but also a frequent means to enable infringement of copyright, challenges courts to articulate the legal norms that underpin domestic and international copyright law, in order to ensure effective enforcement of exclusive rights on the one hand, while preserving open communication on the Internet on the other. Several recent cases, primarily in the European Union, demonstrate the difficulties of enforcing the right of communication to the public (or, in US copyright parlance, the right of public performance by transmission) against those who provide hyperlinks that effectively deliver infringing content to Internet users. This article will first address the international norms that domestic laws of states member to the multilateral copyright agreements must implement. It next will explore how two of the most significant regional or national copyright regimes, the EU and the US, have coped with the question of linking, and then will consider the relationship of the emerging approaches to copyright infringement with national and regional laws instituting limited immunity for copyright infringements committed by internet service providers. We will conclude with an assessment of the extent to which the outcomes under US and EU regimes, despite their apparently different approaches, in fact diverge." 
<a href="">top </a> </p> <p> <a href="http://arizonalawreview.org/preventing-data-breaches-at-law-firms-adapting-proactive-management-based-regulation-to-law-firm-technology/" > <strong> Preventing Data Breaches at Law Firms: Adapting Proactive, Management-Based Regulation to Law-Firm Technology </strong> </a> (Arizona Law Review, Nov 2017) - Today, law firms of every size are relying on technology more than ever before. However, a firm's investment in securing its information systems pales in comparison to that of its corporate counterparts, leaving law-firm clients' data unnecessarily at risk. Although there has been a modest increase in regulation for firm management overall, law firms have largely ignored the threat of data breaches, failing to adhere to widely accepted information security standards. This lack of compliance has caused cyber criminals to shift their sights from the client to the vulnerable information security systems of law firms. This Note proposes a proactive, regulatory approach to establish a technology infrastructure in law firms, thus ensuring the protection of client information. [ <strong>Polley </strong>: Others also have proposed a prescriptive, regulatory approach; I'm unconvinced.] <a href="">top </a> </p> <p> <a name="DIFFERENT"> </a> <h3> DIFFERENT </h3> </p> <p> <a href="https://www.theatlantic.com/magazine/archive/2017/12/second-life-leslie-jamison/544149/" > <strong>The digital ruins of a forgotten future </strong> </a> (The Atlantic, Dec 2017) - Gidge Uriza lives in an elegant wooden house with large glass windows overlooking a glittering creek, fringed by weeping willows and meadows twinkling with fireflies. She keeps buying new swimming pools because she keeps falling in love with different ones. The current specimen is a teal lozenge with a waterfall cascading from its archway of stones. 
Gidge spends her days lounging in a swimsuit on her poolside patio, or else tucked under a lacy comforter, wearing nothing but a bra and bathrobe, with a chocolate-glazed donut perched on the pile of books beside her. "Good morning girls," she writes on her blog one day. "I'm slow moving, trying to get out of bed this morning, but when I'm surrounded by my pretty pink bed it's difficult to get out and away like I should." In another life, the one most people would call "real," Gidge Uriza is Bridgette McNeal, an Atlanta mother who works eight-hour days at a call center and is raising a 14-year-old son, a 7-year-old daughter, and severely autistic twins, now 13. Her days are full of the selflessness and endless mundanity of raising children with special needs: giving her twins baths after they have soiled themselves (they still wear diapers, and most likely always will), baking applesauce bread with one to calm him down after a tantrum, asking the other to stop playing "the <em>Barney </em> theme song slowed down to sound like some demonic dirge." One day, she takes all four kids to a nature center for an idyllic afternoon that gets interrupted by the reality of changing an adolescent's diaper in a musty bathroom. But each morning, before all that-before getting the kids ready for school and putting in eight hours at the call center, before getting dinner on the table or keeping peace during the meal, before giving baths and collapsing into bed-Bridgette spends an hour and a half on the online platform <a href="http://secondlife.com/">Second Life </a>, where she lives in a sleek paradise of her own devising. <em> Good morning girls. I'm slow moving, trying to get out of bed this morning. </em> She wakes up at 5:30 to inhabit a life in which she has the luxury of never getting out of bed at all. What is second life? The short answer is that it's a virtual world that launched in 2003 and was hailed by some as the future of the internet. 
The longer answer is that it's a landscape full of goth cities and preciously tattered beach shanties, vampire castles and tropical islands and rainforest temples and dinosaur stomping grounds, disco-ball-glittering nightclubs and trippy giant chess games. In 2013, in honor of Second Life's tenth birthday, Linden Lab-the company that created it-released <a href="https://www.lindenlab.com/releases/infographic-10-years-of-second-life" > an infographic charting its progress </a> : 36 million accounts had been created, and their users had spent 217,266 cumulative years online, inhabiting an ever-expanding territory that comprised almost 700 square miles. Many are tempted to call Second Life a game, but two years after its launch, Linden Lab circulated a memo to employees insisting that no one refer to it as that. It was a <em>platform </em>. This was meant to suggest something more holistic, more immersive, and more encompassing. * * * [ <strong>Polley </strong>: detailed story, worth reading. I haven't logged into SL for years; I may need to go back for another look.] <a href="">top </a> </p> <p> <a href="https://www.insidehighered.com/quicktakes/2017/11/06/math-student-wins-%E2%80%98dance-your-phd%E2%80%99-contest?utm_source=Inside+Higher+Ed&utm_campaign=95ba48b934-DNU20171106&utm_medium=email&utm_term=0_1fcbc04421-95ba48b934-197618481&mc_cid=95ba48b934&mc_eid=01" > <strong>Math student wins "Dance Your Ph.D." contest </strong> </a> (InsideHigherEd, 6 Nov 2017) - <em>Science </em> sponsors an annual <a href="http://www.sciencemag.org/news/2017/11/announcing-winner-year-s-dance-your-phd-contest?utm_campaign=news_weekly_2017-11-03&et_rid=34825145&et_cid=1641651" target="_blank" > "Dance Your Ph.D." contest </a> to highlight research and the importance of communicating findings in ways that help nonspecialists understand them. Below is the video of this year's winner, Nancy Scherich of the University of California, Santa Barbara. 
She studies topology, the study of geometry in which shape and size don't matter. Her focus is on braid theory, or "the rules that determine the unique representations of twists and knots in high-dimensional spaces." [ <strong>Polley </strong>: I'm guessing the math is real; the 9m dance <a href="https://www.youtube.com/watch?time_continue=477&v=MASNukczu5A"> video </a> (with some subtitles) certainly is intriguing. Remember the string game "Cat's Cradle"?] <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK </h3> </p> <p> <a href="http://www.nbcnews.com/id/22346236/ns/technology_and_science-security/t/ftc-issues-online-ad-privacy-guidelines/#.WWV71caZO2w" > <strong>FTC issues online ad privacy guidelines </strong> </a> (NBC News, 20 Dec 2007) - On the same day they cleared Google Inc.'s purchase of online advertiser DoubleClick, federal regulators said industry needs to be more transparent about how consumers' Web-surfing habits are tracked. The Federal Trade Commission on Thursday proposed guidelines by which advertisers would voluntarily fess up to Web surfers about whether their online behaviors are monitored and used to personalize ads. Privacy experts said the guidelines could be helpful, but only if industry enforces them. Consumers are largely in the dark about companies tracking them through these ads, the agency said, adding that companies should give people a realistic choice in whether they want to be tracked or not. "You shouldn't have to be a computer geek to protect your privacy," said Peter Swire, an Ohio State University law professor and senior fellow at the Center for American Progress, a liberal think tank. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. 
You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. 
</p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p> <p> <a name="TOP"> </a> MIRLN --- 8-28 Oct 2017 (v20.15) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_8_28_oct_2017_v2015/" > permalink </a> </p> <p> <a href="#ANNOUNCEMENT">ANNOUNCEMENT </a> | <a href="#NEWS">NEWS </a> | <a href="#DIFFERENT">DIFFERENT </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <p> <a name="ANNOUNCEMENT"> </a> <h3> ANNOUNCEMENT </h3> </p> <p> The new Second Edition of the ABA's best-selling Cybersecurity Handbook is a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at http://bit.ly/2x7HNbJ. A pre-release review of the Handbook is here: <a href="https://insidecybersecurity.com/share/7329"> <strong> ABA urges lawyers to adopt encryption, other cybersecurity practices in latest 'handbook' </strong> </a> (Inside Cybersecurity, 24 Oct 2017). 
</p> <p> <a name="NEWS"> </a> </p> <ul> <li> <a href="#FramingThe">Framing the Museum GitHub Repository </a> </li> <li> <a href="#JeffKoons"> Jeff Koons' augmented reality Snapchat artwork gets 'vandalized' </a> </li> <li> <a href="#CourtDismisses"> Court dismisses FTC's unfairness claims against D-Link </a> </li> <li> <a href="#DoDissues"> DoD issues guidance for compliance with cybersecurity regulations </a> </li> <li> <a href="#PublishersTake"> Publishers take ResearchGate to court, alleging massive copyright infringement </a> </li> <li> <a href="#PetitionToLook"> Petition to look at former CBS lawyer underscores ethical risks of social media </a> </li> <li> <a href="#ComputerVirus"> Computer virus hits US Predator and Reaper drone fleet </a> </li> <li> <a href="#HowRussia"> How Russia harvested American rage to reshape US politics </a> </li><li> <a href="#CyberstalkingCase"> Cyberstalking case highlights how VPN provider claims about not keeping logs are often false </a> </li> <li> <a href="#HostOfHacks">Host of hacks not raising cyber premiums </a> </li> <li> <a href="#WhatCouldEquifax"> What could Equifax CLO John Kelley have done differently? </a> </li> <li> <a href="#WhatCybersecurityStandard"> What cybersecurity standard will a judge use in Equifax breach suits? 
</a> </li> <li> <a href="#AustralianCourt"> Australian court rules an unsent text message on phone of a deceased man as a valid will </a> </li> <li> <a href="#MicrosoftCloud"> Microsoft cloud can now host classified Pentagon data </a> </li> <li> <a href="#FederalJudge"> Federal judge unseals New York crime lab's software for analyzing DNA evidence </a> </li> <li> <a href="#CasetextNow"> Casetext now automatically 'pushes' legal research to attorneys </a> </li> <li> <a href="#MITissues"> MIT issues diplomas using the Bitcoin blockchain </a> </li> <li> <a href="#DecisionReversed"> Decision reversed: Mistake using file sharing site didn't waive privilege </a> </li> </ul> <p> <a name="FramingThe"> </a> <a href="https://medium.com/berkman-klein-center/framing-the-museum-github-repository-afcc55695129" > <strong>Framing the Museum GitHub Repository </strong> </a> (Berkman Klein, 5 Oct 2017) - When we use information, we need to understand what we're looking at. We do this by framing that information - sharing new details about what it is and how we can use it. For museum collections that connect data points across centuries of artworks and objects, institutions are turning to new tools to share and communicate that data. Here, we can look at four institutions using GitHub as a platform to share collections data - the Metropolitan Museum of Art, Museum of Modern Art (MoMA), Cooper Hewitt, Smithsonian Design Museum, and the Tate collection - as an opportunity to parse current practice in this area. GitHub is a platform for sharing and collaborating on code repositories. In a GitHub repository, the README functions as an overview of the repository and its contents. In the museum context, the README may act as a guide for how institutions have chosen to share their collections data. In identifying what information is commonly included in the README, we can map commonalities in which elements institutions have selected to frame and contextualize their collections data. 
* * * <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="JeffKoons"> </a> <a href="https://techcrunch.com/2017/10/08/jeff-koons-augmented-reality-snapchat-artwork-gets-vandalized/" > <strong> Jeff Koons' augmented reality Snapchat artwork gets 'vandalized' </strong> </a> (TechCrunch, 8 Oct 2017) - Earlier this week, Snapchat launched a new augmented reality art exhibiting feature as part of a collaboration with the artist Jeff Koons. ART, as it's called, will plaster the digital artwork and sculptures of artists into geo-tagged physical locations across the world that viewers can see as a Lens inside the Snapchat app. There has already been a backlash by some in the artistic community who are skeptical of corporations "putting up" digital art that they could potentially monetize wherever they would like. As a way to spark the conversation, earlier this week a group of New York-based artists mocked up a "vandalized" version of Jeff Koons' AR Balloon Dog. To be fair, this is a patently 2017 issue to have, but also one that will definitely have conversation build around it as we question the ownership of physical digital locations. The group didn't hack Snap's servers to vandalize the sculpture; the work is more simply a 3D digital recreation of the work placed on top of a photo of the same geo-tagged location as Koons' work. Graffiti artist Sebastien Errazuriz sought to raise some interesting questions with the work done with Cross Lab Studio, positing whether augmented reality experiences should be governed by similar rules to those renting out physical spaces. On an image of the vandalized artwork, he added more questions: <em> Should corporations be allowed to place whatever content they choose over our digital public space? Central Park belongs to the city of NY. Why should corporations get to geo-tag its gps coordinates for free? We know they will make money renting gps spots to brands and bombard us with advertisement. 
They should pay rent, we should choose to approve what can be geo-tagged to our digital public and private space. </em> These debates might be a few years ahead of their time, but as augmented reality grows less gimmicky and more monetizable, advertising in public space could grow to be a major industry. It's interesting to see artists looking to the government to regulate public companies creating art platforms, but it also shows the hesitation many are feeling to the manner in which tech companies are looking to mesh the digital world onto public physical locations with AR tech. <a href="#TOP">top </a> </p> <p> <a name="CourtDismisses"> </a> <a href="https://www.retailconsumerproductslaw.com/2017/10/ftc-unfairness-claims-d-link/#page=1" > <strong>Court dismisses FTC's unfairness claims against D-Link </strong> </a> (Crowell & Moring, 6 Oct 2017) - Earlier this month, the Northern District of California dismissed FTC's unfairness claims against D-Link, a manufacturer of routers and IP cameras, while allowing most of FTC's claims rooted in deception to survive, suggesting that traditional false advertising actions may be FTC's most effective means of addressing suspect data security practices. Further, the Northern District of California's decision to dismiss the unfairness claims shows this court's unwillingness to entertain data security actions rooted in the FTC's unfairness prong, without concrete harm. FTC filed suit against D-Link in January of this year, alleging that the company engaged in both deceptive and unfair practices based on D-Link's allegedly flimsy data security practices. Specifically, the FTC alleged that D-Link engaged in deceptive practices by marketing sophisticated and state-of-the-art security provided with its products, while simultaneously failing to protect users from "widely known and reasonably foreseeable risks of unauthorized access." 
For example, D-Link touted that its products featured "the latest wireless security features to help prevent unauthorized access" and offered the "best possible encryption." But in practice, according to FTC's pleadings, D-Link failed to take "easily preventable measures" against "hard-coded user credentials and other backdoors." And, the Northern District held, these accusations were sufficient to plead a deception claim under the FTC Act. However, where the company did not specifically market its data security practices, its advertising was not deceptive - such as in a brochure where D-Link described the camera as a "surveillance camera" for the "home or small office." Indeed, where D-Link did not refer to its digital security, the court would not imply messages about the state of that security. Notably though, the Northern District dismissed FTC's claims that, because D-Link failed to provide adequate data security, it engaged in unfair practices. Specifically, the court found that, because the FTC could not plead actual harm, it had not sufficiently pled a violation of the FTC Act. FTC was unable, the court noted, to show any "monetary loss or an actual incident where sensitive personal data was accessed or exposed." It was not enough to plead that D-Link put customers at risk. The Northern District did not, however, completely close the door on potential unfairness claims against D-Link. Choosing to dismiss the claims without prejudice, the Northern District noted that "[i]f the FTC had tied the unfairness claim to representations underlying the deception claims, it might have had a more colorable injury element." Accordingly, where a company does not make affirmative representations about its data security practices, a court will likely be reluctant to find a violation of the FTC Act without concrete injury. 
<a href="#TOP">top </a> </p> <p> <a name="DoDissues"> </a> <a href="https://www.hklaw.com/publications/DoD-Issues-Guidance-for-Compliance-with-Cybersecurity-Regulations-10-06-2017/" > <strong> DoD issues guidance for compliance with cybersecurity regulations </strong> </a> (Holland & Knight, 6 Oct 2017) - The U.S. Department of Defense (DoD) published in 2016 a new Defense Federal Acquisition Regulation Supplement (DFARS) provision and two clauses covering the safeguarding of contractor networks. The final DoD clauses are DFARS 252.204-7008, "Compliance with Safeguarding Covered Defense Information Controls," and DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." To comply with the rule, contractors must meet the standards set forth in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," not later than Dec. 31, 2017. On Sept. 21, 2017, the Office of the Under Secretary of Defense provided guidance to DoD acquisition personnel concerning implementation of the NIST SP 800-171 standards. * * * <a href="#TOP">top </a> </p> <p> <a name="PublishersTake"> </a> <a href="http://www.sciencemag.org/news/2017/10/publishers-take-researchgate-court-alleging-massive-copyright-infringement" > <strong> Publishers take ResearchGate to court, alleging massive copyright infringement </strong> </a> (Science Magazine, 6 Oct 2017) - Scholarly publishing giants Elsevier and the American Chemical Society (ACS) have filed a lawsuit in Germany against ResearchGate, a popular academic networking site, alleging copyright infringement on a mass scale. The move comes after a larger group of publishers became dissatisfied with ResearchGate's response to a request to alter its article-sharing practices. 
ResearchGate, a for-profit firm based in Berlin, Germany, which was founded in 2008, is one of the largest social networking sites aimed at the academic community. It claims more than 13 million users, who can use their personal pages to upload and share a wide range of material, including published papers, book chapters and meeting presentations. Science funders and investors have put substantial funds into the firm; it has raised more than $87 million from the Wellcome Trust charity, Goldman Sachs, and Bill Gates. In recent years, journal publishers have become increasingly concerned about the millions of copyrighted papers - usually accessible only behind subscription paywalls - that are being shared by ResearchGate users. And on 15 September, the International Association of Scientific, Technical, and Medical Publishers <a href="http://www.sciencemag.org/news/2017/09/publishers-go-after-networking-site-illicit-sharing-journal-papers" > wrote to ResearchGate </a> on behalf of more than 140 publishers, expressing concerns about its article-sharing policies. Specifically, the organization proposed that ResearchGate implement a "seamless and easy" automated system that would help the site's users determine if an article was protected by copyright and could be legally shared publicly or privately. The association <a href="https://www.elsevier.com/__data/assets/pdf_file/0010/509068/STM_letter_ResearchGate.20170916.pdf" > asked for a response by 22 September </a> , noting that its members could follow up individually or collectively if ResearchGate failed to agree to its proposal. (AAAS, which publishes <em>Science </em>Insider, is a member of the association.) Yesterday, a group of five publishers - ACS, Elsevier, Brill, Wiley and Wolters Kluwer - announced that ResearchGate had rejected the association's proposal. 
Instead, the group, which calls itself the " <a href="http://www.responsiblesharing.org/"> Coalition for Responsible Sharing </a> ," said in <a href="http://www.responsiblesharing.org/coalition-statement/"> a 5 October statement </a> that ResearchGate suggested publishers should send the company formal notices, called "takedown notices," asking it to remove content that breaches copyright. The five publishers will be sending takedown notices, according to the group. But the coalition also alleges that ResearchGate is illicitly making as many as 7 million copyrighted articles freely available, and that the company's "business model depends on the distribution of these in-copyright articles to generate traffic to its site, which is then commercialised through the sale of targeted advertising." The coalition also states that sending millions of takedown notices "is not a viable long-term solution, given the current and future scale of infringement. … Sending large numbers of takedown notices on an ongoing basis will prove highly disruptive to the research community." As a result, two coalition members, ACS and Elsevier, have opted to go to court to try to force ResearchGate's hand. The lawsuit, filed in a German regional court, asks for "clarity and judgement" on the legality of posting such content, says James Milne, spokesperson for the Coalition for Responsible Sharing and senior vice president of ACS's journals publishing group in Oxford, U.K. 
<a href="#TOP">top </a> </p> <p> <a name="PetitionToLook"> </a> <a href="http://www.law.com/insidecounsel/2017/10/06/petition-to-look-at-former-cbs-lawyer-underscores/" > <strong> Petition to look at former CBS lawyer underscores ethical risks of social media </strong> </a> (Inside Counsel, 6 Oct 2017) - After being fired for a controversial Facebook post in the aftermath of the mass shooting in Las Vegas, former CBS lawyer Hayley Geftman-Gold is the subject of a petition calling for the New York State Bar Association to consider whether she is capable of remaining professional in response to a tragedy. This push, which calls for the NYSBA to consider whether Geftman-Gold's social media post is in keeping with her professional obligations, highlights the ethical risks lawyers face when it comes to using social media, attorneys say. Not long after a gunman in Las Vegas killed more than 50 people and injured nearly 500, Geftman-Gold, who was a vice president and senior counsel of strategic transactions at CBS, posted in a Facebook discussion that she was "not even sympathetic" because "country music fans often are Republican gun toters." CBS fired her Monday, saying in a statement Friday to Corporate Counsel that the views expressed by Geftman-Gold on social media were "deeply unacceptable to all of us at CBS." Geftman-Gold, who could not be reached for comment, said in a statement provided to Fox News that she sincerely regrets making the "indefensible post." The petition, addressed to NYSBA executive director Pamela McDevitt, condemns Geftman-Gold's "reprehensible and despicable remarks" and calls on the association to "conduct an ethics review of this individual to measure her abilities to remain professional during the response phase of a national tragedy and to censor herself appropriately." 
In response to a request for comment from McDevitt, Richard Rifkin, special counsel to the NYSBA, told Corporate Counsel that the association has "gotten a number of complaints" about Geftman-Gold. Rifkin added, however, that the NYSBA does not have the ability to discipline attorneys, and so complainants are informed on how "to file a complaint with the appropriate part of the court system." Currently, Geftman-Gold's attorney registration record shows no record of discipline. Posted Monday by the Citizens for Judicial Reform, the petition had more than 12,000 signatures as of publication of this article. "The bigger lesson here is people need to think before they post or tweet," said Ignatius Grande, senior discovery attorney at Hughes Hubbard & Reed, who is also co-chair of the Social Media Committee of the NYSBA's Commercial and Federal Litigation Section. "Especially as a lawyer, because there are a lot of ethical issues that can come back to haunt you." The NYSBA's social media ethics guidelines outline where issues can arise, such as violating rules around advertising or posting confidential information. The guidelines also point to an ethics opinion from the D.C. Bar Legal Ethics Committee in order to make clear that caution should be exercised when stating positions on issues and legal developments on social media platforms that may be inconsistent with those positions of clients. "I think part of what the ethics boards have been dealing with over the last ten years is how to deal with social media, because it really has changed how you apply some of the rules that are out there," Grande said. "And attorneys are looked at with a magnifying glass or looked at with a higher standard, so it's important to look before you post." 
<a href="#TOP">top </a> </p> <p> <a name="ComputerVirus"> </a> <a href="https://arstechnica.com/information-technology/2011/10/exclusive-computer-virus-hits-drone-fleet/" > <strong>Computer virus hits US Predator and Reaper drone fleet </strong> </a> (ArsTechnica, 7 Oct 2017) - A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other war zones. The virus, first detected nearly two weeks ago by the military's <a href="http://www.disa.mil/Services/Information-Assurance/HBSS"> Host-Based Security System </a> , has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech's computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the US military's most important weapons system. "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told Danger Room about the virus. "We think it's benign. But we just don't know." <a href="#TOP">top </a> </p> <p> <a name="HowRussia"> </a> <a href="https://www.nytimes.com/2017/10/09/technology/russia-election-facebook-ads-rage.html?_r=0" > <strong> How Russia harvested American rage to reshape US politics </strong> </a> (NYT, 9 Oct 2017) - YouTube videos of police beatings on American streets. A widely circulated <a href="https://www.youtube.com/watch?v=0R81h6rWgtU"> internet hoax about Muslim men in Michigan </a> collecting welfare for multiple wives. A <a href="http://www.wusa9.com/news/local/dc/marine-attacked-and-left-for-dead-in-nw-dc/55197802" > local news story about </a> two veterans brutally mugged on a freezing winter night. 
All of these were recorded, posted or written by Americans. Yet all ended up becoming grist for a network of Facebook pages linked to a shadowy Russian company that has carried out propaganda campaigns for the Kremlin, and which is now believed to be at the center of a far-reaching Russian program to influence the 2016 presidential election. A New York Times examination of hundreds of those posts shows that one of the most powerful weapons that Russian agents used to reshape American politics was the anger, passion and misinformation that real Americans were broadcasting across social media platforms. * * * <a href="#TOP">top </a> </p> <p> <a name="CyberstalkingCase"> </a> <a href="https://www.techdirt.com/articles/20171009/10301738370/cyberstalking-case-highlights-how-vpn-provider-claims-about-not-keeping-logs-are-often-false.shtml" > <strong> Cyberstalking case highlights how VPN provider claims about not keeping logs are often false </strong> </a> (TechDirt, 10 Oct 2017) - When the Trump administration recently decided to <a href="https://www.techdirt.com/articles/20170328/09565737026/consumer-broadband-privacy-protections-are-dead.shtml" > gut consumer privacy protections for broadband </a> , many folks understandably rushed to VPNs for some additional privacy and protection. And indeed, many ISPs justified their lobbying assault on the rules by stating that users didn't need privacy protections, since they could <a href="https://www.techdirt.com/articles/20170327/09244537008/just-use-vpn-isnt-real-solution-to-gops-decision-to-kill-broadband-privacy-protections.shtml" > simply use a VPN </a> to fully protect their online activity. 
But we've noted repeatedly that VPNs <a href="https://www.techdirt.com/articles/20170327/09244537008/just-use-vpn-isnt-real-solution-to-gops-decision-to-kill-broadband-privacy-protections.shtml" > are not some kind of panacea </a> , and in many instances you're simply shifting the potential for abuse from your ISP - to a VPN provider that may not actually offer the privacy it claims. Latest case in point: like many companies, a VPN provider by the name of PureVPN has been <a href="https://www.purevpn.com/why-purevpn.php"> advertising for years on its website </a> that it keeps no logs of user behavior: <em> "PureVPN operates a self-managed VPN network that currently stands at 750+ Servers in 141 Countries. But is this enough to ensure complete security? That's why PureVPN has launched advanced features to add proactive, preventive and complete security. <u> There are no third-parties involved and NO logs of your activities </u> ." </em> But when the Department of Justice arrested a man by the name of Ryan Lin for stalking, one key component of the case involved using PureVPN logs to track his online activities. * * * <a href="#TOP">top </a> </p> <p> <a name="HostOfHacks"> </a> <a href="http://itreasurer.com/Host-of-Hacks-Not-Raising-Cyber-Premiums.aspx?utm_source=eloqua&utm_medium=email_50222&utm_campaign=22317" > <strong>Host of hacks not raising cyber premiums </strong> </a> (iTreasurer, 10 Oct 2017) - Despite the continuing steady flow of news about major companies getting hacked, cyber policy premiums have continued to fall and their coverage broaden as insurers crowd into the space. In fact, the magnitude of cybercrimes only seems to be growing, with recent revelations that all of Yahoo's three billion customer accounts were hacked, as were Equifax's 140 million customers, along with Deloitte's client emails and certain SEC filings. 
As a result, some cyber insurers have increased underwriting scrutiny for certain risks while others still offer premiums that continue to fall, according to Kevin Kalinich, the global practice leader for cyber risk at brokerage Aon. "We have over 70 cyber carriers out of the US, Bermuda and London. Therefore, despite the recent cyber incidents, unless you are in a 'high risk' industry class, because there's so much competition we're seeing rates come down," Mr. Kalinich said. "If you're buying cyber insurance, now is definitely a good time to buy it." David Bradford, chief strategy officer and director of strategic partnership development at Advisen, a provider of data, media, and technology solutions for the commercial property and casualty insurance market, said that many companies are currently experiencing reductions between 5% and 15%, a trend that should continue for the immediate future. He said the Equifax breach is unlikely to have a significant impact on premiums, because the company has $150 million or less of coverage, and so is unlikely to drive capacity out of the marketplace. "It will probably cause some alarm among certain classes of buyers, but it's within the range of what insurers expected to pay," he said. Premiums remain elevated for companies in industries such as retail and healthcare, which have seen significant breaches in recent years. However, they likely will fall gradually as cybercriminals turn their sights to other industries. The broad downward pressure on premiums fundamentally stems from supply outweighing demand: the 65 insurers Advisen estimates plying the cyber-policy space are chasing after a relatively small pot of premiums, approximately $3.5 billion. Companies can take on upwards of $600 million in coverage, Mr. Bradford said, although brokers must cobble together that capacity using policies from numerous carriers. 
<a href="#TOP">top </a> </p> <p> <a name="WhatCouldEquifax"> </a> <a href="http://www.law.com/insidecounsel/2017/10/11/what-could-equifax-clo-john-kelley-have-done-diffe/" > <strong> What could Equifax CLO John Kelley have done differently? </strong> </a> (InsideCounsel, 11 Oct 2017) - John Kelley, CLO of Equifax, has found himself at the center of the controversy surrounding the recent massive data breach at the company. <a href="http://www.nationallawjournal.com/id=1202799633525?slreturn=20170909171844" > Former Equifax Inc. CEO Richard Smith </a> spent much of last week testifying before Congress about the massive data breach that has affected some <a href="https://www.equifaxsecurity2017.com/"> 145 million U.S. consumers </a> . Many grilling Smith questioned the timeline following the discovery of the incursion and wondered how three Equifax executives were able to sell shares totaling close to $2 million just days later. The answers inevitably came back to the company's <a href="http://www.corpcounsel.com/id=1202797988997/For-Equifaxs-Legal-Team-Breach-Likely-To-Bring-Litigation-Challenges-High-Price-Tag" > chief legal officer, John Kelley III </a> , who along with being <a href="http://www.corpcounsel.com/id=1202797735900/In-the-Wake-of-Equifaxs-Breach-A-Look-at-Whos-Leading-the-Legal-Department" > in charge of security within the company </a> , is responsible for approving share sales by Equifax executives. Parsing the decisions Kelley made in the aftermath of the breach raises some intriguing issues for the many in-house counsel who must grapple with cybersecurity threats and shows that the story of how Equifax responded to its recent breach is anything but simple. * * * [ <strong>Polley </strong>: interesting.] 
<a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="WhatCybersecurityStandard"> </a> <a href="https://www.lawfareblog.com/what-cybersecurity-standard-will-judge-use-equifax-breach-suits" > <strong> What cybersecurity standard will a judge use in Equifax breach suits? </strong> </a> (Lawfare, 20 Oct 2017) - Those affected by data breaches now have increasing opportunities to take their claims to court. Last month, in northern California's federal district court, Judge Lucy Koh upheld the right of victims to sue Yahoo for massive breaches between 2013 and 2016. Victims of the Equifax hack, which impacted millions more than initially reported, are filing dozens of lawsuits. And in another ruling last month, Koh upheld a class of health insurance company Anthem's data breach victims' right to sue for a recently revealed second breach, shortly after Anthem was ordered to pay $115 million to victims and credit-monitors after the first incident. We've previously described the role of theories of harm to victims, and the duty of care for companies, as courts iron out standards in data breach litigation. But what happens in court? What standards are judges applying for cybersecurity when deciding these lawsuits? What amount of cybersecurity would have been sufficient, in court if not in practice? In other words, we should assume that because a cybersecurity regime is a series of processes, and because no large-scale entity is impenetrable, breaches can and will happen, even when a company exercises care. So, what standard of care is acceptable? Especially in large-scale operations that hold potential for large-scale breaches? The Equifax case may set the high-water mark of weak precautions and bungled incident-response plans, coupled with the intimacy of data and vastness of people affected. But what is the lower limit of acceptable standards for situations that are less clear? 
(Incidents like the Deloitte hack in September that compromised confidential emails of some of its blue-chip clients.) * * * [ <strong>Polley </strong>: interesting, and lengthy; ultimately (unsurprisingly) indeterminate; still, a useful exposition.] <a href="#TOP">top </a> </p> <p> <a name="AustralianCourt"> </a> <a href="http://mashable.com/2017/10/11/judge-unsent-text-will/#RGjrPIxFmmqC" > <strong> Australian court rules an unsent text message on phone of a deceased man as a valid will </strong> </a> (Mashable, 11 Oct 2017) - An unsent message of a deceased man in Australia has been ruled as a valid will. It means he will leave his estate to his brother and nephew as opposed to his son and wife, with whom he apparently had a difficult relationship. The decision was handed down by a judge at the Supreme Court of Queensland, following no evidence of any other will created by the deceased man. The man, who tragically took his own life, was found with the phone by his widow in October 2016. The following day, a friend of the widow was asked to look through the deceased man's contact list to see who should be notified of his death. It was there the unsent text message was found, and a screenshot was taken. " <em> Dave Nic you and Jack keep all that I have house and superannuation, put my ashes in the back garden with Trish Julie will take her stuff only she's ok gone back to her ex AGAIN I'm beaten . A bit of cash behind TV and a bit in the bank Cash card pin 3636 MRN190162Q 10/10/2016 My will </em> ," read the text message. The widow, who contested the will, sought to rely on the fact that because the deceased man did not send the text message, he didn't mean it. But the judge in this case, Justice Susan Brown, was satisfied the unsent text constituted a valid document and the deceased man had made up his mind on where his property would go after his death, due to the words "my will" at the end of the message. 
Also noted by the judge was the contact between the deceased man, his brother and nephew, prior to his death, and that the text was written close to the date of his death. It was also deemed likely the deceased man intended for the message to be found with him. "In all of the circumstances I consider that the text message was intended by the deceased to operate as his will upon his death," Brown said. <a href="#TOP">top </a> </p> <p> <a name="MicrosoftCloud"> </a> <a href="http://www.nextgov.com/cloud-computing/2017/10/microsoft-cloud-can-now-host-classified-pentagon-data/141844/?oref=ng-HPtopstory&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Microsoft cloud can now host classified Pentagon data </strong> </a> (NextGov, 17 Oct 2017) - Microsoft announced on Tuesday that the Defense Department can host secret classified data in its cloud. The <a href="https://azure.microsoft.com/en-us/blog/announcing-new-azure-government-capabilities-for-classified-mission-critical-workloads/" > <strong> announcement </strong> </a> means the Defense Department, the military services, intelligence agencies and their industry partners working within secret enclaves can host classified data in Microsoft's Azure Government Secret cloud, where they'll have access to new technologies like machine learning. * * * Secret data is traditionally distributed through a system of computer networks managed by the Defense and State departments called the Secret Internet Protocol Router Network, or SIPRNet. Microsoft's Azure Government Secret cloud can now host SIPRNet data. 
<a href="#TOP">top </a> </p> <p> <a name="FederalJudge"> </a> <a href="https://www.propublica.org/article/federal-judge-unseals-new-york-crime-labs-software-for-analyzing-dna-evidence" > <strong> Federal judge unseals New York crime lab's software for analyzing DNA evidence </strong> </a> (ProPublica, 20 Oct 2017) - A federal judge this week unsealed the source code for a software program developed by New York City's crime lab, exposing to public scrutiny a disputed technique for analyzing complex DNA evidence. Judge Valerie Caproni of the Southern District of New York lifted a protective order in response to <a href="https://www.propublica.org/article/propublica-seeks-source-code-for-new-york-city-disputed-dna-software" > a motion by ProPublica </a> , which argued that there was a public interest in disclosing the code. ProPublica has obtained the source code, known as the Forensic Statistical Tool, or FST, and published it on <a href="https://github.com/propublica/nyc-dna-software">GitHub </a>; two newly unredacted defense expert affidavits are <a href="https://www.documentcloud.org/documents/4112650-10-17-17-Unredacted-NA-Exhibit-C.html" > also </a> <a href="https://www.documentcloud.org/documents/4112649-10-17-17-Unredacted-NA-Exhibit-A.html" > available </a> . "Everybody who has been the subject of an FST report now gets to find out to what extent that was inaccurate," said Christopher Flood, a defense lawyer who has sought access to the code for several years. "And I mean everybody - whether they pleaded guilty before trial, or whether it was presented to a jury, or whether their case was dismissed. Everybody has a right to know, and the public has a right to know." Caproni's ruling comes amid increased complaints by scientists and lawyers that flaws in the now-discontinued software program may have sent innocent people to prison. Similar legal fights for access to proprietary DNA analysis software are ongoing elsewhere in the U.S. 
At the same time, New York City policymakers are pushing for transparency for all of the city's decision-making algorithms, from pre-trial risk assessments, to predictive policing systems, to methods of assigning students to high schools. <a href="#TOP">top </a> </p> <p> <a name="CasetextNow"> </a> <a href="https://www.lawsitesblog.com/2017/10/casetext-now-automatically-pushes-legal-research-attorneys.html" > <strong> Casetext now automatically 'pushes' legal research to attorneys </strong> </a> (Bob Ambrogi, 23 Oct 2017) - The legal research company <a href="https://casetext.com/">Casetext </a> has introduced a feature that monitors an attorney's litigation dockets for briefs and memoranda from opposing counsel and then automatically delivers a report of case law that is relevant but not included in the document. The feature uses Casetext's legal research assistant <a href="https://casetext.com/cara/upload">CARA </a>, an analytical tool that <a href="https://www.lawsitesblog.com/2016/07/new-casetext-feature-finds-cases-along-will-come-new-pricing.html" > automatically finds cases </a> that are relevant to a legal document but not cited in the document. The standard way to use CARA is for an attorney who has received a brief, memoranda or other legal document to upload it to CARA, and CARA then performs its analysis and generates a list of relevant cases that are not mentioned in the document. With this new feature, which Casetext is calling CARA Notifications, Casetext monitors all the PACER dockets in which an attorney has active matters. Whenever opposing counsel files a substantive document such as a brief or memorandum, Casetext retrieves the document, runs it through CARA, and delivers the report to the attorney. "Traditionally in legal research, an attorney gets a brief and then seeks out case law to oppose the brief," Pablo Arredondo, chief legal research officer at Casetext, explained. 
"The closest thing there has been to push notification is that some research services let you track a case or track a search. What we're doing now - and I believe we're the first - is pushing the caselaw to oppose the brief automatically based on monitoring the dockets." Seven firms have been using this feature on a pilot basis since Oct. 1, including Quinn Emanuel Urquhart & Sullivan, Ogletree Deakins, and Fenwick & West. The feature is being provided to them as part of their standard subscription, at no extra cost. Casetext is analyzing the text of docket entries and documents to determine which are substantive and which are not, so that it does not run routine filings through the analysis. It only analyzes documents filed by opposing sides in the case, so the attorney's own filings are not automatically analyzed. (Of course, subscribers can always run their documents through CARA before they file them.) One early user called the service "anticipatory knowledge retrieval," Arredondo said. <a href="#TOP">top </a> </p> <p> <a name="MITissues"> </a> <a href="https://www.cryptocoinsnews.com/mit-issues-diplomas-using-bitcoin-blockchain/" > <strong>MIT issues diplomas using the Bitcoin blockchain </strong> </a> (Cryptocoins News, 23 Oct 2017) - The Massachusetts Institute of Technology (MIT) has begun a pilot program to test the benefits and challenges of using the bitcoin blockchain to issue diplomas. As <a href="http://news.mit.edu/2017/mit-debuts-secure-digital-diploma-using-bitcoin-blockchain-technology-1017" > MIT News reports </a> , the pilot program began this summer and provided 111 MIT graduates with the option to receive their diplomas through a blockchain-reliant smartphone app called Blockcerts Wallet, in addition to the traditional hard-copy format. 
The Blockcerts app, which was developed by the <a href="https://www.cryptocoinsnews.com/tag/mit-media-lab/"> MIT Media Lab </a> in collaboration with Cambridge software company Learning Machine, generates a public-private key pair after a student downloads it and registers for the program. The app then sends the public key to MIT, which writes it into the digital record and adds a one-way hash to the bitcoin blockchain. The app stores the user's private key, enabling him or her to prove ownership of the diploma. The school says this "empower[s] students to be the curators of their own credentials." <a href="#TOP">top </a> </p> <p> <a name="DecisionReversed"> </a> <a href="http://ridethelightning.senseient.com/2017/10/decision-reversed-mistake-using-file-sharing-site-didnt-waive-privilege.html" > <strong> Decision reversed: Mistake using file sharing site didn't waive privilege </strong> </a> (Ride the Lightning, 24 Oct 2017) - A case I wrote a post about in March of 2017 has now been reversed - to the relief of many lawyers, I'm sure. As Bloomberg BNA reported (sub. req.), the decision by a state magistrate judge in <em>Harleysville Ins. Co. v. Holding Funeral Home, Inc </em>. was <a href="https://www.bloomberglaw.com/public/desktop/document/Harleysville_Ins_Co_v_Holding_Funeral_Home_Inc_No_115CV00057_2017?1508926722" > reversed </a> by a federal judge in Virginia on October 2nd. Thanks to Dave Ries for letting me know. The decision basically says that inadvertent disclosure of confidential materials through an error in using a file-sharing site didn't waive a plaintiff's attorney-client privilege and work product protection for those materials. The judge also found that defense counsel acted unethically by using the protected materials without notifying plaintiff's counsel and seeking a court ruling on the waiver issue. 
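</p> <p> Returning to the MIT Blockcerts item above: the flow it describes gives whoever is later shown the diploma two separate checks, that the record matches the one-way hash the issuer anchored, and that the presenter controls the private key whose public half MIT wrote into that record. The Go program below is an added illustration written for this page, not MIT or Blockcerts code. It simplifies, and the simplifications are this example's own assumptions: the anchor is a single SHA-256 per credential held in memory rather than a blockchain transaction, the record's field names are invented, and the challenge the holder signs (a domain-separated hash over the anchor and a verifier-chosen nonce) is a format chosen here. </p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the issuer's record for one diploma. As in the article, the holder's
// public key is written into the record and the record's one-way hash is what gets
// anchored. Field names are this example's own, not the Blockcerts schema.
type Credential struct {
	Issuer    string `json:"issuer"`
	Recipient string `json:"recipient"`
	Degree    string `json:"degree"`
	Issued    string `json:"issued"`
	PubKey    []byte `json:"recipient_pubkey"` // raw Ed25519 public key (base64 in JSON)
}

// Anchor stands in for the hash written to the blockchain; here it is a value the relying party is assumed to have read back from the chain.
type Anchor [32]byte

// NewHolderKeys is what the holder's app does at registration: generate the pair, keep priv, send pub to the issuer.
func NewHolderKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// hashCredential serialises deterministically (struct fields marshal in declaration order) and takes SHA-256.
func hashCredential(c Credential) (Anchor, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return Anchor{}, err
	}
	return Anchor(sha256.Sum256(b)), nil
}

// Issue binds the holder's public key into the record and computes the anchor the issuer would publish.
func Issue(issuer, recipient, degree, issued string, pub ed25519.PublicKey) (Credential, Anchor, error) {
	c := Credential{Issuer: issuer, Recipient: recipient, Degree: degree, Issued: issued, PubKey: pub}
	a, err := hashCredential(c)
	return c, a, err
}

// VerifyIntegrity is the relying party's first check: rehash the record it was shown
// and compare with the anchor. Editing any field, including the key, changes the hash.
func VerifyIntegrity(c Credential, anchor Anchor) bool {
	h, err := hashCredential(c)
	return err == nil && h == anchor
}

// challenge is what the holder signs: a domain-separated hash over the anchor and a
// verifier nonce, so a proof cannot be replayed for another credential or session.
func challenge(anchor Anchor, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("diploma-ownership-proof/v1"))
	h.Write(anchor[:])
	h.Write(nonce)
	return h.Sum(nil)
}

// ProveOwnership runs on the holder's device with the private key the app kept.
func ProveOwnership(priv ed25519.PrivateKey, anchor Anchor, nonce []byte) []byte {
	return ed25519.Sign(priv, challenge(anchor, nonce))
}

// VerifyOwnership is the second check. The public key is taken from the anchored record,
// never from the presenter, so a valid signature shows control of the key MIT bound to this diploma.
func VerifyOwnership(c Credential, anchor Anchor, nonce, sig []byte) error {
	if !VerifyIntegrity(c, anchor) {
		return errors.New("record does not match anchor; its public key cannot be trusted")
	}
	if len(c.PubKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key in credential")
	}
	if !ed25519.Verify(ed25519.PublicKey(c.PubKey), challenge(anchor, nonce), sig) {
		return errors.New("signature does not verify against the anchored key")
	}
	return nil
}

func main() {
	pub, priv, err := NewHolderKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample data for the demonstration.
	cred, anchor, err := Issue("MIT", "Ada Lovelace", "Master of Engineering", "2017-06-09", pub)
	if err != nil {
		panic(err)
	}
	nonce := []byte("verifier nonce 2017-10-23") // fresh per verification session
	sig := ProveOwnership(priv, anchor, nonce)
	fmt.Println("integrity ok:", VerifyIntegrity(cred, anchor))
	fmt.Println("ownership ok:", VerifyOwnership(cred, anchor, nonce, sig) == nil)
	forged := cred
	forged.Degree = "Doctor of Philosophy" // tampered copy with the same key
	fmt.Println("forged record matches anchor:", VerifyIntegrity(forged, anchor))
}
```

<p> Two points the news summary leaves implicit. The anchor establishes that this exact record, key included, existed when it was anchored, and the signature establishes that the presenter holds the matching private key; neither says anything about who the issuer is, so a verifier still needs an authentic source for MIT's anchoring identity. And the ownership check must run only after the integrity check, because a forger who swaps in their own public key can trivially sign the challenge; the code above refuses the ownership proof whenever the record fails the anchor comparison. The production Blockcerts issuer batches many credentials into a Merkle tree and anchors only the root, giving each holder a receipt with its Merkle path; one hash per credential is used here to keep the flow visible. </p> <p>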
The case represents a reminder that lawyers generally aren't free to secretly exploit inadvertently disclosed materials even if they believe the disclosure waived any privilege claim. * * * <a href="#TOP">top </a> </p> <p> <a name="DIFFERENT"> </a> <h3> DIFFERENT </h3> </p> <p> <a href="https://www.higheredjobs.com/search/details.cfm?JobCode=176587379"> <strong>Tenure-track Faculty Positions </strong> </a> <strong> </strong> (MIT, 17 Oct 2017) - Tenure track faculty position; Program in Media Arts and Sciences/Media Lab: The MIT Media Lab seeks a new kind of early career faculty member, not defined by discipline, rather by his or her unique and iconoclastic experience, style and points of view. You can be a designer, inventor, scientist, scholar or other - any combination - as long as you make things that matter. Impact is key. This means somebody with at least these three sets of characteristics: (1) being deeply versed in a minimum of two fields, preferably not ones normally juxtaposed; (2) being an orthogonal and counter-intuitive thinker, even a misfit within normal structures; (3) having an adventurous personality, boundless optimism, and desire to change the world. Any disciplines apply as long as their confluence shows promise of solving big, hard and long-term problems. And, most importantly, candidates must explain why their work really can only be done at the Media Lab. We prefer candidates not be similar to our existing faculty. We welcome applicants who have never considered academic careers. Successful candidates will: establish and lead their own research group within the Media Lab; engage in collaborative projects with industrial sponsors and other Media Lab research groups; actively contribute to shaping the open and creative culture that defines our community; supervise masters and doctoral students; and participate in the Media Arts and Sciences academic program. 
Appointments will be within the Media Arts and Sciences academic program, principally at the Assistant Professor level. A doctorate is not necessary, but evidence of extreme creativity is. * * * [ <strong>Polley </strong>: I'd guess that every MIRLN reader wants this job. Pass it along.] <a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://lessig.tumblr.com/post/166319652257/a-tool-to-get-your-copyrights-back" > <strong>A tool to get your copyrights back </strong> </a> (Lawrence Lessig, October 2017) - I was incredibly happy to read that Creative Commons and the Authors Alliance have released a tool (cool URL: rightsback.org) to enable authors to recover the rights they had transferred to someone else. This was a project started a decade ago. It was hard then. I am very proud they have delivered it now. Copyright is an incredibly interesting law of property, chock through with weird exceptions and protections. One of those protections is that a creator can get a second chance with his or her copyright. If you created something, and then transferred your copyright to someone else, even though the transfer might say "this is forever …" you have the right to get it back. But (surprise! surprise!) it turns out it is INCREDIBLY difficult to exercise that right properly. And many creators find it just way too difficult (read: expensive) to exercise the right. The tool that CC/AA have created tries to make it as simple as possible. The tool walks you through the steps necessary to determine whether you have a right, and when you need to file. The tool doesn't do the transfer, but it does help you see whether you are entitled, and if you are, it simplifies the process of making that happen. The purpose of copyright law is to help creators. You wouldn't know that by looking at the way the law actually works. But where the law clearly benefits creators, we should do whatever we can to support it. 
<a href="#TOP">top </a> </p> <p> <a href="https://www.americanbar.org/news/abanews/aba-news-archives/2017/10/aba_committee_onlaw.html" > <strong> ABA Committee on Law and National Security launches national security podcast </strong> </a> (ABA, 23 Oct 2017) - The <a href="https://www.americanbar.org/groups/public_services/law_national_security.html" > ABA Committee on Law and National Security </a> has created a new podcast called <a href="https://www.americanbar.org/groups/public_services/law_national_security/nslt.html" > National Security Law Today </a> . Hosted by committee members and staff, the podcast features legal experts discussing hot topics and current issues in the world of national security, as well as career advice for those looking to break into the field of national security law. Listeners will learn about the specific impact that national security law has on the legal, economic and business world outside the government. The theme for the first year is national security in private practice, focusing on laws and regulations that impact practitioners and their clients. Topics include State Department and Treasury Department sanctions, the Committee on Foreign Investment in the United States, the Foreign Agents Registration Act, export regulations, security clearances and litigation, international tribunals and prosecuting terrorist acts. New episodes air every other Thursday, and each one is approximately a half-hour long. 
The show is available online on the <a href="https://www.americanbar.org/groups/public_services/law_national_security/nslt.html" > podcast website </a> and you can find it for streaming or subscribing on <a href="https://itunes.apple.com/us/podcast/national-security-law-today/id1276946676?mt=2" > iTunes </a> , <a href="https://www.stitcher.com/podcast/national-security-law-today"> Stitcher </a> , <a href="https://soundcloud.com/nsltoday/">Soundcloud </a> and <a href="https://tunein.com/radio/National-Security-Law-Today-p1026660/"> TuneIn </a> . Upcoming guests include: * * * <a href="#TOP">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.cnet.com/news/judge-man-cant-be-forced-to-divulge-encryption-passphrase/" > <strong> Judge: Man can't be forced to divulge encryption passphrase </strong> </a> (CNET, 14 Dec 2007) - A federal judge in Vermont has ruled that prosecutors can't force a criminal defendant accused of having illegal images on his hard drive to divulge his PGP (Pretty Good Privacy) passphrase. U.S. Magistrate Judge Jerome Niedermeier ruled that a man charged with transporting child pornography on his laptop across the Canadian border has a Fifth Amendment right not to turn over the passphrase to prosecutors. The Fifth Amendment protects the right to avoid self-incrimination. Niedermeier tossed out a grand jury's subpoena that directed Sebastien Boucher to provide "any passwords" used with his Alienware laptop. "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him," the judge wrote in an order dated November 29 that went unnoticed until this week. "Producing the password, as if it were a key to a locked container, forces Boucher to produce the contents of his laptop." Especially if this ruling is appealed, U.S. v. Boucher could become a landmark case. 
The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach. (A U.S. Justice Department attorney wrote an article in 1996, for instance, titled "Compelled Production of Plaintext and Keys.") This debate has been one of analogy and metaphor. Prosecutors tend to view PGP passphrases as akin to someone possessing a key to a safe filled with incriminating documents. That person can, in general, be legally compelled to hand over the key. Other examples include the U.S. Supreme Court saying that defendants can be forced to provide fingerprints, blood samples, or voice recordings. Orin Kerr, a former Justice Department prosecutor who's now a law professor at George Washington University, shares this view. Kerr acknowledges that it's a tough call, but says, "I tend to think Judge Niedermeier was wrong given the specific facts of this case." <a href="#TOP">top </a> </p> <p> <a href="http://www.seattlepi.com/business/article/E-mail-from-the-grave-Microsoft-seeks-patent-on-1226027.php" > <strong> E-mail from the grave? Microsoft seeks patent on 'immortal computing' </strong> </a> (Seattle PI, 22 Jan 2007) -- In this culture of instant information, some Microsoft Corp. researchers are pursuing a radical notion -- the concept of saving messages for delivery in decades, centuries or more. The project, dubbed "immortal computing," would let people store digital information in physical artifacts and other forms to be preserved and revealed to future generations, and maybe even to future civilizations. After all, when looking that far in the future, you never know who the end users might be. One scenario the researchers envision: People could store messages to descendants, information about their lives or interactive holograms of themselves for access by visitors at their tombstones or urns. 
And here's where the notion of immortality really kicks in: The researchers say the artifacts could be symbolic representations of people, reflecting elements of their personalities. The systems might be set up to take action -- e-mailing birthday greetings to people identified as grandchildren, for example. The previously undisclosed project came to light through a newly surfaced patent application in which the researchers explain some of the concepts they're exploring. The project seeks to address the fact that large amounts of valuable information are stored on media with limited life spans, in formats that could be rendered obsolete. Consider how quickly floppy disks disappeared. But the researchers aren't just thinking about the informational legacies of individuals. "Maybe we should start thinking as a civilization about creating our Rosetta stones now, along with lots of information, even going beyond personal memories into civilization memories," said Eric Horvitz, a Microsoft principal researcher who also is working on the project. <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. 
The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. 
<a href="#TOP">top </a> </p> <p> Posted 2017-10-07 by Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 17 Sept - 7 Oct 2017 (v20.14) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_17_sept_7_oct_2017_v2014/" > permalink </a> </p> <p> <a href="">NEWS </a> | <a href="">RESOURCES </a> | <a href="">FUN </a> | <a href="">LOOKING BACK </a> | <a href="">NOTES </a> </p> <ul> <li> <a href=""> Future Navy accident investigations will look for cyber attacks </a> </li> <li> <a href="">The alternate reality of prior art </a> </li> <li> <a href=""> Lawyers can accept payment in bitcoin, Nebraska ethics opinion says </a> </li> <li> <a href=""> World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns </a> </li> <li> <a href=""> Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE </a> </li> <li> <a href=""> New ABA book explores what makes cyber due diligence different </a> </li> <li> <a href=""> Author of key internet freedom law opposes new sex trafficking bill </a> </li> <li> <a href="">The ten most important Section 230 rulings </a> </li> <li> <a href="">Cyber attack, hurricane weigh on FedEx quarterly profit </a> </li> <li> <a href=""> Patent venue: Cyberspace does not expand place of business </a> </li> <li> <a href=""> Deloitte hit by cyber-attack revealing clients' secret emails </a> </li> <li> <a href=""> Law firm inadvertently leaks Pepsi client secrets to Wall Street Journal </a> </li> <li> <a href=""> FBI investigating hack attack on law firm defending top target of Chinese regime </a> </li> <li> <a href=""> FCC proposes to eliminate requirement to keep hard copies of FCC rules </a> </li> 
<li> <a href=""> Bloomberg Law launches AI research tool to find key points of law </a> </li> <li> <a href=""> New from Fastcase: Instantly add public hyperlinks to case citations in legal documents </a> </li> <li> <a href="">The media really has neglected Puerto Rico </a> </li> <li> <a href="">Restoring those old liner notes in music's digital era </a> </li> <li> <a href="">Elsevier launches encyclopedic tool </a> </li> <li> <a href="">Google to ditch controversial 'first click free' policy </a> </li> <li> <a href=""> Equifax is reportedly reviewing actions of its top lawyer, who oversaw security and stock sales </a> </li> <li> <a href=""> Google's new Gmail security: If you're a high-value target, you'll use physical keys </a> </li> <li> <a href=""> More than 80% of all net neutrality comments were sent by bots, researchers say </a> </li> <li> <a href=""> App listening for audio beacons may be illegal wiretapping-Rackemann v. Colts </a> </li> <li> <a href=""> Supreme Court says live streaming would "adversely affect" oral arguments </a> </li> <li> <a href=""> New CIS cybersecurity guide for small and medium businesses </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="FutureNavy"> </a> <a href="http://www.nextgov.com/defense/2017/09/future-navy-accident-investigations-will-look-cyber-attacks/141025/" > <strong> Future Navy accident investigations will look for cyber attacks </strong> </a> (NextGov, 15 Sept 2017) - Rampant internet speculation aside, there's no evidence yet that any hostile electronic breach led to recent U.S. Navy mishaps, according to the admiral who leads the service's cyber operations. In fact, it was mostly to put such speculation to rest that Vice Adm. Jan Tighe said she dispatched a small team to join the Navy's investigation into the Aug. 21 collision of the USS McCain with a cargo ship off Singapore. That accident followed a similar June 17 incident involving another destroyer, the USS Fitzgerald. 
Tighe said there's no particular schedule for the team to complete its work. "Quite frankly, with respect to McCain, this is a 'first of.' We have a really hard time predicting a timeline," she said. "It rather depends on what and if we find anything that looks suspicious and what and how we will go about determining whether it is, actually, suspicious or not. So, it could be weeks. It could be months. I don't think it's years." But that's part of the point. As Tighe's investigators sniff around for evidence of meddling, they are trying to figure out where to look, whom to talk to, what angles to consider, and more. They are, in fact, pioneering a new kind of inquiry for the Navy. "Codifying how we will do these types of mishap investigations to account for a cyber component going forward is where we will learn from the results of the McCain investigation," she said. Eventually, the Navy will "make it part of the normal process of how we do mishap investigations." <a href="">top </a> </p> <p> <a name="TheAlternateReality"> </a> <a href="https://patentlyo.com/patent/2017/09/alternate-reality-prior.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+PatentlyO+%28Dennis+Crouch%27s+Patently-O%29" > <strong>The alternate reality of prior art </strong> </a> (Patently-O, 17 Sept 2017) - Thought pioneer <a href="https://www.linkedin.com/in/danabelow/">Dan Abelow </a> fits within an interesting designation. So far in 2017, his <a href="https://www.google.com/patents/US20120069131?dq=ininventor:%22Daniel+H.+Abelow%22" > U.S. Patent Publication No. 2012/0069131 </a> - mysteriously titled "Reality Alternate" - is the Most-Oft examiner cited U.S. prior art reference. The document - now patented as U.S. Patent No. 9,183,560 - covers a method of providing "a portal for a user … to be present simultaneously in two or more different non-fictional alternate realities that are distinct from a non-fictional physical reality of the user." 
[Here, I'm looking at Examiner citations rather than those submitted by Applicants] The Abelow document reads something like a science-fiction novel - defining a new Alternate Reality world both in terms of its incredible impact and technical specifications. From the abstract: <em> Just as fiction authors have described alternate worlds in novels, this introduces an Alternate Reality-but provides it as technical innovation. This new Alternate Reality's "world" is named the "Expandaverse" which is a conceptual alteration of the "Universe" name and a conceptual alteration of our current reality. Where our physical "Universe" is considered given and physically fixed, the Expandaverse provides a plurality of human created digital realities that includes a plurality of human created means that may be used simultaneously by individuals, groups, institutions and societies to expand the number and types of digital realities-and may be used to provide continuous expansions of a plurality of Alternate Realities. To create the Expandaverse current known technologies are reorganized and combined with new innovations to repurpose what they accomplish and deliver, collectively turning the Earth and near-space into the equivalent of one large, connected room (herein one or a plurality of "Shared Planetary Life Spaces" or SPLS) with a plurality of new possible human realities and living patterns that may be combined differently, directed differently and controlled differently than our current physical reality. </em> In addition to being written in a way that draws diverse connections (helpful for obviousness conclusions), the reference is also 750 pages long! (The patentee paid an extra $4,000+ in filing costs for the extra page length). One of the best patent attorneys in the country - <a href="https://www.fr.com/david-l-feigenbaum/">David Feigenbaum </a> - filed this case and helped push it through to issuance. 
[ <strong>Polley </strong>: Hmmmmmm… <a href="http://variety.com/2017/tv/news/amazon-studios-lazarus-snow-crash-ringworld-1202576048/" > Snow Crash </a> ? <a href="https://en.wikipedia.org/wiki/Rainbows_End">Rainbows End </a>?] <a href="">top </a> </p> <p> <a name="LawyersCanAccept"> </a> <a href="http://www.abajournal.com/news/article/lawyers_can_accept_payment_in_bitcoin_nebraska_ethics_opinion_says" > <strong> Lawyers can accept payment in bitcoin, Nebraska ethics opinion says </strong> </a> (ABA Journal, 18 Sept 2017) - Lawyers may accept payment in digital currencies such as bitcoin but must immediately convert the money into U.S. dollars, according to a Nebraska ethics advisory opinion. The <a href="https://supremecourt.nebraska.gov/sites/default/files/ethics-opinions/Lawyer/17-03.pdf" > opinion </a> , issued Sept. 11, is the first by a state ethics body to address the ethics of bitcoin payments, the <a href="http://norfolkdailynews.com/news/attorney-pleased-with-legal-opinion-on-digital-currencies/article_aa9e0f82-9c77-11e7-9be3-07a11d11a8e9.html" > Norfolk Daily News </a> and <a href="https://www.coindesk.com/courting-bitcoin-nebraska-ethics-board-gives-lawyers-ok-accept/" > Coin Desk </a> report. Nebraska lawyer Matt McKeever says he requested the opinion. Eastern Nebraska is a rapidly growing hub for payment processing and financial technology, McKeever told the Norfolk Daily News. Bitcoin ATMs are already in use in the area, and the currency is being used on a daily basis, he said. The ethics opinion by the Lawyer's Advisory Committee says a growing number of law firms in other jurisdictions accept payments in bitcoin, a currency with volatile prices. In 2013, for example, the price fluctuated from about $7 per bitcoin to $1,200 per bitcoin. Immediate conversion to dollars mitigates the risk of volatility and possible unconscionable overpayment for legal services, the ethics opinion says. 
Lawyers who receive payment in digital currencies should take three steps, the opinion says. First, the lawyer should notify the client that the payment will be immediately converted to U.S. dollars. Second, the lawyer should make the conversion through a payment processor. Third, the lawyer should credit the client's account at the time of payment. The opinion also says that lawyers who accept virtual currency "must be careful to see that this property they accept as payment is not contraband, does not reveal client secrets, and is not used in a money-laundering or tax avoidance scheme; because convertible virtual currencies can be associated with such mischief." Lawyers may hold digital currencies in trust for clients after advising that the currency won't be converted to U.S. dollars, but the currency must be held separate from the lawyer's property and must be properly safeguarded, the ethics opinion says. There is no bank or FDIC insurance to reimburse a client for hacked bitcoin, so lawyers should take precautions such as encryption or use of more than one private key for access. <a href="">top </a> </p> <p> <a name="WWWconsortium"> </a> <a href="https://boingboing.net/2017/09/18/antifeatures-for-all.html/amp"> <strong> World Wide Web Consortium abandons consensus, standardizes DRM with 58.4% support, EFF resigns </strong> </a> (Cory Doctorow on BoingBoing, 18 Sept 2017) - In July, the Director of the World Wide Web Consortium <a href="https://boingboing.net/2017/07/07/eschatology-watch.html"> overruled dozens of members' objections </a> to publishing a DRM standard without a compromise to protect accessibility, security research, archiving, and competition. EFF <a href="https://boingboing.net/2017/07/12/save-the-web.html"> appealed the decision </a> , the first-ever appeal in W3C history, which concluded last week with a deeply divided membership. 
58.4% of the group voted to go on with publication, and the W3C did so today, an unprecedented move in a body that has always operated on consensus and compromise. In their public statements about the standard, the W3C executive repeatedly said that they didn't think the DRM advocates would be willing to compromise, and in the absence of such willingness, the exec have given them everything they demanded. This is a bad day for the W3C: it's the day it publishes a standard designed to control, rather than empower, web users. That standard was explicitly published without any protections -- even <a href="https://lists.w3.org/Archives/Public/public-html-media/2017Jun/0017.html" > the most minimal compromise was rejected without discussion </a> , an intransigence that the <a href="https://lists.w3.org/Archives/Public/public-html-media/2017Jun/0019.html" > W3C leadership tacitly approved </a> . It's the day that the W3C changed its process to reward stonewalling over compromise, provided those doing the stonewalling are the biggest corporations in the consortium. EFF no longer believes that the W3C process is suited to defending the open web. We have resigned from the Consortium, effective today. 
Below is <a href="https://www.eff.org/deeplinks/2017/09/open-letter-w3c-director-ceo-team-and-membership" > our resignation letter </a> : * * * <a href="">top </a> </p> <p> <a name="Motel6"> </a> <a href="https://www.scmagazine.com/motel-6-to-revamp-privacy-data-sharing-policies-after-phoenix-locations-send-guest-info-to-ice/article/689360/" > <strong> Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE </strong> </a> (SC Magazine, 18 Sept 2017) - Motel 6 employees in the Phoenix area who voluntarily and routinely handed guest registers to ICE officials without the benefit of a warrant may not have run afoul of the company's <a href="https://www.motel6.com/en/faq.html">privacy policy </a>, but the hotel chain said it would take steps to shut down or prevent similar operations at its other properties nationwide. A <em>Phoenix New Times </em> <a href="http://www.phoenixnewtimes.com/news/motel-6-calling-ice-undocumented-guests-phoenix-immigration-lawyers-9683244" > report </a> last week quoted an employee at one of two Phoenix-area Motel 6 locations as saying, "every morning at about 5 o'clock we do the audit and push a button and it sends it to ICE," prompting the American Civil Liberties Union (ACLU) to call out the motel chain on both Twitter and Facebook. "Is this your official company policy?" the ACLU <a href="https://twitter.com/ACLU/status/908064086004563968/photo/1?ref_src=twsrc%5Etfw&ref_url=http%3A%2F%2Fmashable.com%2F2017%2F09%2F13%2Fmotel-6-aclu-guest-list-ice%2F" > tweeted </a> . Motel 6 had said the Phoenix operation was orchestrated by locals and was shut down when corporate caught wind of it. "Moving forward, to help ensure that this does not occur again, we will be issuing a directive to every one of our more than 1,400 locations nationwide, making clear that they are prohibited from voluntarily providing daily guest lists to ICE," according to a Motel 6 statement. 
"Additionally, to help ensure that our broader engagement with law enforcement is done in a manner that is respectful of our guests' rights, we will be undertaking a comprehensive review of our current practices and then issue updated, company-wide guidelines." <a href="">top </a> </p> <p> <a name="NewABAbook"> </a> <a href="http://www.legaltechnews.com/id=1202798224942/New-ABA-Book-Explores-What-Makes-Cyber-Due-Diligence-Different?kw=New%20ABA%20Book%20Explores%20What%20Makes%20Cyber%20Due%20Diligence%20Different&et=editorial&bu=ALMcyberSecure&cn=20170921&src=EMC-Ema" > <strong> New ABA book explores what makes cyber due diligence different </strong> </a> (LegalTech, 18 Sept 2017) - Companies are now paying much closer attention to cybersecurity issues when involved in mergers and acquisitions. To help explain recent changes, the American Bar Association's Business Law Section has published a new book, the <a href="https://shop.americanbar.org/eBus/Store/ProductDetails.aspx?productId=281539300" > "Guide to Cybersecurity Due Diligence in M&A Transactions." </a> It is edited by Thomas J. Smedinghoff, an attorney at Locke Lord, and Roland Trope, an attorney at Trope and Schramm. The 272-page book is broken down into 13 chapters that explore the importance of cybersecurity to due diligence and M&A, what acquirers should know, and how due diligence impacts a transaction. It also features an appendix that includes a listing of common U.S. data security laws and regulations. Among those working on the book were attorneys who specialize in corporate governance and cybersecurity. In explaining why the book came about, Trope told Legaltech News that "just a few years ago, cybersecurity due diligence was often ignored in M&A deals." 
He cited one 2015 survey of global dealmakers by an international law firm that found that 78 percent of the respondents indicated that cybersecurity was not analyzed in great depth or specifically quantified as part of the M&A due diligence process. "In the past two years, however, there has been a significant shift toward recognizing the importance of cybersecurity due diligence in the context of M&A transactions," he said. "Moreover, cybersecurity breaches have had a major impact on recent M&A transactions, further highlighting the need to address this important issue." Smedinghoff explained that, in the M&A process, cybersecurity due diligence is similar to due diligence of any other topic, such as finance. "It seeks to determine the state or status of cybersecurity preparedness of the target company," he told Legaltech News. He further highlighted some important questions that companies may want to address: * * * [ <strong>Polley </strong>: In a related vein, the Second Edition of the ABA's bestselling Cybersecurity Handbook will come out in early November; a must-read for anyone working in the field, including private-practice attorneys, in-house counsel, non-profit and government lawyers, and others. For more detail, visit the ABA store at <a href="http://bit.ly/2x7HNbJ" target="_blank">http://bit.ly/2x7HNbJ </a>. A limited number of pre-publication copies are available to the press; contact me for information.] 
<a href="">top </a> </p> <p> <a name="AuthorOfKey"> </a> <a href="https://arstechnica.com/tech-policy/2017/09/author-of-key-internet-freedom-law-opposes-new-sex-trafficking-bill/?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Author of key internet freedom law opposes new sex trafficking bill </strong> </a> (Ars Technica, 19 Sept 2017) - The United States Senate is moving toward passage of a bill that would-for the first time-water down a landmark 1996 law that shields website operators from lawsuits and state prosecution for user-generated content. And one of the authors of that 1996 law, Sen. Ron Wyden (D-Ore.), argued Tuesday that this would be a mistake. The <a href="https://www.congress.gov/bill/115th-congress/senate-bill/1693/cosponsors" > Stop Enabling Sex Trafficking Act </a> now has 28 co-sponsors, and the breadth of that support was evident at a Tuesday hearing before the Senate Commerce Committee. The legislation would allow state attorneys general to prosecute websites that are used to promote sex trafficking-something that's currently barred by Section 230 of the 1996 Communications Decency Act. It would also allow private lawsuits against sites that host sex trafficking ads. But Wyden argued at Tuesday's hearing that weakening Section 230 would be a mistake. In Wyden's view, Section 230 has been essential for establishing the United States as a global technology leader. It freed Internet startups from worrying about getting sued for hosting user-generated content, Wyden claimed. The section also allows startups to focus their resources on hiring developers and designers instead of lawyers. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="TheTenMost"> </a> <a href="http://blog.ericgoldman.org/archives/2017/09/new-essay-the-ten-most-important-section-230-rulings.htm" > <strong>The ten most important Section 230 rulings </strong> </a> (Eric Goldman, 26 Sept 2017) - I've posted a new essay entitled " <a href="https://ssrn.com/abstract=3025943"> The Ten Most Important Section 230 Rulings </a> ." It will be published in the Tulane Journal of Technology & Intellectual Property. Everyone loves lists and rankings, but this essay is more than just fluffy clickbait. Organizing Section 230 cases by importance actually creates a helpful narrative about the development of Section 230 jurisprudence and the ongoing dialogue between different judges and courts. I'm pretty sure you can guess what's #1 on the list (and we'll be throwing it a proper 20th birthday party-more on that soon), and maybe you can guess #2, but can you guess #3 or #4? Would you reorder my list? Would you subtract one of my top 10 and replace with something different? Wars have broken out over lesser controversies. As always, I'd love to hear your thoughts, and feel free to thrash out the debate in the comments, too. * * * <a href="">top </a> </p> <p> <a name="CyberAttackHurricane"> </a> <a href="http://www.reuters.com/article/us-fedex-results/cyber-attack-hurricane-weigh-on-fedex-quarterly-profit-idUSKCN1BU2RG" > <strong> Cyber attack, hurricane weigh on FedEx quarterly profit </strong> </a> (Reuters, 19 Sept 2017) - Package delivery company FedEx Corp ( <a href="http://www.reuters.com/finance/stocks/overview?symbol=FDX.N"> FDX.N </a> ) said on Tuesday a June cyber attack on its Dutch unit slashed $300 million from its quarterly profit, and the company lowered its full-year earnings forecast. 
The company said the cyber attack slashed 79 cents per share from its profit - nearly 40 times the 2 cents per share caused by deadly Hurricane Harvey, which brought catastrophic flooding to southeastern Texas. FedEx joins a string of companies that reported big drops in earnings due to the NotPetya virus, which hit on June 29, crippling Ukraine businesses before spreading worldwide to shut down shipping ports, factories and corporate offices. * * * Excluding the impact of the cyber attack and Hurricane Harvey, FedEx said it would have posted EPS of $3.32, above analysts' expectations. Most services of the Dutch TNT Express unit resumed during the quarter and systems had been restored, but TNT Express volume, revenue and profit still remained below pre-attack levels, the company said. FedEx did not have insurance in place that covered the impact from the cyber attack. <a href="">top </a> </p> <p> <a name="PatentVenue"> </a> <a href="https://patentlyo.com/patent/2017/09/patent-cyberspace-business.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+PatentlyO+%28Dennis+Crouch%27s+Patently-O%29" > <strong> Patent venue: Cyberspace does not expand place of business </strong> </a> (Patently-O, 21 Sept 2017) - Following the Supreme Court's decision in <em>TC Heartland </em>, the debate has moved to interpretation of the requirement that an infringement defendant have either <u>residence </u> or " <u>a regular and established place of business </u>" in the chosen venue. Any civil action for patent infringement may be brought in the judicial district where the defendant resides, or where the defendant has committed acts of infringement and has a regular and established place of business. 28 U.S.C. § 1400(b). In <em>Raytheon v. Cray </em>, the defendant is a Washington corporation with facilities in Austin and Houston - both of which are outside of the Eastern District of Texas. Still, E.D. 
Texas Judge Gilstrap found the company to fit within the regular and established place of business venue requirement based upon evidence that two Cray sales executives worked from home within the district - developing new sales and accounts worth ~ $350 million over the past 7 years. The execs received reimbursement for certain utilities and charges within the district and publicly advertised their "office" phone numbers within E.D. Texas. In the process of deciding its case, Judge Gilstrap also set forth an open four-factor test for finding a regular and established place of business: physical presence, defendant's representations, benefits received, and targeted interactions with the district. As a general matter, Judge Gilstrap's interpretation appears fairly broad, and on <em>writ of mandamus </em>, the Federal Circuit has rejected Gilstrap's analysis and directed that he transfer the case to a more appropriate venue. * * * <em> Important mandamus order narrowing patent venue. In re Cray (Fed. Cir. 2017) [ </em> <a href="http://www.cafc.uscourts.gov/sites/default/files/Cray_2017-129_9.21.17_ORDER.pdf" > <em>Read the Case </em> </a> <em>] </em> <a href="">top </a> </p> <p> <a name="DeloitteHit"> </a> <a href="https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails" > <strong> Deloitte hit by cyber-attack revealing clients' secret emails </strong> </a> (The Guardian, 25 Sept 2017) - One of the world's "big four" accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal. <a href="https://www.theguardian.com/business/deloitte">Deloitte </a>, which is registered in London and has its global headquarters in New York, was the victim of a cybersecurity attack that went unnoticed for months. 
One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world's biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies. The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte's clients have been told their information was "impacted" by the hack. Deloitte's internal review into the incident is ongoing. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016. [ <em>see also, </em> <a href="http://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/" > <strong> Deloitte breach affected all company email, admin accounts </strong> </a> (Krebs on Security 25 Sept 2017)] <a href="">top </a> </p> <p> - and - </p> <p> <a name="LawFirmInadvertently"> </a> <a href="http://ridethelightning.senseient.com/2017/09/law-firm-inadvertently-leaks-pepsi-client-secrets-to-wall-street-journal.html" > <strong> Law firm inadvertently leaks Pepsi client secrets to Wall Street Journal </strong> </a> (Ride the Lightning, 28 Sept 2017) - Doesn't it seem like we've heard the same story before with different players? Yes, once again we have an inadvertently misaddressed e-mail going to the last place you want it to go - to a reporter with The <em>Wall Street Journal </em>. 
<em>Corporate Counsel </em> carried the <a href="http://www.corpcounsel.com/id=1202799058944/Wilmer-Inadvertently-Leaks-Pepsi-Client-Secrets-to-Wall-Street-Journal" target="_blank" > story </a> , reporting that Wilmer, Cutler, Pickering, Hale and Dorr was caught up on September 27 <sup>th </sup> in an e-mail error that revealed secret U.S. Securities and Exchange Commission and internal investigations at PepsiCo, after a Wilmer lawyer accidentally sent a <em>Wall Street Journal </em> reporter privileged documents detailing a history of whistleblower claims at the company. The internal investigation revolves around PepsiCo's 2011 acquisition of the Russian drinks company Wimm-Bill-Dann and the departure of general counsel Maura Smith in 2012 following allegations of financial misreporting and other wrongdoing at PepsiCo. A subsequent SEC investigation into Smith's dismissal, and whether the company fired her in violation of whistleblower laws, is "at an early stage," <em>The Wall Street Journal </em>reported. The reporter learned details about the years-old internal investigation started by Smith and about the more recent SEC probe, for which Smith was subpoenaed. The information included an August 31 memo about Smith's subpoena and her contact with federal investigators that was "mistakenly sent by a WilmerHale attorney to a Wall Street Journal reporter as part of communication to other attorneys working on the matter," the report said. Wilmer's explanation and apology, sent from a spokesman, came less than three hours after the newspaper published its report. The law firm said it "inadvertently" leaked privileged information by e-mail, then asked the reporter to delete what he received. Wilmer accuses the newspaper of going back on its word to delete leaked documents. 
<a href="">top </a> </p> <p> - and - </p> <p> <a name="FBIinvestigating"> </a> <a href="http://www.worldtribune.com/fbi-investigating-hack-attack-on-law-firm-defending-top-target-of-chinese-regime/" > <strong> FBI investigating hack attack on law firm defending top target of Chinese regime </strong> </a> (World Tribune, 3 Oct 2017) - A law firm that was representing a major dissident who has exposed corruption at the highest realms of the Chinese Communist Party was targeted in a cyber attack, a report said. The FBI is investigating the alleged hacking this month at the Clark Hill law firm, which had been representing Guo Wengui, according to a report by Bill Gertz <a href="http://freebeacon.com/national-security/fbi-eyes-china-posting-hacked-documents-chinese-dissident/" > for the Washington Free Beacon </a> on Sept. 29. The cyber attack "disrupted Clark Hill's information systems for several days and appeared to have been carried out by sophisticated hackers who targeted Guo's personal information and the lawyer representing him," the report said. "Private cyber investigators later traced the cyber attack to China and South Korea," according to persons with knowledge of the FBI investigation cited by the report. <a href="">top </a> </p> <p> <a name="FCCproposes"> </a> <a href="https://www.fcc.gov/document/fcc-proposes-eliminate-requirement-keep-hard-copies-fcc-rules" > <strong> FCC proposes to eliminate requirement to keep hard copies of FCC rules </strong> </a> (FCC, 26 Sept 2017) - The Federal Communications Commission today issued a Notice of Proposed Rulemaking that proposes to eliminate rules requiring certain broadcast and cable entities to keep paper copies of FCC rules. More than forty years ago, the Commission adopted rules requiring low power TV, TV and FM translator, TV and FM booster stations, cable television relay station (CARS) licensees, and certain cable operators to maintain paper copies of Commission rules. 
These rules were intended to ensure that such entities could access and stay familiar with the rules governing their operations. Because the rules are now readily accessible online, many parties believe that the paper copy requirements are outdated and unnecessarily burdensome. While regulated entities still would be required to be familiar with the rules governing their services, elimination of the paper copy requirements would give them flexibility to determine how to fulfill that obligation. This rulemaking is part of the Modernization of Media Regulation Initiative that the FCC launched earlier this year to reduce unnecessary regulation that can stand in the way of competition and innovation in media markets. <a href="">top </a> </p> <p> <a name="BloombergLaw"> </a> <a href="https://www.lawsitesblog.com/2017/09/bloomberg-law-launches-ai-research-tool-find-key-points-law.html" > <strong> Bloomberg Law launches AI research tool to find key points of law </strong> </a> (Bob Ambrogi, 26 Sept 2017) - Bloomberg Law today rolled out to its subscribers a new tool, Points of Law, that uses artificial intelligence and machine learning to help legal researchers quickly find language critical to a court's reasoning and to support their legal arguments. As a researcher scrolls through a court opinion, Points of Law highlights the essential language in the opinion, making it easier for the researcher to browse through the key discussion points and enabling the researcher to more quickly get the gist of the key holdings. A pop-up shows the top three cases cited for the principle. The user can then select any of these Points of Law to see an expanded treatment that shows other cases that make the same point of law and a visual timeline and citation map of these other cases, as well as the ability to see and search related points of law. Each Point of Law has its own distinct page with these elements. 
"We are using machine learning and AI to extract the sense of a what a judge says in an opinion to allow for quicker and easier research and to uncover language that might be hard to find," Darby Green, commercial product director for Bloomberg Law Litigation Solutions, told me yesterday. Bloomberg says that it has extracted more than one million Points of Law from its database of 13 million published and unpublished state and federal court opinions, and that these Points of Law are being continually updated as new cases are added. In addition to getting to these Points of Law through a court opinion, a researcher can also find them by conducting keyword searches across all case law or specific jurisdictions. <a href="">top </a> </p> <p> - and - </p> <p> <a name="NewFromFastcase"> </a> <a href="https://www.lawsitesblog.com/2017/10/new-fastcase-instantly-add-public-hyperlinks-case-citations-legal-documents.html" > <strong> New from Fastcase: Instantly add public hyperlinks to case citations in legal documents </strong> </a> (Bob Ambrogi, 3 Oct 2017) - The legal research company <a href="https://www.fastcase.com/"> <strong>Fastcase </strong> </a> is introducing a new feature today, Cloud Linking, that automatically converts case citations in legal documents into hyperlinks to the full-text cases. Cloud Linking is notable because the links it creates are public and free - anyone can follow them regardless of whether they have a Fastcase account. While both LexisNexis and Westlaw also have tools that convert citations into hyperlinks, the person following their links must have a subscription to view the source material. "We're trying to make public law more public and useful - to move from a world in which law is scarce to one in which law is abundant," said Ed Walters, Fastcase cofounder and CEO. "Our team at Fastcase has always said that law should be like electric power: nearly ubiquitous, inexpensive, reliable, and useful for powering other things." 
To convert a document using Cloud Linking, you must be a Fastcase subscriber. In Fastcase 7, Cloud Linking now appears as an option on the top menu bar. In Fastcase 6, click Options in the top menu bar and then select Cloud Linking. <a href="">top </a> </p> <p> <a name="TheMediaReally"> </a> <strong> <a href="https://fivethirtyeight.com/features/the-media-really-has-neglected-puerto-rico/" > The media really has neglected Puerto Rico </a> </strong> (538, 28 Sept 2017) - While Puerto Rico suffers after Hurricane Maria, much of the U.S. media (FiveThirtyEight not excepted) has been occupied with other things: a <a href="http://www.cnn.com/2017/09/26/politics/health-care-republican-senate-vote/index.html" > health care bill </a> that failed to pass, a <a href="https://fivethirtyeight.com/features/the-republican-establishment-and-the-terrible-no-good-very-bad-day/" > primary election </a> in Alabama, and a spat between the president and sports players, just to name a few. Last Sunday alone, after President Trump's <a href="https://twitter.com/realDonaldTrump/status/911654184918880260"> tweets </a> <a href="https://twitter.com/realDonaldTrump/status/911655987857281024"> about </a> the NFL, the phrase "national anthem" was said in more sentences on TV news than "Puerto Rico" and "Hurricane Maria" combined. Those other stories are worth covering, of course. But compared to the other natural disasters of the past few weeks, Hurricane Maria has been relatively ignored. Data from Media Cloud, a database that collects news published on the internet every day, shows that the devastation in Puerto Rico is getting comparatively little attention. [ <strong>Polley </strong>: pretty interesting graphics; more interesting are the techniques employed.] 
<a href="">top </a> </p> <p> <a name="RestoringThose"> </a> <a href="https://www.nytimes.com/2017/09/29/business/media/tunesmap-liner-notes.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email&_r=0" > <strong>Restoring those old liner notes in music's digital era </strong> </a> (NYT, 29 Sept 2017) - Two decades into the era of online music, streaming has been hailed as the industry's savior, but a complaint from the earliest days of digital services persists: What happened to the liner notes? Much of the material that once accompanied an album has long since been stripped away - not just the lyrics and thank-you lists, but also essays, artwork and even basic details like songwriting credits - leaving listeners with little more on their screens to look at but a song title and a postage-stamp-size cover image. One company, <a href="http://tunesmap.com/">TunesMap </a>, wants to return much of that lost information, and more, through an interactive display that, when cued by a song playing on a streaming service, will present a feed of videos, photographs and links to related material. After a decade of development, TunesMap is scheduled to make its debut in November as an Apple TV app that will work with Sonos, the connected speaker system. The app is the brainchild of G. Marq Roswell, a Hollywood music supervisor who has worked with David Lynch and Denzel Washington. He bemoans the way early digital players and online music stores like iTunes removed all sense of music coming from a particular place and time. Working with <a href="http://www.billboard.com/articles/business/7825819/nigel-grainge-ensign-records-founder-exec-lucian-dead" > Nigel Grainge </a> , an influential record executive who died in June; Erik Loyer, an app developer and media artist; and Jon Blaufarb, an industry lawyer, Mr. Roswell in 2007 began to design what he calls an interactive "context engine." 
Stream a song on a Sonos speaker and, if TunesMap's app is also fired up on Apple TV, images and historical information related to the artist or a song's origins begin to float by. For a Bob Dylan song, the app shows vintage photographs of Greenwich Village, news clippings and links to related artists (like Martin Scorsese, who directed the Bob Dylan documentary "No Direction Home"). The goal is to present fans with a web of educational "rabbit holes" to explore. <a href="">top </a> </p> <p> - and - </p> <p> <a name="ElsevierLaunches"> </a> <a href="https://www.insidehighered.com/quicktakes/2017/10/03/elsevier-launches-encyclopedic-tool?utm_source=Inside+Higher+Ed&utm_campaign=47acf31ec2-DNU20171003&utm_medium=email&utm_term=0_1fcbc04421-47acf31ec2-197618481&mc_cid=47acf31ec2&mc_eid=012fe6c04" > <strong>Elsevier launches encyclopedic tool </strong> </a> (InsideHigherEd, 3 Oct 2017) - The publisher Elsevier has announced the launch of ScienceDirect Topics, an information platform that has been <a href="https://www.timeshighereducation.com/news/elsevier-launches-free-science-definitions-service" target="_blank" > compared to Wikipedia </a> . The tool, <a href="http://scitechconnect.elsevier.com/ScienceDirectTopicsLive/" target="_blank" > announced </a> last month, uses information from Elsevier books to generate "a quick snapshot of definitions, terms and excerpts on scientific topics." An Elsevier news release said the tool would save researchers time because they won't have to navigate away from Elsevier research articles to look up information outside their core discipline. "Previously, researchers would have had to leave the site, open up a search engine and spend time trying to find the right and trusted information. Not anymore. Our new technology enables researchers to access these foundational references and knowledge quickly, easily and at the point of need," said Sumita Singh, managing director of Elsevier Reference Solutions. 
<a href="">top </a> </p> <p> <a name="GoogleToDitch"> </a> <a href="https://www.theguardian.com/technology/2017/oct/02/google-to-ditch-controversial-first-click-free-policy?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Google to ditch controversial 'first click free' policy </strong> </a> (The Guardian, 2 Oct 2017) - Google is to abandon its controversial policy of forcing news providers to offer free articles in order to appear on its search engine as part of a collection of measures designed to support the growth of digital subscriptions. The US company will replace its so-called "first click free" policy, which requires publishers to offer three free articles a day before readers come across a pay wall. Instead Google will offer a flexible sampling model that allows news organisations to decide how many, if any, articles it offers for free. The "first click free" model has been described as "toxic" by publishers such as <a href="https://www.theguardian.com/media/axel-springer">Axel Springer </a> and Rupert Murdoch's News Corp. Google is making the move after feedback from publishers and readers and after tests with the New York Times and the <a href="https://www.theguardian.com/media/financialtimes"> Financial Times </a> . It is also a recognition of the growth of subscription services and the fact a "one size fits all" approach was not appropriate. As well as dropping "first click free", Google will make it easier for users to subscribe to services. For example, people will be able to subscribe to news providers with one click through Google's existing payment technology. 
<a href="">top </a> </p> <p> <a name="EquifaxIsReportedly"> </a> <strong> <a href="http://www.abajournal.com/news/article/equifax_is_reportedly_reviewing_actions_of_top_lawyer_who_oversaw_security/?utm_source=maestro&utm_medium=email&utm_campaign=weekly_email" > Equifax is reportedly reviewing actions of its top lawyer, who oversaw security and stock sales </a> </strong> (ABA Journal, 2 Oct 2017) - Equifax's board of directors is reportedly scrutinizing the actions of the company's chief legal officer, John Kelley, because of two of his duties-overseeing security and approving stock sales by executives. The Wall Street Journal (sub. req.) <a href="https://www.wsj.com/articles/at-the-center-of-the-equifax-mess-its-top-lawyer-1506873600" > has the story </a> , based on anonymous sources. Kelley had the responsibility to approve stock sales by senior executives, three of whom <a href="http://www.abajournal.com/news/article/class_action_is_filed_over_equifax_data_breach_information_website_has_arbi" > sold stock </a> worth about $1.8 million days after the company discovered the data breach on July 29, according to the Wall Street Journal. Equifax has said the executives were not aware of the breach when they sold stock. It's unknown when Kelley was told about the hack. Also, the company's former chief security officer reported to Kelley. The company wanted the chief legal officer to oversee cybersecurity rather than an executive who might be concerned about the allocation of money, the article explains. <a href="">top </a> </p> <p> <a name="GooglesNewGmail"> </a> <strong> <a href="http://www.zdnet.com/article/googles-new-gmail-security-if-youre-a-high-value-target-youll-use-physical-keys/" > Google's new Gmail security: If you're a high-value target, you'll use physical keys </a> </strong> (ZDnet, 2 Oct 2017) - Google will soon be offering an Advanced Protection Program to lock down the Gmail accounts of high-value targets. 
<a href="https://www.bloomberg.com/news/articles/2017-09-29/google-is-said-to-retool-user-security-in-wake-of-political-hack" target="_blank" > According to Bloomberg </a> , the new Gmail service will block third-party apps from accessing user data and introduces a replacement for two-factor authentication based on Google's USB Security Key. Google will begin offering the Advanced Protection Program next month, which will be marketed to "corporate executives, politicians and others with heightened security concerns". Bloomberg notes that the service builds on <a href="http://www.zdnet.com/article/google-takes-2fa-a-touch-further-with-security-key/" target="_blank" > USB Security Key, for which Google introduced software in 2014 </a> . Security Key is a physical USB key used in place of a code required for two-step verification. It's more secure because an attacker needs physical possession of the key to access an account they have credentials for. The USB key also cryptographically verifies the user is on a legitimate Google site and not a phishing site. G Suite <a href="https://security.googleblog.com/2017/02/better-and-more-usable-protection-from.html" target="_blank" > admins can force their users </a> to require the USB key for login. The Advanced Protection Program will require two keys to use the service, according to Bloomberg. 
<a href="">top </a> </p> <p> <a name="MoreThan80"> </a> <strong> <a href="https://motherboard.vice.com/en_us/article/43a5kg/80-percent-net-neutrality-comments-bots-astroturfing" > More than 80% of all net neutrality comments were sent by bots, researchers say </a> </strong> (Motherboard, 3 Oct 2017) - The Trump administration and its <a href="https://motherboard.vice.com/en_us/article/j5qzm8/democratic-lawmakers-blast-trumps-fcc-for-anti-consumer-agenda" > embattled FCC commissioner </a> are on <a href="https://motherboard.vice.com/en_us/article/4xk87d/net-neutrality-under-assault-trumps-fcc-votes-to-roll-back-open-internet-rules" > a mission to roll back </a> the pro-net neutrality rules approved during the Obama years, despite the fact that <a href="https://motherboard.vice.com/en_us/article/7x9kyg/most-americans-support-the-net-neutrality-rules-that-trumps-fcc-wants-to-kill" > most Americans support those safeguards </a> . But there is a large number of entities that do not: <a href="https://motherboard.vice.com/en_us/article/wnz8ey/big-telecom-is-ecstatic-about-trumps-new-fcc-boss-ajit-pai" > telecom companies </a> , their lobbyists, and hordes of bots. Of all the more than 22 million comments submitted to the FCC website and through the agency's API found that only 3,863,929 comments were "unique," <a href="https://www.gravwell.io/blog/discovering-truth-through-lies-on-the-internet-fcc-comments-analyzed" target="_blank" > according to a new analysis by Gravwell </a> , a data analytics company. The rest? A bunch of copy-pasted comments, most of them likely by automated astroturfing bots, almost all of them-curiously-against net neutrality. "Using our (admittedly) simple classification, over 95 percent of the organic comments are in favor of Title II regulation," Corey Thuen, the founder of Gravwell, told Motherboard in an email. 
This one was sent to the FCC 1.2 million times: <em> The unprecedented regulatory power the Obama Administration imposed on the internet is smothering innovation, damaging the American economy and obstructing job creation.\n\nI urge the Federal Communications Commission to end the bureaucratic regulatory overreach of the internet known as Title II and restore the bipartisan light-touch regulatory consensus that enabled the internet to flourish for more than 20 years.\n\nThe plan currently under consideration at the FCC to repeal Obama's Title II power grab is a positive step forward and will help to promote a truly free and open internet for everyone.\n </em> In case you are wondering, the "\n" strings as well as other weird symbols that might appear in other comments are alternative representations of certain special characters, or line breaks, according to Thuen. The comment above <a href="http://www.zdnet.com/article/a-bot-is-flooding-the-fccs-website-with-fake-anti-net-neutrality-comments/" target="_blank" > was already spotted as coming from bots in May </a> . (Gravwell <a href="https://docs.google.com/spreadsheets/d/1R5yiz7TFv3UYvI8L__pFAxi3ogHdIPtHmHx5ETbmTro/edit#gid=354083414" target="_blank" > published some of the data they crunched </a> in a spreadsheet in case you are curious.) <a href="">top </a> </p> <p> <a name="AppListening"> </a> <a href="http://blog.ericgoldman.org/archives/2017/10/app-listening-for-audio-beacons-may-be-illegal-wiretapping-rackemann-v-colts.htm" > <strong> App listening for audio beacons may be illegal wiretapping-Rackemann v. Colts </strong> </a> (Technology & Marketing Law Blog, 4 Oct 2017) - This is a lawsuit against the Colts and app developers, alleging that the Colts' app activates a device's microphone and temporarily records portions of audio, for advertising purposes. The app monitors the audio for "beacon tones" which are then used to deploy advertisements. 
The app is able to listen on command and while running in the background. The app's terms of service allegedly does not disclose the use of beacon technology or that it activates the microphone for the purposes of "listening in". It's unclear from the order precisely when the listening feature was activated. Plaintiff alleged that he downloaded the app from the Google Play store and used it to follow the Colts and as a result, the app listened in on his "private conversations". He sued on his own behalf and on behalf of a putative class. The various defendants (the Colts, app developers) moved to dismiss. The court denies the motions. * * * <a href="">top </a> </p> <p> <a name="SupremeCourt"> </a> <strong> <a href="https://arstechnica.com/tech-policy/2017/10/supreme-court-says-live-streaming-would-adversely-affect-oral-arguments/" > Supreme Court says live streaming would "adversely affect" oral arguments </a> </strong> (Ars Technica, 4 Oct 2017) - The Supreme Court is setting aside a request to live stream its oral arguments. The attorney for Chief Justice John Roberts Jr. told members of Congress that live streaming even the audio portion of its oral arguments might impact the outcome. "The Chief Justice appreciated and shares your ultimate goal of increasing public transparency and improving public understanding of the Supreme Court," Roberts' attorney, Jeffrey P. Minear, <a href="https://arstechnica.com/wp-content/uploads/2017/10/scotusletter.pdf" > wrote </a> (PDF) the four members of Congress <a href="https://connolly.house.gov/uploadedfiles/9292017_joint_letter_to_chief_justice_roberts_live_audio_gill_v_whitford.pdf" > seeking </a> (PDF) to have the court's gerrymandering case live streamed in audio. "I am sure you are, however, familiar with the Justices' concerns surrounding the live broadcast or streaming of oral arguments, which could adversely affect the character and quality of the dialogue between the attorneys and Justices. 
Consequently, the Court is unable to accommodate your request." For years, members of Congress and the public have been trying to get the high court to televise or to live stream the audio of their oral arguments, in a bid to make the court more transparent. The response has always been an affirmative "NO" out of fear that it could affect the proceedings. The court's oral arguments are open to the public, however, and the audio version of an oral argument is usually made publicly available on the Friday of the week that the case was argued. The court's opinions are also posted to its <a href="https://www.supremecourt.gov/">website </a> when the court releases them. In other ways, however, public access to the court has been stuck in the Dark Ages-such as when it comes to obtaining briefs submitted by parties to the court. The court does not make them available online. But it plans to do so for free <a href="https://www.supremecourt.gov/electronicfiling/"> beginning next month </a> . The lower federal courts started making their records available online nearly two decades ago using a paid system called <a href="https://www.pacer.gov/">PACER </a>. [ <strong>Polley </strong>: Why should the Supreme Court be different from other gov't entities?] <a href="">top </a> </p> <p> <a name="NewCIScybersecurity"> </a> <a href="http://ridethelightning.senseient.com/2017/10/new-cis-cybersecurity-guide-for-small-and-medium-businesses.html" > <strong> New CIS cybersecurity guide for small and medium businesses </strong> </a> (Ride The Lightning, 5 Oct 2017) - The Center for Internet Security (CIS) recently published <a href="https://www.cisecurity.org/white-papers/cis-controls-sme-guide/" target="_blank" > CIS Controls: Implementation Guide for Small- and Medium-Sized Enterprises </a> (SMEs). This guide contains a small sub-set of the CIS Controls specifically selected to help protect SMEs. 
The guide seeks to empower the owners of small and medium-sized enterprises to help them protect their businesses with a small number of high priority actions based on the CIS Controls - a comprehensive set of cybersecurity best practices developed by IT experts that address the most common threats and vulnerabilities. The guide is only 15 pages - well worth reading in conjunction with the NIST Cybersecurity Framework (covers businesses with up to 500 users) - and it mentions a number of free and low-priced tools. The CIS Controls discussed include: * * * <a href="">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="https://fpf.org/2017/09/26/law-enforcement-access-to-student-records-a-guide-for-school-administrators-ed-tech-service-providers/" > <strong> Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers </strong> </a> (Future of Privacy Forum, 26 Sept 2017) - Today, the Future of Privacy Forum released a new paper, <a href="https://fpf.org/2017/09/25/law-enforcement-access-to-student-records" > <em> Law Enforcement Access to Student Records: A Guide for School Administrators & Ed Tech Service Providers </em> </a> . With the repeal of the <a href="https://www.uscis.gov/daca2017" target="_blank"> Deferred Action for Childhood Arrivals (DACA) </a> program last month, it is important that schools - and the companies that serve them - understand their legal options and when they may be required to disclose student personal information to law enforcement. "The Federal Education Rights and Privacy Act (FERPA) broadly prohibits schools from disclosing student records without the written consent of the parent or student," said Amelia Vance, FPF Policy Counsel. 
"In this Guide, we highlight two key best practices when responding to federal requests for student data: 1) consult legal counsel to determine your obligations; and 2) carefully align the amount and types of data you collect about students to the programs and services you provide," said Vance. The Guide notes that some schools collect student immigration status or other data that can be used to imply immigration status. "If schools collect student immigration status data, it is considered part of the student record and is protected by FERPA," Vance said. The Guide explains that schools may only disclose this information with consent or in response to a valid court order or subpoena. In addition to the Guide, FPF has released an <a href="https://fpf.org/2017/09/25/law-enforcement-access-to-student-records" > accompanying blog </a> with a list of supplemental resources and articles. <a href="">top </a> </p> <p> <a href="http://journals.sagepub.com/doi/full/10.1177/2056305117733344"> <strong> Stop and Frisk Online: Theorizing Everyday Racism in Digital Policing in the Use of Social Media for Identification of Criminal Conduct and Associations </strong> </a> <strong> </strong> (Sage Journals, 28 Sept 2017) - Abstract: <strong> </strong> <em> Police are increasingly monitoring social media to build evidence for criminal indictments. In 2014, 103 alleged gang members residing in public housing in Harlem, New York, were arrested in what has been called "the largest gang bust in history." The arrests came after the New York Police Department (NYPD) spent 4 years monitoring the social media communication of these suspected gang members. In this article, we explore the implications of using social media for the identification of criminal activity. We describe everyday racism in digital policing as a burgeoning conceptual framework for understanding racialized social media surveillance by law enforcement. 
We discuss implications for law enforcement agencies utilizing social media data for intelligence and evidence in criminal cases. </em> <a href="">top </a> <a name="FUN"> </a> <h3> FUN </h3> </p> <p> <a href="http://mashable.com/2017/09/28/i-fought-the-law-photo-book/#y4BXHHZKlqqI" > <strong> I Fought The Law; A photo exploration of the most absurd American laws and legal legends </strong> </a> (Mashable, 28 Sept 2017) - It all started with one vague conversation. "One winter evening in 2012, a friend told me it was illegal to have an ice-cream cone in your back pocket," says photographer Olivia Locher. "Our conversation quickly moved on to a new topic but that statement stuck with me. After doing some research and learning of many other strange laws I knew I had a new project." That project transformed itself into Locher's new book, <a href="https://www.amazon.com/Fought-Law-Photographs-Olivia-Strangest/dp/1452156956" > <em>I Fought The Law </em> </a> , a photo examination of the absurd laws in American history. For the book, Locher figured out strange laws in each state in the U.S. and photographed each one being broken. <a href="">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <strong> <a href="http://www.mercurynews.com/2007/04/23/yahoo-strikes-deal-to-catalog-lyrics-online/" > Yahoo strikes deal to catalog lyrics online </a> </strong> (SiliconValley.com, 24 April 2007) -- Yahoo has teamed up with Gracenote, an Emeryville company, to offer what it is calling "the largest catalog of legal, licensed song lyrics" on the Web. "It fills a huge, gaping hole out there," said Ian Rogers, general manager of Yahoo Music. While there are plenty of Web sites offering lyrics, Gracenote is the first company to have gone through the painstaking process of negotiating deals with the thousands of publishers who own copyrights to the lyrics. 
The catalog offered by Yahoo will include lyrics of 400,000 songs owned by more than 10,000 publishers. About 9,000 artists are represented, ranging from classic names such as the Beatles and Bob Dylan to more recent stars like Radiohead and Beyonce. Craig Palmer, chief executive of Gracenote, said it took more than two years and nearly 100 deals to forge the legal framework behind the database. Gracenote then had to create standards for publishing lyrics on the Web and put together an automated system for compensating the songwriters. This can include as many as 10 writers on a single hip-hop song. "The copyrights, the database and the payments issues all had to be solved in order to bring this obvious service to market," Palmer said. Yahoo's song lyrics are supposed to be the official versions. Under the licensing agreement, Yahoo will share with copyright holders the revenue from the ads that will be displayed alongside the lyrics. Music publishers such as BMG Music Publishing, EMI Music Publishing, Sony/ATV Music Publishing, Universal Music Publishing Group and Warner/Chappell Music are contributing lyrics. <a href="">top </a> </p> <p> <a href="http://www.washingtonpost.com/wp-dyn/content/article/2007/11/27/AR2007112701657.html" > <strong>8.3 million Americans victims of id theft </strong> </a> (Washington Post, 27 Nov 2007) - Nearly 4 percent of American adults were victims of identity theft in 2005, but half of them did not incur any out-of-pocket expenses, the U.S. Federal Trade Commission said on Tuesday. An agency survey found identity information was stolen from 8.3 million U.S. adults and most commonly used to access or open accounts for credit cards, bank checking, telephone service, e-mail, and medical insurance. "In more than half of the incidents, victims incurred no out-of-pocket expenses," the FTC said in a statement. However, 10 percent of the victims reported out-of-pocket expenses of $1,200 or more, it said. 
The FTC survey also looked at the value of goods or services that thieves obtained using the victims' personal information. In half of all incidents, thieves obtained items or services worth $500 or less while in 10 percent of cases, thieves got at least $6,000. Some 37 percent of victims reported problems beyond their out-of-pocket expenses, the FTC said. They included being harassed by debt collectors, denied new credit or loans, unable to use existing credit cards, having utilities cut off, or having difficulty obtaining or accessing bank accounts. <a href="">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. 
Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="">top </a> </p>
<p> Posted 2017-09-16 by Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 27 August - 16 Sept 2017 (v20.13) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_27_august_16_sept_2017_v2013/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <ul> <li> <a href="#AnAttorneysEthical"> An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information </a> </li> <li> <a href="#VWengineer"> VW engineer sentenced to 40-month prison term in diesel case </a> </li> <li> <a href="#DespitePrivacyOutrage"> Despite privacy outrage, AccuWeather still shares precise location data with ad firms </a> </li> <li> <a href="#HowTheNSA">How the NSA identified Satoshi Nakamoto </a> </li> <li> <a href="#CyberCrimeNow">Cyber crime now targeting law firms </a> </li> <li> <a href="#MeetTheSometime"> Meet the sometime-streamer: TV watchers who sign up for one show - then cancel </a> </li> <li> <a href="#ATTexpandsFree"> AT&T expands free HBO to both its unlimited wireless plans </a> </li> <li> <a href="#ToTackleRobo"> To tackle robocalls from illegally spoofed numbers, FCC proposes whopping $82m fine </a> </li> <li> <a href="#WatchdogPressed"> Watchdog pressed to probe post-data breach services </a> </li> <li> <a href="#SixteenColleges">16 colleges, 1 law firm </a> </li> <li> <a href="#JusticeDeptImplores"> Justice Dept implores FCC to combat prison cellphone problem </a> </li> <li> <a href="#YouCanNow"> You can now download information from every congressional session since 1973 </a> </li> <li> <a 
href="#RussianElection"> Russian election hacking efforts, wider than previously known, draw little scrutiny </a> </li> <li> <a href="#HarvardProfessor"> Harvard professor tells students they should come to class </a> </li> <li> <a href="#MilitaryAppeals"> Military appeals court says demands to unlock phones may violate the Fifth Amendment </a> </li> <li> <a href="#AnotherStateAdopts"> Another state adopts duty of technology competence, bringing total to 28 </a> </li> <li> <a href="#GenderAnalytics"> Gender analytics: Using litigation data to evaluate law firm diversity </a> </li> <li> <a href="#NewsUseAcross"> News use across social media platforms 2017 </a> </li> <li> <a href="#EUministers"> EU ministers test responses in first computer war game </a> </li> <li> <a href="#VirginiaHalts"> Virginia halts use of voting machines considered vulnerable to hacking </a> </li> <li> <a href="#BigTech"> 'Big tech' companies such as Facebook are skating on thin ice </a> </li> <li> <a href="#TurksDetained"> Turks detained for using encrypted app 'had human rights breached' </a> </li> <li> <a href="#TeslaRemotely"> Tesla remotely extended the range of drivers in Florida for free... and that's NOT a good thing </a> </li> <li> <a href="#TheNextYik">The next Yik Yak? </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="AnAttorneysEthical"> </a> <a href="http://s3.amazonaws.com/documents.nycbar.org/files/2017-5_Border_Search_Opinion_PROETHICS_7.24.17.pdf" > <strong> An Attorney's Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients' Confidential Information </strong> </a> (Bar of the City of NY Formal Opinion 2017-5, July 2017) - Under the New York Rules of Professional Conduct (the "Rules"), a New York lawyer has certain ethical obligations when crossing the U.S. border with confidential client information. 
Before crossing the border, the Rules require a lawyer to take reasonable steps to avoid disclosing confidential information in the event a border agent seeks to search the attorney's electronic device. The "reasonableness" standard does not imply that particular protective measures must invariably be adopted in all circumstances to safeguard clients' confidential information; however, this opinion identifies measures that may satisfy the obligation to safeguard clients' confidences in this situation. Additionally, under Rule 1.6(b)(6), the lawyer may not disclose a client's confidential information in response to a claim of lawful authority unless doing so is "reasonably necessary" to comply with a border agent's claim of lawful authority. This includes first making reasonable efforts to assert the attorney-client privilege and to otherwise avert or limit the disclosure of confidential information. Finally, if the attorney discloses clients' confidential information to a third party during a border search, the attorney must inform affected clients about such disclosures pursuant to Rule 1.4. [ <strong>Polley </strong>: Spotted by MIRLN reader <a href="http://www.linkedin.com/in/tropelaw">Roland Trope </a> - @RolandTrope. <u>Very </u> interesting opinion, and should be influential well beyond NYC; contains a scary sentence: " <em> in many cases the attorney will entirely avoid carrying clients' confidential information in an electronic device </em> ", and footnotes the increasing possibility that the same issues may arise upon entry to <em>other </em> countries.] 
<a href="#TOP">top </a> </p> <p> <a name="VWengineer"> </a> <a href="http://www.reuters.com/article/us-volkswagen-emissions-sentencing/vw-engineer-sentenced-to-40-month-prison-term-in-diesel-case-idUSKCN1B51YP" > <strong> VW engineer sentenced to 40-month prison term in diesel case </strong> </a> (Reuters, 25 Aug 2017) - A federal judge in Detroit sentenced former engineer James Liang to 40 months in prison on Friday for his role in Volkswagen AG's multiyear scheme to sell diesel cars that generated more pollution than U.S. clean air rules allowed. U.S. District Court Judge Sean Cox also ordered Liang to pay a $200,000 fine, 10 times the amount sought by federal prosecutors. Cox said he hoped the prison sentence and fine would deter other auto industry engineers and executives from similar schemes to deceive regulators and consumers. Prosecutors last week recommended that Liang, 63, receive a three-year prison sentence, reflecting credit for his months of cooperation with the U.S. investigation of Volkswagen's diesel emissions fraud. Liang could have received a five-year prison term under federal sentencing guidelines. Liang's lawyers had asked for a sentence of home detention and community service. Volkswagen pleaded guilty in March to three felony charges under an agreement with prosecutors to resolve the U.S. criminal probe of the company itself. It agreed to spend as much as $25 billion in the United States to resolve claims from owners and regulators and offered to buy back about 500,000 vehicles. 
<a href="#TOP">top </a> </p> <p> <a name="DespitePrivacyOutrage"> </a> <a href="http://www.zdnet.com/article/accuweather-still-shares-precise-location-with-advertisers-tests-reveal/" > <strong> Despite privacy outrage, AccuWeather still shares precise location data with ad firms </strong> </a> (ZDnet, 25 Aug 2017) - AccuWeather is still sending precise geolocation data to a third-party advertiser, <em>ZDNet </em> can confirm, despite updating its app earlier this week to remove a feature that collected user's location data without their permission. In case you <a href="http://www.zdnet.com/article/accuweather-caught-sending-geo-location-data-even-when-denied-access/" target="_blank" > missed it </a> , AccuWeather was until this week sending the near-precise location of its iPhone app users to Reveal Mobile, a data monetization firm -- even when location sharing was switched off. Security researcher Will Strafach, who <a href="https://medium.com/@chronic_9612/advisory-accuweather-ios-app-sends-location-information-to-data-monetization-firm-83327c6a4870" target="_blank" > first reported the issue </a> , also accused the company of sharing a user's precise GPS coordinates under the guise of providing local weather alerts. The news sparked outrage and anger. AccuWeather responded with a forced apology, which <a href="https://daringfireball.net/2017/08/wading_through_accuweathers_bullshit_response" target="_blank" > one leading Apple critic John Gruber </a> called a "bulls**t response." However, tests conducted by Strafach show that the updated app, released Thursday, still shares precise geolocation data with a data monetization and advertising firm. ZDNet independently verified the findings. We found that AccuWeather was still, with location sharing enabled, sending precise GPS coordinates and altitude albeit to a different advertiser, without the user's explicit consent. 
That data can be used to pinpoint down to a few meters a person's location -- even which floor of a building they are on. <a href="#TOP">top </a> </p> <p> <a name="HowTheNSA"> </a> <a href="https://medium.com/@amuse/how-the-nsa-caught-satoshi-nakamoto-868affcef595" > <strong>How the NSA identified Satoshi Nakamoto </strong> </a> (Medium, 26 Aug 2017) - The 'creator' of Bitcoin, Satoshi Nakamoto, is the world's most elusive billionaire. Very few people outside of the Department of Homeland Security know Satoshi's real name. In fact, DHS will not publicly confirm that even THEY know the billionaire's identity. Satoshi has taken great care to keep his identity secret, employing the latest encryption and obfuscation methods in his communications. Despite these efforts (according to my source at the DHS) Satoshi Nakamoto gave investigators the only tool they needed to find him - <a href="http://online.wsj.com/public/resources/documents/finneynakamotoemails.pdf" target="_blank" > his own words </a> . Using <a href="https://en.wikipedia.org/wiki/Stylometry" target="_blank"> stylometry </a> one is able to compare texts to determine authorship of a particular work. Throughout the years Satoshi wrote thousands of posts and emails, most of which are publicly available. According to my source, the NSA was able to use the 'writer invariant' method of stylometry to compare Satoshi's 'known' writings with trillions of writing samples from people across the globe. By taking Satoshi's texts and finding the 50 most common words, the NSA was able to break down his text into 5,000 word chunks and analyse each to find the frequency of those 50 words. This would result in a unique 50-number identifier for each chunk. The NSA then placed each of these numbers into a 50-dimensional space and flattened them into a plane using principal components analysis. 
The result is a 'fingerprint' for anything written by Satoshi that could easily be compared to any other writing. The NSA then took bulk emails and texts collected from their mass surveillance efforts. First through <a href="https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29" target="_blank" > PRISM </a> (court-approved front-door access to Google and Yahoo user accounts) and then through <a href="https://en.wikipedia.org/wiki/MUSCULAR_%28surveillance_program%29" target="_blank" > MUSCULAR </a> (where the NSA copies the data flows across fiber-optic cables that carry information among the data centers of Google, Yahoo, Amazon, and Facebook) the NSA was able to place trillions of writings from more than a billion people in the same plane as Satoshi's writings to find his true identity. The effort took less than a month and resulted in a positive match. Why go to so much trouble to identify Satoshi? My source tells me that the Obama administration was concerned that Satoshi was an agent of Russia or China - that <a href="http://www.newsweek.com/2016/12/23/virtual-currencies-bitcoin-being-monitored-us-government-532063.html" target="_blank" > Bitcoin might be weaponized </a> against us in the future. Knowing the source would help the administration understand their motives. <a href="#TOP">top </a> </p> <p> <a name="CyberCrimeNow"> </a> <a href="http://www.lawjournalnewsletters.com/sites/lawjournalnewsletters/2017/08/01/cyber-crime-now-targeting-law-firms/" > <strong>Cyber crime now targeting law firms </strong> </a> (Law Journal Newsletters, August 2017) - Cyber attacks and theft are on the rise around the country, and law firms are becoming prime targets. Similar to healthcare providers, a law firm's data ( <em>i.e. </em>, client files) can be the gold standard. Unlike manufacturers, banks and retailers, law firms are unique organizations, which leaves them highly vulnerable. 
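The 'writer invariant' method summarized in the "How the NSA identified Satoshi Nakamoto" item above, as an added worked example. This is editor-supplied Python, not code from the Medium post or from any agency: each known text is cut into fixed-size chunks, every chunk becomes a vector of relative frequencies of the corpus-wide N most common words (the "50-number identifier"), and an unknown text is attributed to the author whose mean vector is nearest. Assumptions that are mine, not the article's: Euclidean distance in the full N-dimensional space (the article's PCA step only projects to a plane for plotting and is omitted), 500-word chunks instead of 5,000 so that the constructed corpora stay small, and three synthetic "authors" generated from a seeded word distribution in place of real writings.

```python
"""Writer-invariant stylometry: common-word frequency fingerprints.

Added example, not from the Medium post or MIRLN. Sample corpora are
constructed with a seeded generator; no real author's text is used.
"""
import math
import random
import re
from collections import Counter

WORD_RE = re.compile(r"[a-z']+")


def tokenize(text):
    """Lower-case word tokens; punctuation is discarded."""
    return WORD_RE.findall(text.lower())


def chunks(tokens, size):
    """Consecutive chunks of `size` words; a short tail is dropped so
    every fingerprint is computed over the same number of words."""
    return [tokens[i:i + size] for i in range(0, len(tokens) - size + 1, size)]


def common_words(corpora, n):
    """The n most frequent words across all known writings. Function
    words dominate this list, which is what makes it a style 'invariant'
    rather than a topic signal."""
    counts = Counter()
    for tokens in corpora:
        counts.update(tokens)
    return [w for w, _ in counts.most_common(n)]


def fingerprint(chunk, vocab):
    """Relative frequency of each vocabulary word in one chunk."""
    counts = Counter(chunk)
    total = len(chunk)
    return [counts[w] / total for w in vocab]


def mean_vector(vectors):
    dims = len(vectors[0])
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(dims)]


def distance(a, b):
    """Euclidean distance (an assumption of this example, not the article)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_profiles(known, n_words=50, chunk_size=500):
    """known: {author: text}. Returns (vocab, {author: mean fingerprint})."""
    tokenized = {a: tokenize(t) for a, t in known.items()}
    vocab = common_words(tokenized.values(), n_words)
    profiles = {}
    for author, tokens in tokenized.items():
        fps = [fingerprint(c, vocab) for c in chunks(tokens, chunk_size)]
        if not fps:
            raise ValueError(f"{author}: text shorter than one chunk")
        profiles[author] = mean_vector(fps)
    return vocab, profiles


def attribute(text, vocab, profiles, chunk_size=500):
    """Nearest-profile attribution. Returns (author, best_distance, margin).
    `margin` is the gap to the runner-up: a closed candidate set always
    yields *some* nearest author, so a small margin means the match is
    weak and must not be treated as an identification on its own."""
    tokens = tokenize(text)
    fps = [fingerprint(c, vocab) for c in chunks(tokens, chunk_size)]
    if not fps:
        raise ValueError("text shorter than one chunk")
    unknown = mean_vector(fps)
    ranked = sorted((distance(unknown, p), a) for a, p in profiles.items())
    best_d, best_a = ranked[0]
    margin = (ranked[1][0] - best_d) if len(ranked) > 1 else float("inf")
    return best_a, best_d, margin


# --- constructed sample corpora (hypothetical authors, seeded RNG) ----------
_VOCAB = ["the", "of", "and", "to", "a", "in", "that", "is", "was", "he",
          "for", "it", "with", "as", "his", "on", "be", "at", "by", "i",
          "this", "had", "not", "are", "but", "from", "or", "have", "an",
          "they", "which", "one", "you", "were", "her", "all", "she",
          "there", "would", "their", "we", "him", "been", "has", "when",
          "who", "will", "more", "no", "if", "money", "ledger", "block",
          "hash", "network", "node", "peer", "coin", "proof", "chain"]


def _synthetic_text(seed, favourites, n_words):
    """Words drawn from a shared vocabulary; `favourites` are four times
    as likely, giving each pretend author a distinct function-word habit."""
    rng = random.Random(seed)
    weights = [4.0 if w in favourites else 1.0 for w in _VOCAB]
    return " ".join(rng.choices(_VOCAB, weights=weights, k=n_words))


KNOWN_WRITINGS = {
    "alice": _synthetic_text(1, {"the", "of", "and", "which", "their"}, 3000),
    "bob": _synthetic_text(2, {"i", "you", "we", "but", "not"}, 3000),
    "carol": _synthetic_text(3, {"he", "she", "was", "her", "had"}, 3000),
}
# Unknown text drawn from bob's habit with a fresh seed.
UNKNOWN_TEXT = _synthetic_text(99, {"i", "you", "we", "but", "not"}, 1500)


def demo():
    vocab, profiles = build_profiles(KNOWN_WRITINGS, n_words=50, chunk_size=500)
    return attribute(UNKNOWN_TEXT, vocab, profiles, chunk_size=500)


if __name__ == "__main__":
    author, d, margin = demo()
    print(f"closest author: {author} (distance {d:.4f}, margin {margin:.4f})")
```

The margin returned by `attribute` is the caveat a practitioner should keep in view: nearest-neighbour attribution over a closed candidate set always produces a "match", so a result is only meaningful when the winner is clearly separated from the runner-up and the chunks are long enough for the frequencies to settle. The same mechanism is why deliberate style changes, short texts, and topic-specific words are the usual defences against this kind of deanonymization.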
* * * Once firms recognize they are targets, and all are, they must be proactive in addressing the situation. Where to start? A comprehensive cyber risk assessment is critical to structuring a strong, multi-pronged defense. Think enterprise risk management - not to mention ethical concerns if breached. The American Bar Association just re-visited the issue of cybersecurity as an ethical consideration for attorneys and sets out some limited guidance. (See the ABA's <a href="https://www.americanbar.org/groups/leadership/office_of_the_president/cybersecurity.html" target="_blank" > <strong>Cybersecurity Legal Task Force </strong> </a> .) An assessment becomes the guide to building a robust cybersecurity defense for any law firm. However, once a firm's security is implemented and verified, the process cannot stop there. Just like malpractice insurance, cybersecurity insurance is a must these days. For many firms, a breach exposing large amounts of clients' private information can quickly escalate into a bet-the-firm proposition to survive. The average cost for responding to a breach is approximately $221 per client. Do the math. And that does not even begin to address a firm's costs to re-secure their network, public relations expenses, lost income, and the likely lawsuits from unhappy clients. * * * [ <strong>Polley </strong>: Nice to see the reference to the ABA's Task Force, which I'm co-chairing with Ruth Bro. Otherwise, the story is unremarkable.] <a href="#TOP">top </a> </p> <p> <a name="MeetTheSometime"> </a> <a href="https://www.washingtonpost.com/news/the-switch/wp/2017/08/28/meet-the-sometime-streamer-tv-watchers-who-sign-up-for-one-show-then-cancel/?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid&utm_term=.e41df1b8b84a" > <strong> Meet the sometime-streamer: TV watchers who sign up for one show - then cancel </strong> </a> (WaPo. 
28 Aug 2017) - Winter has finally come for "Game of Thrones," whose latest season finale, which aired Sunday, left the land of Westeros in as deep a crisis as it's seen in thousands of years. But with the HBO fantasy series now on hiatus until at least the end of 2018, some viewers say they're taking a break from HBO entirely - highlighting a challenge facing many entertainment companies in an era of constant stimulation and on-demand digital services. Colleen Morrison, a "Game of Thrones" fan in New Jersey, signed up for HBO's online streaming app in June. Now, Morrison says, it's going to be an easy decision to cancel her subscription this week after she re-watches the season finale a second time. "I didn't mind paying the $15 each month because it's the kind of show where I wanted an immediate viewing to avoid spoilers, but I'm also not interested in keeping the service since I'm not invested in anything else," she said. Morrison is part of a small but savvy crowd of consumers who know exactly what they want out of their TV experience. Cost-conscious and empowered by the Internet's convenience-at-a-click mentality, these consumers take advantage of free trials, no-contract commitments and the media industry's own struggle in the face of technological change to help guard their wallets. Ignoring the barrage of in-house teasers and promos for other related content, these viewers resist the siren song of TV networks that, more than ever, are being forced to battle one another for attention dominance. An abundance of high-quality television shows from Netflix, Hulu and old-school cable programmers like AMC, HBO and Showtime are helping some consumers become more discerning in their tastes - and less loyal. Abandoning one series or channel for another has never been more convenient or less risky, particularly when many cable channels offer streaming apps directly to the public instead of through cable companies or other traditional TV providers. 
"In a world where you can turn anything on and off whenever you want, you're always fighting for my wallet," said Rich Greenfield, a media analyst at BTIG. "I can cancel Hulu or Sling TV or HBO or DirecTV Now - any of these things have become 'point at a button and click.'" <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="ATTexpandsFree"> </a> <a href="https://techcrunch.com/2017/09/12/att-expands-free-hbo-to-both-its-unlimited-wireless-plans/?ncid=rss" > <strong> AT&T expands free HBO to both its unlimited wireless plans </strong> </a> (TechCrunch, 12 Sept 2017) - AT&T <a href="http://about.att.com/newsroom/att_unlimited_choice_hbo.html" target="_blank" > announced </a> this morning it's adding free HBO to all customers on its unlimited wireless plans, including both Unlimited Plus and Unlimited Choice. The carrier in April had <a href="https://techcrunch.com/2017/04/05/atts-unlimited-plus-wireless-plan-now-includes-free-hbo/" target="_blank" > offered free HBO only to those on Unlimited Plus </a> - its premium tier - but today's move brings the network to the Unlimited Choice plan as well. Currently, AT&T's Unlimited Choice plan offers unlimited data, talk and text for $60 per month, or 4 lines for under $40 per line. The option will become available to both new and existing AT&T Unlimited Choice customers starting on Friday, September 15th, says AT&T. As before when it rolled out free HBO to Unlimited Plus customers, AT&T is also sweetening this new deal by offering a $25 monthly video credit for Unlimited Choice customers that can be used towards any applicable AT&T video service, including its streaming service for cord cutters, DirecTV Now, as well as DirecTV and U-Verse TV. With the $25 credit, that means AT&T customers can basically add on over-the-top streaming TV for $10 per month, as DirecTV Now's plans begin at $35 per month. The fine print, however, notes that the credit starts within three billing cycles, so don't expect it right away. 
Customers with an existing AT&T video service will have HBO added for no extra charge to their existing plan, while current HBO subscribers will just no longer have to pay, the announcement explains. For those who don't subscribe to HBO through an AT&T video service, they'll be able to access HBO through the DirecTV Now and HBO GO applications. <a href="#TOP">top </a> </p> <p> <a name="ToTackleRobo"> </a> <a href="http://www.commlawblog.com/2017/08/articles/enforcement-activities-fines-forfeitures-etc/hello-from-the-other-side-i-must-have-called-21-million-times-to-tackle-robocalls-from-illegally-spoofed-numbers-fcc-proposes-whopping-82m-fine/" > <strong> To tackle robocalls from illegally spoofed numbers, FCC proposes whopping $82m fine </strong> </a> (CommLawBlog, 29 Aug 2017) - Earlier this month, in its war against illegal robocalling campaigns the Federal Communications Commission (FCC) <a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0804/FCC-17-107A1.pdf" > proposed another hefty fine </a> . That is, a fine of 82 million dollars. The target of the FCC's wrath? Mr. Philip Roesel, who wasn't just calling a la <a href="https://www.youtube.com/watch?v=YQHsXMglC9A">Adele style </a>. Instead, Mr. Roesel is accused of both illegal robocalling in violation of the Telephone Consumer Protection Act (TCPA) (for a refresher on the TCPA and robocalls, <a href="http://www.commlawblog.com/tags/robocalls/">take a look here </a>) and illegal spoofing, which the FCC claims violated the Truth in Caller ID Act of 2009 (TCIA). For his 21 million illegal robocalls, Mr. Roesel received merely a <a href="http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0804/DA-17-662A1.pdf" > sternly worded citation from the FCC </a> (more on why later). 
Following a recent trend, the FCC's massive $82 million fine proposed against Roesel relied primarily on the TCIA's prohibition against the transmission of misleading or inaccurate caller ID information, commonly referred to as spoofing, "with the intent to defraud, cause harm or wrongfully obtain anything of value." What's unique about this proposed fine is two-fold. First, the monetary value of the fine itself is one to write home about. While it doesn't match the record $120 million <a href="https://apps.fcc.gov/edocs_public/attachmatch/FCC-17-80A1.pdf"> fine issued earlier this year </a> in another TCIA case, $82 million isn't chump change. As with past TCIA penalties, the FCC set the base fine for each spoofed call at $1,000, which quickly adds up when there are millions of calls being made each month - though the FCC calculated the proposed fine on only the 82,000 calls verified to have come from spoofed numbers. Second, this fine is yet another instance where the TCIA has been used by the FCC to issue a penalty against illegal robocallers. It's a trend that the FCC started not too long ago but is likely to continue into the future for several reasons. 
[ <strong>Polley </strong>: <em>see also </em> <a href="http://www.latimes.com/business/lazarus/la-fi-lazarus-robocalls-fcc-task-force-20170901-story.html?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong> Phone industry turns to James Bond for answer to robocall villainy </strong> </a> (LA Times, 1 Sept 2017)] <a href="#TOP">top </a> </p> <p> <a name="WatchdogPressed"> </a> <a href="http://thehill.com/policy/cybersecurity/348605-watchdog-pressed-to-probe-post-breach-services" > <strong>Watchdog pressed to probe post-data breach services </strong> </a> (The Hill, 30 Aug 2017) - Democratic members of the House Energy and Commerce Committee are pressing a government watchdog to further investigate whether existing credit monitoring services do enough to protect consumers affected by data breaches. The Government Accountability Office (GAO) released <a href="https://www.gao.gov/products/GAO-17-254">a report </a> in March on identity theft services offered by the federal government and private companies to consumers who have had their information exposed. While the watchdog concluded that services like credit monitoring offer some benefits, auditors said that they are "limited" in preventing some types of fraud. Democratic Reps. Frank Pallone Jr. (N.J.), Diana DeGette (Colo.) and Jan Schakowsky (Ill.) are now asking the GAO to explore a number of questions raised by the audit, including looking into whether certain credit monitoring services are more effective than others. They also want the watchdog to examine additional options that aren't currently used by private or public companies to protect consumers in the wake of breaches and to divulge "the recent trends in breaches or information theft." 
<a href="#TOP">top </a> </p> <p> <a name="SixteenColleges"> </a> <a href="https://www.insidehighered.com/news/2017/08/31/unusual-collaboration-16-southern-liberal-arts-colleges-share-law-firm?utm_source=Inside+Higher+Ed&utm_campaign=61409a9a91-DNU20170831&utm_medium=email&utm_term=0_1fcbc04421-61409a9a91-197618481&mc_ci" > <strong>16 colleges, 1 law firm </strong> </a> (InsideHigherEd, 31 Aug 2017) - Collaboration is hard -- so much so that while a majority of campus business officials think their college or university <em>should </em> share back-office functions with other institutions, fewer than one in four say their leaders have seriously considered doing so, according to <em>Inside Higher Ed </em>'s <a href="https://www.insidehighered.com/news/survey/survey-finds-business-officers-increasingly-considering-more-painful-options" target="_blank" > recent survey of business officers </a> . The Associated Colleges of the South is a well-established consortium of 16 private liberal arts colleges that have a history of working together on international programs, teaching workshops and digital learning initiatives, as well as some joint purchasing agreements. But in an environment that the group's leader, R. Owen Williams, believes increasingly requires the colleges to drive down their internal costs (and hence their tuition prices), the coalition is taking collaboration to a new level: a seemingly unprecedented agreement for the 16 independent ACS colleges to share one national law firm, Steptoe & Johnson PLLC, based in West Virginia. Under the arrangement, in which the members are expected to participate to varying degrees, the colleges will continue to use their in-house legal teams (which half of them have) and local law firms for legal work involving the nuances of state law and transactions such as zoning or real estate. 
But Steptoe will offer both preventative educational advice designed to help keep the 16 colleges out of legal trouble, by better navigating the increasingly complex regulatory environment they face, and project-based legal services at a sharply reduced rate on issues such as federal regulatory compliance, academic freedom, domestic and international admissions, and nonprofit governance. <a href="#TOP">top </a> </p> <p> <a name="JusticeDeptImplores"> </a> <a href="http://hosted.ap.org/dynamic/stories/A/APFN_US_PRISONS_CELLPHONES_SCOL-?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2017-08-31-12-20-45" > <strong> Justice Dept implores FCC to combat prison cellphone problem </strong> </a> (AP, 31 Aug 2017) - The U.S. Department of Justice is pressing federal regulators to come up with a way of keeping inmates from using cellphones in the nation's prisons. In a letter obtained Thursday by The Associated Press, Assistant Attorney General Beth Williams told the Federal Communications Commission that addressing the security threat posed by contraband cellphones "should be a chief priority" of both the FCC and Justice, which oversees the federal Bureau of Prisons. The letter follows an appeal from South Carolina's prisons director to Attorney General Jeff Sessions in June, beseeching the top prosecutor for help pursuing FCC permission to jam cell signals of the phones, which are thrown over fences, smuggled by errant employees, even delivered by drone. A decades-old law says federal officials can grant permission to jam the public airwaves only to federal agencies, not state or local ones. Telecommunications companies are opposed, saying jamming cell signals could set a bad precedent and interfere with legal cell users nearby. 
<a href="#TOP">top </a> </p> <p> <a name="YouCanNow"> </a> <a href="https://motherboard.vice.com/en_us/article/vbbn3b/you-can-now-download-information-from-every-congressional-session-since-1973-with-propublicas-new-tool?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid" > <strong> You can now download information from every congressional session since 1973 </strong> </a> (Motherboard, 31 Aug 2017) - Since 2009, developers have been able to use the ProPublica <a href="https://projects.propublica.org/api-docs/congress-api/" target="_blank" > Congress API </a> (first developed by <a href="https://open.blogs.nytimes.com/2009/01/08/introducing-the-congress-api/" target="_blank" > <em>The New York Times </em> </a> ) to retrieve data about the thousands of bills introduced during every two-year session in the House of Representatives. Until now though, you had to download each piece of information separately, and you needed to know how to write API calls. For example, if you wanted to discover who sponsored a bill and also how members of Congress voted on it, you would need to download those pieces of data individually, and know how to call for them in the software code. That's no longer the case. Wednesday, ProPublica announced that you can now download all the information about all of the bills in each legislative session using its new <a href="https://www.propublica.org/datastore/dataset/congressional-data-bulk-legislation-bills" target="_blank" > bulk bill data set </a> . You can get all of the data for free in the ProPublica data <a href="https://www.propublica.org/datastore/" target="_blank">store. </a> There's also a data dictionary that can be used to decipher the bills <a href="https://github.com/unitedstates/congress/wiki/bills" target="_blank" > here </a> , and you can download them in either JSON or XML formats. Two times a day, ProPublica will generate a single zip file containing metadata for every bill introduced in the current congress. 
That way, if you're interested in learning about legislation currently being considered, you'll be able to get info about it quickly. The tool also lets you download archived sessions-dating back to 1973. Want to know how the war on drugs progressed through the 1980s, and how each member of Congress voted on related legislation? No problem, just download the bulk data for the corresponding time period, and start poking around. ProPublica hopes the new data will "be useful to researchers, journalists and any other citizen trying to better understand our country's legislature," Jeremy B. Merrill, a news apps developer at the organization, wrote in a post announcing the new tool. <a href="#TOP">top </a> </p> <p> <a name="RussianElection"> </a> <a href="https://www.nytimes.com/2017/09/01/us/politics/russia-election-hacking.html?_r=0" > <strong> Russian election hacking efforts, wider than previously known, draw little scrutiny </strong> </a> (NYT, 1 Sept 2017) - The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November. Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours. Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state. The problems involved <a href="http://www.ncsl.org/research/elections-and-campaigns/electronic-pollbooks.aspx" > electronic poll books </a> - tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters' identities and registration status. 
She knew that the company that provided Durham's software, VR Systems, had been penetrated by Russian hackers months before. "It felt like tampering, or some kind of cyberattack," Ms. Greenhalgh said about the voting troubles in Durham. There are plenty of other reasons for such breakdowns - local officials blamed human error and software malfunctions - and no clear-cut evidence of digital sabotage has emerged, much less a Russian role in it. Despite the disruptions, a record number of votes were cast in Durham, following a pattern there of overwhelming support for Democratic presidential candidates, this time <a href="http://www.nytimes.com/topic/person/hillary-rodham-clinton?inline=nyt-per" title="More articles about Hillary Clinton." > Hillary Clinton </a> . But months later, for Ms. Greenhalgh, other election security experts and some state officials, questions still linger about what happened that day in Durham as well as other counties in North Carolina, Virginia, Georgia and Arizona. After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists. The assaults on the vast back-end election apparatus - voter-registration operations, state and local election databases, e-poll books and other equipment - have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic emails and spreading of false or damaging information about Mrs. Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed, The New York Times found. 
Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies. <a href="https://www.dni.gov/files/documents/ICA_2017_01.pdf"> Intelligence officials </a> in January reassured Americans that there was no indication that Russian hackers had altered the vote count on Election Day, the bottom-line outcome. But the assurances stopped there. Government officials said that they intentionally did not address the security of the back-end election systems, whose disruption could prevent voters from even casting ballots. That's partly because states control elections; they have fewer resources than the federal government but have long been loath to allow even cursory federal intrusions into the voting process. * * * <a href="#TOP">top </a> </p> <p> <a name="HarvardProfessor"> </a> <a href="https://www.insidehighered.com/news/2017/09/05/professor-who-teaches-harvards-largest-class-says-students-should-show?utm_source=Inside+Higher+Ed&utm_campaign=6ba820df5e-DNU20170905&utm_medium=email&utm_term=0_1fcbc04421-6ba820df5e-197618481&mc_ci" > <strong> Harvard professor tells students they should come to class </strong> </a> (InsideHigherEd, 5 Sept 2017) - This year's <a href="https://docs.google.com/document/d/1NGtWHikRGMWMDpAsB41l7nuWHjnJ_G4-BDp1asK6xaE/edit" target="_blank" > FAQ </a> for CS50, Harvard University's largest course, featured this statement: "Unlike last year, students are encouraged to attend all lectures in person this year." Encouraging the 800-plus students enrolled in the introductory computer programming course may sound typical. 
But it's a reversal for the course, which is regularly described as one of the most popular and rigorous at Harvard, and <a href="https://www.eschoolnews.com/2017/01/26/effective-teaching-harvard/" target="_blank" > a model of effective teaching </a> . Last year David J. Malan, the Gordon McKay Professor of the Practice of Computer Science, made attending lectures optional. In a very public version of flipping the classroom, Malan said it would be fine for students to watch videos that are made of each lecture. In <a href="https://medium.com/@cs50/this-shall-be-cs50-2016-faed96945f81" target="_blank" > an essay a year ago </a> , Malan wrote that he was requiring students to attend only the first and last lectures of the course. And he questioned the value of saying everyone should attend every lecture. * * * In an email to Inside Higher Ed, Malan said that there was no decline in learning outcomes in the course, even as the number of students who attended lectures in person was not as high as in past years. Malan also said that he realizes there will still be students who have scheduling conflicts with other courses such that they may rely on the recordings, which will be produced live this year. And other students may benefit from watching the recordings after attending the lectures in person. So why revert to telling students they are expected in class? "Enough former students reported that something was missing, not just the students themselves but the energy of an audience, that we decided to bring [encouraging students to attend] live lectures back this fall," Malan said. One of Harvard's satire websites has suggested that -- following Malan's shift -- another course should do the opposite. 
<a href="#TOP">top </a> </p> <p> <a name="MilitaryAppeals"> </a> <a href="https://www.techdirt.com/articles/20170906/10062338156/military-appeals-court-says-demands-to-unlock-phones-may-violate-fifth-amendment.shtml" > <strong> Military appeals court says demands to unlock phones may violate the Fifth Amendment </strong> </a> (TechDirt, 6 Sept 2017) - A <a href="https://assets.documentcloud.org/documents/3987398/Caaf-5th.pdf" target="_blank" > decision </a> [PDF] handed down by the appeals court presiding over military cases <em>almost </em> affirms <a href="https://www.techdirt.com/articles/20170503/15582137298/miami-judge-says-compelling-password-production-isnt-fifth-amendment-issue.shtml" target="_blank" > Fifth Amendment protections </a> against being forced to unlock devices and/or hand over passwords. Almost. The CAAF (Court of Appeals for the Armed Forces) doesn't quite connect the final dot, but does at least discuss the issue, rather than dismiss the Fifth Amendment question out of hand. (h/t <a href="http://fourthamendment.com/?p=28915" target="_blank"> FourthAmendment.com </a> ) The case stems from a harassment case against a soldier who violated (apparently repeatedly) a no-contact order separating him from his wife. After being taken into custody, Sgt. Edward Mitchell demanded to speak to a lawyer. Rather than provide him with a lawyer, investigators asked him to unlock his phone instead. * * * <a href="#TOP">top </a> </p> <p> <a name="AnotherStateAdopts"> </a> <a href="https://www.lawsitesblog.com/2017/09/another-state-adopts-duty-technology-competence-bringing-total-28.html" > <strong> Another state adopts duty of technology competence, bringing total to 28 </strong> </a> (Bob Ambrogi, 6 Sept 2017) - In my continuing effort to keep a tally of the states that have adopted the duty of technology competence, I've discovered another, Nebraska, which brings the total to 28 states. The Nebraska Supreme Court adopted the amendment on June 28, 2017. 
It amends comment 6 to Nebraska Rule of Professional Conduct § 3-501.1 - the corollary to ABA Model Rule 1.1 on competence - to read as follows: "To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, <em>including the benefits and risks associated with relevant technology </em>, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject." The italicized phrase is the same as the language that the ABA recommended in 2012 when it approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. <a href="#TOP">top </a> </p> <p> <a name="GenderAnalytics"> </a> <a href="https://patentlyo.com/patent/2017/09/analytics-litigation-diversity.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+PatentlyO+%28Dennis+Crouch%27s+Patently-O%29" > <strong> Gender analytics: Using litigation data to evaluate law firm diversity </strong> </a> (PatentlyO, 6 Sept 2017) - More women are entering the legal profession than ever - women now make up about <a href="https://www.americanbar.org/content/dam/aba/administrative/market_research/lawyer-demographics-tables-2016.authcheckdam.pdf" > half of all law students and 36% of all licensed attorneys </a> - but these ratios are not reflected at the highest levels of firm positions. Judges anecdotally <a href="https://www.nytimes.com/2017/08/08/opinion/female-lawyers-women-judges.html?mcubz=1" > report that women rarely </a> act as lead counsel in litigation, and the percentage of female partners <a href="http://www.nalp.org/uploads/Membership/2016NALPReportonDiversityinUSLawFirms.pdf" > at firms hovers around 22% </a> . Corporate clients are aware of the gender imbalance and actively seek out firms that reflect their own commitment to gender diversity. 
Clients now regularly request firm diversity statistics as part of law firm pitches, putting pressure on firms to support female attorneys at the highest ranks. Law firms typically measure diversity by tracking headcount; the number of male and female associates and partners in their ranks. These metrics can ignore the often more meaningful metric of how often female attorneys actually appear in court-room litigation. Modern legal analytics can play an important role in increasing transparency in law firm gender diversity. Traditional legal analytics show how often parties or law firms win cases, or the likelihood of winning legal relief in front of a particular judge. However, they can also be used to rank and analyze more general litigation trends, including gender diversity. To identify firms with the most balanced male-female attorney ratio, Docket Alarm scours the litigation record, looking at the names of attorneys and their law firm. The gender of each attorney in a case is identified based on the attorney's first name and other factors. The result is that we can now measure firm gender diversity based on attorneys actually staffed on cases, <em>i.e. </em>, those that most substantively participate in litigation, not just by firm head-count. The analysis began with the Patent Trial and Appeal Board ("PTAB"), a specialized court focused on patent validity. The analysis shows that patent litigation is dominated by male attorneys. Of the top 100 law firms, 55 have less than 10% female attorneys on cases, and 8 firms have never had a single female attorney work on their PTAB AIA-Trial cases. On average, attorney appearances are only 12% female. When representing patent owners, the percentage of female attorneys drops further to 9.8%. 
* * * <a href="#TOP">top </a> </p> <p> <a name="NewsUseAcross"> </a> <a href="http://www.journalism.org/2017/09/07/news-use-across-social-media-platforms-2017/" > <strong>News use across social media platforms 2017 </strong> </a> (Pew, 7 Sept 2017) - As of August 2017, two-thirds (67%) of Americans report that they get at least some of their news on social media - with two-in-ten doing so often, according to a new survey from Pew Research Center. This is a modest increase since early 2016, when (during the height of the presidential primaries) 62% of U.S. adults reported getting news from social media. While a small increase overall, this growth is driven by more substantial increases among Americans who are older, less educated, and nonwhite. This study is based on a survey conducted August 8-21, 2017, with 4,971 U.S. adults who are members of Pew Research Center's nationally representative American Trends Panel. For the first time in the Center's surveys, more than half (55%) of Americans ages 50 or older report getting news on social media sites. That is 10 percentage points higher than the 45% who said so in 2016. Those under 50, meanwhile, remain more likely than their elders to get news from these sites (78% do, unchanged from 2016). Furthermore, about three-quarters of nonwhites (74%) get news on social media sites, up from 64% in 2016. This growth means that nonwhites are now more likely than whites to get news while on social media. And social media news use also increased among those with less than a bachelor's degree, up nine percentage points from 60% in 2016 to 69% in 2017. Alternatively, among those with at least a college degree, social media news use declined slightly. 
<a href="#TOP">top </a> </p> <p> <a name="EUministers"> </a> <a href="http://www.reuters.com/article/us-eu-defence-cyber/cyber-alert-eu-ministers-test-responses-in-first-computer-war-game-idUSKCN1BI0HR" > <strong>EU ministers test responses in first computer war game </strong> </a> (Reuters, 7 Sept 2017) - European Union defense ministers tested their ability to respond to a potential attack by computer hackers in their first cyber war game on Thursday, based on a simulated attack on one of the bloc's military missions abroad. In the simulation, hackers sabotaged the EU's naval mission in the Mediterranean and launched a campaign on social media to discredit the EU operations and provoke protests. Each of the defense ministers tried to contain the crisis over the course of the 90-minute, closed-door exercise in Tallinn that officials sought to make real by creating mock news videos giving updates on an escalating situation. * * * NATO last year recognized cyberspace as a domain of warfare and said it justified activating the alliance's collective defense clause. The European Union has broadened its information-sharing between governments and is expected to present a new cyber defense plan. The EU exercise made ministers consider how to work more closely with NATO, whose Secretary-General Jens Stoltenberg was there as an observer, diplomats present said. "Over the last year, we saw a 60 percent increase in the number of cyber attacks against NATO networks," Stoltenberg told reporters. "A timely exchange of information (with the EU) is key to responding to any cyber attacks." 
<a href="#TOP">top </a> </p> <p> <a name="VirginiaHalts"> </a> <a href="http://www.reuters.com/article/us-usa-cyber-election-virginia/virginia-halts-use-of-voting-machines-considered-vulnerable-to-hacking-idUSKCN1BJ2PY" > <strong> Virginia halts use of voting machines considered vulnerable to hacking </strong> </a> (Reuters, 8 Sept 2017) - Virginia on Friday agreed to stop using paperless touchscreen voting machines that had been flagged by cyber security experts as potentially vulnerable to hackers and lacking sufficient vote auditing capabilities. The action represented one of the most concrete steps taken by a U.S. state to bolster the cyber security of election systems since the 2016 presidential race, when U.S. intelligence agencies say Russia waged a digital influence campaign to help President Donald Trump win. Virginia's board of elections voted to accept a recommendation from its state election director, Edgardo Cortes, to decertify so-called direct-recording electronic machines, which count votes digitally and do not produce paper trails that can be checked against a final result. Five states still rely solely on direct record electronic machines, according to Verified Voting. They include New Jersey, which will also elect a new governor this year. Eight other states rely on a mix of paper ballots and paperless direct recording electronic machines, the group said. <a href="#TOP">top </a> </p> <p> <a name="BigTech"> </a> <a href="http://thehill.com/blogs/pundits-blog/technology/349489-big-tech-companies-such-as-facebook-are-skating-on-thin-ice" > <strong> 'Big tech' companies such as Facebook are skating on thin ice </strong> </a> (Roger Cochetti in The Hill, 9 Sept 2017) - Internet sex trafficking issues exploded recently when Sens. Rob Portman (R-Ohio) and Claire McCaskill (D-Mo.) introduced S.1693, which could expose internet companies to liability for enabling sex trafficking. 
Nearly the entire internet industry opposes the legislation, but more than a quarter of both chambers have nonetheless co-sponsored the legislation. It's worth understanding how Section 230 came about and affected the internet ecosystem, and how recent efforts may now be putting it at risk. The world was a very different place in 1995. There were probably 15-20 million internet users and Prodigy, CompuServe and America Online dominated the online industry. Dial-up computer bulletin boards were popular, although many courts had held that their operators were publishers and responsible for the content they displayed. People increasingly believed that making any effort to curate content posted on one's internet service would make the operator responsible for all displayed content. The Senate had actually gone so far as to approve language declaring that online operators were subject to the same obscenity regulations as television broadcasters. The internet looked like it was headed for a life of endless lawsuits and regulations. Then-Reps. Chris Cox (R-Calif.) Ron Wyden (D-Ore.) originally introduced Section 230 to prevent online service providers from being treated as if they were either publishers or TV broadcasters. It introduced the critically important concept of very limited or no intermediary liability for the content created by others. It was approved in the House as a part of the 1996 Telecom Act. * * * Internationally, at the time, few governments had much of an idea of how the internet fit into existing regulations. The internet wasn't a computer bulletin board, a magazine, a bookstore, a telephone service, a closed computer network, broadcast TV, or cable TV. This is why 230 became important: It provided a simple explanation of the internet. The internet has some characteristics of a private computer service and some of a telephone service. 
Like a telephone service, the intermediaries couldn't be responsible for the content that flows over their network and like a private computer service, operators have a right to get rid of dangerous content. This explanation of how a then-unimportant medium should be viewed caught on internationally; and it's no exaggeration to say that it allowed the Internet as we know it to come into existence. That was then and this is now. Over the last 22 years, a lot has changed. Billions use the internet and virtually every policy-maker knows something about how it works. Big data and AI enable content monitoring that was considered science fiction in 1995 and nudity is far from the top concern about internet content. * * * <a href="#TOP">top </a> </p> <p> <a name="TurksDetained"> </a> <a href="https://amp.theguardian.com/world/2017/sep/11/turks-detained-encrypted-bylock-messaging-app-human-rights-breached" > <strong> Turks detained for using encrypted app 'had human rights breached' </strong> </a> (The Guardian, 11 Sept 2017) - Tens of thousands of Turkish citizens detained or dismissed from their jobs on the basis of downloading an encrypted messaging app have had their human rights breached, a legal opinion published in London has found. <a href="https://www.2bedfordrow.co.uk/opinion-on-the-legality-of-the-actions-of-the-turkish-state/" > The study </a> , commissioned by opponents of the Turkish president, Recep Tayyip Erdoğan, argues that the arrest of 75,000 suspects primarily because they <a href="https://www.theguardian.com/technology/2016/aug/03/turkey-coup-gulen-movement-bylock-messaging-app" > downloaded the ByLock app </a> is arbitrary and illegal. It reflects growing concern about the legality of the Turkish government's crackdown in <a href="https://www.theguardian.com/world/2017/apr/12/moment-of-reckoning-in-turkey-as-alleged-coup-plotters-go-on-trial" > the aftermath of last year's failed coup </a> . 
The legal opinion was commissioned by a pro-Gülen organisation based in Europe. The two British lawyers involved, William Clegg QC and Simon Baker, are experienced barristers. The report examines transcripts of recent trials of alleged Gülenists in Turkey as well as Turkish intelligence reports on ByLock. It concludes that the cases presented so far breach the European convention on human rights, which <a href="https://www.theguardian.com/world/turkey">Turkey </a> is signed up to. <a href="#TOP">top </a> </p> <p> <a name="TeslaRemotely"> </a> <a href="https://www.techdirt.com/articles/20170910/19392338181/tesla-remotely-extended-range-drivers-florida-free-thats-not-good-thing.shtml" > <strong> Tesla remotely extended the range of drivers in Florida for free... and that's NOT a good thing </strong> </a> (TechDirt, 11 Sept 2017) - In the lead up to Hurricane Irma hitting Florida over the weekend, Tesla did something kind of interesting: <a href="http://jalopnik.com/tesla-remotely-extended-the-range-of-its-florida-owners-1802955287" target="_blank" > it gave a "free" upgrade to a bunch of Tesla drivers in Florida </a> , extending the range of those vehicles, to make it easier for them to evacuate the state. Now, as an initial response, this may seem praiseworthy. The company did something (at no cost to car-owners) to help them evacuate from a serious danger zone. In a complete vacuum, that sounds like a good idea. But there are a variety of problems with it when put back into context. The first thing you need to understand is that while Tesla sells different version of its Model S, with different ranges, the range is actually entirely software-dependent. That is, it <a href="http://www.roadandtrack.com/new-cars/car-technology/news/a29475/tesla-model-s-60-60d/" target="_blank" > uses <em>the same </em>batteries </a> in different cars -- it just limits how much they'll charge via software. Thus, spend more on a "nicer" model and more of the battery is used. 
So all that happened here was that Tesla "upgraded" these cars with an over the air update. In some ways, this feels kind of neat -- it means that a Tesla owner could "purchase" an upgrade to extend the range of the car. But it should also be somewhat terrifying. In some areas, this has led to discussions about the possibility of <a href="https://teslamotorsclub.com/tmc/threads/is-it-possible-to-hack-the-software-to-unlock-battery-autopilot-etc.79846/" target="_blank" > hacking the software </a> on the cheaper version to unlock the greater battery power -- and I, for one, can't wait to see the CFAA lawsuit that eventually comes out of that should it ever happen (at least some people are <a href="https://electrek.co/2016/12/14/tesla-battery-capacity/" target="_blank" > hacking </a> into the Tesla's battery management system, but just to determine how much capacity is <em>really </em>available). But this brings us back to the same old discussion of whether or not you <a href="https://www.techdirt.com/articles/20160504/16142134346/do-you-own-what-you-own-not-so-much-anymore-thanks-to-copyright.shtml" > really own </a> what you've bought. When a company can automagically update the physical product you bought from them, it at least raises some serious questions. Yes, in this case, it's being used for a good purpose: to hopefully make it easier for Tesla owners to get the hell out of Florida. But it works the other way too, as law professor Elizabeth Jo points out * * * <a href="#TOP">top </a> </p> <p> <a name="TheNextYik"> </a> <a href="https://www.insidehighered.com/news/2017/09/12/could-college-messaging-app-islands-be-new-yik-yak?utm_source=Inside+Higher+Ed&utm_campaign=1961f45e62-DNU20170912&utm_medium=email&utm_term=0_1fcbc04421-1961f45e62-197618481&mc_cid=1961f45e62&mc_eid=" > <strong>The next Yik Yak? 
</strong> </a> (InsideHigherEd, 12 Sept 2017) - As thousands of students armed with smartphones start the new school year, they'll have plenty of social media options to choose from to find friends and connect with their peers. But at a select group of college campuses, a new player has entered the scene -- a student-centered networking app called <a href="http://islands.im/" target="_blank">Islands </a>. Billed as "Slack for college students," <a href="https://itunes.apple.com/us/app/islands-college-chat/id1121585819?mt=8&ign-mpt=uo%3D4" target="_blank" > Islands </a> is a location-based app designed specifically with college students, rather than business colleagues, in mind. In an interview, Greg Isenberg, CEO of Islands, said that he wanted to create an experience that will "delight people" and help "connect the disconnected." Of course, students already have a lot of ways to connect with each other on campus, but Isenberg believes that a lot of students use apps like <a href="https://groupme.com/en-US/" target="_blank">GroupMe </a> out of necessity rather than by choice. "Ask any college kid what they think of GroupMe, and at least 75 percent will have had a negative experience with it," said Isenberg. "It's crazy, because if you ask them what are the three biggest apps they use on campus, they'll tell you Instagram, Snapchat and GroupMe. You have millions of daily active users using a product, and they're not even loving the experience." The premise of the Islands app is simple. If you're within range of a college campus with access to the app, you'll be able to log in with your Facebook account or email. Inside the app you'll find a number of different group chats, or "islands." Some are public, meaning anyone can join. Some are private, and you must request to join the group. Example public islands available when you log into the app include Buy & Sell, Pickup Basketball and Undergraduate Library. 
The aim of the app is to connect students to groups of people "they might never have found" otherwise -- whether that is a new best friend, a study partner or someone to play sports with. The way that you choose to communicate when you start a private island is customizable, Isenberg explains. "We give people the Lego building blocks to create a space however they want. If they want to have a room that is anonymous, they could. If they want to have a room where all the messages disappear after an hour, great. If they want the room to just be for sharing photos, they can do that." * * * <a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="https://cyber.harvard.edu/node/99985"> <strong> Algorithms in the Criminal Justice System: Assessing the Use of Risk Assessments in Sentencing </strong> </a> (Harvard, 25 Aug 2017) - In the summer of 2016, some unusual headlines began appearing in news outlets across the United States. "Secret Algorithms That Predict Future Criminals Get a Thumbs Up From the Wisconsin Supreme Court," read one. Another declared: "There's software used across the country to predict future criminals. And it's biased against blacks." These news stories (and others like them) drew attention to a previously obscure but fast-growing area in the field of criminal justice: the use of risk assessment software, powered by sophisticated and sometimes proprietary algorithms, to predict whether individual criminals are likely candidates for recidivism. In recent years, these programs have spread like wildfire throughout the American judicial system. They are now being used in a broad capacity, in areas ranging from pre-trial risk assessment to sentencing and probation hearings. 
This paper focuses on the latest-and perhaps most concerning-use of these risk assessment tools: their incorporation into the criminal sentencing process, a development which raises fundamental legal and ethical questions about fairness, accountability, and transparency. The goal is to provide an overview of these issues and offer a set of key considerations and questions for further research that can help local policymakers who are currently implementing or considering implementing similar systems. We start by putting this trend in context: the history of actuarial risk in the American legal system and the evolution of algorithmic risk assessments as the latest incarnation of a much broader trend. We go on to discuss how these tools are used in sentencing specifically and how that differs from other contexts like pre-trial risk assessment. We then delve into the legal and policy questions raised by the use of risk assessment software in sentencing decisions, including the potential for constitutional challenges under the Due Process and Equal Protection clauses of the Fourteenth Amendment. Finally, we summarize the challenges that these systems create for law and policymakers in the United States, and outline a series of possible best practices to ensure that these systems are deployed in a manner that promotes fairness, transparency, and accountability in the criminal justice system. <em>This is a paper of the </em> <a href="https://cyber.harvard.edu/node/99650"> <em>Responsive Communities </em> </a> <em> project produced by Harvard students Priscilla Guo, Danielle Kehl, and Sam Kessler. This paper is a product of the students' work in the HLS Responsive Communities Lab course, co-led by Susan Crawford and Waide Warner. 
</em> <a href="#TOP">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="https://www.cnet.com/news/tech-firms-rights-groups-to-form-web-conduct-code/" > <strong>Tech firms, rights groups to form Web conduct code </strong> </a> (CNET, 18 Feb 2007) -- Technology companies Microsoft, Google, Yahoo and Vodafone are in talks with human rights and press freedom groups to draw up an Internet code of conduct to protect free speech and privacy of Web users. The parties said in a statement Friday that they aim to produce a code by the end of this year that would counter such trends as the increased jailing of Internet journalists, monitoring of legitimate online activity, and censorship. Talks are being led by the Washington-based Center for Democracy and Technology and San Francisco nonprofit Business for Social Responsibility. They are trying to craft a code to hold companies accountable if they cooperate with governments to suppress free speech or violate human rights. "Technology companies have played a vital role building the economy and providing tools important for democratic reform in developing countries," said Leslie Harris, executive director of the Center for Democracy and Technology. "But some governments have found ways to turn technology against their citizens--monitoring legitimate online activities and censoring democratic material," Harris said. <a href="#TOP">top </a> </p> <p> <a href="http://www.computerworld.com/article/2544306/security0/tjx-data-breach--at-45-6m-card-numbers--it-s-the-biggest-ever.html" > <strong> TJX data breach: at 45.6m card numbers, it's the biggest ever </strong> </a> (Computerworld, 29 March 2007) -- After more than two months of refusing to reveal the size and scope of its data breach, TJX Companies Inc. is finally offering more details about the extent of the compromise. In filings with the U.S. 
Securities and Exchange Commission yesterday, the company said 45.6 million credit and debit card numbers were stolen from one of its systems over a period of more than 18 months by an unknown number of intruders. That number eclipses the 40 million records compromised in the mid-2005 breach at CardSystems Solutions and makes the TJX compromise the worst ever involving the loss of personal data. In addition, personal data provided in connection with the return of merchandise without receipts by about 451,000 individuals in 2003 was also stolen. The company is in the process of contacting individuals affected by the breach, TJX said in its filings. "Given the scale and geographic scope of our business and computer systems and the time frames involved in the computer intrusion, our investigation has required a substantial period of time to date and is not completed," the company said. Framingham, Mass.-based TJX is the owner of a number of retail brands, including T.J.Maxx, Marshalls and Bob's Stores. In January, the company announced that someone had illegally accessed one of its payment systems and made off with card data belonging to an unspecified number of customers in the U.S., Canada, Puerto Rico and potentially the U.K. and Ireland. <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. 
Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p> <p> <a name="TOP"> </a> </p>
<p> Posted 26 Aug 2017 by Vince Polley </p> <p> <a name="TOP"> </a> MIRLN --- 6-26 August 2017 (v20.12) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_6_26_august_2017_v2012/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <ul> <li> <a href="#Estonia"> Estonia steps up plan to counter cyber attacks by siting critical systems offshore </a> </li> <li> <a href="#FacebookIsStarting"> Facebook is starting to put more posts from local politicians into people's News Feed </a> </li> <li> <a href="#YourVoter"> Your voter records are compromised. Can you sue? Theories of harm in data-breach litigation </a> </li> <li> <a href="#GovRauner"> Gov. Rauner signs bill to protect Illinois from cyberthreats </a> </li> <li> <a href="#HarvardGoes">Harvard goes outside to go online </a> </li> <li> <a href="#EFFtoCourt"> EFF to court: Border agents need warrants to search contents of digital devices </a> </li><li><a href="#TwoStudiesSuggest">Two studies suggest trouble ahead for paywall journals </a> </li> <li> <a href="#PartingWith">Parting with our books </a> </li> <li> <a href="#RatingsPrinciples"> Ratings principles: Now coming to cybersecurity </a> </li> <li> <a href="#WhenIsHacking"> When is "Hacking Disclosure" required in SEC filings? 
</a> </li> <li> <a href="#SECobservations"> SEC observations on cybersecurity Sweep 2 </a> </li> <li> <a href="#AVVOblasts"> AVVO blasts new ethics opinions on attorney match services </a> </li> <li> <a href="#BloombergLaw"> Bloomberg Law adds practice center devoted to e-discovery </a> </li> <li> <a href="#USjudgeSaysLinkedIn"> US judge says LinkedIn cannot block startup from public profile data </a> </li> <li> <a href="#LinkedinConnection"> LinkedIn connection request doesn't violate non-solicitation clause </a> </li> <li> <a href="#ABAandJonesDay"> ABA and Jones Day launch website to connect veterans to legal services </a> </li> <li> <a href="#TheMiamiHeat"> The Miami Heat are switching to smartphone-only tickets for home games this season </a> </li> <li> <a href="#MassiveNew"> Massive new searchable database of federal court opinions, including ones that haven't been formally published </a> </li> <li> <a href="#TechCompaniesUrge"> Tech companies urge Supreme Court to boost cellphone privacy </a> </li> <li> <a href="#VerizonYesVerizon"> Verizon-yes, Verizon-just stood up for your privacy </a> </li> <li> <a href="#JusticeDepartmentFights"> Justice Department fights web hosting company for Trump protester information </a> </li> <li> <a href="#JusticeDepartmentWalks"> Justice Department walks back demand for information on anti-Trump website </a> </li> <li> <a href="#NotPetya"> NotPetya ransomware attack cost us $300m - shipping giant Maersk </a> </li> <li> <a href="#Fitch"> Fitch: NAIC rules may boost US insurers' cyber risk management </a> </li> <li> <a href="#BerkmanKleinStucy"> Berkman Klein study finds partisan right-wing websites shaped mainstream press coverage before 2016 election </a> </li> <li> <a href="#ILTA2017">ILTA 2017: Where have all the lawyers gone? 
</a> </li> <li> <a href="#ConsortiumFormed"> Consortium formed to drive blockchain adoption in legal industry </a> </li> <li> <a href="#BitcoinAccepting"> Bitcoin-accepting sites leave cookie trail that crumbles anonymity </a> </li> <li> <a href="#IRSnowHas"> IRS now has a tool to unmask bitcoin tax cheats </a> </li> <li> <a href="#HackingCoinbase"> Hacking Coinbase: The great bitcoin bank robbery </a> </li> <li> <a href="#NewNISTdraft"> New NIST draft embeds privacy into US govt security for the first time </a> </li> <li> <a href="#LawFirmsLegal"> Law firms, legal departments predicted to focus more on IT risk </a> </li> <li> <a href="#TheTwitter">The Twitter #hashtag is 10 years old </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="Estonia"> </a> <strong> <a href="http://www.zdnet.com/article/estonias-plan-to-put-critical-systems-on-foreign-soil-against-a-crisis-just-took-a-step-forward/" > Estonia steps up plan to counter cyber attacks by siting critical systems offshore </a> </strong> (ZDnet, 3 Aug 2017) - To thwart a cyber-attack on its national infrastructure or even an invasion, Estonia is getting ready to open its first data embassy overseas. In 2014, <a href="http://www.zdnet.com/article/in-the-event-of-a-crisis-estonia-plans-to-rely-on-its-allies-to-hold-its-critical-systems/" target="_blank" > Estonia introduced initial plans to create 'data embassies </a> ' capable of running duplicates of its critical systems, including databases and services, in secure data centers on foreign soil. Now, three years on, the then seemingly utopian plan is becoming a reality. Estonia has signed its first official contract with Luxembourg to guarantee diplomatic immunity for all the Baltic state's systems that are to be duplicated and run from a data center in the principality. 
"Next, we have to sign rental and service contracts to use Luxembourg's national data center and then we can start building the technology and 'furnishing' the data embassy," Mikk Lellsaar, ministry of economic affairs and communications executive specialist tells ZDNet. He says the embassy in Luxembourg is going to mirror many data systems of critical importance, such as the state treasury information system, state pension insurance registry, identity documents registry, business register, land register, and land cadastre among many others. <a href="#TOP">top </a> </p> <p> <a name="FacebookIsStarting"> </a> <strong> <a href="https://www.recode.net/2017/8/4/16098364/facebook-politics-posts-news-feed-new-feature-state-local" > Facebook is starting to put more posts from local politicians into people's News Feed </a> </strong> (ReCode, 4 Aug 2017) - Facebook is testing a new feature that inserts posts from local politicians into users' News Feeds, even if they don't necessarily follow those politicians. The new feature, which was first noticed by one of my Recode colleagues, included a label titled "This week in your government." A Facebook spokesperson confirmed that the feature is a test. "We are testing a new civic engagement feature that shows people on Facebook the top posts from their elected officials," this spokesperson said in a statement. "Our goal is to give people a simple way to learn about what's happening at all levels of their government." The feature will appear, at most, once per week, and only for users who follow at least one local, state or federal representative from their area. Facebook knows who your local reps are if you handed over your address to use the company's voting plan feature - or its "Town Hall" feature, which helps people find and follow their elected officials. Otherwise, you'll just see posts from politicians at the state and federal levels. 
Facebook has been active in the past year about getting its user base more involved in politics. In addition to the features mentioned above, which were rolled out before the November presidential election, Facebook also let users register to vote via the social network, and CEO Mark Zuckerberg claims more than two million people did so. Adding this new feature might inspire more politicians to post to Facebook, especially if they think their posts will be promoted to more voters. It's unclear if Facebook takes political affiliation into account when deciding which posts to show people, but if it does not, it could also be a way for politicians to get their message to voters across the aisle. <a href="#TOP">top </a> </p> <p> <a name="YourVoter"> </a> <a href="https://lawfareblog.com/your-voter-records-are-compromised-can-you-sue-theories-harm-data-breach-litigation" > <strong> Your voter records are compromised. Can you sue? Theories of harm in data-breach litigation </strong> </a> (Lawfare, 7 Aug 2017) - Last year, the Republican National Committee hired a firm called Deep Root Analytics to collect voter information. The firm accidentally exposed approximately 198 million personal voter records. This was 1.1 terabytes of personal information that the company left on a cloud server without password protection for two weeks. On June 21 of this year, victims <a href="http://www.businessinsider.com/deep-root-analytics-sued-after-data-breach-2017-6" target="_blank" > filed a class action </a> in Florida court against Deep Root Analytics for harm resulting from a data breach. Donald Trump has denounced such breaches as "gross negligence." The Deep Root lawsuit took him at his word, using that quote as evidence to make a claim on the legal theory of negligence. <a href="https://www.scribd.com/document/351940362/McAleer-v-Deep-Root#fullscreen&from_embed" target="_blank" > The complaint demands more than $5 million in damages. 
</a> Defendants in data-breach cases (in this case, Deep Root Analytics is the defendant) often challenge a claim on the grounds that the pleading does not include an injury that is (1) "concrete, particularized and actual or imminent," (2) caused by the defendant, and (3) redressable by a court of law. * * * <a href="#TOP">top </a> </p> <p> <a name="GovRauner"> </a> <a href="https://www2.illinois.gov/Pages/news-item.aspx?ReleaseID=14671"> <strong> Gov. Rauner signs bill to protect Illinois from cyberthreats </strong> </a> (Illinois.gov, 7 Aug 2017) - Today, Governor Rauner signed House Bill 2371, requiring all executive branch State of Illinois employees responsible to the Governor, not including public university employees, to undergo annual cybersecurity training to understand the risks, threats and best practices to defend against cyber threats. Hackers and cyber criminals continually grow more sophisticated in their attempts to steal sensitive data and infect state computer systems. It is crucial that state employees have knowledge to protect themselves and the state from the impact of cyber-attacks. This legislation is another advancement in the governor's vision for a cyber-secure Illinois to better protect the personal information of state residents and ensure critical state services are not interrupted. 
<a href="#TOP">top </a> </p> <p> <a name="HarvardGoes"> </a> <strong> <a href="https://www.insidehighered.com/news/2017/08/08/harvard-teams-corporate-partner-offer-online-business-analytics-program?utm_source=Inside+Higher+Ed&utm_campaign=2e2909c6fa-DNU20170808&utm_medium=email&utm_term=0_1fcbc04421-2e2909c6fa-197618481&mc_c" > Harvard goes outside to go online </a> </strong> (InsideHigherEd, 8 Aug 2017) - If any American university might be positioned to begin a new online program all by itself, Harvard University -- with its world-famous brand, many-billion-dollar endowment and founding relationship with the online course provider edX -- might be it. But the university <a href="https://www.seas.harvard.edu/news/2017/08/hbs-seas-and-fas-partner-with-2u-inc-to-offer-harvard-business-analytics-program" target="_blank" > announced Monday </a> that three of its schools would create a new business analytics certificate program with 2U, the online program management company. A <a href="https://2u.com/about/press/harvard-partner-with-2u-business-analytics-program/" target="_blank" > collaboration between 2U and professors </a> at the Harvard Business School, the John A. Paulson School of Engineering and Applied Sciences, and the department of statistics in Harvard's main college, the Faculty of Arts and Sciences, the program will teach students how to leverage data and analytics to drive business growth. Aimed at executives in full-time work, the program will be delivered through 2U's online platform and will feature live, seminar-style classes with Harvard faculty members. The program will cost around $50,000 for three semesters, with an estimated time requirement of 10 hours per week. Chip Paucek, CEO of 2U, said the technology 2U can offer universities goes far beyond "just what the student sees." 
The company can use analytics to predict things such as enrollment and completion of courses, in addition to making programs widely accessible, and securing content from cyberattack. Aside from technology, 2U also offers up-front money. The company "invests heavily in each of its partnerships," said Paucek, typically spending between $5 million and $10 million in the first few years. Each 2U partnership lasts a minimum of 10 years to give the company time to recoup its investment from a significant slice of the student enrollment fees. Paucek said the partnership with Harvard was a high point in the company's 10-year history, and that the company was "honored to be a brand ambassador for one of the best-known brands in the world." Deciding to work with 2U was "not a trivial decision" for Harvard, said Paucek, adding that university officials "were clear they would not commit to it if it was not one of the world's best programs." Conversations about working together began around five years ago, according to Paucek. But it was not until two years ago that talks centered specifically on creating a business analytics program. <a href="#TOP">top </a> </p> <p> <a name="EFFtoCourt"> </a> <a href="https://www.eff.org/press/releases/eff-court-border-agents-need-warrants-search-contents-digital-devices" > <strong> EFF to court: Border agents need warrants to search contents of digital devices </strong> </a> (EFF, 8 Aug 2017) - Searches of mobile phones, laptops, and other digital devices by federal agents at international airports and U.S. land borders are highly intrusive forays into travelers' private information that require a warrant, the Electronic Frontier Foundation (EFF) said in a <a href="https://www.eff.org/document/us-v-molina-isidoro-eff-brief" target="_blank" > court filing </a> yesterday. EFF urged the U.S. 
Circuit Court of Appeals for the Fifth Circuit to require law enforcement officers at the border to obtain a warrant before performing manual or forensic <a href="https://www.eff.org/deeplinks/2017/04/bill-rights-border-fourth-amendment-limits-searching-your-data-and-devices" target="_blank" > searches of digital devices </a> . Warrantless border searches of backpacks, purses, or luggage are allowed under an <a href="https://www.eff.org/deeplinks/2016/12/law-enforcement-uses-border-search-exception-fourth-amendment-loophole" target="_blank" > exception to the Fourth Amendment </a> for routine immigration and customs enforcement. Yet EFF argues that, since digital devices can provide so much highly personal, private information-our contacts, our email conversations, our work documents, our schedules-agents should be required to show they have probable cause to believe that the device contains evidence of a violation of the immigration or customs laws. Only after a judge has signed off on a search warrant should border agents be allowed to rifle through the contents of cell phones, laptops, or tablets. Digital device searches at the border <a href="https://www.eff.org/wp/digital-privacy-us-border-2017" target="_blank" > have more than doubled </a> since the inauguration of President Trump. <a href="#TOP">top </a> </p> <p> <a name="TwoStudiesSuggest"> </a> <a href="https://m.phys.org/news/2017-08-paywall-journals.html"> <strong>Two studies suggest trouble ahead for paywall journals </strong> </a> (Phys.org, 8 Aug 2017) - Two independent studies looking at two aspects of paywalls versus free access to research papers suggest that trouble may lie ahead for traditional journals that continue to expect payment for access to peer-reviewed research papers. In the first study, a small team of researchers from the U.S. 
and Germany looked at the number of freely available papers on the internet using a web extension called Unpaywall-users enter information and the extension lists sources online for free. In the second study, a team with members from Canada, the U.S. and Germany looked at the popularity of a website known as Sci-Hub that collects and freely distributes research papers. Both groups have written papers describing their studies and results and have uploaded them to the <em>PeerJ Preprints </em> server. Free access to <a href="https://phys.org/tags/research+papers/">research papers </a> is a hot topic in the research community, perhaps indicating coming changes to the status quo. The traditional model, in which a researcher pays for the privilege of reading published articles on journal sites like <em>Science </em> and <em>Nature </em> in order to cite work by others, is under fire. Many have claimed the system is unfair to those who cannot afford to pay such fees. Meanwhile, journal sites maintain their stance that the only way they can continue to exist as profitable entities is to charge access fees. They note also that they provide a valuable service-peer review. In these two new efforts, the researchers with both teams hint that the argument may soon become moot, as people who want to read research papers for free find easier access. In the first paper, the researchers worked with the team that makes the Unpaywall extension to get statistics on its use. They report finding that nearly half (47 percent) of all of the papers that people searched for using the app in 2015 were available for free. They also report that overall, users were able to find free versions of 28 percent of articles they were looking for. In the second <a href="https://phys.org/tags/paper/">paper </a>, the researchers worked with the team behind Sci-Hub, which many have described as a pirating site. They report that visitors could access 85 percent of articles that were still behind a paywall. 
They found also that the percentage was even higher for papers held behind Elsevier paywalls. They note that the team at Sci-Hub told them that efforts to shut down their site through legal means have resulted in free press, increasing its user base-a term they described as the "Streisand Effect"-after Barbra Streisand, who famously tried to stop distribution of aerial photographs of her home several years ago, inadvertently exposing the photographs to many more people. <a href="#TOP">top </a> </p> <p> <a name="PartingWith"> </a> <strong> <a href="https://www.insidehighered.com/blogs/university-venus/parting-our-books?utm_source=Inside+Higher+Ed&utm_campaign=d46e7c64f9-DNU20170809&utm_medium=email&utm_term=0_1fcbc04421-d46e7c64f9-197618481&mc_cid=d46e7c64f9&mc_eid=012fe6c04c" > Parting with our books </a> </strong> (InsideHigherEd, 8 Aug 2017) - A few weeks ago, we moved into a new house-one much smaller than the home we lived in for 14 years before moving out of state. As part of our family's move to our transitional housing after taking a new job out of state last year, we downsized considerably. We gave away furniture, mementos that meant less and less as more and more time had passed by. We discarded the kids' first outfits from the hospital after their birth, their finger paintings, their first attempts at coloring within the lines, their first try at writing their own names, and a multitude of certificates of accomplishments. In fact, I managed to throw away a purse with my daughter's life fortune, a few hundred dollars that she will never forgive me for accidentally discarding. Disposing of these old and generally-considered sentimental items was nowhere near what it felt like giving away my old books. The first time I went through the book purge, it was hard. I hate moving and wanted to be done with it! 
Getting rid of old textbooks on building democratic societies, the fall of the Soviet Union, the rise of the Tiger economies, Mexican political history, economics and econometrics, and even most of my Dostoyevsky collection was somewhat painful, but practical. I knew then that, wherever we would end up living, most of the rooms would not have floor-to-ceiling bookcases as we had in most rooms of the home in which we had thought we would die. It was painful, but it had to be done. Moving into a permanent home now, I went through the book purge again. This time, I gave away more recent books, including some that I had not yet read. When one of my best friends was writing her dissertation on French and Caribbean literature, I bought so many of the books that she found interesting and I found interesting when she talked about them. They were fiction, which I generally find difficult to read. I bought a ton of them, but read few. This weekend, as I packed those books in French and English, I wondered if there would come a day when I would ever finish Simone de Beauvoir's <em> Le Deuxieme Sexe </em> or the Marie Vieux Chauvet, Jacques Roumain, Rene Depestre and so many other books that I bought a decade ago. The truth is that the probability of me ever finishing or even starting some of those books was very slim-statistically insignificant from zero. So, I packed them feeling never more grateful for my undergraduate, liberal education that exposed me to so much more than statistical methods and measurement, where my reading interests were parked for a very long time. Had it not been for those general education courses, I would have likely stopped reading fiction and literature after high school. I would lack culture (though I can't claim to have a ton of it now). I realized as I packed these new sets of books to give away that, by the time I should ever want to read them, they will be available electronically or in some other form that I can't even imagine now. 
In many ways, I am old-fashioned. I cannot read books on a Kindle and I never learned how to type, so I pick the letters one by one even as I write this post. This made parting with those books even more emotional. The world is changing, but we don't know what the change will look like exactly. Maybe letting go of the books is somewhat symbolic of letting go of an unrealized aspiration of the cultured person I had the potential of becoming. The universe of things I read about now seems both broader and narrower at the same time. Perhaps, this post should have been titled "In Praise of Liberal Education," but there are so many of those essays already. Parting with our books is hard, but the technology that exists today and will soon come will make it easier to go back to that person that I was becoming. [ <strong>Polley </strong>: strongly resonated with me.] <a href="#TOP">top </a> </p> <p> <a name="RatingsPrinciples"> </a> <a href="https://www.thecorporatecounsel.net/blog/2017/08/ratings-principles-now-coming-to-cybersecurity.html" > <strong>Ratings principles: Now coming to cybersecurity </strong> </a> (CorporateCounsel.net, 9 Aug 2017) - Recently, a group of more than 40 prominent banks, retailers & tech companies released these " <a href="https://www.thecorporatecounsel.net/member/FAQ/PrivacyRights/06_17_USCC.pdf" > Principles for Fair & Accurate Securities Ratings </a> ." Here's a teaser from this <a href="https://www.dataprivacymonitor.com/cybersecurity/us-companies-create-principles-for-cybersecurity-risk-ratings/" > BakerHostetler blog </a> (also see this <a href="https://www.reuters.com/article/us-banks-cyber-idUSKBN19B1ZL"> Reuters article </a> ): <em> The principles are designed to promote fair and accurate cybersecurity ratings - in response to the recent emergence of several ratings companies that collect and analyze publicly accessible data to analyze a company's cybersecurity risk posture. 
The ratings are increasingly used by insurers - as well as in M&A and other business decisions. The data for risk ratings is typically collected without the target company's knowledge and comes from a variety of sources - e.g. hackers' forums, darknet data, Internet traffic stats, port-scanning tools & open-source malware intelligence sources. Ratings companies then use proprietary methodologies and algorithms to analyze the data and assign a grade. Importantly, however, cybersecurity ratings have the potential for being inaccurate, incomplete, unverifiable and unreliable - if, for example, the source data is inaccurate or the methodology doesn't account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in and the usability of fair and accurate cybersecurity ratings by addressing the potential problems. The principles were modeled after the Fair Credit Reporting Act. </em> We don't know if cybersecurity risk ratings will become anywhere near as important as credit ratings - but keep them on your radar. The signatories to the principles include Aetna, American Express, Bank of America, Chevron, Eli Lilly, Fannie Mae, FICO, Goldman Sachs, Home Depot, Honeywell, JP Morgan, Microsoft, State Street & lots of other big names. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="WhenIsHacking"> </a> <a href="https://www.thecorporatecounsel.net/blog/2017/08/ratings-principles-now-coming-to-cybersecurity.html" > <strong>When is "Hacking Disclosure" required in SEC filings? </strong> </a> (CorporateCounsel.net, 9 Aug 2017) - By now, most companies have a cyber incident response plan - which should include contacting a securities lawyer to evaluate disclosure requirements. 
As outlined in this <a href="https://www.thecorporatecounsel.net/Member/Memos/Goodwin/06_17_cyber.pdf" > Goodwin memo </a> , these decisions continue to depend on a fact-specific materiality analysis: <em> What is "material" ends up being far less clear, and there is plenty of room for a public company to determine in good faith that a specific cyber incident does not require separate disclosure. Where the obligation is unclear, a company's reluctance to disclose is understandable: Disclosure may highlight vulnerabilities, and will bring unwelcome attention from customers, regulators and others. The plaintiffs' bar will also circle, smelling the possibility of a class action, and they will not view the company and its managers as the victims. </em> While the SEC won't second-guess a good-faith analysis, they also won't shy away from investigating disclosure lags - see this <a href="https://www.wsj.com/articles/yahoo-faces-sec-probe-over-data-breaches-1485133124" > WSJ article </a> about whether Yahoo's data breach should've been reported sooner to investors. The memo identifies factors affecting disclosure decisions - such as the significance of other notice obligations, existing risk factors & potential remediation costs. Since the decision will probably have to be made quickly, it's not a bad idea to create a decision tree in advance. 
Our " <a href="https://www.thecorporatecounsel.net/member/FAQ/Checklists/10K-Cybersecurity.pdf" > Cybersecurity Disclosure Checklist </a> " is a good starting point, and check out this <a href="https://www.thecorporatecounsel.net/member/blogs/career/2017/06/state-data-breach-notice-requirements-free-app.html" > blog </a> as well… <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="SECobservations"> </a> <a href="https://www.artemissecure.com/blog/sec_observations_2?utm_campaign=Blog%20emails&utm_source=hs_email&utm_medium=email&utm_content=55244743&_hsenc=p2ANqtz-99Q59BVFcI8zm-tiV8_ylC2OIIc20GUtL2BdEm8gyiOymmzxoUp0YrCTFOSsxxOPe23znIV49MhxD2cRLCm2WnN3PtjA&" > <strong>SEC observations on cybersecurity Sweep 2 </strong> </a> (Artemis, 14 Aug 2017) - On Monday, the SEC released "Observations" on the seminal 2015 Cybersecurity Examination Initiative or what they are now referring to as "Sweep 2." While we find this document to be an unremarkable kitchen-sink of cyber-findings, the SEC has offered a concept for what they consider to be robust practices and perhaps a roadmap for achieving a higher level of Cybersecurity maturity for firms. We have reviewed the release and have distilled what we believe to be the key takeaways and suggestions for improving your program. Whether observations on a nearly two-year-old examination period are accurate or relevant is questionable. A whole new class of security tools is available, infrastructure and movement toward cloud-based services continues, and firms have been plodding forward on information security practices despite the SEC's nearly two-year silence on the subject. This is not completely fair as the SEC did include Cybersecurity as a concern under "Assessing Market-Wide Risks" in the 2017 Examination Priorities and issued a more timely, May 17 Risk Alert on Ransomware in the wake of WannaCry attacks. 
There is progression in the SEC's approach to Cybersecurity and now fourth Risk Alert, and the Commission has been clear that they are still finding facts and learning in an area of persistent high risk and developing regulatory scrutiny. The SEC started the initiative with a clear focus on Policies and Procedures and fundamental identification and protection practices. IT security evolves organically from basic blocking and tackling of controls to more advanced practices such as monitoring/detection and testing/validation. The SEC's understanding and corresponding expectations of financial services firms appears to be developing along similar lines - to a call for greater granularity and specificity in certain IT security activities. * * * <a href="#TOP">top </a> </p> <p> <a name="AVVOblasts"> </a> <a href="http://www.newyorklawjournal.com/id=1202795114863/12"> <strong> AVVO blasts new ethics opinions on attorney match services </strong> </a> (New York Law Journal, 9 Aug 2017) - New York has become the latest state to target attorney match service Avvo Inc. for ethical violations. <a href="http://www.nysba.org/EthicsOpinion1132/" target="_blank"> A new bar association ethics opinion </a> says a lawyer paying Avvo's marketing fee to participate in its legal services program is making an improper payment for a recommendation, in violation of state ethics rules. The New York State Bar Association released the opinion by its committee on professional ethics on Wednesday. While the state bar's ethics opinions are advisory only, they are widely read and followed. Lawyers who continue to participate in Avvo's legal services program "do so at their own peril," said state bar president Sharon Stern Gerstman, counsel at Buffalo law firm Magavern Magavern Grimm. But in an interview, Avvo's chief legal counsel, Josh King, encouraged New York lawyers to continue participating, adding that Avvo would back any lawyer facing disciplinary action for his or her participation. 
To date, King said he is not aware of any attorney in such a position. The ethics opinion examines Avvo Legal Services, which King said has existed for about a year and a half and is only a narrow portion of Avvo's business. Although he declined to say how many New York attorneys participated, he said it can be measured in the "hundreds" and less than 2,000. The New York ethics opinion follows recent actions in other states such as <a href="http://www.njlawjournal.com/id=1202790850219/Avvo-LegalZoom-Rocket-Lawyer-Declared-OffLimits?mcode=0&curindex=0&curpage=ALL" target="_blank" > New Jersey, where a joint opinion by three state Supreme Court committees has blacklisted three web-based services </a> that match litigants with attorneys, including Avvo, because of concerns over illicit fee-sharing and referral fees. Other states with ethics concerns over lawyer website services include Ohio, Pennsylvania and South Carolina. <a href="#TOP">top </a> </p> <p> <a name="BloombergLaw"> </a> <a href="https://www.lawsitesblog.com/2017/08/bloomberg-law-adds-practice-center-devoted-e-discovery.html" > <strong> Bloomberg Law adds practice center devoted to e-discovery </strong> </a> (Bob Ambrogi, 9 Aug 2017) - <a href="https://www.bna.com/bloomberglaw">Bloomberg Law </a> today is officially announcing the addition to its research platform of the E-Discovery Practice Center, a curated collection of a range of court opinions, tools, sample forms, news and expert guidance related to both federal and state e-discovery practice. The practice center is available to all Bloomberg Law subscribers at no additional cost. Bloomberg says it is the only legal research platform to have a resource of this kind devoted to e-discovery. Bloomberg "soft launched" the practice center for some customers at the recent annual meeting of the American Association of Law Libraries, but today is formally announcing its availability to all customers. 
The practice center's main page includes federal and state court opinions related to e-discovery, federal and state rules and laws related to e-discovery, news and law reports, and BNA's E-Discovery Portfolio series, which provides an entry point to resources such as practice guides, books and treatises, and law reviews, as well as specific guidance on such issues as understanding and preventing spoliation. E-discovery rules for all states are included. Another section of the practice center provides materials grouped by stage of e-discovery, such as preservation, production and technology-assisted review. Here you can find resources such as a checklist for preparing for a Rule 26 meeting and a guide to preparing a legal hold notice, as well as sample forms for legal holds. <a href="#TOP">top </a> </p> <p> <a name="USjudgeSaysLinkedIn"> </a> <a href="http://mobile.reuters.com/article/amp/idUSKCN1AU2BV"> <strong> US judge says LinkedIn cannot block startup from public profile data </strong> </a> (Reuters, 14 Aug 2017) - A U.S. federal judge on Monday ruled that Microsoft Corp's (MSFT.O) LinkedIn unit cannot prevent a startup from accessing public profile data, in a test of how much control a social media site can wield over information its users have deemed to be public. U.S. District Judge Edward Chen in San Francisco granted a preliminary injunction request brought by hiQ Labs, and ordered LinkedIn to remove within 24 hours any technology preventing hiQ from accessing public profiles. The case is considered to have implications beyond LinkedIn and hiQ Labs and could dictate just how much control companies have over publicly available data that is hosted on their services. "To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers," Chen's order reads. 
HiQ Labs called the decision an important victory for companies that rely on publicly available data for their businesses. "HiQ believes that public data must remain public, and innovation on the internet should not be stifled by legal bullying or the anti-competitive hoarding of public data by a small group of powerful companies," the company said in a statement Monday evening. That sentiment was echoed by Falon Fatemi, chief executive of Node, a San Francisco startup that uses publicly available data and artificial intelligence to help companies identify potential customers. "If LinkedIn is going to allow profiles to be indexed by search engines to benefit their platform then why shouldn't the rest of the internet benefit from that as well?" she said. The dispute between the two tech companies has been going on since May, when LinkedIn issued a letter to hiQ Labs instructing the startup to stop scraping data from its service. HiQ Labs responded by filing a lawsuit against LinkedIn in June, alleging that the Microsoft-owned social network was in violation of antitrust laws. <a href="#TOP">top </a> </p> <p> <a name="LinkedinConnection"> </a> <a href="http://blog.ericgoldman.org/archives/2017/08/linkedin-connection-request-doesnt-violate-non-solicitation-clause-bankers-life-v-american-senior-benefits.htm" > <strong> LinkedIn connection request doesn't violate non-solicitation clause </strong> </a> (Eric Goldman, 14 Aug 2017) - This is another case considering when LinkedIn activity violates a non-solicitation clause. Bankers Life, a company that sells insurance and financial products, sued one of its ex-employees (and his new employer, ASB) alleging among other things that the ex-employee violated his non-solicitation covenant through his communications on social media. * * * Gelineau's alleged violation? He sent LinkedIn requests to three Bankers Life employees who could "then click on to Gelineau's profile and . . . see a job posting for ASB." 
Bankers Life also alleged that Gelineau instructed another ASB employee to solicit Bankers Life employees, but the court found Bankers Life's evidence insufficient with respect to this claim. * * * This case is a nice complement to the Mobile Mini case I blogged about last month. There, the posts in question were essentially sales pitches, and the court says they likely violate the non-solicitation clause, whether sent as direct messages or not. Here, the LinkedIn messages had no call to action other than to connect. So it's not unexpected that the court finds there is no violation. It's surprising to see an employer think that a generic "let's connect!" email campaign could violate a non-solicitation clause. But Bankers Life did, and the court rightly shut it down. <a href="#TOP">top </a> </p> <p> <a name="ABAandJonesDay"> </a> <a href="https://www.lawsitesblog.com/2017/08/aba-jones-day-launch-website-connect-veterans-legal-services.html" > <strong> ABA and Jones Day launch website to connect veterans to legal services </strong> </a> (Bob Ambrogi, 14 Aug 2017) - At its annual meeting in New York Saturday, the <a href="https://www.americanbar.org/">American Bar Association </a> announced the launch of <a href="http://vetlex.org/">VetLex.org </a>, a website, developed in partnership with the law firm <a href="http://www.jonesday.com/">Jones Day </a>, that matches veterans in need of pro bono legal services with attorneys willing to provide such services. For now, the new site is only accepting registrations from attorneys, law firms and legal organizations interested in providing services. By Veterans Day, the site will open on a pilot basis in a limited number of cities and states to accept veterans' cases. The site will become fully operational nationally in 2018, the ABA's announcement said. 
Once the site opens to veterans, it will provide an online tool for them to obtain pro bono counsel for their specific legal needs, including civil, criminal or administrative matters. It will also provide educational information on basic legal concepts, and serve as a repository for paperwork, such as DD 214s, that is required by various service providers. The ABA expects that the site will also be used by organizations that serve veterans in helping them find lawyers to assist their clients. Lawyers who register at the site will be asked to create a profile that defines the kinds of cases they are willing to take. The site will also provide training in handling certain kinds of cases. * * * <a href="#TOP">top </a> </p> <p> <a name="TheMiamiHeat"> </a> <strong> <a href="https://www.theverge.com/2017/8/14/16143186/miami-heat-only-smartphone-tickets-home-games-season" > The Miami Heat are switching to smartphone-only tickets for home games this season </a> </strong> (The Verge, 14 Aug 2017) - If you're planning on attending a Miami Heat game at the team's home court American Airlines Arena this coming season, you'll need to own a smartphone. The basketball team announced last week that it would be switching over to mobile-based tickets for entry at home games, becoming the first in the NBA to enact such a policy, <a href="http://www.espn.co.uk/nba/story/_/id/20306283/miami-heat-become-first-nba-team-mobile-only-entry" > via <em>ESPN </em> </a> . According to a statement from the team, the new policy is due to the fact that roughly one in every three fans used mobile tickets to attend games last season. While other teams in the NBA like the Timberwolves and the Cavaliers have primarily switched over to mobile tickets, those teams still offer the option for fans to use a driver's license and credit card to get into the stadium. The new policy applies to <em>all </em> Heat tickets, too. 
So, if you walk up to American Airlines Arena and buy tickets at the box office, you'll still get them on your phone now. <a href="#TOP">top </a> </p> <p> <a name="MassiveNew"> </a> <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/08/15/massive-new-searchable-database-of-federal-court-opinions-including-ones-that-havent-been-formally-published/?utm_term=.c1c2f3897298" > <strong> Massive new searchable database of federal court opinions, including ones that haven't been formally published </strong> </a> <strong> </strong> (WaPo Eugene Volokh, 15 Aug 2017) - The Free Law Project, famous for its <a href="https://free.law/recap/"> RECAP browser extension for PACER users </a> , has now scraped all the federal court opinions available for free on PACER, and put them in a free database with a fairly powerful <a href="https://www.courtlistener.com/recap/">search engine </a>: <em> At Free Law Project, we have gathered millions of court documents over the years, but it's with distinct pride that we announce that we have now completed our biggest crawl ever. After nearly a year of work, and with support from the U.S. Department of Labor and Georgia State University, we have collected every free written order and opinion that is available in PACER. To accomplish this we used PACER's "Written Opinion Report," which provides many opinions for free. This collection contains approximately 3.4 million orders and opinions from approximately 1.5 million federal district and bankruptcy court cases dating back to 1960. More than four hundred thousand of these documents were scanned and required OCR, amounting to nearly two million pages of text extraction that we completed for this project. All of the documents amassed are available for search in the RECAP Archive of PACER documents and via our APIs. New opinions will be downloaded every night to keep the collection up to date. 
</em> <a href="#TOP">top </a> </p> <p> <a name="TechCompaniesUrge"> </a> <strong> <a href="https://www.reuters.com/article/us-usa-court-mobilephone-idUSKCN1AV1B3" > Tech companies urge Supreme Court to boost cellphone privacy </a> </strong> (Reuters, 15 Aug 2017) - More than a dozen high technology companies and the biggest wireless operator in the United States, Verizon Communications Inc., have called on the U.S. Supreme Court to make it harder for government officials to access individuals' sensitive cellphone data. The companies filed a 44-page brief with the court on Monday night in a high-profile dispute over whether police should have to get a warrant before obtaining data that could reveal a cellphone user's whereabouts. Signed by some of Silicon Valley's biggest names, including Apple, Facebook, Twitter, Snap and Alphabet's Google, the brief said that as individuals' data is increasingly collected through digital devices, greater privacy protections are needed under the law. "That users rely on technology companies to process their data for limited purposes does not mean that they expect their intimate data to be monitored by the government without a warrant," the brief said. * * * Nathan Freed Wessler, an attorney with the American Civil Liberties Union who is representing Carpenter, said the companies' brief represented a "robust defense of their customers' privacy rights in the digital age." Verizon's participation in the brief was important, he added, given that it receives, like other wireless carriers, thousands of requests for cellphone location records every year from law enforcement. The requests are routinely granted. 
<a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="VerizonYesVerizon"> </a> <a href="https://www.wired.com/story/verizon-privacy-location-data-fourth-amendment/amp" > <strong>Verizon-yes, Verizon-just stood up for your privacy </strong> </a> (Wired, 16 Aug 2017) - Fourteen of the biggest US tech companies filed a brief with the Supreme Court on Monday supporting more rigorous warrant requirements for law enforcement seeking certain cell phone data, such as location information. In the statement, the signatories-Google, Apple, Facebook, and Microsoft among them-argue that the government leans on outdated laws from the 1970s to justify Fourth Amendment overreach. One perhaps surprising voice in the chorus of protesters? Verizon. Verizon's support means that the largest wireless service provider in the US, and a powerful force in Silicon Valley, has bucked a longtime trend of telecom acquiescence. While carriers have generally been willing to comply with a broad range of government requests-even building out <a href="https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/" > extensive infrastructure </a> to aid surveillance-Verizon has this time joined with academics, analysts, and the company's more privacy-focused corporate peers. Carpenter v. United States is "one of the most important Fourth Amendment cases in recent memory," Craig Silliman, Verizon's executive vice president for public policy and general counsel, <a href="https://www.linkedin.com/pulse/latest-transparency-report-arrives-amid-debates-two-privacy-silliman?published=t" > wrote </a> on Monday. 
"Although the specific issue presented to the Court is about location information, the case presents a broader issue about a customer's reasonable expectation of privacy for other types of sensitive data she shares with any third party.… Our hope is that when it decides this case, the Court will help us better apply old Fourth Amendment doctrines to an evolving digital era." Carpenter v. United States, which the Supreme Court will hear this fall, relates to the acquisition, without a warrant, of months of individuals' location records by law enforcement officials in 2011. Officials looked back on 12,898 location records, spanning a four-month period, of one of these individuals, Timothy Carpenter, to build their case; Carpenter was eventually convicted. His appeal argues that location-data collection by law enforcement without a warrant violates his Fourth Amendment rights-and Verizon agrees. <a href="#TOP">top </a> </p> <p> <a name="JusticeDepartmentFights"> </a> <a href="https://www.lawfareblog.com/justice-department-fights-web-hosting-company-trump-protester-information" > <strong> Justice Department fights web hosting company for Trump protester information </strong> </a> (Lawfare, 15 Aug 2017) - The Justice Department is fighting for information on all of the visitors to the website <a href="http://www.disruptj20.org/" target="_blank">disruptj20.org </a>, as well as log files on when and from where the visitors logged onto the site, what they looked at, and emails related to the site. The site at the center of the storm bills itself as a platform connecting Trump protesters and "support[ing] the massive and spontaneous eruption of resistance across the United States that's happened since the election." 
At the <em>New York Times </em>, Charlie Savage <a href="https://www.nytimes.com/2017/08/15/us/politics/justice-department-trump-dreamhost-protests.html?smid=tw-nytimes&smtyp=cur" target="_blank" > reports </a> that federal investigators have issued a search warrant to the internet hosting company DreamHost, which is now challenging the warrant as unconstitutionally broad-complying with it would allegedly require handing over 1.3 million visitor IP addresses and the information, emails and photos of thousands of users. Also see the <a href="https://www.washingtonpost.com/world/national-security/tech-company-is-fighting-a-federal-order-for-ip-addresses-to-find-visitors-to-an-anti-trump-website/2017/08/14/a65b7544-8152-11e7-b359-15a3617c767b_story.html" target="_blank" > <em>Washington Post </em> story </a> last night from Ellen Nakashima. Dreamhost announced the fight yesterday in a <a href="https://www.dreamhost.com/blog/we-fight-for-the-users/" target="_blank" > blog post </a> entitled "We Fight for the Users." Here are the key documents: the <a href="http://lawfare.s3-us-west-2.amazonaws.com/staging/2017/DH-Search-Warrant.pdf" target="_blank" > search warrant </a> ; the Justice Department's <a href="https://www.documentcloud.org/documents/3932972-DH-DOJMotiontoShowCause.html" target="_blank" > motion to show cause </a> ; and DreamHost LLC's <a href="https://www.dreamhost.com/blog/wp-content/uploads/2017/08/DH-Opposition-Motion.pdf" target="_blank" > third-party response in opposition </a> to the Department's motion. [ <strong>Polley </strong>: <em>see also </em> <strong> <a href="https://www.nytimes.com/2017/08/15/us/politics/justice-department-trump-dreamhost-protests.html?mcubz=0" > Justice Dept. 
demands data on visitors to anti-Trump website, sparking fight </a> </strong> (NYT, 15 Aug 2017)] <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="JusticeDepartmentWalks"> </a> <strong> <a href="https://www.theverge.com/2017/8/22/16186474/justice-department-trump-ip-addresses-requests" > Justice Department walks back demand for information on anti-Trump website </a> </strong> (The Verge, 22 Aug 2017) - After controversy over <a href="https://www.theverge.com/2017/8/14/16145812/justice-department-disruptj20-trump-website-warrant" > a broad search warrant </a> that could have identified visitors to an anti-Trump website, the Justice Department says it's scaling back a demand for information from hosting service DreamHost. Last week, DreamHost disclosed that it was involved in a legal dispute with the department over access to records on the website "disruptj20.org," which organized protests tied to Donald Trump's inauguration. The warrant issued by the department was so broad, DreamHost said, that it was effectively requesting information that could identify lawful protestors - including information on more than 1.3 million IP addresses from visitors to the site. The warrant immediately drew condemnation from some privacy law experts. In <a href="https://www.documentcloud.org/documents/3939670-8-22-17-US-Reply-Brief-DreamHost.html" > a legal filing today </a> , the Justice Department argues that the warrant was proper, but also says DreamHost has since brought up information that was previously "unknown." In light of that, it has offered to carve out information demanded in the warrant, specifically pledging to not request information like HTTP logs tied to IP addresses. The department says it is only looking for information related to criminal activity on the site, and says that "the government is focused on the use of the Website to organize, to plan, and to effect a criminal act - that is, a riot." 
Peaceful protestors, the government argues, are not the targets of the warrant. The filing asks the court to proceed with the new, less burdensome request, which, apart from the carved-out sections, still requests "all records or other information, pertaining to the Account, including all files, databases, and database records stored by DreamHost in relation to that Account." It's unclear if DreamHost will continue to fight the new demand. The company did not immediately respond to a request for comment. <a href="#TOP">top </a> </p> <p> <a name="NotPetya"> </a> <strong> <a href="http://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/" > NotPetya ransomware attack cost us $300m - shipping giant Maersk </a> </strong> (The Register, 16 Aug 2017) - The world's largest container shipping biz has revealed the losses it suffered after getting hit by the NotPetya ransomware outbreak, and the results aren't pretty. The malware <a href="https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/" target="_blank" > surfaced </a> in Ukraine in June after being spread by a malicious update to MeDoc, the country's most popular accounting software. Maersk picked up an infection that hooked into its global network and shut down the shipping company, forcing it to halt operations at 76 port terminals around the world. "In the last week of the quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," CEO Soren Skou said in a <a href="http://investor.maersk.com/releasedetail.cfm?ReleaseID=1037421" target="_blank" > statement </a> today. "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m." 
Admittedly Maersk is massive - it's responsible for around 15 per cent of the world's entire shipping network - but that kind of financial damage is close to a record for such an attack. Then again, the company's entire network was down for days, Skou <a href="https://www.ft.com/content/785711bc-7c1b-11e7-9108-edda0bcbc928" target="_blank" > told </a> the Financial Times. <a href="#TOP">top </a> </p> <p> <a name="Fitch"> </a> <strong> <a href="https://www.fitchratings.com/site/pr/1027897?elq_mid=49158&elq_cid=996107" > Fitch: NAIC rules may boost US insurers' cyber risk management </a> </strong> (FitchRatings, 16 Aug 2017) - The National Association of Insurance Commissioners' (NAIC) CyberSecurity Working Group approved the Insurance Data Security Model Law, which, if approved by the NAIC Executive Committee, will promote more rigorous cyber risk management practices in the U.S. insurance market, Fitch Ratings says. At the same time it will add to insurers' compliance costs and associated risks of penalties for compliance violations. In its current form the proposed model law is credit-neutral for the U.S. insurance sector. It is largely complementary to other federal and state regulations for cybersecurity, including the New York State Department of Financial Services cybersecurity regulations from March 1, 2017, which apply to more than 3,000 financial service firms doing business in New York. The proposed model law still needs approval of the Innovation and Technology Task Force and NAIC Executive Committee to be considered a model law. Application of model laws requires state-by-state approval, which will take considerable time, and some individual states may adopt their own approaches to regulating insurers' cybersecurity. The NAIC's framework establishes industry standards for data security that will apply to a broad range of parties including insurance companies, agents and brokers. 
Organizations will be required to have a written information security program for protecting sensitive data, including incident response and data recovery plans to demonstrate their preparedness for cyber events. Companies will have to certify compliance annually to their state insurance commissioner and give notification of data breaches within 72 hours. The model law will also motivate insurers to incorporate cybersecurity into their overall enterprise risk management and corporate governance practices. Key provisions include minimum practices of board and senior management reporting and oversight of information security practices, and monitoring of third party service provider arrangements and the outcome of cybersecurity events. <a href="#TOP">top </a> </p> <p> <a name="BerkmanKleinStucy"> </a> <strong> <a href="http://mailchi.mp/cyber/mediacloud?e=f336d2c02a"> Berkman Klein study finds partisan right-wing websites shaped mainstream press coverage before 2016 election </a> </strong> (Harvard, 16 Aug 2017) - The <a href="http://harvard.us10.list-manage.com/track/click?u=ef13e6d75b74b1791f13115cd&id=59e485a97d&e=f336d2c02a" target="_blank" > Berkman Klein Center for Internet & Society at Harvard University </a> today released a comprehensive analysis of online media and social media coverage of the 2016 presidential campaign. The report, " <a href="http://harvard.us10.list-manage1.com/track/click?u=ef13e6d75b74b1791f13115cd&id=508e931ce9&e=f336d2c02a" > Partisanship, Propaganda, and Disinformation: Online Media and the 2016 U.S. Presidential Election </a> ," documents how highly partisan right-wing sources helped shape mainstream press coverage and seize the public's attention in the 18-month period leading up to the election. "In this study, we document polarization in the media ecosystem that is distinctly asymmetric. 
Whereas the left half of our spectrum is filled with many media sources from center to left, the right half of the spectrum has a substantial gap between center and right. The core of attention from the center-right to the left is large mainstream media organizations of the center-left. The right-wing media sphere skews to the far right and is dominated by highly partisan news organizations," co-author and principal investigator Yochai Benkler stated. The study found that on the conservative side, more attention was paid to pro-Trump, highly partisan media outlets. On the liberal side, by contrast, the center of gravity was made up largely of long-standing media organizations. Robert Faris, the Berkman Klein Center's research director, noted, "Consistent with concerns over echo chambers and filter bubbles, social media users on the left and the right rarely share material from outside their respective spheres, except where they find coverage that is favorable to their choice of candidate. A key difference between the right and left is that Trump supporters found substantial coverage favorable to their side in left and center-left media, particularly coverage critical of Clinton. In contrast, the messaging from right-wing media was consistently pro-Trump." <a href="#TOP">top </a> </p> <p> <a name="ILTA2017"> </a> <a href="https://lawyerist.com/ilta-2017-lawyers-gone/"> <strong>ILTA 2017: Where have all the lawyers gone? </strong> </a> (Lawyerist, 17 Aug 2017) - In looking at this year's International Legal Technology Association (ILTA) attendance list, I saw lots of legal professionals from well-known and well-heeled law firms, a big group of big tech vendors, a few legal startups, and very few practicing lawyers. Why aren't there more practicing lawyers here? Indeed, I seem to be one of the few outside practicing lawyers in attendance. So much so in meet ups and informal chats, when I tell people I am an active practitioner, I am usually met with raised eyebrows. 
ILTA touts that the conference "is the premier educational and networking event for the legal sector" that "empowers us to share what works, what doesn't and what's next." If that's the case, it would seem to be one of the more important events for practicing lawyers to attend. * * * There was even a session where in-house counsel from such companies as Microsoft, Exelon, and Sanofi, offered their opinions on what they wanted from their law firms. I think I was the only practicing lawyer in the room. It's as if the big firms for which most of the legal professionals here work have basically farmed out all things tech and don't want to get their hands dirty. And therein lies the problem: by creating this gap between the lawyers using the technology and what some lawyers call "staff," a lack of understanding and communication exists. Warren Rheaume of Davis Wright Tremaine, a speaker on the politics of change-and one of the few other practitioners in attendance-calls it a crisis. <a href="#TOP">top </a> </p> <p> <a name="ConsortiumFormed"> </a> <a href="https://www.lawsitesblog.com/2017/08/consortium-formed-drive-blockchain-adoption-legal-industry.html" > <strong> Consortium formed to drive blockchain adoption in legal industry </strong> </a> (Bob Ambrogi, 17 Aug 2017) - Bob Craig, chief information officer at Baker Hostetler, has a vision of a technology that will transform the business of law. That technology is blockchain. Craig and his firm are part of a group of law firms and technology companies that this week announced the formation of the <a href="http://www.legalconsortium.org/"> <strong>Global Legal Blockchain Consortium </strong> </a> . The consortium will work to drive the adoption and standardization of blockchain in the legal industry, with the larger goal of improving the security and interoperability of the global legal technology ecosystem. 
Members of the consortium include the law firms Baker Hostetler and Orrick, IBM Watson Legal, and the newly formed company <a href="https://www.linkedin.com/company-beta/16256901/"> <strong>Integra Ledger </strong> </a> , which is hoping to become the ledger used throughout the legal industry for blockchain digital identities. At an event Tuesday to announce the consortium's formation, Craig said that establishment of consortia has become common in many industries as a way to get the right people around the table to explore how blockchain technology can solve real-world business problems or, in this case, real-world legal problems. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="BitcoinAccepting"> </a> <a href="https://www.theregister.co.uk/2017/08/20/bitcoins_anonymity_easy_to_penetrate/" > <strong> Bitcoin-accepting sites leave cookie trail that crumbles anonymity </strong> </a> (The Register, 20 Aug 2017) - Bitcoin transactions might be anonymous, but on the Internet, its users aren't - and according to research out of Princeton University, linking the two together is trivial on the modern, much-tracked Internet. In fact, linking a user's cookies to their Bitcoin transactions is so straightforward, it's almost surprising it took this long for a <a href="https://arxiv.org/abs/1708.04748" target="_blank">paper </a> like this to be published. The paper sees privacy researcher Dillon Reisman and Princeton's Steven Goldfeder, Harry Kalodner and Arvind Narayanan demonstrate just how straightforward it can be to link cookies to cryptocurrency transactions: Only small amounts of transaction information need to leak, they write, in order for "Alice" to be associated with her Bitcoin transactions. It's possible to infer the identity of users even if they use privacy-protecting services like CoinJoin, a protocol designed to make Bitcoin transactions more anonymous. The protocol aims to make it impossible to infer which inputs and outputs belong to each other. 
Of 130 online merchants that accept Bitcoin, the researchers say, 53 leak payment information to 40 third parties, "most frequently from shopping cart pages," and most of these on purpose (for advertising, analytics and the like). Worse, "many merchant websites have far more serious (and likely unintentional) information leaks that directly reveal the exact transaction on the blockchain to dozens of trackers". <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="IRSnowHas"> </a> <strong> <a href="http://www.thedailybeast.com/irs-now-has-a-tool-to-unmask-bitcoin-tax-cheats" > IRS now has a tool to unmask bitcoin tax cheats </a> </strong> (Daily Beast, 22 Aug 2017) - You can use <a href="http://www.thedailybeast.com/where-strippers-dance-for-bitcoin"> bitcoin </a> . But you can't hide from the taxman. At least, that's the hope of the Internal Revenue Service, which has purchased specialist software to track those using bitcoin, according to a contract obtained by The Daily Beast. The document highlights how law enforcement isn't only concerned with criminals accumulating bitcoin from selling drugs or hacking targets, but also those who use the currency to hide wealth or avoid paying taxes. The IRS has claimed that only <a href="http://fortune.com/2017/03/19/irs-bitcoin-lawsuit/"> 802 people declared bitcoin losses or profits </a> in 2015; clearly fewer than the actual number of people trading the cryptocurrency-especially as more investors dip into the world of cryptocurrencies, and the value of bitcoin punches past the $4,000 mark. Maybe lots of bitcoin traders didn't realize the government expects to collect tax on their digital earnings, or perhaps some thought they'd be able to get away with stockpiling bitcoin thanks to the perception that the cryptocurrency is largely anonymous. "The purpose of this acquisition is… to help us trace the movement of money through the bitcoin economy," a section of the contract reads. 
The Daily Beast obtained the document through the Freedom of Information Act. The contractor in this case is Chainalysis, a startup offering its "Reactor" tool to visualize, track, and analyze bitcoin transactions. Chainalysis' clients include law enforcement agencies, banks, <a href="https://www.newswire.com/news/chainalysis-inks-deal-with-europol-and-raises-1-6m-seed-round-7988091" > and regulatory entities </a> . The software can follow bitcoin as it moves from one wallet to another, and eventually to an exchange where the bitcoin user will likely cash out into dollars or another currency. This is the point at which law enforcement could issue a subpoena to the exchange and figure out who is really behind the bitcoin. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="HackingCoinbase"> </a> <a href="http://fortune.com/2017/08/22/bitcoin-coinbase-hack/"> <strong>Hacking Coinbase: The great bitcoin bank robbery </strong> </a> (Fortune, 22 Aug 2017) - Sean Everett wasn't sure how his bullish bet on cryptocurrency would turn out. But he definitely didn't expect it to be over so soon. In March, he sold all his stocks, including Apple and Amazon, and used a chunk of the proceeds to buy Bitcoin and Ethereum on a site called Coinbase. The decision made Everett, the CEO of artificial intelligence startup Prome, almost instantly richer, as the blockchain-based currencies' value rocketed up exponentially over the next several weeks. But then, while he was out walking the dog after 10 p.m. on Wednesday, May 17, Everett got the call. It was T-Mobile, ringing him to confirm that it was switching his phone number to a different device. It was a suspicious move that Everett had most certainly not requested. But even as he pleaded with the agent to block the switch, it was too late. Less than five minutes later, Everett's cell service abruptly shut off, and as he rushed to his computer, he saw himself being robbed in real time. 
A raft of email notifications confirmed that someone had taken control of his main Gmail account, then broken into his Coinbase "wallet." They'd gotten in with the help of his switched-over phone number: Everett's account required him to log in with a two-factor authentication code sent by text message, as a second safeguard-and now the text had gone straight to the thief. * * * [ <strong>Polley </strong>: Long, and fascinating; <em>see also </em> <a href="https://www.nytimes.com/2017/08/21/business/dealbook/phone-hack-bitcoin-virtual-currency.html?_r=1" > <strong> Identity Thieves Hijack Cellphone Accounts to Go After Virtual Currency </strong> </a> (NYT, 22 Aug 2017)] <a href="#TOP">top </a> </p> <p> <a name="NewNISTdraft"> </a> <a href="https://www.theregister.co.uk/2017/08/18/new_nist_draft_embeds_privacy_into_security_for_the_first_time/" > <strong> New NIST draft embeds privacy into US govt security for the first time </strong> </a> (The Register, 18 Aug 2017) - A draft of new IT security measures by the US National Institute of Standards and Technology (NIST) has for the first time pulled privacy into its core text as well as expanded its scope to include the internet of things and smart home technology. The <a href="https://regmedia.co.uk/2017/08/17/nist-sec-drft5.pdf" target="_blank" > proposed </a> "Security and Privacy Controls for Information Systems and Organizations" will be the go-to set of standards and guidelines for US federal agencies and acts as a baseline for broader industry. As such, it has a huge impact on how technology is used and implemented across America. This version of the document - its fifth draft - concerns itself with edge computing: the rapidly expanding world of interconnected systems and devices that continue to be added to IT systems and the broader internet. 
With so many of these powerful computing devices now in the hands of millions of private citizens, that review has inevitably led NIST to consider privacy implications and for the first time privacy has gone from being an appendix to being pulled into the main body of the document. "The ultimate objective is to make the information systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable," the document states. Another interesting side effect of the new focus is that NIST has stopped pretending that it is only influencing federal agencies (all federal agencies will now be required to follow this NIST guidance following executive action by President Trump) and is actively pitching its contents to private enterprise in the hope of building a more resilient overall network. Major changes include: * * * <a href="#TOP">top </a> </p> <p> <a name="LawFirmsLegal"> </a> <strong> <a href="http://www.legaltechnews.com/id=1202795999758/Law-Firms-Legal-Departments-Predicted-to-Focus-More-on-IT-Risk?kw=Law%20Firms%2C%20Legal%20Departments%20Predicted%20to%20Focus%20More%20on%20IT%20Risk&et=editorial&bu=ALMcyberSecure&cn=20170824&src=EM" > Law firms, legal departments predicted to focus more on IT risk </a> </strong> (LegalTech, 21 Aug 2017) - Legal departments and law firms are likely to continue to focus more on information technology risk, given a recent projection that global spending on information security services and products will continue to rise. According to a recent Gartner <a href="http://www.gartner.com/newsroom/id/3784965">study </a>, overall global spending in the sector will total $86.4 billion this year, an increase of 7 percent over last year. Similarly, spending is predicted to jump to $93 billion in 2018, the study said. 
"Gartner's latest report about increased spending on security comes as no surprise, given the increase in data breaches, ransomware and the introduction of GDPR [the General Data Protection Regulation] in 2018," Darren R. Hayes, a professor at Pace University, told Legaltech News. "While the liability associated with data breaches in the U.S. may be limited to reputation, the potential fines associated with the introduction of GDPR [in Europe] should be a wake-up call for multinational corporations," he said. "Google [was] … already fined $2.7 billion by an EU [European Union] antitrust ruling in June of this year so it is clear that the EU will enforce its new draconian cyber-related laws." And GDPR compliance is likely to put a strain on legal professionals. In recent years, financial institutions have prioritized regulatory compliance, as regulatory fines have reached an estimated $100 billion annually, Hayes said. Breach response costs are also increasing, and this problem will be exacerbated by GDPR. The Gartner study predicts GDPR will drive 65 percent of data loss prevention buying decisions through 2018, and security services will continue to be the fastest growing segment in the sector, especially IT consulting, outsourcing and implementation services. "Legal and compliance departments can expect to focus more on IT risk in the near future, which includes greater scrutiny of third-party IT service providers and their associated service level agreements," he added. 
<a href="#TOP">top </a> </p> <p> <a name="TheTwitter"> </a> <strong> <a href="http://money.cnn.com/2017/08/23/technology/culture/twitter-hashtag-10-years-old/index.html?section=money_technology&utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > The Twitter #hashtag is 10 years old </a> </strong> (CNN, 23 Aug 2017) - The hashtag character (#) popularized on Twitter ( <a href="http://money.cnn.com/quote/quote.html?symb=TWTR&source=story_quote_link" > TWTR </a> , <a href="http://money.cnn.com/technology/tech30/index.html?iid=EL"> Tech30 </a> ) was tweeted for the first time by designer Chris Messina on this day in 2007. He asked his followers: "how do you feel about using # (pound) for groups. As in #barcamp [msg]?" But the hashtag wasn't born on Twitter. The hash -- also called the octothorp -- first appeared on touch-tone telephones in the 1960s. We still use the character to interact with automated phone systems. Users on Internet Relay Chat, a popular chat room software, long used the pound sign on the internet to join different channels. It's unclear who invented the IRC hashtag. Facebook adopted hashtags years later in 2013, but it serves the same purpose. <a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2017/08/voss-on-the-general-data-protection-regulation-gdpr-and-the-proposed-eprivacy-regulation-wgvoss-toul.html" > <strong> General Data Protection Regulation (GDPR) and the Proposed ePrivacy Regulation </strong> </a> (MLPB, 18 Aug 2017) - W. Gregory Voss, Toulouse Business School, has published <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3008765"> First the GDPR, Now the Proposed ePrivacy Regulation </a> at 21 Journal of Internet Law 3 (July 2017). 
Here is the abstract: <em> On January 10, 2017, less than nine months after the General Data Protection Regulation (GDPR) was adopted by the European Union, the European Commission issued its proposal for a new ePrivacy Regulation. In analyzing this new proposal, this article first places European Union ePrivacy legislation in context before detailing the main points of the proposed ePrivacy Regulation, including its broad territorial scope, its material scope, its interface with the GDPR, as well as provisions on cookies, confidentiality of communications, application of the concept of consent and unsolicited direct marketing communications and enforcement measures (including sanctions). Next, this article discusses advisory and industry reactions to the proposed Regulation, and outlines the legislative process, prior to making certain conclusory remarks. </em> <a href="#TOP">top </a> </p> <p> <strong> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2017/08/hoofnagle-on-ftc-regulation-of-cybersecurity-and-surveillance-hoofnagle.html" > Hoofnagle on FTC Regulation of Cybersecurity and Surveillance </a> </strong> (MLPB, 24 Aug 2017) - Chris Jay Hoofnagle, University of California, Berkeley, School of Information, and University of California, Berkeley, School of Law, is publishing <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3010205"> FTC Regulation of Cybersecurity and Surveillance </a> in The Cambridge Handbook of Surveillance Law (David Gray and Stephen Henderson, eds., Cambridge University Press 2017). Here is the abstract: <em> The Federal Trade Commission (FTC) is the United States' chief consumer protection agency. Through its mandate to prevent unfair and deceptive trade practices, it both regulates surveillance and creates cybersecurity law. This chapter details how the FTC regulates private-sector surveillance and elucidates several emergent properties of the agency's activities. 
First, private-sector surveillance shapes individuals' reasonable expectations of privacy, and thus regulation of the private-sector has effects on the government as surveillant. The FTC's activities not only serve dignity interests in avoiding commercial inference in one's life, they also affect citizens' civil liberties posture with the state. Second, surveillance can make companies directly liable (for intrusive web monitoring, for tracking people offline, and for installing malware) or indirectly liable (for creating insecure systems, for using deception to investigate, and for mediating the surveillance of others) under the FTC Act. Third, the FTC's actions substitute plaintiffs' litigation for privacy, as the class action is burdened in novel ways. Fourth, the FTC's actions increase the quality of consent necessary to engage in surveillance, and in so doing, the FTC has made some kinds of surveillance practically impossible to implement legally. Finally, the FTC's actions make companies more responsible for their surveillance technologies in several ways-by making software vendors liable for users' activities, by imposing substantive security duties, and by narrowing internet intermediary immunity. </em> <a href="#TOP">top </a> </p> <p> <strong> <a href="https://www.cisco.com/c/dam/global/es_mx/solutions/security/pdf/cisco-2017-midyear-cybersecurity-report.pdf?elq_mid=49158&elq_cid=996107&elqTrackId=431CB06BC663718E405384A0CDA4A895&elq=7e4be08488cb4dd7bcc94366d033cae8&elqaid=49158&elqat=1&elqCampa" > Cisco 2017 Midyear Cybersecurity Report </a> </strong> (Cisco, 24 Aug 2017) - For nearly a decade, Cisco has published comprehensive cybersecurity reports that are designed to keep security teams and the businesses they support apprised of cyber threats and vulnerabilities-and informed about steps they can take to improve security and cyber-resiliency. 
In these reports, we strive to alert defenders to the increasing sophistication of threats and the techniques that adversaries use to compromise users, steal information, and create disruption. With this latest report, however, we find we must raise our warning flag even higher. Our security experts are becoming increasingly concerned about the accelerating pace of change-and yes, sophistication-in the global cyber threat landscape. That is not to say defenders are not improving their ability to detect threats and prevent attacks, or to help users and organizations avoid or recover more quickly from them. But we see two dynamics undermining their hard-won successes, hindering further progress, and helping to usher in a new era of cyber risks and threats: * * * <a href="#TOP">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://www.abajournal.com/magazine/article/settling_it_on_the_web"> <strong>Settling it on the web </strong> </a> (ABA Journal, 4 Oct 2007) - Online dispute resolution was supposed to take over the legal profession. With the rise of the Internet, artificial intelligence and other clever bits of technology, lawyers would be able to solve legal disputes with computers, not courtrooms and judges. "Around 1999 or 2000 we thought this would be huge; every court would have a kiosk out front for ODR," says Colin Rule, ODR director for eBay and PayPal. But a funny thing happened after the dot-com bust. ODR seemed to fail. And now, instead of being imposed on the legal profession from the outside, it is bubbling up from within the trade. Rule says ODR is integrated into a lot of business models and has become so integral that many people might not even know it's there. "Look at me: When we started, I worked at a tiny, independent ODR company," he says. 
"Now I'm part of this big company that handles millions of disputes online, and nobody thinks twice about it." Web technology is now slowly making inroads into dispute resolution that had been handled offline. Dan Rainey, director of the office of alternative dispute resolution services for the National Mediation Board, a federal agency, says he hopes to soon handle 10 percent of its arbitration cases online. <a href="#TOP">top </a> </p> <p> <a href="http://technology.findlaw.com/legal-software/software-provider-liable-for-unauthorized-practice-of-law-in.html" > <strong> Software provider liable for unauthorized practice of law in Ninth Circuit </strong> </a> (Findlaw.com, March 2007) -- Legal software vendors beware! The Ninth Circuit recently held that a seller of web-based bankruptcy software qualified as a bankruptcy petition preparer and, as such, engaged in fraud and the unauthorized practice of the law. Any provider of software that claims to "know the law" and offers automated form selection should examine this decision closely to make sure their activities are within legal boundaries. The suit, Frankfort Digital Services v. Kistler (In re: Reynoso), arose out of a bankruptcy proceeding, during which the petitioner paid to use browser-based software that prepared his bankruptcy petition based on information he provided. The product's web site explained that the software would choose which bankruptcy exemptions to apply for and remove any need for the petitioner to individually select which schedule to use for the various pieces of information involved. During the first meeting with the petitioner's creditors, the Chapter 7 trustee noticed mistakes, learned about the software and filed an adversary action against the software vendor alleging violations of 11 U.S.C. section 110. This action added to the list of section 110 proceedings against the software vendor, which had already run afoul of several other Chapter 7 trustees. 
The bankruptcy court held that collateral estoppel prevented the vendor from challenging its status as a "bankruptcy petition preparer engaged in the unauthorized practice of law," since a previous case had gone against the vendor on this point. The Bankruptcy Appellate Panel of the 9th Circuit agreed with the bankruptcy court and affirmed based on issue preclusion. The regular Ninth Circuit panel decided to address the merits of the case, however, after accepting defendant's argument that the website had changed since the previous case was decided. The court found that the vendor indeed qualified as a bankruptcy petition preparer, which was the first time that the Ninth Circuit had determined that a software-provider could qualify as such. Since bankruptcy petition preparers are, by definition, not attorneys, the court's next step was to examine California law to determine whether the vendor engaged in the unauthorized practice of the law. Case at <a href="http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf"> http://caselaw.lp.findlaw.com/data2/circs/9th/0417190p.pdf </a> <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. 
The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p>
<p> <a name="TOP"> </a> MIRLN --- 16 July - 5 August 2017 (v20.11) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_16_july_5_august_2017_v2011/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <ul> <li> <a href="#NewYorkDFS"> New York DFS publishes FAQs on new cybersecurity regulations </a> </li> <li> <a href="#WhenDoReview"> When do review websites commit extortion?-Icon Health v. ConsumerAffairs </a> </li> <li> <a href="#LloydsOfLondon"> Lloyds of London: Insure cyberattacks like natural disasters </a> </li> <li> <a href="#AllegedRetwee"> Alleged retweet by judge doesn't warrant retroactive recusal, 9th Circuit rules </a> </li> <li> <a href="#MiamiDade"> Miami-Dade judge's Facebook 'friendship' leads to court battle </a> </li> <li> <a href="#CourtRulesThat"> Court rules that politicians blocking followers violates free speech </a> </li> <li> <a href="#Debevoise"> Debevoise protocol to promote cybersecurity in international arbitration </a> </li> <li> <a href="#NewZealand"> New Zealand airports customs officials performing 'digital strip searches' of travelers' electronics </a> </li> <li> <a href="#NYCbarGuides"> NYC Bar guides attorneys on US border e-device searches </a> </li> <li> <a href="#FedExOnPetya"> FedEx on Petya attack: systems still down, no cyber insurance </a> </li> <li> <a href="#PutinsHackers"> Putin's hackers now under attack-from Microsoft </a> </li> <li> <a href="#CourtRejectsCellSite"> Court rejects cell site RF signal map in murder trial because it's evidence of nothing </a> </li> 
<li> <a href="#AbusesHide"> Abuses hide in the silence of non-disparagement agreements </a> </li> <li> <a href="#SECregulators">SEC regulators are coming after ICOs </a> </li> <li> <a href="#TheUniformLaw"> The Uniform Law Commission has given states a clear path to approach bitcoin </a> </li> <li> <a href="#LawyersEdiscovery"> Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients </a> </li> <li> <a href="#SciHubsCache"> Sci-Hub's cache of pirated papers is so big, subscription journals are doomed, data analyst suggests </a> </li> <li> <a href="#Elsevier"> Elsevier acquires bepress: Library and knowledge community respond </a> </li> <li> <a href="#LinkedInItsIllegal"> LinkedIn: It's illegal to scrape our website without permission </a> </li> <li> <a href="#Daenerys"> Daenerys Stormborn, Jon Snow and the real enemy of higher education </a> </li> <li> <a href="#ThisShadowy"> This shadowy company is flying spy planes over US cities </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="NewYorkDFS"> </a> <strong> <a href="https://www.insideprivacy.com/data-security/cybersecurity/new-york-dfs-publishes-faqs-on-new-cybersecurity-regulations-2/?elq_mid=48465&elq_cid=996107" > New York DFS publishes FAQs on new cybersecurity regulations </a> </strong> (Covington, 14 July 2017) - As <a href="https://www.insideprivacy.com/data-security/new-york-state-proposes-cybersecurity-regulation-for-financial-services-institutions/" > our readers know </a> , New York's Department of Financial Services ("NY DFS") released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 ( <a href="http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf"> 23 NYCRR 500 </a> ). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk. 
Notwithstanding the fanfare surrounding the <a href="https://www.governor.ny.gov/news/governor-cuomo-announces-proposal-first-nation-cybersecurity-regulation-protect-consumers-and" > announcement </a> of these "first-in-the-nation" regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the <a href="http://www.dfs.ny.gov/about/cybersecurity.htm"> August 28 deadline </a> for compliance with the first round of requirements (Section 500.22(a)). On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a " <a href="http://www.dfs.ny.gov/about/cybersecurity_faqs.htm"> Frequently Asked Questions </a> " section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below: * * * [ <strong>Polley </strong>: e.g., a possible obligation to report <u>unsuccessful </u> cyber attacks.] <a href="#TOP">top </a> </p> <p> <a name="WhenDoReview"> </a> <strong> <a href="http://blog.ericgoldman.org/archives/2017/07/when-do-review-websites-commit-extortion-icon-health-v-consumeraffairs.htm" > When do review websites commit extortion?-Icon Health v. ConsumerAffairs </a> </strong> (Eric Goldman, 14 July 2017) - Icon Health and Fitness manufactures exercise equipment, such as the well-known NordicTrack. ConsumerAffairs is a review website. Like many other review websites, its business model is predicated on payments from reviewed businesses. However, ConsumerAffairs' specific practices raise some extra questions. The complaint made the following allegations: <em> Defendants, through that database, favor product manufacturers who agree to pay a one-time setup fee and an ongoing monthly fee to ConsumerAffairs or Consumers Unified, LLC. 
ConsumerAffairs publishes an "Overall Satisfaction Rating" for each product reviewed on its website. The Overall Satisfaction Rating is expressed as a star rating out of five possible stars. ConsumerAffairs calculates the rating based on an unspecified subset of user reviews hosted on ConsumerAffairs' website. ConsumerAffairs chooses which consumer reviews to include in a given company's Overall Satisfaction Rating based solely on whether that company pays a monthly fee to ConsumerAffairs. ConsumerAffairs alters a company's Overall Satisfaction Rating by intentionally omitting or removing legitimate positive consumer-submitted reviews from pages discussing non-paying companies. </em> <strong>* * * </strong> If these allegations are true, as a consumer I would not consider ConsumerAffairs' review database management practices credible. Nevertheless, to me, these allegations make it clear that ConsumerAffairs qualifies for Section 230 protection (see also the <a href="http://blog.ericgoldman.org/archives/2009/12/consumer_review_1.htm" > Fourth Circuit's Nemet Chevrolet ruling </a> , but see the <a href="http://blog.ericgoldman.org/archives/2016/06/review-website-gets-hammered-in-court-consumer-cellular-v-consumeraffairs.htm" > disastrous Consumer Cellular ruling </a> ). Unfortunately, the court doesn't know what to do with these allegations. Thus, the court bifurcates its opinion into some general principles about Section 230 and then specific applications on a claim-by-claim basis. The net effect isn't too bad for ConsumerAffairs, but the opinion has many interstices. 
* * * <a href="#TOP">top </a> </p> <p> <a name="LloydsOfLondon"> </a> <strong> <a href="http://thehill.com/policy/cybersecurity/342311-lloyds-of-london-insure-cyberattacks-like-natural-disasters" > Lloyds of London: Insure cyberattacks like natural disasters </a> </strong> (The Hill, 17 July 2017) - Cybersecurity insurers have to become more prepared to treat global cyberattacks more like natural disasters than traditional crimes, <a href="https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost" > concludes a report from </a> <a href="https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost" > insurer Lloyd's of London </a> . In a report dated last week, the United Kingdom-based firm speculates about two hypothetical "cyber events" that could cause global damage cybersecurity insurance providers may not be prepared for. The report tabulates the potential damage caused by two types of attacks. In one, hackers disrupt cloud service providers. In a second, hackers get their hands on a vulnerability for an operating system used by 45 percent of the global market. Lloyd's of London approximates that average cloud service events of varying severity range from $4.6 billion in total damages for a "large" attack to $53.1 billion for an "extreme" one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one. The report notes that attacks fluctuate dramatically around that average - in the extreme cloud event that averaged $53.1 billion in damages, attacks might do as little as $15.6 billion or as much as $121.4 billion. Lloyd's notes that much of the damages would not be covered by insurance. Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example. 
<a href="#TOP">top </a> </p> <p> <a name="AllegedRetwee"> </a> <strong> <a href="http://www.abajournal.com/news/article/alleged_retweet_by_judge_doesnt_warrant_retroactive_recusal_9th_circuit_rul" > Alleged retweet by judge doesn't warrant retroactive recusal, 9th Circuit rules </a> </strong> (ABA Journal, 17 July 2017) - A federal appeals court has refused to order the retroactive recusal of a federal judge accused of retweeting a news story about a case after he denied a motion. The San Francisco-based 9th U.S. Circuit Court of Appeals said that, even if U.S. District Judge William Shubb was the owner of the anonymous Twitter account at issue, his tweet didn't warrant retroactive recusal, report the <a href="http://www.therecorder.com/id=1202792948808/In-Sierra-Pacific-Appeal-Cautionary-Tale-for-Tweeting-Judges?mcode=1202617072607&curindex=0" > Recorder </a> (sub. req.), the <a href="http://www.sacbee.com/news/local/article161204183.html"> Sacramento Bee </a> and the <a href="http://www.metnews.com/articles/2017/tweet071417.htm"> Metropolitan News-Enterprise </a> . <a href="http://abovethelaw.com/2017/07/did-this-judges-tweeting-constitute-reversible-error/?rf=1" > Above the Law </a> noted the July 13 <a href="http://cdn.ca9.uscourts.gov/datastore/opinions/2017/07/13/15-15799.pdf" > decision </a> (PDF). Sierra Pacific had initially sought to unravel a $122 million settlement related to a massive forest fire in 2007 based on allegations of government misconduct. The government had sued Sierra Pacific and other defendants to recover damages and money it spent fighting the blaze. Shubb refused to grant Sierra Pacific's motion for relief from judgment. Sierra Pacific Industries Inc. claimed Shubb was tweeting at the account <a href="https://twitter.com/Nostalgist1?lang=en">@nostalgist1 </a>. The account had followed the U.S. Attorney's office, which tweeted eight times about the case after Shubb's ruling. 
Sierra Pacific had argued that following the account created the appearance of bias. The news article that was retweeted was headlined "Sierra Pacific still liable for Moonlight Fire damages." Sierra Pacific had objected to the headline because it didn't admit liability and the settlement had said the payment didn't constitute damages. Sierra Pacific said the retweet created an additional inference of bias and constituted an impermissible public comment. Merely following a Twitter account doesn't create a basis for recusal and doesn't constitute improper ex parte communications, the appeals court said. Nor did retweeting a news article constitute plain error requiring recusal, the appeals court also said. Though the appeals court saw no reason to require Shubb's retroactive recusal, it nonetheless said the case was "a cautionary tale about the possible pitfalls of judges engaging in social media activity relating to pending cases." <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="MiamiDade"> </a> <strong> <a href="http://www.dailybusinessreview.com/id=1202794267066/MiamiDade-Judges-Facebook-Friendship-Leads-to-Court-Battle?mcode=1202617073880&curindex=0&slreturn=20170631121604" > Miami-Dade judge's Facebook 'friendship' leads to court battle </a> </strong> (Daily Business Review, 28 July 2017) - A North Miami law firm is <a href="http://www.almcms.com/contrib/content/uploads/sites/292/2017/07/FILED-HLG-Petition-for-Writ-of-Prohibition-3D17-1421-1.pdf" > fighting </a> to have a judge removed from a case for being Facebook friends with a lawyer who appeared before her. Miami-Dade Circuit Judge Beatrice Butchko is publicly linked on the social networking site with Israel Reyes, a former colleague from the bench. Reyes, now the managing partner at the Reyes Law Firm in Coral Gables, entered an appearance on behalf of a nonparty in a case before Butchko. 
The Facebook friendship means Reyes can "influence" Butchko, who therefore "cannot be impartial," argued Reuven Herssein, founding member of Herssein Law Group, in a motion to disqualify Butchko. She <a href="http://www.almcms.com/contrib/content/uploads/sites/292/2017/07/Butchko-recusal-order.pdf" > declined </a> to recuse herself, saying the motion was legally insufficient. The fight is now before the Third District Court of Appeal, where attorneys are debating the ethics of judicial social media use nearly a decade after the state first addressed judges' Facebook friendships. Florida has relatively strict guidelines on social media connections, compared with other states. A <a href="http://www.jud6.org/legalcommunity/legalpractice/opinions/jeacopinions/2009/2009-20.html" > 2009 opinion </a> from the Florida Supreme Court's judicial ethics advisory committee said judges should not send or accept social media friend requests from lawyers who may appear before them. "The committee believes that listing lawyers who may appear before the judge as 'friends' on a judge's social networking page reasonably conveys to others the impression that these lawyer 'friends' are in a special position to influence the judge," the committee wrote, recognizing that a social media "friend" may be nothing more than a distant acquaintance. The Fourth District Court of Appeal relied on the opinion in a decision disqualifying a judge in a criminal case for being Facebook friends with the prosecutor. The court found the social media connection could "create in a reasonably prudent person a well-founded fear of not receiving a fair and impartial trial." But United States Automobile Association, the defendant in the case filed by Herssein Law Group, <a href="http://www.almcms.com/contrib/content/uploads/sites/292/2017/07/USAAs-Response-to-WOP-3D17-1421.pdf" > argues </a> the Fourth DCA decision doesn't apply here. 
While a criminal defendant might reasonably fear bias in this situation, Herssein and his firm are more sophisticated than that, USAA's counsel argued. "No reasonably prudent Miami lawyer has a well-founded fear of not receiving a fair and impartial trial simply because two judges who sat on the bench in Miami-Dade County are 'friends' on Facebook," wrote Shutts & Bowen attorneys Patrick Brugger and Frank Zacherl of Miami, who did not respond to a request for comment by deadline. Eleven states have issued guidance on judicial social media use, according to the National Center for State Courts. Florida's guidelines are among the most restrictive, with states including California, Kentucky and New York opining that judges can accept Facebook friend requests from lawyers who may appear before them under certain conditions. In California, judges may add lawyers on Facebook if their pages are used only for professional activities, such as interacting with members of a law school alumni group. Other factors include how many friends the judge has, whether he or she declines some attorneys' friend requests but accepts others and how often the attorney appears before the judge. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="CourtRulesThat"> </a> <strong> <a href="http://nymag.com/selectall/2017/07/judge-politicians-blocking-followers-violates-free-speech.html" > Court rules that politicians blocking followers violates free speech </a> </strong> (NY Magazine, 28 July 2017) - While there is no set precedent for the issue, more and more courts are encountering a new type of lawsuit related to social-media blocking. The Knight Foundation, for instance, is suing the U.S. government on behalf of Twitter users <a href="https://www.wired.com/2017/06/trumps-habit-twitter-blocking-may-violate-first-amendment/" > blocked by President Donald Trump </a> , whose Twitter account has become alarmingly vital when it comes to understanding his presidency. 
This week, a federal court in Virginia tackled the issue when it ruled on behalf of a plaintiff blocked by a local county politician. According to <a href="https://www.wsj.com/articles/court-rules-against-politician-who-banned-access-to-her-facebook-page-1501176625" > <em>The Wall Street Journal </em> </a> , "Brian Davison sued the chairwoman of the Loudoun County Board of Supervisors, who temporarily banned him from her Facebook page after he posted criticism of local officials last year." Judge James Cacheris found that she had violated Davison's First Amendment rights by blocking him from leaving comments, because, in his judgment, the chairwoman, Phyllis Randall, was using her Facebook page in a public capacity. Though it was a personal account, she used it to solicit comments from constituents. "The suppression of critical commentary regarding elected officials is the quintessential form of viewpoint discrimination against which the First Amendment guards," the judge stated in his ruling. Cacheris did emphasize that his ruling should not prohibit officials from moderating comments to protect against harassment. Davison was only banned for 12 hours, and Randall faces no penalties. Still, the ruling is one of the first in a growing, thorny legal issue surrounding social media that has already reached the White House. <a href="#TOP">top </a> </p> <p> <a name="Debevoise"> </a> <strong> <a href="http://www.debevoise.com/~/media/files/capabilities/cybersecurity/Protocol_Cybersecurity_Intl_Arb_July2017.pdf" > Debevoise protocol to promote cybersecurity in international arbitration </a> </strong> (Debevoise, July 2017) - As the prevalence of malicious cyberactors and cyberattacks on high-profile companies and government organizations grows, parties to commercially or politically sensitive international arbitrations increasingly express concerns with respect to cybersecurity. 
Cybersecurity threats may create significant operational and legal problems that can compromise the arbitral process, including loss or unauthorized disclosure of sensitive data, breaches of attorney-client confidentiality, adverse media coverage and reputational damage, costs associated with breach notification or data recovery, and legal liability. In addition to the threat cyberattacks pose to the parties to an arbitration, failing to address this problem could ultimately lead to a loss of confidence in the arbitral system. To respond to these concerns, the practitioners at Debevoise & Plimpton LLP have developed this Protocol to Promote Cybersecurity in International Arbitration. This Protocol operates on three principles: (i) Establishing Secure Protocols for the Transfer of Sensitive Information at the Outset of Proceedings, (ii) Limiting Disclosure and Use of Sensitive Information, and (iii) Developing Procedures for Disclosing Cyber Incidents. * * * <a href="#TOP">top </a> </p> <p> <a name="NewZealand"> </a> <strong> <a href="https://www.techdirt.com/articles/20170709/14545537748/new-zealand-airports-customs-officials-performing-digital-strip-searches-travelers-electronics.shtml" > New Zealand airports customs officials performing 'digital strip searches' of travelers' electronics </a> </strong> (TechDirt, 17 July 2017) - Despite DHS hints that foreign airports were <a href="https://www.techdirt.com/articles/20170629/13513637699/dhs-to-expand-foreign-laptop-ban-if-overseas-airlines-wont-make-their-security-more-theatrical.shtml" target="_blank" > falling down </a> on the "security theater" job, it appears a few customs officials are more than happy to engage in local versions of " <a href="https://www.techdirt.com/articles/20170222/11492136768/sen-wyden-wants-answers-new-dhs-head-introducing-legislation-to-create-warrant-requirement-border-phone-searches.shtml" target="_blank" > extreme vetting </a> ." 
New Zealand customs officials are way ahead of the DHS in this department, having turned airports into <a href="https://www.techspot.com/amp/news/69983-new-zealand-airport-customs-officials-routinely-demand-passwords.html" target="_blank" > rights-free zones where nearly anything can happen... to travelers </a> . <em> According to an investigative report by <a href="https://www.tvnz.co.nz/one-news/new-zealand/digital-strip-searches-nz-airports-force-hundreds-kiwis-surrender-mobile-and-laptop-passwords-each-year" target="_blank" > New Zealand's 1 news </a> , airport customs officials routinely force up to two travelers each day to give up their electronic devices and passwords for searching. According to the customs agents, the program is designed to look for smugglers by performing a "digital strip search" on the phones and laptops of travelers. This does not require a court order, but the agents do claim to adhere to New Zealand's privacy act. </em> The data shows more than 1,300 people have been subjected to these suspicionless "strip searches" since 2015, with less than a third of those being New Zealand citizens. The majority of those searched are foreigners and it appears visitors to the country should somehow expect delays of up to five hours thanks to this supposedly random vetting process. And there is no option to refuse this additional, highly-invasive search. As Techspot reports, travelers refusing to hand over their electronic devices can be subject to fines of $5,000. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="NYCbarGuides"> </a> <strong> <a href="https://bol.bna.com/nyc-bar-guides-attorneys-on-u-s-border-e-device-searches/" > NYC Bar guides attorneys on US border e-device searches </a> </strong> (Bloomberg, 28 July 2017) - Attorneys crossing the U.S. border now have more guidance on how they should protect confidential client information stored on electronic devices from the prying eyes of customs and immigration agents. 
A formal <a href="http://www.nycbar.org/member-and-career-services/committees/reports-listing/reports/detail/formal-opinion-2017-5-an-attorneys-ethical-duties-regarding-us-border-searches-of-electronic-devices-containing-clients-confidential-information" target="_blank" > opinion </a> issued July 25 by the New York City Bar's ethics committee identifies some measures attorneys who travel internationally may take to satisfy their ethical obligations, in light of broad powers that U.S. Customs and Border Protection (CBP) agents assert they have to inspect travelers' electronic devices. The ethics opinion appears to be the first to address the topic and comes at a time when there has been an uptick in U.S. border electronic device searches by CBP agents. There were nearly 15,000 electronic devices searched during the first six months of the CBP's 2017 fiscal year, compared to just over 8,000 searches during the previous six months, according to CBP statistics released in April. As the number of searches of electronic devices has increased, many major law firms are reevaluating what policies they should have in place in order to protect confidential information, Steven Puiszis, a Chicago-based partner at Hinshaw & Culbertson LLP, who is his firm's general counsel for privacy, security & compliance, told Bloomberg BNA. The American Bar Association has also raised concerns about the handling of privileged and confidential legal materials during border searches. In May, the ABA sent a letter to the Department of Homeland Security, asking it to revise directives on the standards and procedures that CBP and Immigration and Customs Enforcement agents must follow before the contents of a lawyer's electronic device can be searched or seized at the border. 
ABA asserted that DHS's interpretation of the directives has "resulted in CBP Officers and ICE Special Agents exercising sweeping powers to search electronic devices at the border, with or without reasonable suspicion of any wrongdoing." ABA urged that DHS revise the directives to state that privileged or confidential electronic documents and files on a device cannot be read, duplicated, seized, or shared unless a subpoena or warrant is first obtained. The ethics committee's opinion addresses steps attorneys can take prior to crossing the U.S. border, during border searches, and after a CBP agent reviews confidential information. The opinion provides some practical guidance and highlights an issue that attorneys should be aware of, J. Alexander Lawrence, a New York-based partner at Morrison & Foerster LLP and co-chair of its eDiscovery Task Force, told Bloomberg BNA. * * * <a href="#TOP">top </a> </p> <p> <a name="FedExOnPetya"> </a> <strong> <a href="https://www.cso.com.au/article/622241/fedex-petya-attack-systems-still-down-no-cyber-insurance/" > FedEx on Petya attack: systems still down, no cyber insurance </a> </strong> (CSO, 18 July 2017) - US parcel delivery giant FedEx says customers of subsidiary TNT Express are still experiencing delays due to the Petya ransomware attack and that it didn't have cyber insurance to cover the incident. The company <a href="http://investors.fedex.com/news-and-events/investor-news/news-release-details/2017/FedEx-Files-10-K-with-Additional-Disclosure-on-Cyber-Attack-Affecting-TNT-Express-Systems/default.aspx" > released further details </a> about the impact of the attack in its <a href="https://www.sec.gov/Archives/edgar/data/1048911/000095012317006152/fdx-10k_20170531.htm" > SEC 10-K filing today </a> , revealing the attack affected operational, financial, back-office and secondary business systems. FedEx still does not know when some of the systems downed by the Petya ransomware can be revived. 
On June 28, a day after the Petya ransomware began spreading in Ukraine, FedEx trading due to an unspecified cyber attack that crippled the operations of TNT Express, its Netherlands-based subsidiary. The attack forced it to move some TNT services across to FedEx. FedEx hasn't calculated the exact damage to its balance sheet, but repeated its initial warning that it would likely materially affect its financial performance. [ <strong>Polley </strong>: from the FedEx <a href="http://investors.fedex.com/news-and-events/investor-news/news-release-details/2017/FedEx-Files-10-K-with-Additional-Disclosure-on-Cyber-Attack-Affecting-TNT-Express-Systems/default.aspx" > press release </a> re the SEC 10-K: " <em> We do not have cyber or other insurance in place that covers this attack. </em> " And: " <em> In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods. </em> "] <a href="#TOP">top </a> </p> <p> <a name="PutinsHackers"> </a> <strong> <a href="http://www.thedailybeast.com/microsoft-pushes-to-take-over-russian-spies-network" > Putin's hackers now under attack-from Microsoft </a> </strong> (The Daily Beast, 20 July 2017) - A new offensive by Microsoft has been making inroads against the Russian government hackers behind last year's election meddling, identifying over 120 new targets of the Kremlin's cyber spying, and control-alt-deleting segments of Putin's hacking apparatus. How are they doing it? It turns out Microsoft has something even more formidable than Moscow's malware: Lawyers. Last year attorneys for the software maker quietly sued <a href="http://www.thedailybeast.com/fbi-suspects-russia-hacked-dnc-us-officials-say-it-was-to-elect-donald-trump" > the hacker group known as Fancy Bear </a> in a federal court outside Washington DC, accusing it of computer intrusion, cybersquatting, and infringing on Microsoft's trademarks. 
The action, though, is not about dragging the hackers into court. The lawsuit is a tool for Microsoft to target what it calls "the most vulnerable point" in Fancy Bear's espionage operations: the command-and-control servers the hackers use to covertly direct malware on victim computers. These servers can be thought of as the spymasters in <a href="http://thedailybeast.com/keyword/russia">Russia </a>'s cyber espionage, waiting patiently for contact from their malware agents in the field, then issuing encrypted instructions and accepting stolen documents. Since August, Microsoft has used the lawsuit to wrest control of 70 different command-and-control points from Fancy Bear. The company's approach is indirect, but effective. Rather than getting physical custody of the servers, which Fancy Bear rents from data centers around the world, Microsoft has been taking over the Internet domain names that route to them. These are addresses like "livemicrosoft[.]net" or "rsshotmail[.]com" that Fancy Bear registers under aliases for about $10 each. Once under Microsoft's control, the domains get redirected from Russia's servers to the company's, cutting off the hackers from their victims, and giving Microsoft an omniscient view of that server's network of automated spies. "In other words," Microsoft outside counsel Sten Jenson explained in a court filing last year, "any time an infected computer attempts to contact a command-and-control server through one of the domains, it will instead be connected to a Microsoft-controlled, secure server." 
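The takeover described above works because the malware reaches its command-and-control server by name, through look-alike domains that embed a trusted brand ("livemicrosoft[.]net", "rsshotmail[.]com"). A defender does not need a lawsuit to benefit from the same observation: queries for such names in an organisation's own resolver logs point at infected hosts whether or not the domain has yet been sinkholed. The following Python script is an added example for this item, not Microsoft's code or anything from the article; the log line format, the brand-token list, the allowlist of legitimate apex domains and the toy public-suffix list are all assumptions chosen for illustration, and the sample log is constructed (it reuses only the two domain names quoted in the article).

```python
"""Flag DNS queries to brand-impersonating domains in a resolver log.

Added example for the Fancy Bear / Microsoft domain-takeover item; not
Microsoft's code or method. Log format, brand list, allowlist and the
suffix list are assumptions chosen for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Brand tokens to protect (assumption: chosen from the names in the article).
BRAND_TOKENS = ("microsoft", "hotmail", "outlook")

# Apex domains on which those tokens legitimately appear (assumption:
# an organisation-maintained allowlist).
LEGIT_APEX = {"microsoft.com", "hotmail.com", "outlook.com", "live.com"}

# Toy public-suffix table; a real deployment would use the Public Suffix List.
SUFFIXES = {"com", "net", "org", "co.uk"}

# Assumed log format: "<timestamp> client=<ip> query=<fqdn> type=<qtype>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    client: str   # host that issued the query
    qname: str    # full name queried, normalised
    apex: str     # registrable domain the name belongs to
    brand: str    # brand token found inside the apex label


def registrable_apex(qname: str) -> str:
    """Registrable apex of a FQDN, e.g. 'mail.example.co.uk' -> 'example.co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    # Try a two-label suffix (co.uk) before a one-label suffix (com).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def brand_in_apex(apex: str) -> str | None:
    """Return the protected brand token embedded in the apex label, if any."""
    label = apex.split(".")[0]
    for brand in BRAND_TOKENS:
        if brand in label:
            return brand
    return None


def scan(lines) -> list[Finding]:
    """Return one Finding per query whose apex imitates a protected brand."""
    findings: list[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the sweep
        qname = m.group("qname")
        apex = registrable_apex(qname)
        if apex in LEGIT_APEX:
            continue  # the brand's own domain is expected traffic
        brand = brand_in_apex(apex)
        if brand:
            findings.append(Finding(m.group("client"), qname.rstrip(".").lower(), apex, brand))
    return findings


# Constructed sample resolver log (not real traffic); the two look-alike
# names are the ones quoted in the article.
SAMPLE_LOG = [
    "2018-12-01T10:00:01Z client=10.0.0.5 query=www.microsoft.com. type=A",
    "2018-12-01T10:00:02Z client=10.0.0.5 query=update.livemicrosoft.net. type=A",
    "2018-12-01T10:00:03Z client=10.0.0.9 query=rsshotmail.com. type=A",
    "2018-12-01T10:00:04Z client=10.0.0.9 query=mail.outlook.com. type=MX",
    "2018-12-01T10:00:05Z client=10.0.0.12 query=example.co.uk. type=A",
    "not a log line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} queried {f.qname} (apex {f.apex} imitates '{f.brand}')")
```

The allowlist check runs before the brand check, so the brand's own domains never produce noise; everything else that carries a brand token in its registrable label is reported with the querying client, which is the host a responder would isolate and image.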
<a href="#TOP">top </a> </p> <p> <a name="CourtRejectsCellSite"> </a> <strong> <a href="https://www.techdirt.com/articles/20170705/18062937724/court-rejects-cell-site-rf-signal-map-murder-trial-because-evidence-nothing.shtml" > Court rejects cell site RF signal map in murder trial because it's evidence of nothing </a> </strong> (TechDirt, 21 July 2017) - The Maryland Court of Special Appeals has handed down a <a href="http://mdcourts.gov/opinions/cosa/2017/0713s16.pdf" target="_blank" > ruling </a> [PDF] on quasi-cell site location info. The evidence offered by the state isn't being so much suppressed as it is being rejected. The information wasn't obtained illegally and no rights were violated. Rather, the court finds the evidence to be questionable, as in "evidence of what, exactly?" [via <a href="http://lawprofessors.typepad.com/evidenceprof/2017/06/two-days-ago-the-court-of-special-appeals-of-maryland-issued-an-interesting-opinion-in-phillips-v-state-in-phillips-bashu.html" target="_blank" > EvidenceProf Blog </a> ] The defendant in the case is charged with murder. Bashunn Phillips filed a motion to exclude the evidence, which was granted by the lower court. The state appealed. But there's nothing in it for the state. The "evidence" -- which is going to carry around scare quotes for the remainder of this post -- doesn't tie Phillips to anything. What was submitted isn't even the equivalent of coarse cell site location info. What the state submitted is something that can easily be obtained without a warrant… because it doesn't actually target any person at all. <em> Phillips filed a motion in limine on August 7, 2015, seeking to exclude the RF signal propagation map and related testimony. Phillips argued that the method used to create the map was not generally accepted as reliable within the relevant scientific community under Maryland's Frye-Reed test for admissibility of evidence based on novel scientific methodology. 
Phillips acknowledged that cell phone tower "ping" evidence is admissible, but drew a distinction between the method used to create the RF signal propagation map and the collection of historical cell phone "ping" evidence. * * * </em> <a href="#TOP">top </a> </p> <p> <a name="AbusesHide"> </a> <strong> <a href="https://www.cnbc.com/2017/07/21/abuses-hide-in-the-silence-of-non-disparagement-agreements.html" > Abuses hide in the silence of non-disparagement agreements </a> </strong> (CNBC, 21 July 2017) - * * * As more harassment allegations come to light, employment lawyers say nondisparagement agreements have helped enable a culture of secrecy. In particular, the <a href="https://www.nytimes.com/2017/06/30/technology/women-entrepreneurs-speak-out-sexual-harassment.html" > tech start-up world has been roiled </a> by accounts of workplace sexual harassment, and nondisparagement clauses have played a significant role in keeping those accusations secret. Harassers move on and harass again. Women have no way of knowing their history. Nor do future employers or business partners. Nondisparagement clauses are not limited to legal settlements. They are increasingly found in standard employment contracts in many industries, sometimes in a simple offer letter that helps to create a blanket of silence around a company. Their use has become particularly widespread in tech employment contracts, from venture investment firms and start-ups to the biggest companies in Silicon Valley, including Google. * * * In its buyout agreements, The New York Times asks employees to agree to a limited nondisparagement clause that specifies the agreement does not prohibit people from providing information about legal violations or discrimination to the government or regulators. The terms of other nondisparagement agreements vary. 
<a href="#TOP">top </a> </p> <p> <a name="SECregulators"> </a> <strong> <a href="https://techcrunch.com/2017/07/25/sec-regulators-are-coming-after-icos/amp/" > SEC regulators are coming after ICOs </a> </strong> (TechCrunch, 25 July 2017) - It looks like <a href="https://techcrunch.com/2017/05/23/wtf-is-an-ico/" target="_blank"> ICOs </a> , shorthand for initial coin offerings, are about to undergo a lot more scrutiny. The SEC has concluded that the digital currency financing events will be regulated as securities, meaning unregistered offerings could be subject to criminal punishment. The decision was <a href="https://www.sec.gov/news/press-release/2017-131" target="_blank"> announced </a> on Tuesday. To reach its findings, regulators evaluated an offering facilitated by "The DAO," which resulted in theft by hackers. The <a href="https://www.sec.gov/news/press-release/2017-131" target="_blank"> report </a> concluded, "that issuers of distributed ledger or blockchain technology-based securities must register offers and sales of such securities unless a valid exemption applies." The SEC said its report served to remind "investors of red flags of investment fraud, and that new technologies may be used to perpetrate investment schemes that may not comply with the federal securities laws." This is a blow to many startups that had been using ICOs as an alternative way to raise capital. There have been a wave of these offerings in recent months, where people have been investing in business ideas via Bitcoin, Ethereum or other cryptocurrencies. But like all startups, these investments bear risks. And the opaque nature of the ICOs meant that there wasn't enough <strong> </strong>oversight about what the businesses did with the proceeds. Many of the coins are traded on secondary markets, which provides short-term liquidity. 
Although many of the ICOs have been smaller unknown companies, the difficult fundraising environment has caused some venture-backed startups to raise coin offerings for enough capital to get them to the next step. Messaging app . In anticipation of an SEC crackdown, some startups had already prohibited U.S. investors. [ <strong>Polley </strong>: <em>See also </em>, this <a href="https://www.thecorporatecounsel.net/blog/2017/07/initial-coin-offerings-the-sec-speaks.html" > blog posting </a> from TheCorporateCounsel.net.] <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="TheUniformLaw"> </a> <strong> <a href="https://www.coindesk.com/uniform-law-commission-given-states-clear-path-approach-bitcoin/" > The Uniform Law Commission has given states a clear path to approach bitcoin </a> </strong> (Coindesk, 27 July 2017) - The Uniform Law Commission (ULC), a private body of lawyers and legal academics, has voted to finalize and approve a uniform model law for the regulation of virtual currency businesses. Now an official model for states to follow, I'm hopeful that over the next year, we'll see state after state pass this language as legislation. For states with badly drafted regulations (like the <a href="https://www.coindesk.com/new-york-releases-final-bitlicense/"> New York "BitLicense" </a> ) or vague money transmission statutes that may or may not cover bitcoin businesses (like in California), this new legislation would be a major improvement and a huge win for our community. For one thing, the model act's language is explicitly clear on what types of digital currency businesses are and are not regulated. In many states, poorly written or outdated legal language that does not account for the properties of open <a href="https://www.coindesk.com/information/what-is-blockchain-technology/" > blockchain </a> networks has created legal gray areas for entrepreneurs. 
Whether or not they even need licenses is often open to interpretation - a looming prospect that hangs over the head of anyone trying to build a business in those states. * * * <a href="#TOP">top </a> </p> <p> <a name="LawyersEdiscovery"> </a> <strong> <a href="http://www.abajournal.com/news/article/lawyers_e_discovery_error_led_to_release_of_confidential_wells_fargo_client" > Lawyer's e-discovery error led to release of confidential info on thousands of Wells Fargo clients </a> </strong> (ABA Journal, 27 July 2017) - A lawyer representing Wells Fargo in a lawsuit subpoena request has explained how she inadvertently turned over confidential information about thousands of bank clients. Lawyer Angela Turiano of Bressler, Amery & Ross had overseen the e-discovery conducted by a vendor and turned over the documents to a lawyer for a defamation plaintiff without realizing she was releasing information about wealthy Wells Fargo clients, the <a href="http://www.americanlawyer.com/id=1202794024033/Lawyers-Inadvertent-EDiscovery-Failures-Led-to-Wells-Fargo-Data-Breach?mcode=0&curindex=0&curpage=ALL" > New York Law Journal </a> (sub. req.) reports. The plaintiff and his lawyer told the <a href="https://nyti.ms/2txTJmH">New York Times </a> about the release. According to the Times, the information consisted of "a vast trove of confidential information about tens of thousands of the bank's wealthiest clients," including customer names, Social Security numbers and financial data. In an affidavit, Turiano said she used an e-discovery vendor's software to review what she believed to be a complete set of results and marked some documents as privileged and confidential. She did not realize she was using "a view" that showed a limited set of documents. [ <strong>Polley </strong>: May implicate the duty of technological competence.] 
<a href="#TOP">top </a> </p> <p> <a name="SciHubsCache"> </a> <strong> <a href="http://www.sciencemag.org/news/2017/07/sci-hub-s-cache-pirated-papers-so-big-subscription-journals-are-doomed-data-analyst" > Sci-Hub's cache of pirated papers is so big, subscription journals are doomed, data analyst suggests </a> </strong> (AAAS Science, 27 July 2017) - There is no doubt that Sci-Hub, the infamous-and, according to a U.S. court, illegal-online repository of pirated research papers, is enormously popular. (See <em>Science </em>'s investigation last year of <a href="http://www.sciencemag.org/news/2016/04/whos-downloading-pirated-papers-everyone" > who is downloading papers from Sci-Hub </a> .) But just how enormous is its repository? That is the question biodata scientist Daniel Himmelstein at the University of Pennsylvania and colleagues recently set out to answer, after an assist from Sci-Hub. Their findings, published in <a href="https://peerj.com/preprints/3100/"> a preprint on the <em>PeerJ </em> journal site </a> on 20 July, indicate that Sci-Hub can instantly provide access to more than two-thirds of all scholarly articles, an amount that Himmelstein says is "even higher" than he anticipated. For research papers protected by a paywall, the study found Sci-Hub's reach is greater still, with instant access to 85% of all papers published in subscription journals. For some major publishers, such as Elsevier, more than 97% of their catalog of journal articles is being stored on Sci-Hub's servers-meaning they can be accessed there for free. Given that Sci-Hub has access to almost every paper a scientist would ever want to read, and can quickly obtain requested papers it doesn't have, could the website truly topple traditional publishing? In a chat with <em>Science </em>Insider, Himmelstein concludes that the results of his study could mark "the beginning of the end" for paywalled research. This interview has been edited for clarity and brevity. 
[ <strong>Polley </strong>: very interesting.] <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="Elsevier"> </a> <strong> <a href="http://kevin.lexblog.com/2017/08/03/elsevier-acquires-bepress-library-knowledge-community-respond/" > Elsevier acquires bepress: Library and knowledge community respond </a> </strong> (Kevin O'Keefe, 3 August 2017) - <a href="https://www.elsevier.com/">Elsevier </a>, a Dutch publisher and one of the world's major providers of scientific, technical, and medical information, announced this week the acquisition of <a href="http://bepress.com/">bepress </a>, formerly the Berkeley Electronic Press, an academic repository and software firm founded by academics in 1999. Elsevier is part of Reed Elsevier, the parent of LexisNexis. Much of the publishing Elsevier sells is authored by professionals and submitted for peer review. As I understand it, the research and information then published is only available by subscription, including as to any authority who would want to access their own submissions. Elsevier has been subject to criticism of late from academic institutions worldwide, and even governmental agencies, for their having to fund research/scholarly writing, give it to Elsevier for free and then pay millions to Elsevier to get access to the research and writing. In the case of government funded schools and research centers, the taxpayers pay twice. To fund research that goes to Elsevier, then to pay Elsevier for access to the research their colleges, healthcare centers and government agencies require. Bepress, on the other hand, has open access tools under its "Digital Commons" that allow institutions, including law schools, to showcase and preserve their scholarly output. Law review articles and other legal scholarship are available for free through bepress' Law Commons, part of the larger Digital Commons network encompassing other academic areas. 
Bepress' acquisition comes on the heels of LexisNexis' acquisition of <a href="https://www.ssrn.com/en/">SSRN </a>, another repository of scholarly output, including that from law professors. Some librarians are looking with some suspicion at whether LexisNexis will retain open access and freely allow legal scholars to use their work freely across the net. How did librarians and knowledge management professionals react to the bepress acquisition? Not well, looking through the "Top" tweets on a Twitter search of bepress in the hours after the acquisition announcement. * * * Attorney and legal tech blogger, Bob Ambrogi, <a href="https://www.lawsitesblog.com/2017/08/elsevier-acquires-bepress-open-access-repository-law-reviews-scholarly-articles.html" > reporting </a> on the acquisition noted that the announcement said nothing about the future of the bepress' Digital Commons. Ambrogi said "we'll have to wait and see what impact this has on scholarly publishing in law." <a href="#TOP">top </a> </p> <p> <a name="LinkedInItsIllegal"> </a> <strong> <a href="https://arstechnica.com/tech-policy/2017/07/linkedin-its-illegal-to-scrape-our-website-without-permission/?amp=1" > LinkedIn: It's illegal to scrape our website without permission </a> </strong> (Ars Technica, 31 July 2017) - A small company called hiQ is locked in a high-stakes battle over Web scraping with LinkedIn. It's a fight that could determine whether an anti-hacking law can be used to curtail the use of scraping tools across the Web. HiQ scrapes data about thousands of employees from public LinkedIn profiles, then packages the data for sale to employers worried about their employees quitting. LinkedIn, which was acquired by Microsoft last year, sent hiQ a cease-and-desist letter warning that this scraping violated the Computer Fraud and Abuse Act, the controversial 1986 law that makes computer hacking a crime. HiQ sued, asking courts to rule that its activities did not, in fact, violate the CFAA. 
James Grimmelmann, a professor at Cornell Law School, told Ars that the stakes here go well beyond the fate of one little-known company. "Lots of businesses are built on connecting data from a lot of sources," Grimmelmann said. He argued that scraping is a key way that companies bootstrap themselves into "having the scale to do something interesting with that data." If scraping without consent becomes illegal, startups like hiQ will have a harder time getting off the ground. But the law may be on the side of LinkedIn-especially in Northern California, where the case is being heard. In a <a href="https://arstechnica.com/tech-policy/2016/07/startup-that-we-all-forgot-gets-small-win-against-facebook-on-appeal/" > 2016 ruling </a> , the 9th Circuit Court of Appeals, which has jurisdiction over California, found that a startup called Power Ventures had violated the CFAA when it continued accessing Facebook's servers despite a cease-and-desist letter from Facebook. LinkedIn's position disturbs Orin Kerr, a legal scholar at George Washington University. "You can't publish to the world and then say 'no, you can't look at it,'" Kerr told Ars. The CFAA <a href="https://www.law.cornell.edu/uscode/text/18/1030"> makes it a crime </a> to "access a computer without authorization or exceed authorized access." Courts have been struggling to figure out what this means ever since Congress passed it more than 30 years ago. One plausible reading of the law-the one LinkedIn is advocating-is that once a website operator asks you to stop accessing its site, you commit a crime if you don't comply. 
* * * <a href="#TOP">top </a> </p> <p> <a name="Daenerys"> </a> <strong> <a href="https://www.insidehighered.com/blogs/technology-and-learning/daenerys-stormborn-jon-snow-and-real-enemy-higher-education?utm_source=Inside+Higher+Ed&utm_campaign=4e4eeeaab8-DNU20170804&utm_medium=email&utm_term=0_1fcbc04421-4e4eeeaab8-197618481&mc" > Daenerys Stormborn, Jon Snow and the real enemy of higher education </a> </strong> (InsideHigherEd, 3 August 2017) - There was a moment while watching Daenerys Stormborn and Jon Snow's first meeting in the latest episode of Game of Thrones that reminded me of attending higher education conferences. Daenerys is pushing Snow to bend the knee, and become her loyal subject in the fight against Cersei. Jon Snow's reaction is that Cersei might be evil, but in reality the Seven Kingdoms have much bigger problems. Snow informs Daenerys that it doesn't matter who sits on the Iron Throne, as unless the Night King's Army of the Dead is defeated, she will "be ruling over a graveyard." Those of us who work in higher ed have a similar challenge to The Mother of Dragons and the King of the North. We need to understand who our real enemies are, and which battles we should be fighting. In our world, the Army of the Dead that we should be unifying against is the ongoing state level disinvestment in public higher education. No enemy is as potentially dangerous to the existence of a functional, equitable, and affordable system of postsecondary education as is the decision of state governments to cut back on funding for their public colleges and universities. Adjusting for the growth in students attending public institutions, state support per FTE has declined by <a href="http://www.pewtrusts.org/~/media/assets/2015/06/federal_state_funding_higher_education_final.pdf" target="_blank" > 37 percent between 2000 and 2012 </a> . In inflation adjusted dollars, this is a decline of an average of $7,000 in per-student state support in 2000 to $4,400 in 2012. 
While federal support grew in this time period, from <a href="https://www.insidehighered.com/views/2017/01/16/reversing-decline-state-support-public-universities-essay" target="_blank" > $3,800 to $5,100 per student </a> , this has not been enough to make up for the state shortfall. The result, predictably enough, has been <a href="https://www.insidehighered.com/news/2017/07/24/new-study-attempts-show-how-much-state-funding-cuts-push-tuition" target="_blank" > dramatic increases in tuition </a> (and student debt). Another result of public disinvestment in higher education has been the widening gap in available resources between a select few private schools (and well-endowed public institutions), and the public colleges and universities where most students attend. Public disinvestment in higher education is exacerbating trends around inequality. We are moving towards a two-tiered postsecondary system, where only the affluent will enjoy the benefits of a high quality - and in particular <em>a liberal arts </em> - college education. Why the threat of public disinvestment in public education is not the big topic of every higher education conference is a mystery. This is particularly true of my world of educational technology and online learning. We should be calibrating our work, however, to follow the wisdom of Jon Snow. We should be fighting our true enemy - and that enemy is the decline of investment in public higher education. The reason that higher ed people, including edtech people, continue to focus on everything in higher ed except public disinvestment can be understood by how Tyrion Lannister explains the world. The Hand of the Queen tells Jon Snow that, " <em> People's minds aren't made for problems that large. White walkers, the Night King, Army of the Dead... it's almost a relief to confront a comfortable, familiar monster like my sister." 
</em> Like Ser Davos, I fear for higher education that, " <em> If we don't put aside our enmities and band together, we will die. And then it doesn't matter whose skeleton sits on the Iron Throne </em> ." Winter is here. <a href="#TOP">top </a> </p> <p> <a name="ThisShadowy"> </a> <strong> <a href="https://www.buzzfeed.com/christianstork/spy-planes-over-american-cities?utm_term=.ok8ggnVy7v#.iaOYYGPW2Q" > This shadowy company is flying spy planes over US cities </a> </strong> (BuzzFeed, 4 August 2017) - For six straight days in the middle of March, a small twin-propeller plane flew over Phoenix. Each evening, it picked two or three spots and circled for hours, flying at more than 17,000 feet. The plane was loaded with sophisticated surveillance equipment, including technology developed by the National Security Agency to track cell phones. In June of last year, that same plane spent three weeks circling daily over Wilmington, North Carolina, carrying a state-of-the-art "persistent surveillance" camera that can monitor a large area continuously for hours at a time. The Phoenix and Wilmington flights are among dozens tracked by BuzzFeed News that were flown by companies run by an obscure, Oklahoma-based private equity fund called <a href="http://www.acorngrowthcompanies.com/" target="_blank"> Acorn Growth Companies </a> . Acorn's planes serve as the US military's "A-Team" for aerial surveillance in Africa, including tracking suspected terrorists' phones from the air. In the US, the planes sometimes take part in military exercises - as they were in Phoenix - helping troops practice raids on targets using the same phone-tracking technology. At other times, Acorn serves commercial clients. The Wilmington flights, according to the company that made and operated the persistent surveillance camera, were run for two reasons: to demonstrate the technology's value for traffic surveys, and to track vehicles going to and from retail outlets. 
This "commercial intelligence" would allow businesses to understand where their customers are driving from. The idea was to give retailers clues to help their marketing, so they can target mailings or other efforts to lure in customers from neighborhoods where people tend to shop at competing stores. Acorn's diverse activities in these and other cities raise questions about how much data is being gathered from ordinary people who come under the visual and electronic gaze of sophisticated spy planes - and how that information is being used. Although the city of Phoenix agreed to the military exercises and knew that the planes would carry out some sort of surveillance, officials did not know specifics about which technologies were used. And because there's no requirement to inform cities when recording aerial imagery, the city of Wilmington wasn't told about the June 2016 flights. * * * Acorn's pilots and sensor operators tend to join the firm directly from military service, often with special ops experience. "You're not talking about any Joe Schmo walking in off the street," one former employee, who spoke on condition of anonymity, told BuzzFeed News. "There are still fairly high security clearances involved." That's not surprising, given the sensitive technology deployed from Acorn's planes. BuzzFeed News found out about this gear from documents submitted to the Federal Aviation Administration to certify that a plane is still safe to fly after structural alterations. 
The <a href="http://registry.faa.gov/aircraftinquiry/NNum_Results.aspx?NNumbertxt=122TP" target="_blank" > plane </a> that flew over Phoenix in March, for example, <a href="https://www.documentcloud.org/documents/3766790-N122TP-Airworthiness.html#document/p8/a358384" target="_blank" > was </a> <a href="https://www.documentcloud.org/documents/3766790-N122TP-Airworthiness.html#document/p11/a358385" target="_blank" > modified </a> to carry a device called Nebula, which mimics a cell phone tower, causing phones to connect to it. Nebula can then be used to locate and track a target phone from the air, or intercept its communications. A surveillance catalog <a href="https://theintercept.com/surveillance-catalogue/" target="_blank"> leaked to The Intercept </a> in 2015 suggests that the device can also connect to and track satellite phones. "The NSA is leading system development," says the <a href="https://theintercept.com/surveillance-catalogue/nebula/" target="_blank" > section on Nebula </a> , noting that approval for its use rests under "Title 50" of the US Code, <a href="http://harvardnsj.org/wp-content/uploads/2012/01/Vol-3-Wall.pdf" target="_blank" > which </a> covers espionage and covert operations. * * * The Phoenix area, including its suburbs, has a population of more than 4.5 million and is one of several cities to have fallen under Acorn's watch over the past two years. Using data collected by the websites <a href="https://www.flightradar24.com/" target="_blank">Flightradar24 </a> and <a href="https://www.adsbexchange.com/" target="_blank">ADS-B Exchange </a>, which track signals emitted by aircraft transponders, BuzzFeed News spotted planes registered to Commuter Air Technology and Aircraft Logistics Group flying surveillance patterns over cities including Brawley, California; Charlotte, North Carolina; and multiple locations along the Gulf of Mexico in Louisiana, Mississippi, and Alabama. * * * [ <strong>Polley </strong>: interesting; we don't know what we don't know.] 
<a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <strong> <a href="http://lawprofessors.typepad.com/media_law_prof_blog/2017/07/sunstein-and-randall-on-political-control-over-public-communications-by-government-scientists-casssu.html" > Sunstein and Randall on Political Control Over Public Communications By Government Scientists </a> </strong> (MLPB, 24 July 2017) - Cass R. Sunstein, Harvard Law School, and Lisa Randall, Harvard University, Department of Physics, have published <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2997515" target="_blank" > Political Control Over Public Communications by Government Scientists </a> . Here is the abstract: <em> In recent years, there has been a great deal of controversy over political control of communications by government scientists. Legitimate interests can be found on both sides of the equation. This essay argues for adoption and implementation of a framework that accommodates those interests-a framework that allows advance notice to political officials, including the White House, without hindering the free flow of scientific information. </em> <a href="#TOP">top </a> </p> <p> <strong> <a href="https://ssi.armywarcollege.edu/pubs/display.cfm?pubID=1358"> At Our Own Peril: DoD Risk Assessment in a Post-Primacy World </a> </strong> (US Army War College, 29 June 2017) - <em> The U.S. Department of Defense (DoD) faces persistent fundamental change in its strategic and operating environments. This report suggests this reality is the product of the United States entering or being in the midst of a new, more competitive, post-U.S. primacy environment. Post-primacy conditions promise far-reaching impacts on U.S. national security and defense strategy. Consequently, there is an urgent requirement for DoD to examine and adapt how it develops strategy and describes, identifies, assesses, and communicates corporate-level risk. This report takes on the latter risk challenge. 
It argues for a new post-primacy risk concept and its four governing principles of diversity, dynamism, persistent dialogue, and adaptation. The authors suggest that this approach is critical to maintaining U.S. military advantage into the future. Absent change in current risk convention, the report suggests DoD exposes current and future military performance to potential failure or gross under-performance. </em> <a href="#TOP">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://www.siliconvalley.com/mld/siliconvalley/news/editorial/16581257.htm" > <strong>Sony BMG Settles FTC Charges Over Anti-Piracy CDs </strong> </a> (SiliconValley.com, 30 Jan 2007) -- U.S. regulators said Tuesday that Sony BMG Music Entertainment agreed to reimburse consumers up to $150 for damage to their computers from CDs with hidden anti-piracy software. According to the Federal Trade Commission, which announced the settlement, Sony BMG's anti-piracy software limited the devices on which music could be played to those made by Sony Corp., Microsoft Corp. or other Windows-compatible devices. The software also restricted the number of copies of the music that could be made to three, the agency said, and "exposed consumers to significant security risks and was unreasonably difficult to uninstall." "Installations of secret software that create security risks are intrusive and unlawful," FTC Chairman Deborah Platt Majoras said. The focus of the FTC action is not the limits themselves, Majoras said, but the lack of notification. "Ordinary experience with CDs would not lead consumers to expect these limits," she said. "This was a case about disclosure." The settlement requires the company to allow consumers to exchange through the end of June the affected CDs purchased before Dec. 
31, 2006, and reimburse them up to $150 to repair damage done when they tried to remove the software. It also requires Sony BMG to clearly disclose limitations on consumers' use of music CDs and prohibits it from installing software without consumer consent. For two years, Sony BMG also must provide an uninstall tool and patches to repair the security vulnerabilities on consumers' computers and must advertise them on its Web site. The company also is required to publish notices describing the exchange and repair reimbursement programs on its Web site. <a href="#TOP">top </a> </p> <p> <a href="http://www.reuters.com/article/us-newyorktimes-idUSWEN101120070918" > <strong>New York Times to end paid Internet service </strong> </a> (Reuters, 18 Sept 2007) - The New York Times Co said on Monday it will end its paid TimesSelect Web service and make most of its Web site available for free in the hopes of attracting more readers and higher advertising revenue. TimesSelect will shut down on Wednesday, two years after the Times launched it, which charges subscribers $7.95 a month or $49.95 a year to read articles by columnists such as Maureen Dowd and Thomas Friedman. The trademark orange "T's" marking premium articles will begin disappearing Tuesday night, said the Web site's Vice President and General Manager Vivian Schiller. The move is an acknowledgment by The Times that making Web site visitors pay for content would not bring in as much money as making it available for free and supporting it with advertising. "We now believe by opening up all our content and unleashing what will be millions and millions of new documents, combined with phenomenal growth, that that will create a revenue stream that will more than exceed the subscription revenue," Schiller said. Figuring out how to increase online revenue is crucial to the Times and other U.S. newspaper publishers, which are struggling with a drop in advertising sales and paying subscribers as more readers move online. 
"Of course, everything on the Web is free, so it's understandable why they would want to do that," said Alan Mutter a former editor at the San Francisco Chronicle and proprietor of a blog about the Internet and the news business called Reflections of a Newsosaur. "The more page views you have, the more you can sell," he said. "In the immediate moment it's a perfectly good idea." Starting on Wednesday, access to the archives will be available for free back to 1987, as well as stories before 1923, which are in the public domain, Schiller said. Users can buy articles between 1923 and 1986 on their own or in 10-article packages, the company said. Some stories, such as film reviews, will be free, she said. American Express will be the first sponsor of the opened areas on the site, and will have a "significant advertising presence" on the homepage and in the opinion and archives sections, the company said. <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. 
InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p>
<p> Posted by Vince Polley, 15 July 2017. </p> <p> <a name="TOP"> </a> MIRLN --- 25 June - 15 July 2017 (v20.10) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln) </p> <p> <a href="http://www.knowconnect.com/mirln/article/mirln_25_june_15_july_2017_v2010/" > permalink </a> </p> <p> <a href="#NEWS">NEWS </a> | <a href="#RESOURCES">RESOURCES </a> | <a href="#DIFFERENT">DIFFERENT </a> | <a href="#LOOKINGBACK">LOOKING BACK </a> | <a href="#NOTES">NOTES </a> </p> <ul> <li> <a href="#USgovernment"> US Government wants to permanently legalize the right to repair </a> </li> <li> <a href="#UnderPressure"> Under pressure, Western tech firms bow to Russian demands to share cyber secrets </a> </li> <li> <a href="#PoliceGetBroad"> Police get broad phone and computer hacking powers in Germany </a> </li> <li> <a href="#UScyberInsurance"> U.S. 
cyber insurance continues to grow, according to Fitch Ratings </a> </li> <li> <a href="#RegulatorsEnlise"> Regulators enlist corporate lawyers in joint response to cyberattacks </a> </li> <li> <a href="#DetectingRiots">Detecting riots with Twitter </a> </li> <li> <a href="#DefenseContractors"> Defense contractors will be held to higher cyber standards </a> </li> <li> <a href="#ThePentagon"> The Pentagon says it will start encrypting soldiers' emails next year </a> </li> <li> <a href="#DLApiper"> DLA Piper hit by cyber attack, phones and computers down across the firm </a> </li> <li> <a href="#SixtySixPercent"> 66% of US law firms reported a breach in 2016 </a> </li> <li> <a href="#DigitalFieldTrip">Digital field trip </a> </li> <li> <a href="#GooglesDeepMind"> Google's DeepMind and UK hospitals made illegal deal for health data, says watchdog </a> </li> <li> <a href="#SupremeCourtUnanimously"> Supreme Court unanimously overturns North Carolina's ban on social-media use by sex offenders </a> </li> <li> <a href="#VeteransGet"> Veterans get a legal checkup with new online tool </a> </li> <li> <a href="#WallStreetJournal"> Wall Street Journal shuts down its law blog </a> </li> <li> <a href="#WhyAllFederal"> Why all federal agencies should break and inspect secure traffic </a> </li> <li> <a href="#AsElitesSwitch"> As elites switch to texting, watchdogs fear loss of transparency </a> </li> <li> <a href="#BakerHostetler"> BakerHostetler forms swat team to help clients deal with active ransomware attacks </a> </li> <li> <a href="#NYUreleases"> NYU releases the largest LiDAR dataset ever to help urban development </a> </li> <li> <a href="#SixMajorUSairports"> Six major US airports now scan Americans' faces when they leave country </a> </li> <li> <a href="#BorderPatrol"> Border Patrol says it's barred from searching cloud data on phones </a> </li> </ul> <p> <a name="NEWS"> </a> </p> <p> <a name="USgovernment"> </a> <a 
href="https://motherboard.vice.com/en_us/article/d3zbnz/the-government-wants-to-permanently-legalize-the-right-to-repair?utm_campaign=Newsletters&utm_medium=email&utm_source=sendgrid" > <strong> US Government wants to permanently legalize the right to repair </strong> </a> (Motherboard, 22 June 2017) - In one of the biggest wins for the right to repair movement yet, the US Copyright Office <a href="https://www.copyright.gov/policy/1201/section-1201-full-report.pdf" target="_blank" > suggested Thursday </a> that the US government should take actions to make it legal to repair anything you own, forever-even if it requires hacking into the product's software. Manufacturers-including John Deere, Ford, various printer companies, and a host of consumer electronics companies-have argued that it should be illegal to bypass the software locks that they put into their products, claiming that such circumvention violated copyright law. This means that for the last several years, consumer rights groups have had to repeatedly engage in an "exemption" process to Section 1201 of the Digital Millennium Copyright Act. Essentially, the Librarian of Congress decides which circumventions of copyright should be lawful-for example, unlocking your cell phone or hacking your tractor to be able to repair the transmission. But these exemptions expire every three years, and require going through a protracted legal process to earn. Additionally, a separate exemption is required for each product category-right now it's legal to hack software to repair a car, but not to repair a video game console. 
<a href="#TOP">top </a> </p> <p> <a name="UnderPressure"> </a> <a href="http://www.reuters.com/article/us-usa-russia-tech-idUSKBN19E0XB"> <strong> Under pressure, Western tech firms bow to Russian demands to share cyber secrets </strong> </a> (Reuters, 23 June 2017) - Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Russian authorities are asking Western tech companies to allow them to review source code for security products such as firewalls, anti-virus applications and software containing encryption before permitting the products to be imported and sold in the country. The requests, which have increased since 2014, are ostensibly done to ensure foreign spy agencies have not hidden any "backdoors" that would allow them to burrow into Russian systems. But those inspections also provide the Russians an opportunity to find vulnerabilities in the products' source code - instructions that control the basic operations of computer equipment - current and former U.S. officials and security experts said. <a href="#TOP">top </a> </p> <p> <a name="PoliceGetBroad"> </a> <a href="http://www.zdnet.com/article/police-get-broad-phone-and-computer-hacking-powers-in-germany/" > <strong> Police get broad phone and computer hacking powers in Germany </strong> </a> (ZDnet, 23 June 2017) - Germany's coalition government has significantly increased police hacking powers by slipping a last-minute amendment into a <a href="https://www.bundestag.de/presse/hib/2017_03/-/499646">law </a> that's nominally supposed to deal with driving bans. 
While the police have so far only been allowed to hack into people's phones and computers in extreme cases, such as those involving terrorist plots, <a href="http://www.zdnet.com/article/expanded-state-hacking-powers-make-a-stealthy-return-to-german-agenda/" > the change </a> allows them to use such techniques when investigating dozens of less serious offences. In Germany, the authorities' hacking tools are widely known as <em>Staatstrojanern </em>, or state trojans. This term essentially refers to malware that the police can use to infect targets' devices, to give them the access they need to monitor communications and conduct searches. The <a href="https://www.gesetze-im-internet.de/stpo/__100a.html"> types of crime </a> where investigators can now use this malware are all of the variety where existing law would allow them to tap a suspect's phone. These range from murder and handling stolen goods to computer fraud and tax evasion. According to the government, the spread of encrypted communications makes traditional wiretapping impossible, so the authorities need to be able to bypass encryption by directly hacking into the communications device. <a href="#TOP">top </a> </p> <p> <a name="UScyberInsurance"> </a> <a href="http://www.propertycasualty360.com/2017/06/23/us-cyber-insurance-continues-to-grow-according-to?eNL=594d5471160ba0680148cdf8&utm_source=PC360_Daily&utm_medium=EMC-Email_editorial&utm_campaign=06232017&elq_mid=48068&elq_cid=996107" > <strong> U.S. cyber insurance continues to grow, according to Fitch Ratings </strong> </a> (Property Casualty 360, 23 June 2017) - Cyber insurance direct written premium volume for the property & casualty (P&C) industry grew by 35% in 2016 to $1.35 billion, according to "Cyber Insurance Market Share and Performance," a <a href="https://www.fitchratings.com/site/home" target="_blank"> new report from Fitch Ratings </a> . 
"Take-up rates for cyber insurance are increasing with frequent reports of computer hacking incidents, including: network intrusions and data theft, as well as high-profile ransomware attacks that are leading corporations to search for broader insurance protection against cyber threats," said Jim Auden, managing director, Fitch Ratings. The largest cyber insurance writers are American International Group, Inc., XL Group Ltd, and Chubb Limited. These companies had a combined market share of approximately 40% at year-end 2016. The top 15 writers of cyber held approximately 83% of the market in 2016. However, over 130 distinct insurance organizations reported writing cyber premiums for the year. The industry statutory direct loss ratio for stand-alone cyber insurance improved in 2016 to 45% from 50% a year earlier. However, the ultimate profitability of the P&C industry's cyber insurance efforts will take some time to assess as the market matures and future cyber-related loss events emerge. <a href="#TOP">top </a> </p> <p> <a name="RegulatorsEnlise"> </a> <a href="http://www.abajournal.com/news/article/cybersecurity_law_breach_response" > <strong> Regulators enlist corporate lawyers in joint response to cyberattacks </strong> </a> (ABA Journal, 26 June 2017) - Responding quickly to an identity theft, ransomware or other computer attack means having a plan in place. And as participants in the National Institute on Cybersecurity Law learned, that includes a plan to send in the feds. "Figure out if you have to report that breach to my office or other regulators, state and federal," was the advice from Iliana Peters, who's responsible for health care data privacy at the U.S. Department of Health and Human Services. Peters was on a panel of six current and former regulators assembled by the ABA Section of Litigation on Thursday in Chicago. "We want to be sure that entities are prepared to implement these kind of response plans," Peters said. 
"As it's happening is not the time to be doing that, to be figuring out how you're going to respond." Reporting an incident can bring in experts to evict cyber squatters, said Lucia Ziobro, the head of an <a href="https://www.ic3.gov/default.aspx">FBI internet crime </a> unit. One company's general counsel turned FBI agents away after a security breach, she recalled. For the next week, the lawyer traded messages online with the chief executive and technology executives about what to do next. Meanwhile, hackers monitored the discussion, and covered their tracks. When the feds returned, Ziobro said, "all the evidence we could have collected was gone." Regulators, for their part, are more focused on prevention than prosecution. But they don't like surprises. "If we see a news report and we don't have a breach report from you, it is very likely that we will open an investigation proactively," Peters said. Travis LeBlanc, a former chief enforcer for the <a href="https://www.fcc.gov/general/cyber-security-and-network-reliability" > Federal Communications Commission </a> and the high-tech crime unit of the <a href="https://oag.ca.gov/ecrime"> California Attorney General's Office </a> , stressed that there's little downside to calling in federal or state regulators, who are constrained by law in what information they can share. "So often we hear from companies that they are afraid to report to the FBI or to the Secret Service or the eCrime unit in California," LeBlanc said. "Not one time did we ever on the civil side receive information about a criminal incident from a criminal law authority that resulted in an investigation. "It's very important that when a company is a victim of a crime, it should feel that it can go to the appropriate governmental authority without being chilled by the possibility of regulatory action." 
<a href="#TOP">top </a> </p> <p> <a name="DetectingRiots"> </a> <a href="https://www.cardiff.ac.uk/news/view/794352-detecting-riots-with-twitter?utm_campaign=Newsletters&utm_source=sendgrid&utm_medium=email" > <strong>Detecting riots with Twitter </strong> </a> (Cardiff Univ, 26 June 2017) - Social media can be an invaluable source of information for police when managing major disruptive events, new research from Cardiff University has shown. An analysis of data taken from the London riots in 2011 showed that computer systems could automatically scan through Twitter and detect serious incidents, such as shops being broken into and cars being set alight, before they were reported to the Metropolitan Police Service. The computer system could also discern information about where the riots were rumoured to take place and where groups of youths were gathering. The new research, published in the peer-reviewed journal ACM Transactions on Internet Technology, showed that on average the computer systems could pick up on disruptive events several minutes before officials and over an hour in some cases. * * * The researchers used a series of machine-learning algorithms to analyse each of the tweets from the dataset, taking into account a number of key features such as the time they were posted, the location where they were posted and the content of the tweet itself. Results showed that the machine-learning algorithms were quicker than police sources in all but two of the disruptive events reported. <a href="#TOP">top </a> </p> <p> <a name="DefenseContractors"> </a> <strong> <a href="http://www.govconwire.com/2017/06/defense-contractors-will-be-held-to-higher-cyber-standards/" > Defense contractors will be held to higher cyber standards </a> </strong> (GovConWire, 26 June 2017) - Defense contractors will soon be held to the same cybersecurity standards that the Defense Department has implemented in recent years, according to a top IT official at the Pentagon. 
"The cyberthreat is not going away; we have to defend our networks and systems, and you're part of that defense," acting DOD CIO John Zangardi said Friday. "DOD is facing the same threats that you are. And with these regulations, we are asking to implement some of the same defenses as we are implementing for the department's networks." Reporting," a new DOD regulation, will go into effect for how contractors respond to and report cyber incidents, and defense contractors have until the end of calendar year 2017 to begin complying. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="ThePentagon"> </a> <a href="https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year" > <strong> The Pentagon says it will start encrypting soldiers' emails next year </strong> </a> (Motherboard, 6 July 2017) - For years, major online email providers such as Google and Microsoft have used encryption to protect your emails as they travel across the internet. That technology, technically known as <a href="https://en.wikipedia.org/wiki/STARTTLS" target="_blank"> STARTTLS </a> , isn't a cutting edge development-it's been around since 2002. But since that time the Pentagon never implemented it. <a href="https://motherboard.vice.com/en_us/article/z4mpj3/how-the-us-military-fails-to-protect-soldiers-emails" > As a Motherboard investigation revealed in 2015 </a> , the lack of encryption potentially left some soldiers' emails open to being intercepted by enemies as they travel across the internet. The US military uses its own internal service, <a href="http://www.disa.mil/enterprise-services/applications/dod-enterprise-email" target="_blank" > mail.mil </a> , which is hosted on the cloud for 4.5 million users. But now the Defense Information Systems Agency or DISA, the Pentagon's branch that oversees email, says it will finally start using STARTTLS within the year, according to a letter from DISA. 
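</p> <p> The STARTTLS exchange the item above refers to, as an added illustration: a sending mail client issues EHLO, reads the capability list the receiving server returns, and only then issues STARTTLS, so a server that never advertises the extension leaves the message to travel in the clear unless the sending side enforces a require-TLS policy. This is constructed example code written for this digest, not code from DISA, Motherboard or any mail software; the FakeSmtpServer stand-in, its hostname and its capability list are assumptions made up for the example, and no network connection is made. </p>

```python
"""Simulated SMTP STARTTLS negotiation (constructed example, no real network).

Both sides of the exchange are modelled in memory so the reader can see
exactly which server replies lead a client to send mail encrypted, in the
clear, or not at all.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeSmtpServer:
    """In-memory stand-in for a receiving SMTP server (assumption for this example).

    offers_starttls: whether the EHLO reply advertises the STARTTLS extension.
    tls_ready:       whether the STARTTLS command itself is accepted (220) or
                     rejected with a temporary failure (454).
    """
    hostname: str
    offers_starttls: bool = True
    tls_ready: bool = True
    transcript: list[str] = field(default_factory=list)

    def handle(self, command: str) -> list[str]:
        """Answer one client command with the reply lines a real MTA would send."""
        self.transcript.append(f"C: {command}")
        verb = command.split()[0].upper()
        if verb == "EHLO":
            # Capability keywords are made up for the example; STARTTLS is
            # included only when the server is configured to offer it.
            caps = ["SIZE 35882577", "8BITMIME", "PIPELINING"]
            if self.offers_starttls:
                caps.append("STARTTLS")
            # RFC 5321 multi-line reply: "250-" on all but the last line.
            lines = [f"250-{self.hostname} greets client"]
            lines += [f"250-{c}" for c in caps[:-1]] + [f"250 {caps[-1]}"]
        elif verb == "STARTTLS":
            if self.offers_starttls and self.tls_ready:
                lines = ["220 2.0.0 Ready to start TLS"]
            elif self.offers_starttls:
                lines = ["454 4.7.0 TLS not available due to temporary reason"]
            else:
                lines = ["502 5.5.1 Error: command not implemented"]
        else:
            lines = ["502 5.5.1 Error: command not implemented"]
        self.transcript.extend(f"S: {line}" for line in lines)
        return lines


def parse_ehlo(lines: list[str]) -> set[str]:
    """Extract capability keywords from a 250 EHLO reply.

    The first line is the server greeting, not a capability; the keyword is
    the first token after the '250-' / '250 ' prefix (e.g. 'SIZE 35882577'
    yields 'SIZE').  Anything other than a 250 reply yields no capabilities.
    """
    if not lines or not lines[0].startswith("250"):
        return set()
    caps: set[str] = set()
    for line in lines[1:]:
        if not (line.startswith("250-") or line.startswith("250 ")):
            break
        tokens = line[4:].split()
        if tokens:
            caps.add(tokens[0].upper())
    return caps


def negotiate_starttls(server: FakeSmtpServer) -> bool:
    """Client side: send EHLO, then STARTTLS only if it was advertised.

    Returns True only when the server both advertised STARTTLS and accepted
    the command with a 220 reply; every other path means no encryption.
    """
    ehlo_reply = server.handle("EHLO client.example")
    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        return False
    reply = server.handle("STARTTLS")
    return reply[0].startswith("220")


def delivery_decision(server: FakeSmtpServer, require_tls: bool = False) -> str:
    """Policy applied after negotiation.

    Opportunistic mode (the common default) falls back to cleartext when TLS
    cannot be negotiated; a require-TLS policy defers the message instead.
    """
    if negotiate_starttls(server):
        return "deliver-over-tls"
    return "defer" if require_tls else "deliver-cleartext"


if __name__ == "__main__":
    sessions = [
        ("server advertises STARTTLS", FakeSmtpServer("mx.example")),
        ("server never advertises STARTTLS", FakeSmtpServer("legacy-mx.example", offers_starttls=False)),
        ("STARTTLS advertised but fails", FakeSmtpServer("mx.example", tls_ready=False)),
    ]
    for label, srv in sessions:
        outcome = delivery_decision(srv, require_tls=True)
        print(f"--- {label}: {outcome}")
        print("\n".join(srv.transcript))
```

<p> Running the module prints the transcript of each simulated session. The delivery_decision function carries the policy point: with opportunistic STARTTLS a failed or absent negotiation silently produces cleartext delivery, which is the condition the article describes, whereas a require-TLS policy on the sending side defers the message rather than exposing it. 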
<a href="#TOP">top </a> </p> <p> <a name="DLApiper"> </a> <a href="http://www.law.com/sites/almstaff/2017/06/27/dla-piper-hit-by-cyber-attack-phones-and-computers-down-across-the-firm/" > <strong> DLA Piper hit by cyber attack, phones and computers down across the firm </strong> </a> (Law.com, 27 June 2017) - DLA Piper has been hit by a major cyber attack, which has knocked out phones and computers across the firm. The shutdown appears to have been caused by a ransomware attack, similar to the WannaCry attack that hit organizations such as the NHS last month. DLA's phone system has not been working for much of the day and partners say they have been instructed to turn off their computers as a precaution. Offices in the UK, Europe, the Middle East and the US called by Legal Week all seem to have been affected, with some inside the firm saying email and phone systems have been affected with other systems then locked down as a precaution. <a href="#TOP">top </a> </p> <p> - and - </p> <p> <a name="SixtySixPercent"> </a> <a href="https://www.helpnetsecurity.com/2017/07/06/law-firms-data-breach/"> <strong>66% of US law firms reported a breach in 2016 </strong> </a> (HelpNetSecurity, 6 July 2017) - The majority of US-based law firms are not only exposed in a wide variety of areas, but in many cases, unaware of intrusion attempts. These findings were based on Logicforce survey data from over 200 law firms, anonymous system monitoring data and results from their on-site assessments. Approximately 40% of law firms in the study underwent at least one client data security audit, and Logicforce predicts this will rise to 60% by the end of 2018. 
Key findings: (1) An average of 10,000 intrusions occur every day at law firms; (2) Both large and small firms are equally at risk of being hacked; (3) 95% of assessed law firms were not compliant with their own data security policies and 100% were not compliant with those of their clients; and (4) 40% of firms were breached without knowing it in 2016. <a href="#TOP">top </a> </p> <p> <a name="DigitalFieldTrip"> </a> <a href="https://www.insidehighered.com/digital-learning/article/2017/06/28/smithsonian-institution-providing-digital-archives-and-materials" > <strong>Digital field trip </strong> </a> (InsideHigherEd, 28 June 2017) - For the 24 students in Virginia Miller's Principles of Chemistry 1 class at Montgomery College last fall, almost every lesson featured a "trip" to a world-class museum. Miller transformed her traditional, face-to-face course through the use of an expansive digital collection from the Smithsonian Institution in Washington, D.C. "It almost looks like a digital museum exhibit," the associate professor said of the five "collections" of chemistry-related space imagery that she curated from Smithsonian's online archives and turned into homework assignments for her students. "These objects jump out at you. You think, 'Let me click on this; this looks worth exploring.' … [Students] enjoyed the visual nature of it." Miller is one of approximately a dozen faculty members and instructors from the suburban Washington, D.C. community college who are using the Smithsonian's 19-month-old digital <a href="https://learninglab.si.edu/">Learning Lab </a> to enhance classes they have taught, lecture- or lab-style, for years. The lab features exhibits, documents, videos, blogs, podcasts and photographs from the Smithsonian's collections. 
Miller and her colleagues, who are participating in beta testing of the Learning Lab along with a group of high school teachers, teach science, math, nutrition, journalism, art history, music, mythology, developmental English and other subjects. They were tasked with centering at least one assignment on Smithsonian research or exhibits available through the digital lab relevant to classroom lessons. <a href="#TOP">top </a> </p> <p> <a name="GooglesDeepMind"> </a> <a href="https://www.theverge.com/2017/7/3/15900670/google-deepmind-royal-free-2015-data-deal-ico-ruling-illegal" > <strong> Google's DeepMind and UK hospitals made illegal deal for health data, says watchdog </strong> </a> (The Verge, 3 July 2017) - A deal between UK hospitals and Google's AI subsidiary DeepMind "failed to comply with data protection law," according to the UK's data watchdog. The Information Commissioner's Office (ICO) <a href="https://iconewsblog.wordpress.com/2017/07/03/four-lessons-nhs-trusts-can-learn-from-the-royal-free-case/" > made its ruling today </a> after a year-long investigation into the agreement, which saw DeepMind process 1.6 million patient records belonging to UK citizens for the Royal Free Trust - a group of three London hospitals. The deal was originally struck in 2015, and has <a href="https://www.theverge.com/2016/11/23/13726280/deepmind-nhs-data-streams-app-new-deal" > since been superseded </a> by a new agreement. At the time, DeepMind and the Royal Free said the data was being shared to develop an app named Streams, which would alert doctors if patients were at risk from a condition called acute kidney injury. An investigation by the <em>New Scientist </em> <a href="https://www.newscientist.com/article/2086454-revealed-google-ai-has-access-to-huge-haul-of-nhs-patient-data/" > revealed </a> that the terms of the agreement were more broad than had been originally implied. DeepMind has since made new deals to deploy Streams in other UK hospitals. 
<a href="#TOP">top </a> </p> <p> <a name="SupremeCourtUnanimously"> </a> <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/07/03/supreme-court-unanimously-overturns-north-carolinas-ban-on-social-media-use-by-sex-offenders/?utm_term=.04cfd17ae139" > <strong> Supreme Court unanimously overturns North Carolina's ban on social-media use by sex offenders </strong> </a> (David Post/WaPo, 3 July 2017) - A few weeks ago, the Supreme Court released its <a href="https://www.supremecourt.gov/opinions/16pdf/15-1194_08l1.pdf" target="_blank" > opinion in <em>Packingham v. North Carolina </em> </a> , holding 8-0 that a North Carolina law prohibiting previously convicted sex offenders from accessing or using "social networking" websites violates the First Amendment. The law in question made it a felony for a registered sex offender "to access a commercial social networking Web site* where the sex offender knows that the site permits minor children to become members or to create or maintain personal Web pages." The statute was <a href="https://www.washingtonpost.com/news/volokh-conspiracy/wp/2015/11/10/first-amendment-woes-in-north-carolina/?utm_term=.8e6933bb3e47" > purportedly designed </a> to prevent ex-offenders from "gathering information about minors on the Internet" and using that information to make inappropriate or unlawful contact with them. All eight Justices agreed (with us) that the statute was not sufficiently "narrowly tailored" to serve that purpose. It wasn't even a close call. The court (Justice Anthony M. Kennedy writing for himself and Justices Ruth Bader Ginsburg, Stephen G. Breyer, Elena Kagan and Sonia Sotomayor, with Justice Samuel A. Alito Jr. concurring joined by Chief Justice John G. Roberts Jr. 
and Justice Clarence Thomas) described the statutory prohibition as "unprecedented in the scope of First Amendment speech it burdens": <em> [S]ocial media users employ these websites to engage in a wide array of protected First Amendment activity on topics "as diverse as human thought." … Social media allows users to gain access to information and communicate with one another about it on any subject that might come to mind. By prohibiting sex offenders from using those websites, North Carolina with one broad stroke bars access to what for many are the principal sources for knowing current events, checking ads for employment, speaking and listening in the modern public square, and otherwise exploring the vast realms of human thought and knowledge. These websites can provide perhaps the most powerful mechanisms available to a private citizen to make his or her voice heard. They allow a person with an Internet connection to "become a town crier with a voice that resonates farther than it could from any soapbox." … [T]o foreclose access to social media altogether is to prevent the user from engaging in the legitimate exercise of First Amendment rights. </em> [ <strong>Polley </strong>: Sweeping and important language.] <a href="#TOP">top </a> </p> <p> <a name="VeteransGet"> </a> <a href="http://www.law.com/sites/almstaff/2017/07/05/veterans-get-a-legal-checkup-with-new-online-tool/" > <strong>Veterans get a legal checkup with new online tool </strong> </a> (Law.com, 5 July 2017) - "Checkups" are obviously common in health care, but the idea of doing a preventive screening for potential issues has applications in law as well, especially in access to justice efforts. A new legal "checkup" tool for veterans, a collaborative project between the American Bar Association (ABA), legal insurance group ARAG Legal and legal innovation group CuroLegal, aims to help veterans "check up" some of the legal issues they may be facing. 
Nicole Bradick, chief strategy officer at CuroLegal, said the tool, called <a href="https://veteranslegalcheckup.com/take-action/156"> Veterans Legal Checkup </a> , was designed in alignment with current <a href="http://www.law.com/sites/almstaff/2016/08/04/abas-incoming-president-linda-klein-marshals-legal-aid-for-veterans/" > ABA president Linda Klein's </a> institution of the ABA Veterans Legal Services Initiative. The tool, as its name plainly suggests, is designed for veterans, but Bradick explained that it looks at a few different service areas in particular. "We spoke with a lot of veterans' legal experts, and they highlighted employment, family law and housing as the three biggies," Bradick said. Accordingly, the tool's questionnaire steps users through questions that could bring to light issues veterans face in these areas, like eviction, emergency housing, fair pay, and spousal support. Veterans Legal Checkup is essentially a guided interview; users who access the tool are taken through a number of potential legal issues one question at a time to see if they may have an outstanding legal matter. If the tool can identify a potential claim, it provides a step-by-step walkthrough of the actions users can take to remedy the matter, including useful resources on how to prepare documents and scaffolding for what to say if you call a local legal aid organization. If the tool is unable to identify a particular legal concern, it provides some contact information for a local legal aid agency, paired with some suggestions for what to say when you call. 
* * * <a href="#TOP">top </a> </p> <p> <a name="WallStreetJournal"> </a> <a href="https://www.lawsitesblog.com/2017/07/wall-street-journal-shuts-law-blog.html" > <strong>Wall Street Journal shuts down its law blog </strong> </a> (Bob Ambrogi, 5 July 2017) - Sad news in the legal blogging world, as the Wall Street Journal on Monday <a href="https://blogs.wsj.com/law/2017/07/03/the-wsj-law-blog-2006-2017/"> shut down its Law Blog </a> , which has regularly covered and broken legal news since its launch in 2006. The closing came as part of the news organization's shutdown of eight blogs on Monday covering a range of topics, <a href="http://www.niemanlab.org/2017/07/the-wall-street-journal-shutters-eight-blogs-the-tools-for-telling-stories-have-changed/" > according to the NiemanLab </a> . <a href="#TOP">top </a> </p> <p> <a name="WhyAllFederal"> </a> <strong> <a href="http://www.nextgov.com/technology-news/tech-insider/2017/07/why-all-federal-agencies-should-break-and-inspect-secure-traffic/139196/?oref=ng-channelriver" > Why all federal agencies should break and inspect secure traffic </a> </strong> (NextGov, 5 July 2017) - The <a href="https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach" > data breach that rocked the Office of Personnel Management </a> in 2015 resulted in the theft of an estimated 21.5 million records, including personally identifiable information such as Social Security numbers, names, dates, places of birth, addresses, fingerprint images and background check data. It's billed as <a href="https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/" > the cyberattack that shocked the U.S. government </a> , and it was discovered when a security engineer decrypted and inspected a portion of the SSL traffic that traverses the agency's network and noticed some odd outbound traffic. 
Hackers had used SSL encryption to shield their activity and to cloak a piece of malware designed to give them access to the agency's servers. They used that malware to steal mountains of data. Had that engineer not decrypted and inspected the network's SSL traffic, that malware may have continued to go unnoticed, making the already monstrous breach more catastrophic. As evidenced by the OPM data breach, one attack method modern hackers use to infiltrate federal networks is encrypted streams. Essentially, they use secure, encrypted traffic to obfuscate malware. Advanced adversaries don't want to do something that jumps out at security engineers. There are no shiny, blinking lights that say they're performing a malicious activity. They want to hide among the noise and use SSL encryption for camouflage. SSL traffic has become the largest network blind spot for government and federal agencies. A <a href="https://www.a10networks.com/blog/ponemon-ssl-inspection-not-priority-federal-agencies" > Ponemon Institute survey </a> titled "Hidden Threats in Encrypted Traffic" found 50 percent of malware attacks are expected to be delivered via encrypted channels and 80 percent of organizations are not inspecting their SSL traffic. And of the public-sector respondents indicating they had been attacked, 43 percent of those attacks are believed to have used encryption to evade detection. <a href="#TOP">top </a> </p> <p> - but - </p> <p> <a name="AsElitesSwitch"> </a> <strong> <a href="https://mobile.nytimes.com/2017/07/06/business/as-elites-switch-to-texting-watchdogs-fear-loss-of-transparency.html?referer=https://t.co/EuY1vyq1TI?amp=1" > As elites switch to texting, watchdogs fear loss of transparency </a> </strong> (NYT, 6 July 2017) - Secure messaging apps like WhatsApp, Signal and Confide are making inroads among lawmakers, corporate executives and other prominent communicators. 
Spooked by surveillance and wary of being exposed by hackers, they are switching from phone calls and emails to apps that allow them to send encrypted and self-destructing texts. These apps have obvious benefits, but their use is causing problems in heavily regulated industries, where careful record-keeping is standard procedure. "By and large, email is still used for formal conversations," said Juleanna Glover, a corporate consultant based in Washington. "But for quick shots, texting is the medium of choice." Texting apps are already creating headaches on Wall Street, where <a href="http://topics.nytimes.com/topics/reference/timestopics/subjects/c/credit_crisis/financial_regulatory_reform/index.html?inline=nyt-classifier" title="More articles about financial regulatory reform." > financial regulations </a> require firms to preserve emails, instant messages and other business-related correspondence. * * * For now, America's elites seem to be using secure apps mostly for one-on-one conversations, but the days of governance by group text might not be far-off. Last year, a group affiliated with Britain's Conservative Party was <a href="http://www.telegraph.co.uk/news/2016/12/19/whatsapp-wars-brexiteers-row-number-messages-secret-chat-forum/" > discovered </a> to be using a secret WhatsApp conversation to coordinate a pro-"Brexit" messaging campaign, while a separate WhatsApp group was being used by politicians backing the Remain effort. Steve Baker, the Conservative member of Parliament who led the pro-"Brexit" group, told The Telegraph that WhatsApp was "extremely effective" as a tool for political coordination. 
<a href="#TOP">top </a> </p> <p> <a name="BakerHostetler"> </a> <strong> <a href="http://ridethelightning.senseient.com/2017/07/bakerhostetler-forms-swat-team-to-help-clients-deal-with-active-ransomware-attacks.html" > BakerHostetler forms swat team to help clients deal with active ransomware attacks </a> </strong> (Ride the Lightning, 10 July 2017) - I am not usually interested in the semi-spammy press releases that flood my Inbox, but one did catch my attention, announcing that BakerHostetler, in the wake of the NotPetya and WannaCry assaults, has established a SWAT team to help clients deal with active ransomware attacks. According to the release, this team is different from a typical incident response team. The SWAT team is comprised of members of several practice groups which have handled thousands of cybersecurity incidents, including hundreds of ransomware matters over the last few years. SWAT Team members address issues that go along with ransomware attacks - like whether or not to pay ransom and how, preserving crucial evidence when systems are down, engagement of law enforcement at the highest levels for support, establishing compliant offline communications because systems are down, leveraging downtime processes from business continuity plans and disaster recovery plans, working with company Boards to remain focused on restoration of services and legal obligations, and developing communications for internal and external parties. I suspect other law firms are forming similar teams - for a need that is now very pressing and didn't exist at all several years ago. Like one of my labs sniffing the air for interesting scents, the firm made a smart move by scanning the horizon for a new legal services opportunity. And that is an essential part of future-proofing firms and keeping legal services relevant. 
<a href="#TOP">top </a> </p> <p> <a name="NYUreleases"> </a> <strong> <a href="https://techcrunch.com/2017/07/12/nyu-releases-the-largest-lidar-dataset-ever-to-help-urban-development/amp/" > NYU releases the largest LiDAR dataset ever to help urban development </a> </strong> (TechCrunch, 12 July 2017) - New York University has made available the largest public LiDAR data set ever collected, via its Center for Urban Science and Progress. The laser scanned data, collected using aerial LiDAR instruments, is about 30 times as dense as a typical data set at a resolution of around 300 points per square meter, and covers a 1.5km square region of Dublin's city center. The data was collected by Professor Debra F. Laefer and her NYU CUSP research team, and includes both a top-down view of the roofs and distribution of buildings, as well as info about their vertical surfaces, making it possible to build 3D models of the urban landscape with detail around building measurements, trees, power lines and poles and even curb height, CUSP says. Open access to this scale and quality of data has big implications for researchers working on urban planning and development, and for engineering teams tackling everything from autonomous vehicles, to drone fleet operation, to infectious disease transmission tracking and more. It's something that would understandably be of use if captured for other cities, too - and that's exactly what CUSP hopes to do, with discussions underway to tackle New York City with a similar data imaging project next. If you think you can do something cool with the dataset, <a href="https://geo.nyu.edu/catalog/nyu_2451_38684" target="_blank"> go ahead and grab it here - complete with both LiDAR info and related imagery </a> . 
<a href="#TOP">top </a> </p> <p> <a name="SixMajorUSairports"> </a> <strong> <a href="https://arstechnica.com/tech-policy/2017/07/6-major-us-airports-now-scan-americans-faces-when-they-leave-country/" > Six major US airports now scan Americans' faces when they leave country </a> </strong> (ArsTechnica, 12 July 2017) - The Department of Homeland Security has been pushing a plan that if enacted would require all Americans to submit to a facial-recognition scan when departing the country. This step would be a way to expand a <a href="https://www.law.cornell.edu/uscode/text/8/1365b"> 2004 biometric-tracking law </a> meant to target foreigners. According to the Associated Press, which first <a href="http://hosted.ap.org/dynamic/stories/U/US_AIRPORT_FACE_SCANS_EXPANSION?SITE=CAANR&SECTION=HOME&TEMPLATE=DEFAULT" > reported </a> the plan on Wednesday, facial-scanning pilot programs are already underway at six American airports-Boston, Chicago, Houston, Atlanta, New York City, and Washington DC. More are set to expand next year. In a recent privacy assessment, DHS <a href="https://www.documentcloud.org/documents/3892780-Privacy-Pia-cbp030-Tvs-june2017.html#document/p10/a362223" > noted </a> that the "only way for an individual to ensure he or she is not subject to collection of biometric information when traveling internationally is to refrain from traveling." In recent years, facial recognition has become more common amongst federal and local law enforcement: a 2016 Georgetown <a href="https://arstechnica.com/tech-policy/2016/10/the-perpetual-lineup-half-of-us-adults-in-a-face-recognition-database/" > study </a> found that half of adult Americans are already in such biometric databases. "Americans expect when they fly overseas that their luggage is going to be looked into," <a href="http://www.law.georgetown.edu/academics/centers-institutes/privacy-technology/people.cfm" > Harrison Rudolph </a> , a Georgetown legal fellow, told Ars. 
"What they don't expect is their face is going to be scanned. This is an expansion of a program that was never authorized for US citizens." John Wagner, the Customs and Border Protection official in charge of the program, said that the agency will delete such scans within 14 days. But he also said that the agency may keep scans longer after it goes "through the appropriate privacy reviews and approvals." <a href="#TOP">top </a> </p> <p> <a name="BorderPatrol"> </a> <strong> <a href="http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416" > Border Patrol says it's barred from searching cloud data on phones </a> </strong> (NBC, 12 July 2017) - U.S. border officers aren't allowed to look at any data stored only in the "cloud" - including social media data - when they search U.S. travelers' phones, Customs and Border Protection acknowledged in a letter obtained Wednesday by NBC News. The letter (PDF), sent in response to inquiries by Sen. Ron Wyden, D-Ore., and verified by Wyden's office, not only states that CBP doesn't search data stored only with remote cloud services, but also - apparently for the first time - declares that it doesn't have that authority in the first place. In April, Wyden and Sen. Rand Paul, R-Ky., introduced legislation to make it illegal for border officers to search or seize cellphones without probable cause. Privacy advocates and former Homeland Security lawyers have said they are alarmed by how many phones are being searched. The CBP letter, which is attributed to Kevin McAleenan, the agency's acting commissioner, is dated June 20, four months after <a href="https://www.wyden.senate.gov/download/?id=B947731A-2394-484B-81E3-FDD49530EBF4&download=1" > Wyden asked the Department of Homeland Security (PDF) </a> , CBP's parent agency, to clarify what he called the "deeply troubling" practice of border agents' pressuring Americans into providing passwords and access to their social media accounts. 
McAleenan's letter cites several laws that he contends allow officers to search any traveler's phone without probable cause when the traveler enters or leaves the United States. The agency says the practice protects against child pornography, drug trafficking, terrorism and other threats. But the question of whether that broad authority extends to data linked to the phone but stored on remote servers rather than physically on the device had remained unclear, according to privacy advocates like the <a href="https://www.aclu.org/blog/free-future/can-border-agents-search-your-electronic-devices-its-complicated" > American Civil Liberties Union </a> and the <a href="https://www.eff.org/wp/digital-privacy-us-border-2017"> Electronic Frontier Foundation </a> . McAleenan's letter says officers can search a phone without consent and, except in very limited cases, without a warrant or even suspicion - but only for content that is saved directly to the device, like call histories, text messages, contacts, photos and videos. <a href="#TOP">top </a> </p> <p> <a name="RESOURCES"> </a> <h3> RESOURCES </h3> </p> <p> <a href="http://www.cccblog.org/2017/06/27/big-data-data-science-and-civil-rights/" > <strong>Big data, data science, and civil rights </strong> </a> <strong> </strong> (Computing Community Consortium, 27 June 2017) - The <a href="http://cra.org/ccc/">Computing Community Consortium </a> (CCC) has been working hard on various white papers over the past couple of months and slowly releasing them. You can see <a href="http://cra.org/ccc/resources/ccc-led-whitepapers/"> all of them here </a> . Today, we highlight another paper, called <a href="http://cra.org/ccc/wp-content/uploads/sites/2/2017/06/BigDataDataScienceandCivilRights-v6.pdf" > <em>Big Data, Data Science, and Civil Rights </em> </a> by Solon Barocas, Elizabeth Bradley, Vasant Honavar, and Foster Provost. 
<em> Government, academia, and the private sector have increasingly recognized that the use of big data and data science in decisions has important implications for civil rights. However, a coherent research agenda for addressing these topics is only beginning to emerge and the need for such an agenda is critical and timely. Big data and data science have begun to profoundly affect decision making because the modern world is more broadly instrumented to gather data-from financial transactions, mobile phone calls, web and app interactions, emails, chats, Facebook posts, Tweets, cars, Fitbits, and on and on. According to this paper, the necessary research agenda should include: * * * </em> [ <strong>Polley </strong>: Spotted by MIRLN reader <a href="http://www.cebe-itkm.com/about/bio.html">Claude Baudoin </a>] <a href="#TOP">top </a> </p> <p> <a href="https://www.lawfareblog.com/primer-debates-over-law-and-ethics-autonomous-weapon-systems" > <strong> A primer on debates over law and ethics of autonomous weapon systems </strong> </a> (Lawfare, 5 July 2017) - For <em>Lawfare </em>readers interested in law and regulation of autonomous weapon systems (AWS), we're pleased to note our new essay, recently <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2978359" target="_blank" > posted to SSRN </a> , "Debating Autonomous Weapon Systems, Their Ethics, and Their Regulation Under International Law." It appears as a chapter in a just-published volume, <a href="https://global.oup.com/academic/product/the-oxford-handbook-of-law-regulation-and-technology-9780199680849?lang=3n&cc=fr" target="_blank" > <em>The Oxford Handbook of Law, Regulation, and Technology </em> </a> , edited by Roger Brownsword, Eloise Scotford, and Karen Yeung (Oxford University Press, July 2017). Our chapter can be read on its own as a non-technical and relatively short primer on normative debates over AWS. 
The book in which it appears addresses emerging technologies and regulation more generally. Some readers might find it interesting to see how debates over the law, regulation, and ethics of AWS compare and contrast with those of other emerging technologies ( <a href="https://global.oup.com/academic/product/the-oxford-handbook-of-law-regulation-and-technology-9780199680849?lang=3n&cc=fr" target="_blank" > Table of Contents tab here </a> ). Although our chapter expresses a point of view on these normative debates (a point of view we've previously conveyed <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2250126" target="_blank" > here </a> , <a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2477095" target="_blank" > here </a> , and elsewhere), it is intended to present, as fairly as we could in a limited space and in non-technical language, the leading positions in the debate. It's not a brief for one side or the other. Teachers looking for a basic introduction to the AWS topic for use in law, international relations, ethics, armed conflict or military studies, etc., might find it useful. <a href="#TOP">top </a> </p> <p> <a name="DIFFERENT"> </a> <h3> DIFFERENT </h3> </p> <p> <strong> <a href="http://gothamist.com/2017/07/10/send_me_art_text_sfmoma.php"> Text this number anything you want and it will text you back art depicting it </a> </strong> (Gothamist, 10 July 2017) - There are 34,678 pieces of artwork in SFMOMA's collection, with only about 5% on view at any given time. To get more eyes on the art, they've created a way to discover some of it. <a href="https://www.sfmoma.org/read/send-me-sfmoma/" target="_blank"> Their highly addictive "Send Me" feature </a> allows you to text them what you want to see, and they'll send you back an image of a piece of art depicting that thing, along with some information on the piece. 
Here's how to make the magic happen: text "send me [x]" to 572-51, and within seconds SFMOMA will text you back a piece of art that, in some way, shows you that thing. X can be a keyword, a color, or even an emoji. In their announcement of the text service, they noted that "studies have shown that the average museum visitor spends approximately seven seconds in front of any artwork," asking, "In a world oversaturated with information... how can we generate personal connections between a diverse cross section of people and the artworks in our collection? How can we provide a more comprehensive experience of our collection?" In the first four days of the project, they received over 12,000 texts. [ <strong>Polley </strong>: Spotted by MIRLN reader Elizabeth Polley = @ebpolley] <a href="#TOP">top </a> </p> <p> <a href="http://www.caseclothesed.com/specific-laws-that-governs-katana-samurai-sword-ownership/" > <strong> Specific laws that governs katana/samurai sword ownership </strong> </a> (Case Clothesed, July 2017) - In Japan, there are certain laws you have to comply with for you to have swords or katana. During the old period in Japan, carrying swords on the road was prohibited unless you were a public servant or police. In these days it is hard to find someone who owns a sword. Only those who are associated with the sport Hombu Dojo, or a type of Samurai Sports. Yakuza and other members of the elite community may have access to these swords too. But there are certain laws that restrict the use of this traditional weapon. 
* * * <a href="#TOP">top </a> </p> <p> <a name="LOOKINGBACK"> </a> <h3> LOOKING BACK - MIRLN TEN YEARS AGO </h3> </p> <p> (note: link-rot has affected about 50% of these original URLs) </p> <p> <a href="http://www.nytimes.com/2007/09/24/business/media/24adcol.html?ex=1348286400&en=2b872e9e7df0ee8f&ei=5090&partner=rssuserland&emc=rss" > <strong>Company will monitor phone calls to tailor ads </strong> </a> (New York Times, 24 Sept 2007) - Companies like Google scan their e-mail users' in-boxes to deliver ads related to those messages. Will people be as willing to let a company listen in on their phone conversations to do the same? Pudding Media, a start-up based in San Jose, Calif., is introducing an Internet phone service today that will be supported by advertising related to what people are talking about in their calls. The Web-based phone service is similar to Skype's online service - consumers plug a headset and a microphone into their computers, dial any phone number and chat away. But unlike Internet phone services that charge by the length of the calls, Pudding Media offers calling without any toll charges. The trade-off is that Pudding Media is eavesdropping on phone calls in order to display ads on the screen that are related to the conversation. Voice recognition software monitors the calls, selects ads based on what it hears and pushes the ads to the subscriber's computer screen while he or she is still talking. A conversation about movies, for example, will elicit movie reviews and ads for new films that the caller will see during the conversation. Pudding Media is working on a way to e-mail the ads and other content to the person on the other end of the call, or to show it on that person's cellphone screen. "We saw that when people are speaking on the phone, typically they were doing something else," said Ariel Maislos, chief executive of Pudding Media. "They had a lot of other action, either doodling or surfing or something else like that. 
So we said, 'Let's use that' and actually present them with things that are relevant to the conversation while it's happening." <a href="#TOP">top </a> </p> <p> <a name="NOTES"> </a> <h3> NOTES </h3> </p> <p> MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( <a href="mailto:vpolley@knowconnect.com?subject=MIRLN"> mailto:vpolley@knowconnect.com?subject=MIRLN </a> ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line. </p> <p> Recent MIRLN issues are archived at <a href="http://www.knowconnect.com/mirln">www.knowconnect.com/mirln </a>. Get supplemental information through Twitter: <a href="http://twitter.com/vpolley">http://twitter.com/vpolley </a> #mirln. </p> <p> SOURCES (inter alia): </p> <p> 1. The Filter, a publication of the Berkman Klein Center for Internet & Society at Harvard Law School, <a href="http://cyber.law.harvard.edu/">http://cyber.law.harvard.edu </a> </p> <p> 2. InsideHigherEd - <a href="http://www.insidehighered.com/">http://www.insidehighered.com/ </a> </p> <p> 3. SANS Newsbites, <a href="http://www.sans.org/newsletters/newsbites/"> http://www.sans.org/newsletters/newsbites/ </a> </p> <p> 4. Aon's Technology & Professional Risks Newsletter </p> <p> 5. Crypto-Gram, <a href="http://www.schneier.com/crypto-gram.html"> http://www.schneier.com/crypto-gram.html </a> </p> <p> 6. Eric Goldman's Technology and Marketing Law Blog, <a href="http://blog.ericgoldman.org/">http://blog.ericgoldman.org/ </a> </p> <p> 7. The Benton Foundation's Communications Headlines </p> <p> 8. Gate15 Situational Update Notifications, <a href="http://www.gate15.us/services.html"> http://www.gate15.us/services.html </a> </p> <p> 9. 
Readers' submissions, and the editor's discoveries </p> <p> This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. </p> <p> PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose. <a href="#TOP">top </a> </p>