Saturday, June 06, 2015

MIRLN --- 17 May - 6 June 2015 (v18.08)

MIRLN --- 17 May - 6 June 2015 (v18.08) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

permalink

PROGRAM ANNOUNCEMENT

Cybersecurity & Data Protection Legal Summit (ALM, et al.; NYC June 16, 2015) - The road has split with organizations choosing either proactive preparation or reactive crisis management to ongoing cyberattacks and threats. What road has your organization taken, and are you protected? To help answer these vital questions and more, the publishers of Corporate Counsel and Legaltech News are pleased to invite you to attend the Mid-Year Cybersecurity and Data Protection Legal Summit on Tuesday, June 16 at the Harvard Club of New York, NY. This event will provide a practical overview of the latest risk profiles, best practices, and evolving industry standards for data security and cyber protection. [ Polley : I'm presenting on "Protect Your Ethics: Infosec Responsibilities in the Attorney-Client Relationship" #CyberLaw15]

NEWS | RESOURCES | LOOKING BACK | NOTES

Creepy ads use litterbugs DNA to shame them publicly (Wired, 15 May 2015) - Next time you're about to toss a cigarette butt on the ground, consider this freaky fact: It takes less than a nanogram (or less than one billionth of the mass of a penny) of your dried saliva for scientists to construct a digital portrait that bears an uncanny resemblance to your very own face. For proof look to Hong Kong, where a recent ad campaign takes advantage of phenotyping, the prediction of physical appearance based on bits of DNA, to publicly shame people who have littered. If you walk around the city, you'll notice portraits of people who look both scarily realistic and yet totally fake. These techno-futuristic most-wanted signs are the work of ad agency Ogilvy for nonprofit Hong Kong Cleanup , which is attempting to curb Hong Kong's trash problem with the threat of high-tech scarlet lettering. It's an awful lot like the Stranger Visions project from artist Heather Dewey-Hagborg , who used a similar technique a couple years back to construct sculptural faces as a way to provoke conversation around what we should be using these biological tools for. In the case of Hong Kong's Face Of Litter campaign, the creative team teamed up with Parabon Nanolabs , a company out of Virginia that has developed a method to construct digital portraits from small traces of DNA. Parabon began developing this technology more than five years ago in tandem with the Department of Defense, mostly to use as a tool in criminal investigations. Parabon's technique draws on the growing wealth of information we have about the human genome. By analyzing saliva or blood, the company is able to make an educated prediction of what you might look like. Most forensic work uses DNA to create a fingerprint, or a series of data points that will give a two-dimensional look at an individual that can be matched to pre-existing DNA samples. "We're interested in using DNA as a blueprint," explains Steven Armentrout, founder of Parabon. "We read the genetic code." The DNA found on the Hong Kong trash is taken to a genotyping lab, where a massive data set on the litterbug is produced. This data, when processed with Parabon's machine-learning algorithms, begins to form a rough snapshot of certain phenotypes, or traits.

top

- and -

'Devious defecator' case tests genetics law (NYT, 29 May 2015) - Seven years ago, Congress prohibited employers and insurers from discriminating against people with genes that increase their risks for costly diseases, but the case that experts believe is the first to go to trial under the law involves something completely different: an effort by an employer to detect employee wrongdoing with genetic sleuthing. Amy Totenberg, the federal district judge in Atlanta who is hearing the case, called it the mystery of the devious defecator. Frustrated supervisors at a warehouse outside Atlanta were trying to figure out who was leaving piles of feces around the facility. They pulled aside two laborers whom they suspected. The men, fearing for their jobs, agreed to have the inside of their cheeks swabbed for a genetic analysis that would compare their DNA with that of the feces. Jack Lowe, a forklift operator, said word quickly spread and they became the objects of humiliating jokes. The two men were cleared - their DNA was not a match. They kept their jobs but sued the company. On May 5, Judge Totenberg ruled in favor of the laborers and set a jury trial for June 17 to decide on damages. She determined that even though the DNA test did not reveal any medical information, it nonetheless fell under the Genetic Information Nondiscrimination Act , or GINA. Atlas Logistics Group Retail Services, which operates the warehouse, has not decided whether to appeal, its lawyer, Dion Kohler, said. The company had contended that the test provided no medical information about the employees and that both kept their jobs and suffered no discrimination. The decision in this case means the scope of the law goes far beyond what Congress seems to have envisioned, legal experts said. Even if an employer, as in this case, did not seek an employee's DNA to look for medical conditions, it was getting a trove of data that it arguably should not have, said Jessica L. Roberts director of the Health Law and Policy Institute at the University of Houston Law Center. The judge, she said, ruled that "a genetic test is a genetic test is a genetic test."

top

Court won't force US to divulge secret strategy to cut mobile phone service (Ars Technica, 15 May 2015) - A federal appeals court won't force the US to disclose its clandestine plan to disable cell service during emergencies. That was the decision from the US Court of Appeals for the District of Columbia Circuit concerning Standard Operating Procedure 303. The court had taken the same position in February and agreed with the government's contention that the Freedom of Information Act (FOIA) allows the Department of Homeland Security to withhold documents if their exposure could "endanger" public safety. After the decision, the Electronic Privacy Information Center (EPIC), which brought the FOIA suit, had asked the court to revisit the issue in what is known as an en banc review. The appeals court declined (PDF) in a one-sentence order Wednesday. The privacy group had demanded the document way back in 2011 following the shuttering of cell service in the San Francisco Bay Area subway system to quell a protest. The DHS refused to divulge the documents associated with SOP 303, which the appeals court described as a "unified voluntary process for the orderly shut-down and restoration of wireless services during critical emergencies such as the threat of radio-activated improvised explosive devices."

top

Controversial 'Innocence of Muslims' ruling reversed by appeals court (Hollywood Reporter, 18 May 2015) - On Monday, the 9th Circuit Court of Appeals took another shot at Cindy Lee Garcia's dispute with Google over whether YouTube must remove Innocence of Muslims and chose to reverse its prior holding by deciding against a preliminary injunction. The actress claims that when she agreed to appear in the movie, she didn't know that she was signing up for an anti-Islamic film. She says she signed no waivers and held on to the copyright of her performance. After a trailer of the film was released and sparked worldwide protests, Garcia received death threats, and so she sent a takedown notice to YouTube. In February 2014, 9th Circuit chief judge Alex Kozinski stunned many in the industry by determining that Garcia could assert a copyright interest in her performance in the film and that a federal judge was wrong to find against her injunction motion. The decision caused an outcry, especially among tech companies who worried that the decision could empower bit performers and other contributors to copyrighted work to assert their own authorship rights and enjoin anything they didn't like. Today, after the case was reviewed by a fuller panel of judges en banc, the appeals court agrees that Kozinski's decision can't stand. As a result, Innocence of Muslims may soon reappear on YouTube. "In this case, a heartfelt plea for personal protection is juxtaposed with the limits of copyright law and fundamental principles of free speech," writes 9th Circuit judge M. Margaret McKeown. "The appeal teaches a simple lesson - a weak copyright claim cannot justify censorship in the guise of authorship." In setting up the analysis, McKeown speaks of why it's important that the legal standards be "demanding" upon someone seeking an injunction. She writes that Garcia not only show she's likely to succeed in her lawsuit, but that "the law and facts clearly favor her position." The difficulty in this case was attempting to figure out Garcia's copyright authority. Usually, actors sign release forms (or perform in a work-for-hire context) that take away the question altogether. When Kozinski previously decided that in the absence of such a release, Garcia could assert copyright on her performance, he did so upon the conclusion that an actor evinced sufficient creativity. The ruling seemed at odds with prior holdings - particularly Aalmuhammed v. Lee , which concerned the 1992 Spike Lee film Malcolm X and dealt with joint authorship of works "intended by everyone involved with it to be a unitary whole." McKeown notes that when the Copyright Office got its own chance to address Garcia's copyright registration on her performance, it rejected the application because "a motion picture is a single integrated work."

top

Clients demand more of firms on data security (Global Legal Post, 18 May 2015) - The increasing focus on data security and privacy, which permeates all levels of the business community, is starting to force the pace of change in the legal profession. David Ray, a Director with the Huron Consulting Group, highlights the efforts law departments, law firms, and other service providers are making to protect sensitive and confidential data. He says that 'By nature, the legal industry deals with a large amount of potentially sensitive information, and as a result, data privacy is becoming increasingly more important.' The legal profession has seen itself as 'somewhat immune to these issues. However, the increased overall focus on privacy and recent data breaches is affecting the legal sector just like any other. Law departments, law firms, and legal vendors are recognising this growing pressure and have started to make changes accordingly.' According to Mr Ray, a data privacy and security expert, the five biggest trends in data privacy in the legal industry are in the following areas: * * *

top

4 ways you are putting your clients' information at risk (Lawyerist, 19 May 2015) - A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. (Rule 1.6(c).) So what are reasonable efforts when it comes to your clients' information stored on your computer? You have to make an effort, obviously. But how much effort is so unreasonable that you don't have to make it? At a minimum, a reasonable effort has to mean taking advantage of the easy-to-use security features already available on your computer and device(s). Where the potential harm is great and the potential fix is cheap and easy to implement, it is also be a reasonable effort. With that in mind, here are four ways you may not be making a reasonable effort. * * *

top

US aims to limit exports of undisclosed software flaws (Reuters, 20 May 2015) - The U.S. Commerce Department proposed new export controls Wednesday that would treat unknown software flaws as potential weapons, a move aimed at reducing the security industry's aid to rival nations. The department said it was following through on an international commitment to address the evolution of warfare to include more technology. But some security researchers said the rules, which are subject to public comment for 60 days, would fail to curb the black market while hindering cross-border collaboration and sales of defensive products. The regulations are broadly written and cover what are known as "zero-day" flaws, or security vulnerabilities that the software vendors do not know about. Hackers and defense contractors often sell information about such flaws to government agencies or the maker of the software, and internal U.S. sales could continue. But sales of zero-day and supporting capabilities would be barred without special license outside of the United States, United Kingdom, Canada, Australia and New Zealand. [ Polley : This seems unwise. How will this be implemented/enforced? See also What is the US doing about Wassenaar, and why do we need to fight it? (EFF, 28 May 2015)]

top

Sixth Circuit creates circuit split on private search doctrine for computers (Orin Kerr on Volokh Conspiracy, 20 May 2015) - The Sixth Circuit handed down a new decision on computer search and seizure that may be the next computer search issue to make it to the Supreme Court. The issue: How does the private search reconstruction doctrine apply to computers? The new decision creates an apparent circuit split with the Fifth and Seventh Circuits. First, some context. Private parties acting on their own are not regulated by the Fourth Amendment. When a private party has conducted a prior search, the private party can reconstruct the search for the government without implicating the Fourth Amendment. The idea is that the private search has already shed the Fourth Amendment protection over what was searched, so that the government can ask the private party to redo the private party's search to show the police what the private party saw. Granted, if the officer asks the private party to conduct a new search that goes beyond the old one, then that can violate the Fourth Amendment. The new search that exceeds the old one is at the government's behest, and the new invasion of privacy triggers the Fourth Amendment. But just going over the old ground is permitted. The idea seems simple enough. But the application raises a puzzle: When a private party sees a file on a computer, what exactly has been searched for purposes of later reconstruction? I discussed this problem in my 2005 article, Searches and Seizures in a Digital World . The question is, what's the right measuring unit to use - the data, the file, the folder, the physical device, or something else? The issue is really important for computer searches, as it determines how much the government can search computers without a warrant after a private citizen finds evidence of crime on a computer and calls for help. The cases were already mixed in 2005, although at the time the Fifth Circuit was the only federal circuit court to weigh in. The Fifth Circuit had held that the unit was the physical computer, so that a private search of one file allowed the private party to turn over the entire computer to the government for a warrantless search. Since then, there have been some added cases. In 2012, the Seventh Circuit joined the Fifth Circuit by adopting the unit of the device. And last month, a cert petition was filed at the Supreme Court on this issue in Gunter v. United States . But I hadn't thought there was a particularly clear split. At least until this morning. This morning, the Sixth Circuit handed down a new case, United States v. Lichtenberger , that adopts the proper unit as data or a file instead of the physical device.

top

The legal industry is about to get Ubered hard (Lawyerist, 20 May 2015) - Adapt, move, or die." The Theory of Evolution teaches us that these are species' only three choices in the face of changing environments. These are also the three choices available to the species lawyericus attornius in the face of a legal environment being transformed by technology. "Law is an information technology-a code that regulates social life." Thus begins a new paper about how machines will transform the role of lawyers in the delivery of legal services. It's the academic equivalent of the canary in the coal mine for today's lawyers, and lays out how, when, and why the legal industry is due for a shakeup similar in size and scope to what happened to American newspapers when the internet rolled around. Moore's Law describes the exponential growth of computing power. But certain industries, like law, have not innovated in tandem with technological progress. Law, like ground transportation and telephony, will instead endure a major disruption. To avoid death, lawyers will need to move into the areas touched last by the tidal wave or adapt by learning how to utilize new tech. * * * But law, as authors John O. McGinnis & Russell G. Pearce point out, is about to get Ubered. Hard. Or, as they put it, innovation is causing the "weakening of lawyers' market power over providing legal services."

top

Fan streaming apps have sports world debating TV rights (CNBC, 21 May 2015) - Ask big names in the sports business what's on their mind, and live streaming by fans is one of the first things they'll mention. Television, with its ever-escalating contracts, increasingly finds itself competing against new technologies such as live-streaming apps Periscope and Meerkat that threaten to disrupt the entire business model. Even Internet giants like Google may be entering the space. (Periscope is owned by Twitter, and CNBC's parent company Comcast is an investor in Meerkat.) Broadcasters, sports executives and athletes the Sports Business Journal's 2015 Sports Business Awards in New York on Wednesday were of two minds when asked about fan streaming apps, with the old guard having bigger problems with the technology than the younger generation had. Dick Ebersol, a former chairman of NBC Sports, said that live streaming through apps like Periscope and Meerkat shouldn't be allowed. "I happen to think it's wrong," he said, arguing that consumers need to pay for what they are watching. "Are you going to let them steal the signal?" NHL Commissioner Gary Bettman said that the league isn't banning streaming apps for personal use but is serious about stopping commercial uses: "There is a difference between fan engagement and commercial exploitation; it's one we are going to have to be prepared to draw." Bettman reaffirmed the league's position that it won't let reporters use the apps at its matches. It has "notified our credential media holders that those apps are not OK to use under their credential. A fan experience is different than fan exploitation." Abe Madkour, executive editor of Sports Business Journal, predicted a 12- to 16-month time frame "before we start seeing changes on what's protected and what's blocked." "The people who own the intellectual property, the rights holders, will take a more active stance to protect their property," he said Last month, Major League Baseball's president of business and media, told CNBC last month that the league will not ban fans from using live-streaming apps at stadiums. Cris Collinsworth, a NBC broadcaster and former player, on Wednesday said he wondered when the rights bubble would burst. "I keep thinking we are going to reach a saturation point, and people are going to say enough football," he said, "but we're not even close to that. Everyone is begging for the next rights to the games." WNBA star player Swin Cash took a different approach, saying that fans were going to use the apps anyway. The leagues and owners need to figure out how to make it all work, she said.

top

Universities 'peculiar creatures' in cybersecurity world (NJLJ, 21 May 2015) - Cyberattacks targeting Rutgers University and Penn State University have brought the issue of cybersecurity close to home-but also served to reestablish that higher-education institutions are unique targets. "Universities are kind of peculiar creatures for cybersecurity," said Vincent Polley, an attorney based near Detroit who co-authored "The ABA Cybersecurity Handbook" and who heads technology consultancy KnowConnect. In the university structure-"a confederation of schools that are fairly loosely coordinated"-there's "frequently not a lot of top-down management," he said. "Add to that an environment where people are encouraged to experiment," and it's a dynamic that's "probably not replicated or experienced in any other environment, anywhere," he said. Scott Christie, a partner in the cybersecurity and data privacy practice at Newark's McCarter & English, called universities "relatively soft targets" when compared to other entities such as financial institutions. "Given the fact that it's in the university context, it relies upon the level of security that the school network administrators impose, which may or may not be the same as a non-university network," he said. What's frustrating about the Rutgers attack that began in March-as well as another attack at nearby Fairleigh Dickinson University (FDU) around the same time-is that neither appears to have relied specifically on network security weaknesses, attorneys and consultants said. Both universities, according to reports, experienced what are called distributed denial-of-service attacks (DDoS attacks), which seek to deluge the target's systems with requests-typically from outside machines, said Polley, former cochair of the information technology and security law practice group at Detroit-based Dickinson Wright.

top

NSA planned to hijack Google app store to hack smartphones (The Intercept, 21 May 2015) - The National Security Agency and its closest allies planned to hijack data links to Google and Samsung app stores to infect smartphones with spyware, a top-secret document reveals. The surveillance project was launched by a joint electronic eavesdropping unit called the Network Tradecraft Advancement Team, which includes spies from each of the countries in the "Five Eyes" alliance - the United States, Canada, the United Kingdom, New Zealand and Australia. The top-secret document, obtained from NSA whistleblower Edward Snowden, was published Wednesday by CBC News in collaboration with The Intercept . The document outlines a series of tactics that the NSA and its counterparts in the Five Eyes were working on during workshops held in Australia and Canada between November 2011 and February 2012. The main purpose of the workshops was to find new ways to exploit smartphone technology for surveillance. The agencies used the Internet spying system XKEYSCORE to identify smartphone traffic flowing across Internet cables and then to track down smartphone connections to app marketplace servers operated by Samsung and Google. As part of a pilot project codenamed IRRITANT HORN, the agencies were developing a method to hack and hijack phone users' connections to app stores so that they would be able to send malicious "implants" to targeted devices. The implants could then be used to collect data from the phones without their users noticing. Previous disclosures from the Snowden files have shown agencies in the Five Eyes alliance designed spyware for iPhones and Android smartphones, enabling them to infect targeted phones and grab emails, texts, web history, call records, videos, photos and other files stored on them. But methods used by the agencies to get the spyware onto phones in the first place have remained unclear. The newly published document shows how the agencies wanted to "exploit" app store servers - using them to launch so-called " man-in-the-middle " attacks to infect phones with the implants.

top

Think you don't need cyber insurance? Think again! (Bloomberg BNA, 22 May 2015) - Big Law is a big target for cyber thieves, experts warn. For starters, law firms are viewed by criminals as low-hanging fruit - because firms are perceived as having "relatively lax security as compared with their sophisticated corporate clients," said Roberta Anderson, a partner at K&L Gates, and co-founder of the firm's Cyber Law and Cybersecurity practice group. Big Law firms have treasure troves full of the exact kind of data that sophisticated cyber criminals seek: protected, personally identifiable information and protected health information. On top of that, "law firms typically are a repository for valuable corporate data, including intellectual property, such as patents and trade secrets, information about important M&A activity, and other sensitive data," said Anderson. "'Typically' is an interesting word in the world of cyber insurance because cyber insurance is the wild west of the insurance marketplace," said Scott Godes , a partner at Barnes & Thornburg. "Nonetheless, there is some standardization in terms of cartridges that are offered in a cyber insurance policy." Law firms should look for these coverages: * * *

top

- and -

Clueless clause: Insurer cites lax security in challenge to cottage health claim (Security Ledger, 26 May 2015) - In-brief: In what may become a trend, an insurance company is denying a claim from a California healthcare provider following the leak of data on more than 32,000 patients. The insurer, Columbia Casualty, charges that Cottage Health System did an inadequate job of protecting patient data. There wasn't anything particularly surprising about the news, in December, 2013, that confidential data on patients at Cottage Health System had been exposed on the Internet. Indeed, in light of subsequent attacks on healthcare industry firms like Athena (80 million records exposed) and Premera , the data leak at California-based Cottage, which involved 32,755 patients, looks like a rounding error. But the incident may prove to have an impact that far exceeds the number of individuals affected, now that Cottage's insurer, Columbia Casualty Insurance is denying an insurance claim linked to the breach and citing Cottage Health's lax security practices as the reason. In a complaint filed in U.S. District Court in California, Columbia alleges that the breach occurred because Cottage and a third party vendor, INSYNC Computer Solution, Inc. failed to follow "minimum required practices," as spelled out in the policy . Among other things, Cottage "stored medical records on a system that was fully accessible to the internet but failed to install encryption or take other security measures to protect patient information from becoming available to anyone who 'surfed' the Internet," the complaint alleges. Among the failures cited by Columbia were Cottage's "failure to continuously implement the procedures and risk controls identified in its application " for the coverage. Those controls include configuration and change management for its IT systems as well as regular patch management. Cottage also failed to regularly "re-assess its information security exposure and enhance risk controls" and to "deploy a system to detect unauthorized access or attempts to access sensitive information stored on its servers."

top

Security researchers start effort to protect 'smart' cities (NYT, 26 May 2015) - It's a brave new world when hackers step in to protect citizens because regulators are not getting the job done. Two years after President Obama signed an executive order setting voluntary guidelines that companies could follow to prevent cyberattacks - especially on critical infrastructure like dams and water treatment facilities - security experts have found that American critical infrastructure is still wide open to attack. The order was a weakened alternative to cybersecurity legislation that the White House tried and failed to push through Congress after Senate Republicans argued the minimum standards would be too onerous on the private sector. Last year, Cesar Cerrudo, an Argentine security researcher, began pointing out critical vulnerabilities in America's so-called smart cities, where wireless sensors control a growing portion of city infrastructure from traffic lights to water and waste management systems. One year later, Mr. Cerrudo discovered that little had been done to patch those basic vulnerabilities, even as cities around the world poured billions of dollars into bringing more of their basic infrastructure online. Without renewed focus on security, he and other researchers warn, those cities are just creating larger and larger targets for nation states and cyberterrorists. In response, on Tuesday, he and others from IOActive Labs; Kaspersky Lab, the Russian cybersecurity company; and a growing list of security experts will announce a new Securing Smart Cities initiative . Their goal is to bring private security researchers and public administrators together to set up basic cybersecurity checklists for smart cities, including properly installed encryption, passwords and systems that can be easily patched for security holes. They are also seeking to set up better security requirements and approval procedures for the vendors who install, monitor and oversee crucial systems. They want to track access to smart city systems; run regular tests to look for loopholes; and set up emergency response teams that can funnel reports of vulnerabilities from security researchers, coordinate patches and share that information with other cities. They also want to create manual overrides for all smart city systems, in the event they are compromised.

top

Let Oracle own APIs, Justice Dept tells top court in surprise filing (Fortune, 26 May 2015) - Many are uneasy about a court ruling that said Oracle can sue Google over copyrighted API's. Now, the White House has just sided with Oracle. The right of companies to use key elements of computer code, known as application programming interfaces (APIs), was cast deeper into doubt on Tuesday after the Justice Department urged the Supreme Court not to hear a controversial case that pits Google and a long list of supporters against Oracle. The news came after the Supreme Court asked the Obama Administration in January to weigh in on a lower court ruling last year that favored Oracle, and shocked many in the tech industry. The issue before the court is when, if at all, APIs can be protected by copyright. The outcome has serious repercussions not just for Google, but the entire software industry, since APIs act as a sort of lingua franca that allow different computer programs to deliver instructions to each other. In the case of Oracle and Google, the dispute turns on the search giant's use of certain Java APIs for its Android software. Java is a programming language that was developed by Oracle's predecessor, Sun Microsystems, and is widely used by software developers. Google, backed by tech trade groups and law professors, does not dispute that computer code can be copyrighted. The parties argue instead that Google only used a small portion of Oracle's Java Standard Library, and did so only in order to use common signposts or headers, rather than reinventing the instructions from scratch. The argument, in effect, is that developers should be able to use these small chunks of code, which serve as industry standards, free of copyright restrictions. U.S. District Judge William Alsup, a respected Silicon Valley judge, initially sided with Google in 2012 after teaching himself Java for the trial. He found that the APIs were functional, and fell on the wrong side of copyright law's "idea/expression dichotomy" and merger doctrine - these are rules that prevents copyright law from becoming too broad, and covering everyday things like menus and simple instructions. Last year, however, the U.S. Federal Circuit appeals court overturned that finding, and likened the Java APIs to Charles Dickens and other literary works. The ruling drew widespread scorn at the time: * * * [ Polley : See also Copyright on computer programs: Solicitor General argues that APIs are unquestionably copyright eligible (Patently-O, 29 May 2015)]

top

The invisible learners taking MOOCs (InsideHigherEd, 27 May 2015) - "Anyone, anywhere, at any point in time will be able to take advantage of high quality education." That could be a tagline from just about any enthusiast or provider of open online courses (often called MOOCs). The intention certainly seems laudable and, if not transformational, at least desirable. What are the caveats? Recent research suggests that the majority of people enrolled in these open online courses are highly educated . As far as US participants are concerned, a large percentage also live in high-income neighborhoods . And yet, despite the extensive research and data on open online courses, we really do not know much about these millions of learners engaged in everything from courses on computer science to poetry to physiotherapy to gender studies to bioinformatics. In fact, apart from a few anecdotes of extraordinary individuals who overcome insurmountable struggles to succeed (e.g., the exceptional Nigerian man who completed 250 courses ) or abstract descriptions of learners and their activity (e.g., " less than 10% complete courses ," " auditors ," or " latecomers ") these learners might as well be invisible. And thus, my fellow researchers and I are asking more questions. We want to better understand open courses and their learners (and their successes and their failures). How do these people experience open courses? Why they do they things that they do in these courses? We are currently in the midst of conducting the largest series of interview studies in open courses. Our research is motivated by the fact that very few commentators and researchers to date have paused to talk to learners and to listen to them describe their experiences and activities. In fact, what researchers know about MOOCs is largely the result of analyzing the data trails that learners leave behind as they navigate digital learning environments. * * *

top

Financial institutions claim Home Depot breach caused 'billions of dollars' in fraud losses (Atlanta Business Chronicle, 27 May 2015) - Financial institutions claim Home Depot's data breach caused total fraud losses "in the billions of dollars." In a consolidated complaint filed May 27 in federal court in Atlanta, more than 100 financial institutions state their case for why The Home Depot Inc. (NYSE: HD) is responsible for the massive data breach that the world's largest home improvement retailer suffered in 2014. The lawsuit takes direct aim at the company's former top executive and management, starting off with a quote from Home Depot's recently retired CEO Frank Blake , which states, "If we rewind the tape, our security systems could have been better...Data security just wasn't high enough in our mission statement." The complaint goes on to charge that "The data breach was the inevitable result of Home Depot's longstanding approach to the security of its customer's confidential data, an approach characterized by neglect, incompetence, and an overarching desire to minimize costs." The financial institutions claim they have incurred more than $150 million in costs just to reissue compromised cards, and that "industry sources further estimate that the total fraud losses for all financial institutions are in the billions of dollars." Claiming that Home Depot is still at risk of another data breach ("the risk of another such breach is real, immediate, and substantial," the financial institutions claim), the financial institutions are asking the court to order the company to implement a number of security improvements.

top

Average cost of data breach is $6.5M (SC Magazine, 27 May 2015) - In a year already characterized by data breaches at recognizable healthcare organizations, such as CareFirst BlueCross BlueShield, and at major government entities, including the IRS, it's no surprise that victims' personal information is a hot commodity. An annual study from the Ponemon Institute and IBM released on Wednesday found that the average cost per capita cost in a data breach increased to $217 in 2015 from $201 in 2014. Plus, the average total cost of a data breach increased to $6.5 million from $5.8 million the prior year. The cost per record takes into account indirect costs, such as abnormal turnover or churn of customers, as well as direct costs caused by the breach itself, including technology investment and legal fees. Only $74 was attributed to direct costs. The study also noted, however, that not all records are seen as equal when stolen. Health records have an average cost of $398 each, whereas retail records cost $189 each. See also Cost of data breaches increasing to average of $3.8 million, Ponemon study says (Reuters, 27 May 2015), and Ponemon: Data breach costs now average $154 per record (CSO Online, 27 May 2015) - * * * On average, it took respondents 256 days to spot a breach caused by a malicious attacker, and 82 days to contain it. Breaches caused by system glitches took 173 days to spot and 60 days to contain. Those caused by human error took an average of 158 days to notice, and 57 days to contain. * * *

top

Netflix now accounts for almost 37 percent of our Internet traffic (WaPo, 28 May 2015) - Netflix's share of Internet traffic is exploding. The streaming service now accounts for 36.5 percent of all bandwidth consumed by North American Web users during primetime, according to the Canada-based network firm Sandvine . That's way up from even last November , when Sandvine estimated Netflix's bandwidth footprint at 34.9 percent of Internet traffic. Sandvine's regular reports on Internet usage - based on traffic as it passes through its systems - have become a reliable indicator of which services are taking up the most bandwidth. Both the season five premiere of "Game of Thrones" and the most recent "Call of Duty" downloadable content led to massive spikes in data consumption, the latest report also finds.

top

Cybersecurity on the agenda for 80 percent of corporate boards (CSO, 28 May 2015) - Cybersecurity is a topic of discussion at most board meetings, according to a new survey of 200 corporate directors. The survey , conducted jointly by NYSE Governance Services and security vendor Veracode, revealed that more than 80 percent of board members say that cybersecurity is discussed at most or all board meetings. Specifically, 35 percent said that cybersecurity was discussed at every board meeting and 46 percent said it was discussed at most meetings. Only 10 percent said they discussed cybersecurity after an incident in their industry or at their company -- and only 1 percent said they never discussed cybersecurity at all. According to the survey, the board members held the CEO primarily responsible for cybersecurity, with the CIO as the second-most responsible executive. 66 percent of board members are not confident of their companies' ability to defend themselves against cyberattacks. Only 4 percent said they were "very" confident. And, despite this lack of confidence, security ranked second to last in priority when it comes to developing new products and services. The board members surveyed said that brand damage, data breach costs, and theft of intellectual property were the top concerns when it came to cybersecurity.

top

How law firms use Facebook and other data to track down medical victims (Bloomberg, 28 May 2015) - For ambulance chasers, persistence and a phone book just don't cut it anymore. Law firms, which once relied on television commercials, billboards, and cold calling numbers in the white pages to find plaintiffs for medical lawsuits, have begun to embrace technology. To locate their ideal pharma victims more quickly and at lower costs, they're using data compiled from Facebook, marketing firms, and public sources, with help from digital bounty hunters like Tim Burd. Burd is a devoted practitioner of the art of sales. His Skype username begins with the phrase made famous by Glengarry Glen Ross , a play about desperate real estate salesmen: "Always be closing." As chief executive officer of DigitizeIQ, Burd feeds demographic data from the U.S. Centers for Disease Control and Prevention into general marketing tools offered by Facebook to identify people most likely to be exposed to a particular drug or medical treatment. For example, Burd was hired for a lawsuit claiming a medical device used in hysterectomies, known as a laparoscopic power morcellator, causes ovarian cancer to spread in patients. The CDC says women over 55 are most likely to contract that kind of cancer. Burd says CDC data are especially powerful in combination "with Facebook, which is why we love it so much, because there's ovarian cancer support groups and stuff like that. So we target women in the country over the age of 55 that 'like' an ovarian cancer support group. That's a pretty targeted demographic." * * * The sophistication of newer plaintiff procurement techniques is leaving pharmaceutical companies inundated by mass tort lawsuits. Johnson & Johnson is facing more than 24,000 lawsuits over its vaginal mesh implants. A jury in California ordered the company on March 5 to pay $5.7 million to a woman who said one of its vaginal mesh implants eroded inside of her. In January, J&J lawyers told a federal judge that firms were violating medical data laws to track down plaintiffs. * * *

top

Proposed rule change to expand feds' legal hacking powers moves forward (Ars Technica, 29 May 2015) - A controversial proposed judicial rule change allowing judges to issue warrants to conduct "remote access" against a target computer regardless of its location has been approved by a United States Courts committee, according to the Department of Justice. Federal agents have been known to use such tactics in past and ongoing cases: a Colorado federal magistrate judge approved sending malware to a suspect's known e-mail address in 2012. But similar techniques have been rejected by other judges on Fourth Amendment grounds. If this rule revision were to be approved, it would standardize and expand federal agents' ability to surveil a suspect and to exfiltrate data from a target computer regardless of where it is. (Both the United States Army and the Drug Enforcement Administration are known to have purchased such exploits, most likely zero-days.) In the United States, federal warrants are issued by judges who serve one of the 94 federal judicial districts and are typically only valid for that particular jurisdiction. Typically those warrants are limited to the district in which they are issued. Peter Carr, a DOJ spokesperson, told Ars: "I am not aware of any data on the number of times this has been previously authorized." In February 2015, Richard Salgado, one of Google's top lawyers, wrote a blog post articulating the company's opposition to the move: "The implications of this expansion of warrant power are significant, and are better addressed by Congress." The rule change has a long way to go before becoming standard practice. It has to be approved later this year by the Judicial Conference, then be approved by the Supreme Court. If Congress does not intervene at that stage, it will take effect as of December 1, 2016.

Ad panel equates texts with prohibited direct solicitations (Florida Bar News, 1 June 2015) - The Standing Committee on Advertising has denied a law firm permission to send texts to potential clients. The committee reviewed proposals from the firm, which contended that texts are more akin to email than phone contacts, but the panel voted 6-1 against the idea. At issue was Bar Rule 4-7.18(a), which prohibits direct communication or solicitation of potential clients in person or via telephone, telegraph, or fax. Direct mail, including emails, are permitted if they follow the requirements in Rule 4-7.18(b), including that the message must be clearly labeled as an advertisement, the first line must advise the recipient to ignore the communication if he or she already has an attorney, and that it must give the sending attorney's qualifications and geographical address, among other things. Jacob Stuart, representing the petitioning firm, argued in this case the phone number is more like an email address in that it is used to deliver a text message that would otherwise comply with Bar rules for direct mail. Smartphone users, he added, use their mobile devices more to check email, send texts, and post to social media than they do to make actual phone calls. "The phone number has become an address," Stuart said. "It is simply the address for a variety of accounts, one of which is the phone." He said the firm planned to obtain phone numbers of those arrested or issued traffic citations from clerks, run them through a database that identifies those that are mobile devices, and then use a computer to send them text messages. Stuart said the practice would help bring legal services to low- and moderate-income people who rely primarily on their smartphones for information. Bar Ethics and Advertising Counsel Elizabeth Tarbert said a majority of Bar staff recommended against the text system. She noted that although the rule was written more than 20 years ago, before texts were possible and portable phones were in widespread use, the rule did not prohibit telephone "calls." Rather it prohibits the use of telephones, as well as telegraphs, faxes, and in-person appeals to make direct solicitations to potential clients. Those restrictions, she said, address "the urgency and intrusiveness" of the communication.

top

A new journal - dedicated to cybersecurity (Lawfare, 2 June 2015) - I'd like to announce the new Journal of Cybersecurity , an interdisciplinary journal encouraging submissions in all aspects of cybersecurity. This new journal will publish original research in the inherently interdisciplinary area of cybersecurity. While there are some meetings, including the Privacy Legal Scholars Conference and the Workshop in Economics of Information Security , that transcend the barriers between fields, there largely have not been academic journals that do so. By encouraging submissions in anthropological studies, human factors and psychology, computer science, legal aspects, political and policy perspectives, cryptography and computer security, strategy and international relations, security economics, and privacy, the Journal of Cybersecurity , seeks to provide a home for such interdisciplinary work. Journal of Cybersecurity is published by Oxford University Press . We're looking for papers that can be read at both the disciplinary and interdisciplinary level. Editors-in-chief are David Pym and Tyler Moore , and area editors include an international set of interdisciplinary characters, including yours truly (I'll be running the Political and Policy Perspectives section). Spread the word. And submit - we're eager for your work.

top

RESOURCES

Law Enforcement Access to Evidence in the Cloud Era (The Chertoff Group, 21 May 2015) - The Chertoff Group, a premier advisory firm focused on security and risk management, released a new white paper examining how our global Internet economy has created significant change when it comes to the nature of law enforcement activity. This paper - Law Enforcement Access to Evidence in the Cloud Era - outlines the challenges faced by law enforcement today as they seek to gather and collect evidence in a world where such proof is no longer largely discovered within a single jurisdiction. Instead, this data or proof is often collected, stored, and processed globally by transnational companies holding this information in the cloud. As a result, significant potential exists for the disruption of law enforcement activities because those who hold relevant evidence may be subject to conflicting legal obligations, unilateral actions by a single jurisdiction, and significant economic pressures. Authored by experts within The Chertoff Group, Law Enforcement Access to Data in the Cloud Era outlines the scope of the problem and surveys existing technical, legal, and policy conflicts. While it does not endorse a single solution, this paper identifies potential responses to the changing dynamic. White paper is here . [ Polley : Spotted by MIRLN reader Claude Baudoin ]

top

Government secrets under law, and government secrets about laws (MLPB, 20 May 2015) - Jonathan M. Manes, Yale Law School, has published Secret Law . Here is the abstract: Recent disclosures of the secret legal rules governing a variety of government programs - from electronic surveillance to targeted killing - have demonstrated that secret law not only exists, but is a regular feature of governance in this country, particularly in matters of national security. While the government is surely entitled to carry out certain functions in secret, the notion that the very rules that empower and constrain the government could themselves be secret is deeply unsettling, raising profound concerns about government's accountability, the public's role in a democracy, and the protection of individual liberties. While there is a significant literature on the government's authority to keep secrets in general, the government's power to keep the law itself hidden from the public is a special problem that has thus far received little scholarly attention. This Article is the first to offer a general examination of the phenomenon of secret law in the context of national security, describing its place in the existing transparency regime, providing an account of the competing normative commitments that animate debates about secret law's legitimacy, and offering proposals rein in the practice of secret law. The Article argues that existing institutional arrangements give the executive branch significant discretion to keep law secret. This creates an equilibrium that produces too much secret law, and fails to adequately account for strong countervailing interests in transparency. Drawing on contemporary examples of secret laws governing surveillance, watch-listing, and targeted killings, the Article proposes both institutional and substantive reforms that would result in a more defensible and stable legal equilibrium that produces fewer problematically secret laws. In particular, it argues that Courts should adopt a clear statement rule against secret law so that law must be disclosed unless secrecy is specifically authorized by Congress. Such a rule would result in a better accommodation between secrecy interests and transparency values by requiring inter-branch contestation and agreement on the scope of secret law. Moreover, a presumption against secret law is grounded in Constitution's text and structure, notably the Presentment and Journal Clauses, and the First Amendment. The full text is not [sic] available from SSRN. [ Polley : Really? Not available on SSRN? Pretty ironic, huh?]

top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

US Supreme Court reverses Grokster decision (BNA's Internet Law News, 28 June 2005) -- The US Supreme Court has ruled against file-swapping companies Grokster and StreamCast Networks in their high profile battle with the content industries. The court sought to leave the 1984 Sony Betamax decision untouched, but added the notion of active inducement. Although the 9-0 decision was a loss for Grokster, the court provided a potential roadmap for future P2P services by ruling that there is no liability for knowledge of potential or actual infringement; no liability for product support or technical updates, and (absent other evidence of intent) no liability for failure to take affirmative steps to prevent infringement. Decision at http://laws.findlaw.com/us/000/04-480.html

top

Google urged to drop reactor images (News.com.au, 8 August 2005) -- The head of Australia's nuclear energy agency has called on the owners of an internet satellite program to censor images of the country's only nuclear reactor. Australian Nuclear Science and Technology Organisation executive director Ian Smith said he would ask internet search engine Google to remove the Lucas Heights reactor from its Google Earth program. The online program combines satellite images with aerial photographs and maps to let users zoom in on almost any building in the world. While Google Earth "censors" the White House with blocks of colour over the roof and the nearby Treasury Department and Executive Office buildings, anyone with a computer and web connection can use the free program to see aerial shots of sensitive Australian sites such as the Lucas Heights reactor, the secret US spy base at Pine Gap, outside Alice Springs, and Parliament House in Canberra.

top

NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. top

No comments: