Cybersecurity Ethics

At an MCLE today and got this hypothetical:

Your Company learns that a bug in one of your apps could have provided bad guys with access to confidential user information, but you do not have evidence that anyone actually obtained such information. You’ve fixed the bug. Arguably, privacy statutes require the Company to make disclosure to users and/or regulators. Management decides not to disclose, because there is no indication of an actual breach. Ethical issue?

The audience of lawyers split 75% / 25% (in live polling) on calling this an ethical issue. Fascinating.

Two points: (1) I think the right answer is no. If the statute “arguably” does not require disclosure (i.e. reasonable people disagree) then this is not an ethical issue. But also (2) this scenario is almost certainly true all the time for all companies with confidential user data and internet-facing systems. Should they all be disclosing all the time? Is that even realistic?

Just take a look at the National Vulnerability Database, do a blank search, and look at the security bugs listed today. Awful security bugs are being found, published, and fixed every day for every major application everywhere. If you have confidential user information and internet-facing applications, you may face this hypothetical every single day.

Permian Extinction Resolved / Replicated

So this is bad:

On Thursday, a team of scientists offered a detailed accounting of how marine life was wiped out during the Permian-Triassic mass extinction. Global warming robbed the oceans of oxygen, they say, putting many species under so much stress that they died off. 

And we may be repeating the process, the scientists warn. If so, then climate change is “solidly in the category of a catastrophic extinction event,” said Curtis Deutsch, an earth scientist at the University of Washington and co-author of the new study, published in the journal Science.

https://www.nytimes.com/2018/12/07/science/climate-change-mass-extinction.html

Feels like this should be bigger news.

The Complexity of the Legal Domain

How to comply with legal rules? It’s even worse in other countries.

Speaking personally, I recently spent about a year living in Spain (helping out our Barcelona office) and I read everything I could on Spain visas before I went but I knew that I still didn’t know enough to do it on my own. So I hired a really good and really expensive Spain immigration lawyer and in about three hours she totally set me straight and I walked out of her office knowing exactly what to do and I did it and it worked. 90 percent of what I had read about Spain visas on the internet was true but ten percent was either dead ass wrong or had recently changed or just did not apply to our specific situation. Had I gone with just what I had learned on the internet, I likely would have been booted out of Spain in 90 days. Despite all that I had learned by going through all of this, when it came time for another American lawyer in my firm to take my place in Spain, he too went to this same Spain immigration lawyer and he reported back to me the same result. She saved him huge amounts of time and huge amounts of problems.

And the whole point of this excerpt is that China is way worse.

Link

Impactful Legal Technology

One of the simplest (conceptually) but potentially most impactful areas of legal technology is just easier access to data and services that are already available. From Business Insider, a story on DoNotPay:

First Joshua Browder went after parking tickets, building a bot that helped hundreds of thousands of users challenge their fines.

Then, the 21-year-old student broadened his focus, expanding into everything from landlord disputes to chasing compensation for lost luggage on flights.

In 2018, Browder took aim at Equifax after a data breach exposed the personal data the firm held on tens of millions of Americans, and his app DoNotPay was used to help file 25,000 lawsuits against the company.

See also Bad Landlord? These Coders Are Here to Help.

Can software tools help non-experts effectively navigate domains that experts have created and maintained? First step: access the underlying data.

Life Advice

Ran across this Twitter thread from Patrick McKenzie and thought it was great. Here are some lines for emphasis:

Companies find it incredibly hard to reliably staff positions with hard-working generalists who operate autonomously and have high risk tolerances. This is not the modal employee, including at places which are justifiably proud of the skill/diligence/etc of their employees.

and

Technologists tend to severely underestimate the difficulty and expense of creating software, especially at companies which do not have fully staffed industry leading engineering teams (“because software is so easy there, amirite guys?”)

and

There is no hidden reserve of smart people who know what they’re doing, anywhere. Not in government, not in science, not in tech, not at AppAmaGooBookSoft, nowhere. The world exists in the same glorious imperfection that it presents with.

Your Lawyer’s Email Advice is Wrong

What do your lawyers tell you about email? Don’t write bad emails, right?

Here’s a bad email:

“OMG we totally infringe this patent.”

And the response:

“Hey guys, the lawyers told us not to discuss patents on email. Let’s take this discussion offline.”

So now it looks like there was a discussion, offline, about how much they infringe the patent. And that’s probably not what happens.

It’s fine to email. The mistake is speculating and exaggerating in email.

The truth is the author has no idea if they infringe the patent. They are expressing a fear. Infringement is a legal analysis and almost always requires a full technical investigation.

Email is fine. But don’t fucking speculate. Don’t panic. State the facts and loop in your lawyer.

Guaranteed Patent Validity vs No Permanent Injunctions

Fascinating and bold proposal by Professor Paul Janicke of the University of Houston Law Center to fix the U.S. patent system:

(1) Continue to allow prosecution of as many claims as desired, but after allowance require the applicant to choose no more than three for issuance. During the first three years from grant, attacks on these claims can be made in the PTO or the courts, to the same extent as now. After three years from the issue date, validity of the claims becomes incontestable.

(2) In exchange for (1), the remedy of permanent injunction disappears, except in ANDA cases. It will be replaced by a revised financial remedy: equitable sharing in the infringer’s revenues from the infringing activity, as set by the judge.

He anticipates the objections but argues radical change is needed. And it is certainly appealing to think about a fundamental rebalancing. The patent system is broken.

Cryptocurrency Hype Cycle Part 3

The hype cycle of cryptocurrency may be hitting another inflection point. I tend to believe it’s going to stay down for some time.

The Economist reports:

Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino.

If Cyber Attacks Go Personal

We tend to think cyber attacks will be directed to institutional weaknesses: power grids, communications, etc. But the following scenario imagines that we are equally vulnerable at a personal level. Bruce Schneier links to this:

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese “Assassin’s Mace” — a silver bullet super-weapon capable of disabling key parts of the American military — turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet’s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls’ cries heart-wrenching, the cheers of Marines sickening. And all of it fake. The National Security Agency’s initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine’s account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron’s Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other’s throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag #PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration’s “zero tolerance” policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared “an operational pause,” directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

Institutions are made of individuals, and attacking individuals can cripple institutions. But it is also enormously more difficult to attack many individual accounts. I find this scenario compelling, implausible, and a useful exercise in thinking laterally.

“John McCain Would Have Passed the Anne Frank Test”

RIP John McCain, a man of honor and character.

Jeffrey Goldberg, writing for The Atlantic:

I told him then that he would most definitely pass the Anne Frank Test. He was unfamiliar with the concept (mildly surprising, given that his best friend was Joe Lieberman). The Anne Frank test, something I learned from a Holocaust survivor almost 40 years ago, is actually a single question: Which non-Jewish friends would risk their lives to hide us should the Nazis ever return?

McCain laughed at the compliment. Then he became serious. “I like to think that in the toughest moments I’d do the right thing, but you never know until you’re tested.” I found this to be an absurd thing for him to say. Few men had been tested like John McCain; few men have passed these tests in the manner of John McCain. Of all the many stories of McCain’s heroism in Vietnamese captivity, the one I’ve always found most affecting is this one: When presented with the opportunity to be freed—he was the son of an important admiral, and his release would constitute a propaganda victory for the North Vietnamese—McCain demurred; it was not his turn (prisoners were generally released based on their time in captivity), and he would not skip to the head of the line. When he rejected the Vietnamese offer, he knew that intense torture would be his reward. And he did it anyway. His sense of honor would allow him to do nothing else.

I pressed him on this point. “I’ve failed enough in my life to know that it’s always an option,” he said. “I like to think I would do what it takes, but fear will make you do terrible things.”

John McCain Would Have Passed the Anne Frank Test