Cybersecurity: Not just for biglaw and its clients (WSJ, 27 Oct 2014) – Cybersecurity is an increasingly big priority for law firms with big financial institution clients. But it can be a matter of life and death for lawyers doing pro bono work with clients in troubled countries who are battling human trafficking, terrorism and other human rights violations. The interception of sensitive documents by criminals or unfriendly governments can compromise the safety of in-country clients, and in some cases the attorneys with whom they work. “Human rights really is cloak-and-dagger,” Christina Storm, a lawyer and founder of the non-profit group Lawyers Without Borders, told Law Blog. “Lawyers put themselves at risk, and every person in-country who reaches out to us puts themselves at risk.” Ms. Storm’s group focuses on strengthening the rule of law around the world. The organization works with law firms big and small as well as solo practitioners on cases that range from electoral reform to strengthening protections for gay, bisexual and transgender people in African countries. Such work isn’t always popular. In some places, government surveillance might involve keyloggers that track communications between dissidents and their lawyers. Confidential documents that fall into the wrong hands can expose both sides to danger, Ms. Storm said, adding, “Their safety is important to us.” Lawyers Without Borders takes some of its security cues from the big law firms it works with, such as Reed Smith LLP and Linklaters, whose corporate and financial clients require myriad steps to prevent hackers from accessing confidential information. At one point the organization tried using encrypted email, but the program was so cumbersome that people abandoned it because it was hard to use. Another document management system ended up being accessed by authorities in an unfriendly country, and the whole thing had to be scrapped.

 

Provided by MIRLN.


Would a new crime of “willful refusal to comply with a decryption order” be the best answer to the device decryption puzzle? (Orin Kerr, 17 Oct 2014) – FBI Director James Comey spoke Thursday at Brookings about the FBI’s concerns with how encryption can frustrate search warrants in lawful investigations. The scope of Comey’s remarks goes beyond Apple’s new iOS8 operating system design, but much of it focused on the question of device encryption raised by Apple’s new policy. I wanted to focus on one aspect of Comey’s remarks, the question of whether the government can get access to the contents of encrypted devices directly from a suspect in a criminal case. Here’s Comey: “Finally, a reasonable person might also ask, “Can’t you just compel the owner of the phone to produce the password?” Likely, no. And even if we could compel them as a legal matter, if we had a child predator in custody, and he could choose to sit quietly through a 30-day contempt sentence for refusing to comply with a court order to produce his password, or he could risk a 30-year sentence for production and distribution of child pornography, which do you think he would choose?” I think Comey is wrong that the Fifth Amendment is a “likely” barrier in the cell phone context, because in most of the typical cases, when the government knows who is the owner of the phone, the Fifth Amendment shouldn’t be a problem. But let me put that issue aside for now and focus instead on the rest of Comey’s comment, and specifically his concern that the punishment for refusing to comply with a court order to produce a password would be so low that the bad guys will just make a rational decision to take the lesser contempt punishment. * * *

 


The number of industries getting classified cyberthreat tips from DHS has doubled since July (NextGov, 20 Oct 2014) – Firms from half of the nation’s 16 key industries, including wastewater and banking, have paid for special technology to join a Department of Homeland Security program that shares classified cyberthreat intelligence, in hopes of protecting society from a catastrophic cyberattack. Participation in the Enhanced Cybersecurity Services initiative has more than doubled during the past few months. Through the voluntary program – previously exclusive to defense contractors – cleared Internet service providers feed nonpublic government information about threats into the anti-malware systems of critical sector networks. As of July, only three industries – energy, communications and defense – were using the service, according to an unfavorable DHS inspector general audit. Now, befitting National Cybersecurity Awareness Month, Homeland Security officials say the financial, water, chemical, information technology and transportation sectors also are receiving the threat indicators. Just two months ago, American Chemistry Council officials said they had never heard of the program. The service has been available since 2013.

 


If you don’t agree to the new Wii U EULA, Nintendo will kill-switch it (Cory Doctorow on BoingBoing, 18 Oct 2014) – When you bought your Wii U, it came with one set of terms-of-service; now they’ve changed, and if you don’t accept the changes, your Wii seizes up and won’t work. That’s not exactly what we think of when we hear the word “agreement.” Yet this is how Nintendo’s update to its end-user license agreement (EULA) for the Wii U works, as described by YouTube user “AMurder0fCrows” in this video. He didn’t like the terms of Nintendo’s updated EULA and refused to agree. He may have expected that, like users of the original Wii and other gaming consoles, he would have the option to refuse software or EULA updates and continue to use his device as he always had before. He might have to give up online access, or some new functionality, but that would be his choice. That’s a natural consumer expectation in the gaming context – but it didn’t apply this time. Instead, according to his video, the Wii U provides no option to decline the update, and blocks any attempt to access games or saved information by redirecting the user to the new EULA. The only way to regain the use of the device is to click “Agree.”

 


Law firms face cybersecurity audits by banking clients; are they a ‘weak link’? (ABA Journal, 27 Oct 2014) – Banks are increasingly scrutinizing their law firms’ cybersecurity efforts, including the law firms’ protection of confidential information released to vendors such as word-processing firms and print shops. The law firms are increasingly facing on-site technology audits by banks, even as the banks themselves face cybersecurity pressures from regulators, the Wall Street Journal (sub. req.) reports. Just last week, New York’s Department of Financial Services sent letters to dozens of banks asking about protections for information sent to third-party vendors such as law firms and accounting firms, according to a separate story by the Wall Street Journal (sub. req.). “Law firms increasingly are seen as potential weak links,” the Wall Street Journal says. “Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.” The story cites information from an American Bar Association technology survey that found 14 percent of the respondents had experienced some type of security breach or theft this year. But only 1 percent said the breach resulted in unauthorized access to sensitive client data. The Wall Street Journal spoke with Goodwin Procter’s chief information officer, Lorey Hoffman, who works with examiners sent by clients who want to know about data protection. The firm also hires its own auditors to check its cybersecurity. “It’s a lot more than just checking a box,” Hoffman said of the firm’s response to client security questions.

 


Florida Supreme Court rules warrants a must for real-time cell location tracking (SC Magazine, 20 Oct 2014) – In a ruling that Electronic Frontier Foundation (EFF) staff attorney Hanni Fakhoury believes will be “cited a lot by EFF” and other privacy advocates, the Florida Supreme Court has said that law enforcement agencies must have a warrant to obtain cell phone location information that they need to track a user’s location in real time. The decision by Florida’s highest court adds to the “growing chorus of courts” finding that location information is private, Fakhoury told SCMagazine.com Monday. The case, Tracey vs. Florida, made its way to the Supreme Court after police obtained cell tower data from a provider without a warrant to track the movements in real time of suspected drug dealer Alvin Tracey and used that information to elicit a conviction from a criminal court. Officers “obtained an order authorizing the installation of a ‘pen register’ and ‘trap and trace device’ as to Tracey’s cell phone,” which records outgoing and incoming telephone numbers, respectively, the Florida Supreme Court decision noted. But later, without obtaining a warrant or providing additional “factual allegations,” the officers “used information provided by the cell phone service provider” under an earlier order. The information provided “included real time cell site location information given off by cell phones when calls are placed.” * * * Citing Fourth Amendment protections as well as Supreme Court precedent in several cases, including Katz v. United States, the Florida Supreme Court quashed the Fourth District Court ruling, noting that smartphones “are ubiquitous and have become virtual extensions of many of the people using them for all manner of necessary and personal matters,” which makes a “phone’s movements its owner’s movements, often into clearly protected areas.”

 
