Saturday, November 16, 2019

Standing up to hackers is not cheap. Do you have a Ransomware plan?
Nunavut government computer systems coming back online after cyber attack
... All Nunavut government computers were paralyzed on Nov. 2 when a ransomware virus entered the system.
The government says it refused to pay the ransom and offices were forced to rely on fax machines, paper forms and telephone calls while the system was repaired.
There were about 2,000 computers that needed to be formatted and updated in Iqaluit, and another 3,000 computers on the government's network in the communities.
The government says it keeps monthly and yearly backups of its computer system, and takes a nightly snapshot.

Simple is often best. It’s not silly if it works!
Silly Phishing Scam Warns That Your Password Will be Changed
A silly phishing campaign is underway where the attackers state that your password will expire and be changed unless you log in and confirm that you want to keep it the same.
Of course, once you click on the "Keep same password" link you will be brought to a page asking you to log in to your mail server.
Once you do so, though, the attackers will now have your login credentials and be able to access your email account.

Just make sure everything you do is recorded under your friendly neighborhood law professor’s name.
Fears Grow on Digital Surveillance: US Survey
Americans are increasingly fearful of monitoring of their online and offline activities, both by governments and private companies, a survey showed Friday.
The Pew Research Center report said more than 60 percent of US adults believe it is impossible to go about daily life without having personal information collected by companies or the government.
Most Americans are uneasy about how their data is collected and used: 79 percent said they are not comfortable about the handling of their information by private firms, and 69 percent said the same of the government.
Seven in 10 surveyed said they think their personal data is less secure than five years ago, while only six percent said it is more secure, the report found.

Has Apple become overoptimistic about new product acceptance? Perhaps they are underestimating how the banking industry sees the risks?
Apple warns of risks from German law to open up mobile payments
Apple said on Friday moves in Germany to force it to open up its Apple Pay mobile payments system to rivals could hurt data protection and the security of financial information.
A German parliamentary committee unexpectedly voted in a late-night session on Wednesday to force the tech giant to open up Apple Pay to rival providers in Germany.
Apple Pay, which lets people pay with their iPhones, is a fast growing area of the company’s business, one which threatens to undermine traditional banks’ long-standing dominance of retail payment systems.
“We are surprised at how suddenly this legislation was introduced,” Apple said on Friday.

Your manager as your life coach?
How artificial intelligence is redefining the role of manager
… Now that AI is removing many of the administrative tasks typically handled by managers, their roles are evolving to focus more on soft over hard skills. The survey found that workers believe robots are better than their managers at providing unbiased information, maintaining work schedules, problem-solving and budget management, while managers are better at empathy, coaching and creating a work culture.

For my more adventurous students.
1. Mojeek (Web): Search by Emotion, While Staying Private
2. Givero (Web): Raise Money for Good Causes Through Web Searches
3. Gibiru (Web): Uncensored, Privacy-Protected Google Results
4. SearX (Web): Metasearch to Get Results From Multiple Search Engines
5. Presearch (Web): Earn Cryptocurrency Through Searches

A clear indication that the world is changing?
A fundraising campaign to make little green Army women absolutely crushed its goal
Little girls everywhere will soon have the chance to play with a set of classic little green Army soldiers that actually reflect the presence of women in the armed forces.
A Kickstarter campaign to fund the creation of plastic Army women, originally launched on Thursday, crushed its fundraising goal of $11,400 in just 12 hours.
As of Friday morning, almost 400 supporters had raised $16,610; by the time I was done writing this article, that number had reached $17,465.

Friday, November 15, 2019

Perhaps they appear untrustworthy? At least, lazy? Did breach-free companies outperform the market?
Companies That Experience a Data Breach Will Underperform the Stock Market Over the Long Run
Data breaches at the world’s largest corporations are becoming a commonplace affair, but are investors on Wall Street really paying attention? A new study from UK-based pro-consumer website Comparitech looked at the recent stock market performance of 28 different companies that recently suffered a massive data breach of some kind (defined as a breach impacting 1 million or more customer records), in order to see whether investors were punishing these companies for their data privacy lapses. The overall picture that emerges is that these companies underperform the stock market over the long run – but not by as much as you might think.

Suppose Google determines that people who eat product X and wear product Y never get cancer. Would that be worth sharing the data?
Google’s Totally Creepy, Totally Legal Health-Data Harvesting
… Google has gone from a basic digital reference book to a multibillion-dollar player in the health-care industry, with the potential to combine medical and search data in myriad alarming new ways. Earlier this month, it announced its $2.1 billion acquisition of the wearables company Fitbit, and suddenly the company that had logged all our late-night searches about prescriptions and symptoms would potentially also have access to our heart rates and step counts. Immediately, users voiced concern about Google combining fitness data with the sizable cache of information it keeps on its users.
Google assured detractors that it would follow all relevant privacy laws, but the regulatory-compliance discussion only distracted from the strange future coming into view. As Google pushes further into health care, it is amassing a trove of data about our shopping habits, the prescriptions we use, and where we live, and few regulations are governing how it uses these data.
… “It’s widely agreed that HIPAA is out of date, and there are efforts ongoing right now to update it for the 21st century,” says Kirsten Ostherr, a co-founder and the director of the Medical Futures Lab at Rice University. HIPAA was signed into law in 1996—years before Google knew if you were pregnant or could algorithmically estimate your risk of suicide. “Most of the kind of data [Google’s] trafficking in is not considered to be personally identifiable information in the way that it was conceived back in the ’90s, when [much of] the tech world didn’t even exist.”

They’re big, therefore they must be bad?
States’ massive Google antitrust probe will expand into search and Android businesses
Google’s parent, Alphabet, has a market capitalization of more than $900 billion, making it one of the most valuable companies in the world. Because much of its offerings are free to the user, it can be difficult to prove antitrust violations, which are typically shown by a clear impact on pricing. The Justice Department’s antitrust chief, Makan Delrahim, has indicated in public speeches that quality, innovation and other factors could be considered.

You say tomayto and I say tomahto. Ask Google how to pronounce tomato.
Google search adds pronunciation features
Google Blog: “People around the world come to Search to ask questions related to language, like looking up the definition of a word or double checking the pronunciation of a word in another language. Just this morning I’ve already searched how to define “otorhinolaryngologist” and the translation of “naranja” in Spanish to English. Now, we’re helping people pronounce tricky words and understand the meaning of those words. First, we’re launching a new experimental pronunciation feature that lets you practice word pronunciations right in Search. For the visual learners out there, we’re adding images to our English dictionary and translation features to help you better understand the meaning of a word…”

Thursday, November 14, 2019

Toward a secure architecture. An alternative to a National Guard cyber unit, or perhaps a complement?
North Dakota Expands Cyberdefense with New Funding, Workforce
With a recent funding boost for the 2019-21 biennium, the North Dakota Information Technology Department will use $15.4 million to expand its Cyber Operations Center (CyOC), adding a host of new toolsets, employing increased contractor support and analysis, and hiring eight new staff members.
Currently, the CyOC is responsible for a focused effort to conduct a statewide cybermaturity assessment to measure the level of cyber-readiness of 400+ public entities in the state. That effort is part of a larger initiative, launched by a bill passed earlier this year, to strategically align state government behind a unified cyberposture.

They apparently didn’t monitor their resources. Why so long to agree to minimal security?
Company discovered it was hacked after a server ran out of free space
Hacker was detected after creating a giant archive file that took up all the free disk space. Had been inside the company's network for almost two years, undetected.
In 2016, the company announced a security breach during which a hacker stole the personal details of around one million users. Following tips that the company had failed to secure its servers, the Federal Trade Commission (FTC) started an investigation into the hack.
According to an FTC complaint at the time, the hacker exploited a vulnerability in InfoTrax's websites to upload a malicious code that enabled remote control of the company's website and adjacent server infrastructure.
The theft was aided by the fact that InfoTrax was storing customer data in cleartext. Stolen information included Social Security numbers, payment card information, bank account information, and user names and passwords.
This week, the FTC and InfoTrax agreed to a settlement according to which the Utah-based company would implement the security measures that led to the 2016 security breach. The settlement obliges InfoTrax to:
    • inventory and delete personal information it no longer needs;
    • conduct code review of its software and testing of its network;
    • detect malicious file uploads;
    • adequately segment its network; and
    • implement cybersecurity safeguards to detect unusual activity on its network.

For my Security students.
New Study Shows Financial Loss from Multi-Party Cyber Incidents Is 13X Larger than Single-Party Incidents
Today the Cyentia Institute published “Ripples Across the Risk Surface,” an in-depth study sponsored by RiskRecon that analyzes more than 800 cyber incidents and their impact on multiple downstream organizations. According to the study, multi-party loss events that impact thousands of downstream organizations, otherwise known as “ripple events,” result in 13X larger financial loss than traditional single-party incidents. The objective of this first-of-its-kind study is to raise market awareness on the hyper interdependencies organizations have on other organizations, and the ripple effect that grows by an order of magnitude beyond that singular data loss event.

Worth checking?
Brave 1.0 launches, bringing the privacy-first browser out of beta
Brave promises to prioritize security by blocking third-party ads, trackers, and autoplay videos automatically. So you don’t need to go into your settings to ensure greater privacy, though you can adjust those settings if you want to.

Those who grant-ith monopoly can take-ith it away. (As I have suggested for years.)
Victory over telecom industry gives Connecticut towns a way to provide their own faster, cheaper internet service
The telecommunications industry lost and consumers won in a Connecticut Superior Court decision that gives cities and towns the right to use existing utility infrastructure within their borders to create municipal networks that deliver cheap, fast internet service to homes and business.

Gartner trends are based on what senior IT executives are thinking.
10 Data and Analytics Trends for 2020
Data and analytics have gained traction in organizations, driven by the promise of big data a few years ago and the potential of machine learning and other types of artificial intelligence more recently. Even as many enterprises seemed to be stalled in their production AI plans, they are still making those plans, and know they are crucial for success in the years to come.
That's because data and analytics are serving an expanded role in digital business, according to Gartner analyst and VP Rita Sallam. Data and analytics have become key parts of how you serve customers, hire people, optimize supply chains, optimize finance, and perform so many other key functions in the organization.

If you build (gather and store) it, they will come. Field of Law Enforcement’s Dreams
Zack Whittaker reports:
The social media giant said the number of government demands for user data increased by 16% to 128,617 demands during the first half of this year compared to the second half of last year.
That’s the highest number of government demands it has received in any reporting period since it published its first transparency report in 2013.
Read more on TechCrunch.

Legal is not always seen as ethical. Google should have known better just based on the size of the database.
Rob Copeland and Sarah E. Needleman report:
Google’s project with the country’s second-largest health system to collect detailed health information on 50 million American patients sparked a federal inquiry and criticism from patients and lawmakers.
The data on patients of St. Louis-based Ascension were until recently scattered across 40 data centers in more than a dozen states. Google and the Catholic nonprofit are moving that data into Google’s cloud-computing system—with potentially big changes on tap for doctors and patients.
At issue for regulators and lawmakers who expressed concern is whether Google and Ascension are adequately protecting patient data in the initiative, which is code-named “Project Nightingale” and is aimed at crunching data to produce better health care, among other goals. Ascension, without notifying patients or doctors, has begun sharing with Google personally identifiable information on millions of patients, such as names and dates of birth; lab tests; doctor diagnoses; medication and hospitalization history; and some billing claims and other clinical records.
Read more on WSJ.
And this is exactly what happens when you have carve outs for sharing information without explicit notice and consent. FERPA has a carve-out that allows schools to share students’ personal information with third-party entities that they declare as “school officials” and now we see how an exception in HIPAA may have allowed a massive sharing without consent.
It is stunning to me that Ascension would have engaged in this data sharing without anticipating how the public might feel about this. I would feel betrayed by them and horrified.

Spain has published a few useful guidelines already. Where are the rest of the EU members?
The Spanish Supervisory Authority issues guidance on the use of cookies
On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain.

Interesting how lawyers are thinking about AI.
Artificial Intelligence, Finance, and the Law
Lin, Tom C. W., Artificial Intelligence, Finance, and the Law (November 4, 2019). 88 Fordham Law Review 531 (2019); Temple University Legal Studies Research Paper No. 2019-31. Available at SSRN:
“Artificial intelligence is an existential component of modern finance. The progress and promise realized and presented by artificial intelligence in finance has been thus far remarkable. It has made finance cheaper, faster, larger, more accessible, more profitable, and more efficient in many ways. Yet for all the significant progress and promise made possible by financial artificial intelligence, it also presents serious risks and limitations.
This Article offers a study of those risks and limitations—the ways artificial intelligence and misunderstandings of it can harm and hinder law, finance, and society. It provides a broad examination of inherent and structural risks and limitations present in financial artificial intelligence, explains the implications posed by such dangers, and offers some recommendations for the road ahead. Specifically, it highlights the perils and pitfalls of artificial codes, data bias, virtual threats, and systemic risks relating to financial artificial intelligence. It also raises larger issues about the implications of financial artificial intelligence on financial cybersecurity, competition, and society in the near future. Ultimately, this Article aspires to share an insightful perspective for thinking anew about the wide-ranging effects at the intersection of artificial intelligence, finance, and the law with the hopes of creating better financial artificial intelligence—one that is less artificial, more intelligent, and ultimately more humane, and more human.”

Try not to frighten the AI controlling your pacemaker!
Fun New Paper Says We Should Make Machines Freak Out About Their Own Mortality
"In a dynamic and unpredictable world, an intelligent agent should hold its own meta-goal of self-preservation, like living organisms whose survival relies on homeostasis: the regulation of body states aimed at maintaining conditions compatible with life," write Man and Damasio in their published paper.
In short, we're talking about giving robots feelings. Making them care might make them better in just about every aspect, and it would also give scientists a platform to investigate the very nature of feelings and consciousness, say Man and Damasio.

What outcome will the App suggest?
AI app may help diagnose mental illness through speech: Study
Researchers have developed a speech-based mobile app that uses artificial intelligence to categorize a patient's mental health status, an advance that may lead to a tool to assist psychiatrists in diagnosing mental illnesses. The study, published in the journal Schizophrenia Bulletin, noted that many people in remote areas do not have access to psychiatrists or psychologists, and others can't afford to see a clinician frequently.
The researchers, including those from the University of Colorado at Boulder in the US, said therapists base their treatment plan largely on listening to a patient talk which they said was an old, subjective and unreliable method.
They developed a machine learning technology that can detect day-to-day changes in speech which hints at mental health decline.

Or perhaps ignoring economic advice is politically advantageous?
Against Economics
There is a growing feeling, among those who have the responsibility of managing large economies, that the discipline of economics is no longer fit for purpose. It is beginning to look like a science designed to solve problems that no longer exist.

I like lists. (How many are available free?)
Explore the list of 100 Novels That Shaped Our World
These English language novels, written over the last 300 years, range from children’s classics to popular page turners. Organised into themes, they reflect the ways books help shape and influence our thinking.

Wednesday, November 13, 2019

Imagine (insert country name here) backed companies as the lowest cost manufacturer of voting machines.
Report: Election Vendors Are 'Prime Targets,' Need Oversight
The private companies that make voting equipment and build and maintain voter registration databases lack any meaningful federal oversight despite the crucial role they play in U.S. elections, leaving the nation's electoral process vulnerable to attack, according to a new report.
The Brennan Center for Justice on Tuesday issued the report, which calls on Congress to establish a framework for federal certification of election vendors.

(Related) Would the response be different depending on which party is in power?
Labour cyber-attack: Hostile nation state could be behind hack, ex-GCHQ boss says
A former GCHQ boss has said nation state hackers may have been behind the "large-scale cyber attack" on the Labour Party.
The party's digital platforms were hit by a "sophisticated and large-scale" cyber attack on Tuesday morning, a Labour spokesperson admitted, although it failed because of the party's "robust security systems" and they were confident that no data breach occurred. [Confident enough to risk the next election? Bob]

I don’t think my students really believe me when I tell them this is how it works. It’s a Catch-22. A breach is evidence of non-compliance.
PCI DSS Compliance Between Audits is Declining: Verizon
Companies subject to PCI DSS security requirements are audited once per year, yet many of these companies continue to be breached. It is not that PCI DSS fails, but that companies fail to maintain compliance from one audit to the next. According to Verizon's 2016-2018 dataset, at the time of a breach, no organization was compliant across all 12 PCI DSS requirements.
This is the primary thrust of the Verizon 2019 Payment Security Report -- the eighth annual report (PDF) on the state of PCI DSS compliance: compliance sustainability from one annual audit to the next. "Most companies are able to achieve compliance fairly easily," Rodolphe Simonetti, managing director of Verizon's global security consulting, told SecurityWeek, "but what is important is maintaining compliance throughout the year. This is the only way to mitigate risk and manage security properly."
"We can definitively state," says the Verizon report, "we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant—even if it had a signed Attestation of Compliance (AOC)." While it cannot confirm industry claims that no PCI DSS compliant company has ever been breached, it does say categorically that no covered breached company within its purview was actually compliant at the time of the breach.

DHS policy cannot amend the Constitution. So will each port of entry now need a judge 24X7 to issue warrants?
Federal Court Rules Suspicionless Searches of Travelers’ Phones and Laptops Unconstitutional
EFF – Government Must Have Reasonable Suspicion of Digital Contraband Before Searching People’s Electronic Devices at the U.S. Border – “In a major victory for privacy rights at the border, a federal court in Boston ruled today that suspicionless searches of travelers’ electronic devices by federal agents at airports and other U.S. ports of entry are unconstitutional. The ruling came in a lawsuit, Alasaad v. McAleenan, filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and ACLU of Massachusetts, on behalf of 11 travelers whose smartphones and laptops were searched without individualized suspicion at U.S. ports of entry.”

The Electronic Frontier Foundation (EFF) sued the Department of Homeland Security (DHS) today to obtain information that will shine a light on the agency’s use of Rapid DNA technology on migrant families at the border to verify biological parent-child relationships.
In a Freedom of Information Act (FOIA) complaint filed today in federal court in San Francisco, EFF asked a judge to require DHS to disclose information about the agency’s deployment of Rapid DNA systems, including the number of individuals whose DNA has been collected, the accuracy of DNA matches, and the exact gene processing used to identify parent-child relationships. The lawsuit also seeks training materials, consent forms and privacy statements given to families, and locations of DHS’s Rapid DNA pilot programs.
According to media reports, DHS, and its component Immigration and Customs Enforcement (ICE), began a pilot program in May to conduct Rapid DNA testing on adults and children presenting themselves at the U.S. border. The purpose of the testing was to find individuals who were not related through a biological parent-child relationship and prosecute them for fraud. The pilot program then grew, with testing at seven locations at the U.S.-Mexico border. In June, DHS indicated that Rapid DNA testing is now part of the agency’s policy.

It’s the tools you don’t control that cause concern.
Facebook is secretly using your iPhone’s camera as you scroll your feed
… The problem becomes evident due to a bug that shows the camera feed in a tiny sliver on the left side of your screen, when you open a photo in the app and swipe down. TNW has since been able to independently reproduce the issue.
Maddux adds he found the same issue on five iPhone devices running iOS 13.2.2, but was unable to reproduce it on iOS 12. “I will note that iPhones running iOS 12 don’t show the camera (not to say that it’s not being used),” he said.
Update November 13, 7:20AM UTC: Facebook has confirmed the issue, calling it a bug (who would’ve guessed, right?).

The pendulum swings further in the consumer’s favor?
EU adopts New Deal for Consumers
On November 8, 2019, the European Union adopted the “Directive Modernizing Consumer Law.” This directive is part of the so-called “New Deal for Consumer” (see here), a package of legislative reforms designed to revise existing EU consumer laws. The main objective of these reforms is to adapt EU consumer protection legislation to the realities of the digital era, as well as to foster transparency and ensure effective enforcement of consumer protection laws.
The directive amends the following existing EU consumer laws:

Tuesday, November 12, 2019

Why smart companies hire consultants (to blame if anything goes wrong).
Enhancing the Security of Data Breach Notifications and Settlement Notices
Ryan Amos, Mihir Kshirsagar, Ed Felten, and Arvind Narayanan write:
We couldn’t help noticing that the recent Yahoo and Equifax data breach settlement notifications look a lot like phishing emails. The notifications make it hard for users to distinguish real settlement notifications from scams. For example, they direct users to URLs on unfamiliar domains that are not clearly owned by the company that was breached nor any other trusted entity. Practices like this lower the bar for scammers to create fake phishing emails, potentially victimizing users twice. To illustrate the severity of this problem, Equifax mixed up domain names and posted a link to a phishing website to their Twitter account. Our discussion paper presents two recommendations to stakeholders to address this issue.
First, we recommend creating a centralized database of settlements and breaches, with an authoritative URL for each one, so that users have a way to verify the notices distributed.
Read more on Freedom to Tinker.

Should be interesting to see what Microsoft thinks every privacy law will include.
Microsoft vows to ‘honor’ California’s sweeping privacy law across entire US
On Monday, Microsoft announced that it would honor the “core rights” provided to Californians through the state’s landmark data privacy law and expand that coverage across the entire United States.
Many Democratic lawmakers argue that any national legislation should leave California as a baseline and extend those protections across the country and add more protections if necessary. Republicans and industry stakeholders disagree and are broadly convinced that CCPA goes too far and any federal law should nullify it and any other state laws in order to stave off a “patchwork” of privacy regulations.

Privacy is spreading.
Yomi Kazeem reports:
A new data protection law in Kenya is setting a high standard for the rest of the continent.
As the country looks to engender more safeguards in the collection, handling and sharing of data, Kenya’s president Uhuru Kenyatta has approved legislation which complies with the European Union’s General Data Protection Regulation.
Read more on Quartz Africa.

Perhaps it’s the USPTO’s AI asking these questions.
Can AI Own IP? U.S. Patent and Trademark Office Opens Inquiry into Artificial Intelligence
The U.S. Patent and Trademark Office (USPTO) is asking the public for input on whether computers, in the form of artificial intelligence (AI), can create something that could be copyrighted and whether it could infringe on the copyrights of others.
The first question the office asks is this: “Should a work produced by an AI algorithm or process, without the involvement of a natural person contributing expression to the resulting work, qualify as a work of authorship protectable under U.S. copyright law? Why or why not?”
The questionnaire then goes on to ask another dozen related questions, such as the following:
“To the extent an AI algorithm or process learns its function(s) by ingesting large volumes of copyrighted material, does the existing statutory language (e.g., the fair use doctrine) and related case law adequately address the legality of making such use? Should authors be recognized for this type of use of their works? If so, how?”
It also asks:
“Are current laws for assigning liability for copyright infringement adequate to address a situation in which an AI process creates a work that infringes a copyrighted work?”

Thoughts for lawyers.
Lessons for In-House Counsel from Cybersecurity’s Front Lines
Recent developments reinforce the urgent need for general counsel and legal departments to deepen their focus on cybersecurity.
To read the full article, click here

Something to share with our Vet students.
Free Cybersecurity Training Now Available for U.S. Veterans
A new and free cybersecurity training and certification program called Second Watch has been launched today by Palo Alto Networks to help U.S. veterans find new careers in cybersecurity after their military service is over.
This new initiative is designed to provide military veterans with all the online resources needed to aid them to switch to new careers in cybersecurity, a mission that perfectly matches their previous training on effectively responding to threats and preventing attacks.
The free digital learning courses provided by the company through the Second Watch initiative enable veterans to acquire cybersecurity knowledge on various topics ranging from "the basics of malware to managing a global infrastructure of Next-Gen Firewalls."
The program's Skills Learning Path features nine self-paced steps that will guide them through the free digital learning courses available that can be accessed on an online portal.
They will also be able to take the Palo Alto Networks Certified Network Security Administrator (PCNSA) and Palo Alto Networks Certified Cybersecurity Associate (PCCSA) free exams along the way.