Law.com

What's Next

Future + Law

Ben Hancock

Nov 21, 2017

Hello, World! Welcome to the official inaugural edition of What's Next, a briefing on the future of law. I'm Ben Hancock, a reporter for Law.com based in San Francisco. Each week I'll be bringing you news and analysis on how law and the courts are coping with new tech (or not, as the case may be), as well as how innovation is shaping legal practice.

Those of you who joined me on the beta voyage of this newsletter know the drill: Got tips? Suggestions? Vulnerability disclosures? Just drop a line to bhancock@alm.com.


Watch This Space: Uncle Sam Has Your Vulnz

They may not know it, but any company that got hit with the WannaCry ransomware attack over the past year witnessed first-hand the downside of a secretive U.S. government policy mechanism known as the VEP. Short for the "Vulnerabilities Equities Process," it's the procedure through which the government decides to hang on to its knowledge of computer security flaws for offensive uses (i.e. hacking), or disclose them to ensure they get patched.

Obviously, as Microsoft chief legal officer Brad Smith could have told you back in May, this process does not always achieve its desired objective. Exhibit A: The Shadow Brokers. But now, at least we know a little bit more about how it works.

In a blog post last Wednesday, White House Cybersecurity Coordinator Rob Joyce unveiled for the first time a public version of the VEP Charter. The 14-page document describes in broad strokes the balancing act government hackers must go through when they discover new vulnerabilities (or "vulnz" as they're known in the hacker community). It also lists the various agencies involved in making a decision about whether to "disseminate or restrict" the vulnerability, and when there might be exceptions to submitting a known security weakness to the VEP.

Joyce, a former NSA official, writes: "Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of a crime, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities. The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace."

The announcement was greeted fairly warmly by some quarters of the tech world. Mozilla, a strong advocate of the open internet, welcomed the release of the Charter in a blog post that broke down key elements of the announcement—even though the company and other digital rights advocates have called for legislation that would more clearly establish the process for vetting vulnerabilities.

"The new charter makes an important policy decision that the presumption lies in favor of disclosing the vulnerabilities to the companies," Michelle Richardson, a deputy director at the Center for Democracy and Technology, wrote in an email. "While several Obama officials had said as much in their personal capacities, it is crucial to have it be an official declaration from the whole of government."

But the charter doesn't shed a whole lot of light on how the government decides not to disclose, noted Stewart Baker of Steptoe & Johnson, a former Department of Homeland Security official and host of the always-interesting Steptoe Cyberlaw Podcast. "If this is the dance of the seven veils, this is another couple of veils gone," Baker said.

Baker said the charter does underscore one important thing: If the government tells a company about a security hole, the company had better make sure it's prepared to patch it—not just throw up its hands and say, "We don't support that version anymore." Choosing to disclose after going through a VEP review could be a signal the government believes the flaw is potentially disastrous.

Also worth noting? The U.S. apparently isn't the only state that has a vulnerability vetting system: according to new research, China operates one too.

>> Think Ahead: Companies should consider whether they might be liable for failing to patch, especially once put on notice by the government, Baker says.


On the Radar: 3 Things to Know

1. Data privacy is officially an antitrust issue now: Missouri opens investigation into Google.


● Missouri’s attorney general last week opened an investigation into Google Inc., questioning whether the search engine company’s data-collection and privacy practices violate state consumer protection laws, reports my colleague Cheryl Miller.
● “My office will not stand by and let private consumer information be jeopardized by industry giants, especially to pad their profits," said the state AG, Josh Hawley, who is running for U.S. Senate.

>> Data Point: This could be the prelude to a groundbreaking case centering on market dominance over personal data. The FTC looked into related issues when Google bought advertising server DoubleClick Inc., but never acted.

2. FBI v. Apple, one more time?


● Authorities investigating the mass shooting at a church in a San Antonio suburb have served a search warrant on Apple seeking digital photos, messages, documents and other types of data that might have been stored by gunman Devin Patrick Kelley, the San Antonio Express-News reports.
● "Court records ... show Texas Ranger Kevin Wright obtained search warrants on Nov. 9 for files stored on Kelley’s iPhone, a second mobile phone found near his body and for files stored in Kelley’s iCloud account."

>> Data Point: Kelley reportedly possessed an iPhone SE, and it seems unlikely Apple would be willing to break the phone's security features to comply with the warrant. But according to The Verge, it's not clear whether it will have to.

3. Max Schrems is a major thorn in Facebook's side. But after a court recommendation, he's just one thorn.


● The advocate-general to the European Court of Justice has recommended that Austrian lawyer Max Schrems be allowed to pursue his privacy case against Facebook—but not on behalf of a class of consumers across Austria, Germany, and India.
● That's surely a relief to Facebook: The AG's opinion is typically followed by the full court. At the same time, Schrems beat arguments by the company that he could not sue because he is a "professional" and not a "consumer."

>> Data Point: The case is only one of several that Schrems has launched against Facebook. He successfully upended the US-EU Safe Harbor agreement, and a pending case threatens another legal mechanism for transatlantic data transfers.

"In a time where the winds have shifted to really be not as friendly to Silicon Valley ... I think this is a point where Rosenstein and his colleagues really smell blood in the water."


Riana Pfefferkorn of Stanford Law's Center for Internet and Society, talking about Deputy AG Rod Rosenstein's push for "responsible encryption."
Read the Q&A or listen to the full interview on my podcast, "Unprecedented."

The Conversation: Did Don Jr. Violate the CFAA?

The Computer Fraud and Abuse Act has become a controversial law in part for its broad scope. Just how broad is it? Well, according to some, broad enough to ensnare Donald Trump Jr. if he passed along login credentials to an anti-Trump campaign site. The Atlantic reported last week that the younger Trump had received the login info from Wikileaks.

Cyberlaw guru Orin Kerr of George Washington University, who's set to join USC's Gould School of Law in January, kicked off a thread on this idea on Twitter:

In reply, former SDNY Assistant U.S. Attorney Andrew McCarthy put some things in perspective:


In Futuro

I focus a lot on how the law is wrestling with technology. In this section, I'm flipping the lens to look at how tech and innovation are changing the practice of law. Ideas? Observations? I'm all ears: bhancock@alm.com

➤➤ Building legal tech, in house.


Silicon Valley stalwart law firm Orrick, Herrington & Sutcliffe has launched Orrick Labs, an in-house technology incubator tasked with developing efficiency technology for the firm, reports my colleague Gabrielle Orum Hernandez. "The 'lab' is currently working on a firm-wide document management dashboard platform and intends to develop other technology to support firm operations."

Jackson Ratcliffe, technology architect for Orrick Labs, explained that the idea for the incubator derived originally from the technology strategy at Venture Law Group, a firm that rode the boom and bust of the late 90s dot-com wave. "Their whole focus was they had the most advanced tech that any law firm could have," Ratcliffe said.

>> In Context: A growing trend? In addition to Orrick, some other large firms like Paul Hastings have moved into doing some coding and software-development in house to streamline discovery.


Dose of Dystopia

We're talking about the future here, and as much as we humans like to hope that things will go right, we're also fascinated by how things could go creepily wrong. Think Minority Report, Black Mirror, The Matrix. In that spirit, I bring you a dose of dystopia for the future of law.

This week: Did you take your medicine? Now your doctors—and maybe lots of other people—know the answer.

A digital-pill version of the antipsychotic Abilify, which is used to treat conditions like schizophrenia, was approved by the Food & Drug Administration earlier this month. The pill is aimed at improving "adherence," the technical term for making sure patients keep up with their meds. It contains minerals that generate an electrical signal when they come in contact with stomach juices, which is then detected by a sensor worn by the patient, The New York Times explains.

If schizophrenia—symptoms of which include paranoia—seems like an odd ailment to choose in introducing big-brother style medical monitoring, you're not alone. “You would think that, whether in psychiatry or general medicine, drugs for almost any other condition would be a better place to start than a drug for schizophrenia," Dr. Paul Appelbaum, director of law, ethics and psychiatry at Columbia University’s psychiatry department, told the Times.

But the medication also introduces a range of questions in the criminal and civil law space, as Utah-based attorney Anikka Hoidal wrote back in 2015 when the digital pill was still in the works. Privacy is probably the largest concern, she noted, especially in light of recent hacks. But could medical adherence data come into play in court custody battles over children?

And what about in law enforcement—might corrections officers make "medical compliance" a term of parole, coercing convicts into taking medication they may not want?

"Hopefully the legal and ethical world will be able to keep up with the medical advancements," Hoidal concluded. Here's hoping, indeed.

That's all for now.

Have a good week and stay tuned for What's Next!
