Introducing MIRLN: miscellaneous IT-related legal news

MIRLN (Miscellaneous IT-Related Legal News) is a free e-newsletter that began in 1997. It is delivered every 3 weeks to members of the American Bar Association’s Business Law Section via Business Law Today and to other members. MIRLN has about 2,000 individual subscribers; 2 of which were former Attorney Generals of the United States.

About Know Connect:

Vincent I. Polley acquired his Bachelor’s Degree in Mathematics from Harvard and his Law degree from the University of Michigan.

In 2006 and 2007, he co-chaired the Information Technology and Security Law practice group at the Dickinson Wright PLLC law firm. He helped clients prevent, plan, and effectively manage IT-related security and privacy problems. Since he was an expert in the area, he oversaw the firm’s specialized law IT assistance such as privacy and e-contracting.

Polley was co-chair of the ABA Commission on Second Season of Service, and served on the Advisory Commission for the ABA World Justice Project and the Council of the ABA’s Section of Business Law.  He’s a former member of the ABA’s Standing Committee on Law and National Security, former chair of the ABA’s Standing Committee on Technology & Information Systems, and the immediate past-chair of the ABA’s Standing Committee on CLE. Polley currently chairs the ABA Content Convergence Working Group, and is the member of the Editorial Board for the ABA Journal.

Since 1997, Polley continuously publishes posts for the Internet Law blog, MIRLN.

Subscribe to MIRLN: Send email to Vince Polley with the word “MIRLN” in the subject line.

MIRLN is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

Contact Information:

E-mail: info@knowconnect.com

Skype: vpolley

Twitter: @vpolley

Article via KnowConnect

Photo: Moo cards for blogging workshop via Steve Bridger [Creative Commons Attribution-NonCommercial-NoDerivs]

 

 


FBI hack to remain secret from Apple

The FBI has no plans to reveal how they hacked the San Bernardino shooter’s iPhone, not even to Apple.

In March, the FBI announced that they would be dropping their case with Apple after having purchased a hacking tool from a third party to aid in breaking into the phone. Apple had cooperated with the FBI, but would not create new firmware to break their own encryption. The high profile nature of this case brought the debate about privacy and security to the national stage. Although there was a judge assigned to rule on the case, the FBI’s purchasing of a hacking tool put the need for a ruling to bed.

Since then, the FBI has been mum on how this hacking tool was able to be successful and how it works. Prior to purchasing the tool, the FBI insisted that it needed Apple to update the firmware in order for them to do a hack on the shooter’s iPhone. The security on iPhone only allows 10 consecutive attempts to break the passcode before all data is erased on the phone.

Apple has a vested interest in understanding the hack, because the tech company would want to patch any vulnerabilities that allowed the FBI to use this tool to access the iPhone.  Hacking into this iPhone will make all iPhones vulnerable to the same sort of attack, which ultimately puts many iPhones around the world at risk.

An Apple attorney has stated that the company has no plans to sue the government to reveal how the San Bernardino iPhone was unlocked.

The government already has policies in place, called theVulnerabilities Equities Process, which governs disclosure of security problems to companies. This policy is notoriously shrouded in secrecy, but the government is generally supportive of vulnerability disclosure in order to ensure that vulnerabilities are not exploited by malicious hackers.

The FBI has found success with this tool, but it doesn’t mean that they are in a place to support vulnerability disclosure. The agency has already made plans to argue that it does not know enough about the hacking tool that it purchased to substantively explain how it works. FBI director James Comey has revealed that his agency spent more than $1 million to obtain the tool.

Article via TechCrunch, 26 April 2016

Photo El FBI no necesita a Apple para desbloquear un iPhone by iphonedigital [Creative Commons Attribution-NonCommercial-NoDerivs]

 


ODR2016: Our Mindfulness Moment at the Peace Palace

As the ODR industry prepares to gather for its fifteenth annual meeting of the minds in the Hague, Netherlands, we do so at a time when the future of technology-enabled dispute resolution appears very bright.  Governments are embracing (and in some cases mandating) ODR as an effective tool; ODR-specific business are emerging and growing faster than ever; and better and more powerful tools are becoming available for individuals, consumers, businesses, and the courts.  But during these halcyon days, it is more important not to forget where we have come from, and, perhaps more importantly, where it is we want to go.

As I recently wrote with several colleagues, “[t]he problem for the legal community is that these changes will happen whether we help shape them or not.  All users of the Internet acting together will begin to define organic norms for online interaction as they continue to communicate, trade and sign agreements.  The justice layer will form on its own.  If we want to do more than witness the process unfold, we must consciously and actively build the justice layer of the Internet.”  In other words, we need to be the change we envision.  And, in our time together at the Peace Palace as we embrace the potential for a peaceful world and a future embodied by relationships that foster a more mindful and empathetic civilization, we must rise to the challenge not only for ourselves, and our industry, but for the world as a whole.

Mindfulness, or the practice of being aware of the present moment, has been all the rage in Silicon Valley for a few years now, with many of the largest tech companies integrating its practices into their workplace cultures.  As I approach ODR 2016, here are a few of the mindfulness moments on my mind:

1We are not alone in this journey – but know the intentions of your partner.  The ODR community has grown significantly, and although many of the same faces from the first conferences will be in attendance at the Hague, there are many who have never attended, but nevertheless are doing work which directly correlates with our own.

One of the most obvious connections is with the artificial intelligence field, with an example being Facebook’s recent implementation of chatbots onto its Messenger platform.  Although chatbots are not a new phenomenon, the technology is quite significant for the ODR field, and its application to a platform as ubiquitous as Facebook has vast implications.  The technology, which takes your personal information as well as all of the knowledge of the internet and applies natural language processing, AI, and human assistance as necessary, has the potential to be, as Facebook hopes, a personal shopper or customer service representative for one of its many advertisers.  For many of us, however, ceding the territory of personal choice as to what we see and experience to corporate developers, is something that should be a choice, not a given. Will we continue to use new technologies without thinking about anything more than the convenience their use brings to our lives?

At  the last year’s  ODR 2015 at Pace University Law School, I had the chance to meet Doc and Joyce Searls, and start a conversation about shifting the balance of power from corporations who presently have the power to shape and decide what technologies we use, to all of us.  I teach a course in Global Cyberlaw, and, the first lesson of my class is that the “Terms of Service” that corporations ask us to “click” and “accept” shift our power of choice from all of us to them.  We do this intentionally, because it is convenient, and we want to use their technology.  But it certainly isn’t a “mindful” choice.  Because we are the same population who complain about the invasions of privacy and surveillance that accompany “mindless” clicks and accepts that result in the aggregation of huge data mine stores about us attract hackers from all corners of the earth.

For the ODR field, we could work to shape this new technology.  It could be our opportunity to make the new technologies such as “chatbots” our personal advocates.  Chatbots, and related technologies could provide every citizen with information relevant to their dispute, advising  them of  their rights, and suggesting potential opportunities for compromise.  The developers of these sorts of tools may not know about the work of ODR2016, but they should, and we should strive to work with them in the future.

2. We must learn from the failings of the old.  Replicating systems of yonder years into the digital world is not changing the system.  It is saving trees.  One example that is mind boggling is the almost 20 years it has taken for e-filing to make its way to the courts.   And yet, e-filing is still a relatively new phenomenon in many US state courts.  Far from transformational, e-filing is just connecting a fast electronic pipe to the brick and mortar courthouse.  Though the filing has been digitized, access to the courthouse itself has not changed.   In the US, the World Justice Project rankings have dropped the US down to 21st in world rankings for access to justice.  And, this ranking only reflects access to formal justice systems such as courts and other government institutions.  Most people don’t think of ‘justice’ in this way.  In fact, the American Bar Foundation points out in a recent research study that 75% of Americans with justiciable concerns don’t even reach out to lawyers, courts, and government as the first stop to address their concerns.

This is our opportunity to think creatively to solve the problems that have plagued our courts for years and have deprived those most in need of assistance in finding what is fair.  This is also an opportunity to change the culture and outside perceptions of lawyers, judges, and the courts.  For too long, the law has been perceived, both rightly and wrongly, as a tool of the haves, and a means of subjugation of the have nots.

To change this perception will require very difficult choices, most notably with regards to sourcing resources for further research and development.  If ODR systems are developed (or paid for) by the very entities which have a stake in the outcomes, how will the public perceive these systems?  Or in a worst case scenario, will we be merely creating modern contracts of adhesion or rigged binding arbitration clauses with digital procedures added for good measure?  But if the resources of interested parties are not used, will these systems ever be built to scale?  I suspect that a middle ground will be necessary, one which emphasizes the importance of established best practices and standards, independent neutrals and regulators, and transparency in design and outcomes.

3. Technology alone is not the answer.  Rule of Law is not an algorithm.  The efficiencies and economies of scale of technology are undeniable, but the human touch is irreplaceable.  For all the bots and lines of code, there is no comparison to an empathetic ear, the patience of reassuring counsel, or the tone of a reproaching or sympathetic judge.  I am not so naive to think that if large-scale dispute resolution systems are to be implemented, less direct human interaction will be required, but to the degree that we do not accept this as a given, and that we constantly strive to deliver tools and resources that cater to our humanity and uniqueness, the better off, and more successful, this industry will be.

InternetBar.org Institute, Inc.  19 April 2016
Photo: World Wide Web  by Ai.Comput’In [Creative Commons Attribution-NonCommercial-NoDerivs]


Panel: U.S. government sending mixed encryption messages

Privacy professionals are saying the U.S. government is sending mixed encryption messages to technology companies. They build privacy and security by design in products and services, but leave them open to backdoor access by default. This issue became more prominent after an argument whether the Federal Bureau of Investigation (FBI) can force Apple, Inc. to unlock an iPhone used by one of the shooters involved in the San Bernardino terrorist attack.

On Feb. 16th, a federal judge ordered Apple to provide the FBI with software to disable the security feature that auto-erases the phone’s data after multiple incorrect attempts to enter the pass code. Demetrios Eleftheriou, Symantec Corp. global privacy director said, “It just seems like there’s a bit of an inconsistent message from the government. We have law enforcement on the one end saying you build back doors, they want broken by design.”  On the other end are “the regulators saying you have to incorporate security by default, privacy by default in the product,” he said.

Eleftheriou asserts that the U.S. government needs to consider if their ambivalent stance on consumer encryption is compatible with the new European Union General Data Protection Regulation requirements for privacy by design and security by default. “A weakness is a weakness. It can be exploited by anybody.”

Will DeVries, Google Inc. privacy counsel said companies “want the process to be really clear, really defined and based on principles that we can apply globally to our services that actually make sense and keep us all safe.”DeVries believes the argument against accessing a terrorist’s phone is just one “red herring”. “We’re actually worried about the precedent of saying can you ask a tech company to undermine the security of devices that’s out in the public, not just for the device they’re talking but a security flaw that then can be used on any device,” DeVries said.

Companies can be ordered to assist with law enforcement to get at some data, Chris Jay Hoofnagle, member of the advisory board of Bloomberg BNA’s Privacy & Data Security Law Report, said. “Obviously, what makes this situation so dangerous and difficult is that the work the government would like Apple to do could be used prospectively and could be used to erode privacy and security in devices generally,” Hoofnagle said. The technology industry is at this point in time now where the devices can outsmart these forensic appliances so whatever happens paves the way for the future of device security.

Hoofnagle sees that this tinkers with the Fourth Amendment. “We might come to a world in the U.S. where we basically have different Fourth Amendment standards for the terrorism case where maybe we do feel as though the phone should be unlocked versus other types of crimes that aren’t as serious.”

Article via Bloomberg BNA, February 19, 2016

Photo: System Lock via Yuri Samoilov


Fight for your right to fix

The Repair Association is fighting the manufacturing industry for your “right to repair everything.”

Today, with big corporations dominating the manufacturing industry, it is typically difficult for consumers to find specific parts to fix any kind of technology. The Repair Association is an organization hoping to help make the parts accessible to everyone.

With groups like iFixit, Fixer’s Collective, and the Electronic Frontier Foundation, the association is asking manufacturers to sell tech parts along with instructions on how to fix the product without professional help needed.

“A free, independent market for repair and reuse is more efficient, more competitive, and better for consumers,” the association writes on its website. “Repair helps create local jobs, and repair and reuse benefits the environment by reducing end-of-life electron products.”

Apart from the demands for the manufacturing industry, the association also aims to amend the Digital Millennium Copyright Act to address the growth of a self-taught consumer base.

Not only does iFixit sells repair parts, but the company also provides online guides for individuals seeking to fix their appliances independently. But due to Section 1201 of the DMCA’s “anti-circumvention” provision, people are not allowed to tamper with technology that has copyrighted software.

“Under U.S. copyright law, you’re not allowed to modify protected software or look at it—even for the purpose of repair,” Kyle Wiens, CEO of iFixit says. “Manufacturers are using other parts of copyright law to restrict outside access to service manuals, schematics, and repair instructions. They are developing an unfair monopoly over the aftermarket of their goods.”

As unjust as it is, the monopoly is defended by lawyers and lobbyists, says Wiens. The Repair Association is needed to represent repairmen, women, local business, to fight for their right to repair.

“We aren’t just fighting for your right to repair smartphones and computers—we are fighting for your right to repair everything,” Wiens says.

Article via Good, 4 February 2016
Photo: Mobile Butchery by Meena Kadri [Creative Commons Attribution-NonCommercial-NoDerivs]


Oracle pulls plug on Java browser plug-in

Oracle announced earlier last week its decision to cut the Java browser plug-in. It will not be included in the next version of the kit for Java developers. This plug-in had been a frequent target of hackers and decision to remove was fueled by the browser maker’s withdrawal of support for the plug-in.

Oracle did realize that plug-ins have become unwanted in a tech world that has become increasingly mobile. In a release they stated “the rise of web usage on mobile device browsers, typically without support for plugins, increasingly led browser makers to want to restrict and remove standards based plugin support from their products, as they tried to unify the set of features available across desktop and mobile versions.”

Jim McGregor, lead analyst at Tirias Research, said that Google and Microsoft have already left out the Java plug-in. “It’s an evolution of the software environment,” he told TechNewsWorld. “Plug-ins were great when we were first trying to enable multimedia features at websites, but the way that things are programmed now, they’re more a security hazard than a benefit.”

Plug-ins are closely related to browser extensions. They were initially created to allow non-HTML content to be viewed from within the browser. Something like a PDF could be viewed right from the browser instead of a different program opening up.  This won’t affect many consumers but businesses could be impacted.

Overall, the purpose of this is to improve security. Simon Crosby, CTO at Bromium said this is “a good-step forward.” Craig Williams, senior technical leader at Cisco’s Talos Security Intelligence and Research Group told TechNewsWorld “by removing plug-ins from the browser, we remove this attack surface, making all users more safe from both known and unknown zero-day vulnerabilities.” Pulling the plug means developers will have to move any apps that use it to another technology.

Article via TechNewsWorld, January 30, 2016

Photo: oracle via Dave [Creative Commons Attribution-NonCommercial-NoDerivs]