Thursday, November 14, 2013

It's a target that eventually offers personal information on hundreds of millions of Americans. Are they surprised to learn it's a target?
The Chicago Tribune reports:
U.S. authorities are investigating a series of cybersecurity incidents targeting the website at the center of President Obama’s healthcare law, a U.S. homeland security official told Congress on Wednesday.
Roberta Stempfley, acting assistant secretary of the Department of Homeland Security’s Office of Cybersecurity and Communications, said her department was aware of “about 16″ reports from the Department of Health and Human Services – which is responsible for implementing the healthcare law – on cybersecurity incidents related to the website.
Testifying before the House of Representatives Homeland Security Committee, Stempfley also said officials were aware of an unsuccessful attempt by hackers to organize a “denial of service” attack to overwhelm and take down the website.
Read more on the Chicago Tribune.

If it's an elected official, all bets are off.
From, we learn:
Montana has a constitutional right to privacy and right to know. The Montana Supreme Court concludes that lower level employees disciplined for viewing pornography on city time on city computers had a reasonable expectation of privacy not to be publicly disclosed, and disclosure of their identities was not in the public interest. [That alone should be sufficient. Bob] The Fourth Amendment reasonable expectation of privacy analogy was not apt because of the state privacy protection. Billings Gazette v. City of Billings, 2013 MT 334, 2013 Mont. LEXIS 455 (November 8, 2013)*:
Read an excerpt from the ruling on

The deck is truly stacked, thinking thoughtful thoughts won't help?
Orin writes:
DOJ has filed its brief in the Lavabit appeal before the Fourth Circuit. I blogged at length on Lavabit’s brief, so I thought I would offer a few thoughts on DOJ’s brief:
1) In general, it’s a solid brief. It’s going to be extremely unpopular in the IANAL computer nerd world, obviously, but it’s mostly pretty solid on the law.
2) DOJ brings up some provocative facts not found in the Lavabit brief that are not going to help Lavabit before the Fourth Circuit judges.
Read more on The Volokh Conspiracy, while I ponder whether Orin includes me in the “IANAL computer nerd” reference.

Interesting idea: legal justification!
Google, Microsoft, and LinkedIn are requesting oral argument on their motion to be able to be more transparent with users about government requests for user information.
Indeed, they seem to have really come out swinging in response to the government’s September 30th response and declaration, which were submitted ex parte and in camera, with the plaintiffs only getting a highly redacted version of the response.
The tech giants are asking the court to strike all the redacted sections, or in the alternative, to give them greater access to the material so they are fighting this on a level playing field. In their argument, they note that there must be a legal justification for the government to prohibit providers from sharing the data they have already been entrusted with (i.e., the number of orders), and the government has failed to provide that legal justification in the redacted materials available to them.

Something strange here. Granted the defendants exposed the data, but were they specifically targeted or were the police looking at ALL P2P traffic? The article suggests the latter...
Jaikumar Vijayan reports:
There can be no expectation of privacy in data exposed to the Internet over a peer-to-peer file-sharing network, a federal judge in Vermont ruled in a case involving three individuals charged with possession of child pornography.
The three men had argued that police illegally gathered information from their computers using an automated P2P search tool and then used that information to obtain probable cause warrants for searching their computers. Each of the defendants was later charged with possession of child pornography based on evidence seized from their computers.
Read more on Computerworld.
[From the article:
The defendants contended that the initial use of the automated P2P search tool to gather information on the contents of their computers, constituted a warrantless search of their systems. They maintained that police violated Fourth Amendment provisions against unreasonable search by looking at private files on each of their systems using the P2P search tool.
They also argued that several of the statements made by investigators to show probable cause for the search warrants were based on incorrect information.
In a 39-page ruling released Friday, District Court Judge Christina Reiss denied the motion to suppress and held that the defendants had essentially given up privacy claims by making the data publicly available on the Internet over a P2P network.
"The evidence overwhelmingly demonstrates that the only information accessed was made publicly available by the IP address or the software it was using," Reiss wrote. "Accordingly, either intentionally or inadvertently, through the use of peer-to-peer file sharing software, Defendants exposed to the public the information they now claim was private."
The ruling is similar to ones reached by other courts in disputes involving documents exposed on the Internet via peer-to-peer networks. Courts in the 11th Circuit, 10th Circuit and 8th Circuit have all held that there can be no expectation of privacy if the contents of a computer can be accessed freely over the public Internet via a file sharing network.

Interesting. So if (hypothetically) someone did something slightly evil and it was traced back to a certain computer law professor, he could show harm. If thousands of victims have their life savings threatened, they can't?
KATU reports from Clackamas County, Oregon:
A woman who fought to clear her name after her identity was stolen and she was arrested for crimes she did not commit won a lawsuit against the county and has been awarded over $100,000 in damages.
Kimberly Fossen’s story began nearly a decade ago when she lost her purse. She was quick to cancel her credit cards and get new identification, but another woman took her identity and racked up arrests under her name in Miami-Dade and Broward counties in Florida.
Read more on KATU.
Over the years, I’ve read a number of reports of ID theft victims being arrested for crimes they did not commit, despite their best efforts to notify everyone of their victim status and/or despite obtaining documentation to show law enforcement that they are an innocent victim. It’s nice to see law enforcement held accountable for not doing their due diligence before arresting and holding an ID theft victim.

Follow-up to Tuesday's blog post, where they claimed the network wasn't being used.
Following up on a concerning report out of Seattle this week, Brendan Kiley and Matt Fikse-Verkerk report:
The Seattle Police Department just announced that it has begun the process of deactivating its wireless mesh network, a powerful tool for sending vast amounts of data that also has powerful surveillance potential. In theory, the network (built by a California-based company called Aruba Networks) could track and indefinitely log the movements of any wireless device with a MAC address (phones, laptops, tablets) that moves through its coverage area.
The possibility of a police department creating a historical digital map of the city, or using such a system for real-time locating of individuals, without governmental or civilian oversight has some serious implications.
The mesh network, as The Stranger reported this week, was quietly purchased with grant money from the Department of Homeland Security and whisked through the Seattle City Council without any serious process of review and approval.
But, SPD spokesperson Sgt. Sean Whitcomb said this evening, “The wireless mesh network will be deactivated until city council approves a draft policy and until there’s an opportunity for vigorous public debate.” Chief Jim Pugel gave the order to begin the deactivation process today.
Read more on The Stranger.

After all that effort, this is what they came up with?
FAA Releases Drone Roadmap, Privacy Not Required for Test Sites
by Sabrina I. Pacifici on November 13, 2013
EPIC – “In a press release, the Federal Aviation Administration announced the “roadmap” for the integration of drones into domestic airspace. After considering numerous public comments on the privacy impact of aerial drones, the FAA proposed a regulation that requires test site operators to develop privacy policies but does not require any specific baseline privacy protections. The FAA rulemaking came about in response to an extensive petition submitted by EPIC, broadly supported by civil liberties organizations and the general public. EPIC urged the agency to require adherence to the Fair Information Practices, disclosure of data collection and minimization practices, and independent audits. For more information, see EPIC: Domestic Unmanned Aerial Vehicles (UAVs) and Drones.”

So, they want to return to using dial-up modems on the hard wired phone system?
Report – Telecoms plan shielded European Internet
by Sabrina I. Pacifici on November 13, 2013
Via Deutsche Welle: ”Deutsche Telekom says the scandal over US and British eavesdropping has prompted German providers to contemplate an inner-German or inner-European Internet. Data would no longer be routed and stored via other continents. Germany’s state-backed Telekom confirmed on Sunday that German providers were discussing an Internet confined within Europe’s “Schengen” countries. One project code-named “Clean Pipe” would help firms to fend off industrial spies and hackers. Schengen is the Luxembourg border town where in 1985 EU nations initiated a visa-free zone that now encompasses 26 European countries but excludes Britain. A Telekom spokesman told the German news agency DPA that talks were taking place with “diverse, likely partners.” The project would be unveiled on Monday at an information technology (IT) conference in Bonn. According to the news magazine Der Spiegel, Telekom managers see fewer technical setup problems than IT experts had at first anticipated. Germany already has a project entitled “E-Mail made in Germany” in which Telekom, United Internet and Freenet handle messages inside the national border.”

A question for my lawyer friends. If I can show you cases with a high probability of a large settlement, would you send the victims appropriately threatening letters? Oh, wait, the RIAA already has law firms that do that.
Lawyering in the Shadow of Data
by Sabrina I. Pacifici on November 13, 2013
Lawyering in the Shadow of Data, Drury D. Stevenson - South Texas College of Law; Nicholas J. Wagoner - South Texas College of Law Alumni. September 12, 2013
“Attorney bargaining has traditionally taken place in the shadow of trial, as litigants alter their pretrial behavior — including their willingness to negotiate a settlement — based on perceptions of likely outcomes at trial and anticipated litigation costs. Lawyers practicing in the shadow of trial have, in turn, traditionally formed their perception of the likely outcome at trial based on their knowledge of case precedents, intuition, and previous interactions with the presiding judge and opposing counsel in similar cases. Today, however, technology for leveraging legal data is moving the practice of law into the shadow of the trends and patterns observable in aggregated litigation data. In this Article, we describe the tools that are facilitating this paradigm shift, and examine how lawyers are using them to forecast litigation outcomes and reduce bargaining costs. We also explore some of the risks associated with lawyering in the shadow of data and offer guidance to lawyers for leveraging these tools to improve their practice. Our discussion pushes beyond the cartoonish image of big data as a mechanical fortuneteller that tells lawyers who will win or lose a case, supposedly eliminating research or deliberation. We also debunk the alarmist clich├ęs about newfangled technologies eliminating jobs. Demand for lawyers capable of effectively practicing law in the shadow of data will continue to increase, as the legal profession catches up to the data-centric approach found in other industries. Ultimately, this Article paints a portrait of what big data really means for attorneys, and provides a framework for exploring the theoretical implications of practicing law in the era of big data.”

Making research easier?
64 Federal Courts Now Publish Opinions on FDsys
by Sabrina I. Pacifici on November 13, 2013
News release: “A project providing free online access to federal court opinions has expanded to include 64 courts. The federal Judiciary and the Government Printing Office partner through the GPO’s Federal Digital System, FDsys, to provide public access to more than 750,000 opinions, many dating back to 2004. The Judicial Conference approved national implementation of the project in September 2012, expanding participation from the original 29 courts. FDsys currently contains opinions from 8 appellate courts, 20 district courts, and 35 bankruptcy courts. Federal court opinions are one of the most heavily used collections on FDsys, with millions of retrievals each month. Opinions are pulled nightly from the courts’ Case Management/Electronic Case Files (CM/ECF) systems and sent to the GPO, where they are posted on the FDsys website. Collections on FDsys are divided into appellate, district or bankruptcy court opinions and are text-searchable across courts. FDsys also allows embedded animation and audio – an innovation previously only available with opinions posted on a court’s own website or on the Public Access to Court Electronic Records (PACER). While the public already can view federal court opinions for free on PACER, the FDSys project presents just another way to make court-related information more accessible to the public.”

No comments: