Saturday, January 02, 2016

MIRLN --- 13 Dec 2015 - 2 Jan 2016 (v19.01)

MIRLN --- 13 Dec 2015 - 2 Jan 2016 (v19.01) --- by Vince Polley and KnowConnect PLLC (supplemented by related Tweets: @vpolley #mirln)

!!! HAPPY NEW YEAR !!!



Online property information aids deed thieves (ABA Journal, 9 Dec 2015) - Online property information is making it easier for swindlers to forge deeds so they can sell vacant homes to unsuspecting buyers. The problem is particularly bad in New York City, where 120 cases are being investigated, the Wall Street Journal (sub. req.) reports. The city posts online copies of deeds, mortgages, liens and other documents. That makes it possible for scammers to see information such as owners' signatures, addresses, emails and phone numbers. The information also makes it easier to obtain owners' Social Security numbers. David Szuchman, chief of the investigative division of the Manhattan District Attorney's office, tells the Wall Street Journal that the online records have become "one-stop shopping for fraud." The New York City Department of Finance is trying to stop the fraud by notifying property owners when a new deed is recorded for their property. Detroit and Chicago are also reporting increased deed fraud. Cook County, which includes Chicago, is currently investigating 62 cases.


Ninth Circuit hears arguments on IP address blocking and shared accounts under the CFAA (Orin Kerr, 11 Dec 2015) - On Wednesday, the Ninth Circuit heard argument in Facebook v. Power Ventures, an important case on the Computer Fraud and Abuse Act ("CFAA"). The case considers whether a company violated the CFAA by accessing Facebook accounts with user permission in violation of Facebook's Terms of Service, even after Facebook sent a cease-and-desist letter to the company and blocked its IP address. And that's not the only CFAA case the Ninth Circuit recently heard on using shared passwords. A different panel heard argument in United States v. Nosal on a similar question but involving very different facts. Let's start with the Facebook case. Power Ventures ("Power") allowed Facebook users to set up an account at the Power website and to give Power permission to access the user's Facebook account on the user's behalf. Facebook didn't like this, as it wanted to maintain control of Facebook's system. So Facebook told Power to stop accessing its website and also blocked an IP address used by the Power website. Power continued to access Facebook's site anyway. The legal question: Did the subsequent access by Power, with Facebook user permission but against the permission of Facebook, constitute a criminal unauthorized access under the CFAA? * * * Last month's oral argument in United States v. Nosal ("Nosal II") provides an intriguing contrast. Nosal II considers whether a former employee violated the CFAA when he persuaded a current employee to give him the employee's username and password to the company network and then used the account for his own purposes. In a forthcoming essay on the CFAA, "Norms of Computer Trespass," to be published in the Columbia Law Review, I offer an approach to deciding both of these cases. I've mentioned the draft before, but I posted an improved version of the still-forthcoming article two weeks ago. Here's a brief rundown of my approach. * * *


New York attorney general solicits help from the public in broadband probe (Reuters, 13 Dec 2015) - New York Attorney General Eric Schneiderman invited the public on Sunday to test the speed of their Internet and submit the results online as part of an ongoing probe into whether large providers may be short-changing customers with slower-than-advertised speeds. The office launched an investigation into Verizon Communications Inc, Cablevision Systems Corp and Time Warner Cable Inc in October over the issue. Schneiderman's office sent the three companies letters asking for a variety of information, including copies of any tests they have done on Internet speeds and copies of the disclosures they have made to their customers. On Sunday, Schneiderman said he wanted feedback from the public to assist with the investigation. He announced his office has created a new online broadband test on a site called Internethealthtest.org that will capture a customer's "throughput" - or the speed at which customers actually access Internet content. After the test is completed, he said he wants customers to submit a screenshot of the results and fill out an online form.


- and -

Comcast cap blunder highlights how nobody is ensuring broadband meters are accurate (TechDirt, 28 Dec 2015) - For years now we've noted that while broadband ISPs rush toward broadband caps and usage overage fees, nobody is checking to confirm that ISP meters are accurate. The result has been user network hardware that reports usage dramatically different from an ISP's meters, or users who are billed for bandwidth usage even when the power is out or the modem is off. Not only have regulators historically failed to see the anti-innovation, anti-competitive impact of usage caps, you'd be hard pressed to find a single official that has even commented on the problem of inaccurate broadband usage meters. Enter Comcast, which has, of course, been slowly but surely expanding its usage caps into more and more noncompetitive markets. And given that Comcast continues to have among the worst customer service in any U.S. industry, the combined end result is about what you'd expect. Like users who say they've been repeatedly over-billed for broadband consumption that never actually occurred: "Oleg received warnings in September and another in October, the latter while he was overseas for a multiple-week vacation with his wife. When they returned home on November 9th, Comcast's data meter was 'showing I used 120 gigs of data, like, while I was gone,' he wrote. Customers can check their usage on Comcast's website." ...Calls with Comcast customer service agents didn't clear up the problem. "I called Comcast... and was patronizingly informed that 'it must be somebody stealing your Wi-Fi,'" he wrote. "Possible, but highly unlikely. I'm a software developer, Linux kernel contributor, and I take my home security very seriously."


Kazakhstan's unsettling new cybersecurity plan (Slate, 14 Dec 2015) - One of the fun and fascinating (and sometimes frightening) things about Internet security policy is that no one has any idea how to do it well. Governments pretty much make it up as they go along, often attempting slight variations on other countries' efforts, occasionally coming up with unusual and unexpected new twists. Witness the decision by Kazakhstan earlier this month to require its citizens to install a "national security certificate" on all of their devices as of Jan. 1. Digital certificates are how we make sure that the websites we visit and communicate with are actually the websites we think they are. Kazakhstan's approach here is an odd melding of old and new policy ideas: lots of countries, including the United States, have been struggling to deal with encrypted digital communications and to provide appropriate access channels for law enforcement or intelligence officials. That is, essentially, what a mandatory certificate issued by the Kazakh government would do, by enabling government officials to execute man-in-the-middle attacks on their citizens' encrypted communications. At the same time, Kazakhstan's approach is a relatively new one, both because it seems to rely on its government issuing a certificate specifically designated for the purpose of intercepting traffic, and because it relies on individuals to proactively download that certificate onto devices. [Polley: reminds me a bit of the "Secure Hardware Environment" in Vernor Vinge's terrific SciFi novel "Rainbows End".]


In the race to open Congress's secretive think tank, a new trove of confidential research goes public (WaPo, 14 Dec 2015) - A new website is cracking open Congress's secretive in-house think tank with a free, publicly accessible archive of 33,000 research reports on public policy issues from the U.S. Postal Service to Bitcoin. CRSReports.com joins at least two other efforts to wrest the highly regarded studies by the nonpartisan Congressional Research Service from the confidential files of Senate and House lawmakers, who request the research and keep it secret unless they choose to release it themselves. "What we're doing is simply accessing publicly available websites and downloading what we think are CRS documents," said Antoine McGrath, 30, who is based in San Francisco and has a passion for digital archives. "We're casting a wide net." McGrath, who worked for the nonprofit Internet Archive, a free digital library, is collaborating on his CRS project with two software programmers who have written code that scans about 100 sites for metadata in CRS studies. The oldest one they've found dates to March 24, 1989: "The Corporate Minimum Tax: Rationale, Effects, and Issues." The new site calls itself the Internet's "largest free and public collection of Congressional Research Service reports." It has competition, from the Federation of American Scientists and the University of North Texas, both of which have amassed impressive digital libraries of CRS reports. But none of the three can claim to scrape the Internet for every one of the thousands of studies issued to members of Congress every year by experts on just about every subject that touches government. So it's a race of sleuths to do the most exhaustive scans they can, from academic sites to postings by embassies and other groups.


Half of law firms do not have a data protection committee (SC Magazine, 16 Dec 2015) - As corporations struggle to prepare against massive breaches like those that have rattled the industry over the past year, two reports by a legal competitive intelligence group shed light on how perspectives are shifting among legal professionals. The two reports, published by ALM Legal Intelligence, the competitive intelligence unit of ALM Media, explore reactions to cyber threats as voiced by law firms and corporate clients. The results demonstrated some of the conflicting cyber priorities for corporate entities and their legal teams. As the legal sector weighs the logistical challenge of preventing hacks and data breaches, charting a strategic plan is a challenge for law firms. One of the reports, "Cybersecurity and Law Firms," surveyed 69 professionals at law firms, serving in CIO (28 percent), COO (14 percent), IT director (14 percent), information security director (9 percent), CFO (7 percent) and executive director (7 percent) positions. The report found only half of the law firm professionals surveyed said their firm has a data protection team or committee in place. The report also noted that 73 percent of the professionals surveyed said their firm has a data breach plan in place, while 22 percent of the respondents said their firm is in the process of creating a plan.


- and -

A cyber attack is headed your way (ALM, 16 Dec 2015) - Talking about when to "trigger incident response" during a panel discussion, speakers at ALM cyberSecure, which brought 557 attendees to Midtown on Tuesday and was hosted by GlobeSt.com's parent company, first worked to convey to attendees the high probability of an attack. It didn't take them long. "It's virtually impossible that you won't be attacked in the next 18 months," declared panel moderator Mark Sangster, VP, marketing, eSentire. Added Richard Jacobs, assistant special agent in charge of the cyber branch, New York office, FBI, "There are still companies that don't think an attack against them is likely, but on Sept. 10th, 2001, the thought of airplanes crashing into buildings and killing thousands of people didn't seem likely either. So we need to be ready." Attorney Vince Polley, principal, KnowConnect, echoed that last thought. "The time to start planning is now." He advised professionals to first conduct a risk assessment. "Determine what you have and what you need. Evaluate using third party service providers and the rules that apply to your behavior set by industry organizations." He also suggested putting together a team of first responders. "Identify the internal team; those who will have to make a decision and take action when an incident happens. That should include people in governance, information technology, legal, press/investor relations, marketing, sales and financial systems. Don't let customers fall into the trap that IT can solve this alone; it can't." Further, Polley advised, "Pre-arrange external resources, such as law enforcement and technical tools/providers. If you've practiced and developed relationships and cues with each other beforehand, it's a lot easier, which means cheaper. Organizations that are proactive and have good incident response planning have been shown to see a shift in the costs of mitigating a breach."


Ninety percent of industries, not just healthcare, have disclosed PHI in breaches (Dark Reading, 17 Dec 2015) - Financial services companies, retailers, government agencies, take heed. You're vulnerable to breaches of personal health information (PHI) too, and someone in your sector has already suffered one, according to the first-ever Verizon Protected Health Information Data Breach Report, released yesterday. The report covers 1,900 PHI breaches and spans 20 years of security events between 1994 and 2014 (although most occurred between 2004 and 2014). Over that period, 392 million records were exposed, amounting to half the population of the United States. From those lists, researchers not only selected incidents from healthcare organizations, but also any incidents in which medical records were lost or in which an affected individual was labeled as a "patient" by the breached organization. Therefore, not all "PHI" in this report contains medical records; it might be credit card data scraped from a PoS system at a dentist's office or LAN login credentials at a hospital. And not all PHI is from healthcare organizations; it might be medical records lifted from a university clinic or a corporate wellness program. In fact, what surprised Verizon researchers the most was that unauthorized disclosures of PHI (including medical records) were happening from so many non-healthcare organizations.


Secret document exposes how the U.S. government spies on your cellphone (Mashable, 18 Dec 2015) - The Intercept has obtained a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies. The document, thick with previously undisclosed information, also offers rare insight into the spying capabilities of federal law enforcement and local police inside the United States. The catalogue includes details on the Stingray, a well-known brand of surveillance gear, as well as Boeing "dirt boxes" and dozens of more obscure devices that can be mounted on vehicles, drones, and piloted aircraft. Some are designed to be used at static locations, while others can be discreetly carried by an individual. They have names like Cyberhawk, Yellowstone, Blackfin, Maximus, Cyclone, and Spartacus. Within the catalogue, the NSA is listed as the vendor of one device, while another was developed for use by the CIA, and another was developed for a special forces requirement. Nearly a third of the entries focus on equipment that seems to have never been described in public before. The Intercept obtained the catalogue from a source within the intelligence community concerned about the militarization of domestic law enforcement. (The original is here.) A few of the devices can house a "target list" of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages. * * * Judges have been among the foremost advocates for ending the secrecy around cell-site simulators, including by pushing back on warrant requests. At times, police have attempted to hide their use of Stingrays in criminal cases, prompting at least one judge to throw out evidence obtained by the device. In 2012, a U.S. magistrate judge in Texas rejected an application by the Drug Enforcement Administration to use a cell-site simulator in an operation, saying that the agency had failed to explain "what the government would do with" the data collected from innocent people. * * *


German court orders man to destroy naked images (BBC, 22 Dec 2015) - Germany's highest court has ordered a man to destroy intimate photos and videos of his ex-partner because they violate her right to privacy. The Federal Court said the man, a photographer, should no longer possess naked photos and sex tapes, even if he had no intention of sharing them. The woman had originally agreed to the images but this consent stopped when the relationship ended, the court said. Germany has some of the strictest privacy laws in Europe. The Federal Court was called upon to rule in a dispute between a former couple, who were arguing over whether or not the man should delete intimate photos and videos. In its ruling (in German), the court said everyone had the right to decide whether to grant insight into their sex life - including to whom they grant permission and in what form. It said that by retaining the images, the photographer had a certain "manipulative power" over his ex-lover. He should no longer have rights to the photos and videos once the relationship had ended, it concluded. It is not clear how the ruling will be enforced.


Add two more states to those that have adopted duty of technology competence (Robert Ambrogi, 23 Dec 2015) - In my continuing effort to track states that have adopted the ethical duty of technology competence for lawyers, I have two more to add, one that adopted it recently and one that I missed from earlier this year: (1) Iowa adopted the rule on Oct. 15, 2015, effective immediately. Here is the rule and here is the order from the Supreme Court of Iowa; (2) Utah adopted the rule on March 3, 2015, effective May 1, 2015. Here is the rule and here is the order. Unless I've missed others, that brings the number of states that have adopted the rule to an even 20.


How does the Cybersecurity Act of 2015 change the Internet surveillance laws? (Orin Kerr, 24 Dec 2015) - The Omnibus Appropriations Act that President Obama signed into law last week has a provision called the Cybersecurity Act of 2015. The Cyber Act, as I'll call it, includes sections about Internet monitoring that modify the Internet surveillance laws. This post details those changes, focusing on how the act broadens powers of network operators to conduct surveillance for cybersecurity purposes. The upshot: The Cyber Act expands those powers in significant ways, although how far isn't entirely clear. * * *


Harvard Law Review freaks out, sends Christmas Eve threat over public domain citation guide (TechDirt, 28 Dec 2015) - In the fall of 2014, we wrote about a plan by public documents guru Carl Malamud and law professor Chris Sprigman to create a public domain book for legal citations (stay with me, this isn't as boring as it sounds!). For decades, the "standard" for legal citations has been "the Bluebook" put out by Harvard Law Review, and technically owned by four top law schools. Harvard Law Review insists that this standard of how people can cite stuff in legal documents is covered by copyright. This seems nuts for a variety of reasons. A citation standard is just a method for how to cite stuff. That shouldn't be copyrightable. But the issue has created ridiculous flare-ups over the years, with the fight between the Bluebook and the open source citation tool Zotero representing just one ridiculous example. In looking over all of this, Sprigman and Malamud realized that the folks behind the Bluebook had failed to renew the copyright properly on the 10th edition of the book, which was published in 1958, meaning that that version of the book was in the public domain. The current version is the 19th edition, but there is plenty of overlap from that earlier version. Given that, Malamud and Sprigman announced plans to make an alternative to the Bluebook called Baby Blue, which would make use of the public domain material from 1958 (and, I'd assume, some of their own updates, including, perhaps, citations that it appears the Bluebook copied from others). * * * Apparently, this sent the Harvard Law Review into a bit of a tizzy, and they made their lawyers at the big, respectable law firm of Ropes & Gray come into the office on Christmas Eve to dash off this ridiculous threat letter to Malamud and Sprigman, demanding that they not move forward with releasing Baby Blue. * * *


Google defeats copyright lawsuit over Waze data (Eric Goldman, 28 Dec 2015) - The basic copyright rule is clear: facts are not copyrightable; factual compilations can be. However, this simple rule masks considerable nuance. What is a "fact," how does it differ from "non-facts," what does it mean to "compile" facts, and when is a compilation sufficiently original to become copyrightable? These questions are more epistemological than legal, so not surprisingly, the associated legal disputes routinely baffle judges. As a result, the copyright caselaw regarding facts and compilations is confused, and confusing. These issues surfaced again in a recent case where Google defeated a copyright challenge over data used in its Waze navigation application (Google bought Waze in 2013). The plaintiff, PhantomALERT, offers a GPS-based navigational app that competes with Waze. Both apps use databases containing "the location of traffic conditions, road hazards, and traffic enforcement monitors, such as speed cameras" (what the court calls a "points of interest database"). PhantomALERT alleged that Waze ripped off its points of interest database, as evidenced by the alleged presence of fake points of interest created by PhantomALERT appearing in Waze's database. This fact pattern resembles Feist v. Rural Telephone Service, the seminal 1991 Supreme Court opinion involving the copying of telephone "white pages" data. * * * The Feist case casts a long shadow on the PhantomALERT case. The court held that individual points of interest were facts and therefore never copyrightable. PhantomALERT argued that it exercised some judgment deciding where to place each point of interest on its map and how much advance notice to give drivers about each point of interest. The court says the location decision is driven by functional considerations, which I infer means that PhantomALERT sought to be as factually precise as possible to improve the app's functionality. The court also says there's no evidence Waze copied any of PhantomALERT's judgments about where to locate the points of interest or how much notice to give drivers. But what about PhantomALERT's overall compilation of points of interest? Per basic copyright law, PhantomALERT ought to have a compilation copyright for its database as a whole. The judgments PhantomALERT made to prepare a detailed map surely are significantly more extensive than the simplistic alphabetization of white pages info. However, the compilation copyright would be "thin" in the sense that it would only prevent wholesale verbatim copying. Any other implementation shouldn't be copyright infringement because it doesn't copy PhantomALERT's original contributions. Applying these basic principles, the court says there doesn't appear to be any originality in how PhantomALERT organized the points of interest database, but PhantomALERT may have exercised enough judgment selecting which points of interest to include in the database. As evidence of PhantomALERT's editorial judgment about selecting or excluding facts, the court gave the example of how PhantomALERT may delete speed traps from its database if it believes those traps don't pose a significant risk to drivers. * * *


Report: 191M voter records exposed online (The Hill, 28 Dec 2015) - Security bloggers and researchers claim to have uncovered a publicly available database exposing the personal information of 191 million voters on the Internet. The information contains voters' names, home addresses, voter IDs, phone numbers and date of birth, as well as political affiliations and a detailed voting history since 2000. While in most states, voter registration lists are a matter of public record, many have regulations restricting access and use. For example, South Dakota requires those requesting access to voter data to confirm that the information "may not be used or sold for any commercial purpose and may not be placed for unrestricted access on the internet." Security researcher Chris Vickery discovered the breach and reported it to DataBreaches.net, which has since reached out to law enforcement, as well as the California attorney general's office. Steve Ragan, a security blogger for the security and risk management website CSO, has also investigated the breach, noting that none of the political database firms he identified and reached out to in connection with the database claimed ownership of the IP address where the files are posted.


LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Bush lets U.S. spy on callers without courts (New York Times, 16 Dec 2005) -- Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials. Under a presidential order signed in 2002, the intelligence agency has monitored the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States without warrants over the past three years in an effort to track possible "dirty numbers" linked to Al Qaeda, the officials said. The agency, they said, still seeks warrants to monitor entirely domestic communications. The previously undisclosed decision to permit some eavesdropping inside the country without court approval was a major shift in American intelligence-gathering practices, particularly for the National Security Agency, whose mission is to spy on communications abroad. As a result, some officials familiar with the continuing operation have questioned whether the surveillance has stretched, if not crossed, constitutional limits on legal searches. "This is really a sea change," said a former senior official who specializes in national security law. "It's almost a mainstay of this country that the N.S.A. only does foreign searches." Nearly a dozen current and former officials, who were granted anonymity because of the classified nature of the program, discussed it with reporters for The New York Times because of their concerns about the operation's legality and oversight. The White House asked The New York Times not to publish this article, arguing that it could jeopardize continuing investigations and alert would-be terrorists that they might be under scrutiny. After meeting with senior administration officials to hear their concerns, the newspaper delayed publication for a year to conduct additional reporting. [Editor in 2005: This is the story-of-the-decade for me; separation of powers and Article II supremacy. I'm astounded that the Times sat on it for a year. Reminds me of a senior DOD lawyer who carries a copy of the Constitution in his suit coat pocket, and pulls it out several times a day to cite Article II authority, as if there weren't two centuries of statutory, regulatory, and case-law gloss. Editor in 2015: <sigh>.]


Trojan e-mails suggest trend toward targeted attacks (Computerworld, 17 June 2005) -- A report on Trojan e-mail attacks against critical-infrastructure systems in the U.K. highlights an emerging trend away from mass-mailing worms and viruses to far more targeted ones, analysts said. The U.K.'s National Infrastructure Security Co-Ordination Center yesterday released a report (PDF format) disclosing that more than 300 government departments and businesses were targeted by a continuing series of e-mail attacks designed to covertly gather sensitive and economically valuable information (see story). Unlike with phishing and mass-mailing worms, the attackers appear to be going after specific individuals who have access to commercially or economically privileged information, the report said. The attacks involved the use of e-mails containing so-called Trojan programs or links to Web sites containing Trojan files. Once installed on a user's system, Trojans covertly run in the background and perform a variety of functions, including collecting usernames, passwords and system information; scanning of drives; and uploading of documents and data to remote computers. "The e-mails use social engineering to appear credible, with subject lines often referring to news articles that would be of interest to the recipient," the report said. "In fact, they are 'spoofed,' making them appear to originate from trusted contacts, news agencies or government departments." The report highlights how hackers are starting to tailor their attacks and go after specific high-value targets instead of simply launching mass-mailing worms and viruses, said Mark Sunner, chief technology officer at MessageLabs Ltd., a New York-based provider of e-mail security services.


NOTES

MIRLN (Misc. IT Related Legal News) is a free e-newsletter published every three weeks by Vince Polley at KnowConnect PLLC. You can subscribe to the MIRLN distribution list by sending email to Vince Polley ( mailto:vpolley@knowconnect.com?subject=MIRLN ) with the word "MIRLN" in the subject line. Unsubscribe by sending email to Vince with the words "MIRLN REMOVAL" in the subject line.

Recent MIRLN issues are archived at www.knowconnect.com/mirln . Get supplemental information through Twitter: http://twitter.com/vpolley #mirln.

SOURCES (inter alia):

1. The Filter, a publication of the Berkman Center for Internet & Society at Harvard Law School, http://cyber.law.harvard.edu

2. InsideHigherEd - http://www.insidehighered.com/

3. SANS Newsbites, http://www.sans.org/newsletters/newsbites/

4. NewsScan and Innovation, http://www.newsscan.com

5. Aon's Technology & Professional Risks Newsletter

6. Crypto-Gram, http://www.schneier.com/crypto-gram.html

7. Steptoe & Johnson's E-Commerce Law Week

8. Eric Goldman's Technology and Marketing Law Blog, http://blog.ericgoldman.org/

9. The Benton Foundation's Communications Headlines

10. Readers' submissions, and the editor's discoveries

This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

PRIVACY NOTICE: Addresses and other personal information provided during the subscription process will be kept confidential, and will not be used for any other purpose.
